Lumma Stealer announced an update on September 14th, announcing a new exfiltration method in its builds.
The endpoints /c2sock and /c2conf were changed to a common endpoint for both purposes, /api, reached via POST request with form parameters.
Rule detection is currently 0, although Lumma builds are attempting to bypass sandbox analysis. I believe new rules have to be written in order to keep track of this major threat.
Failed detonation (Detection by memory dumps)
Analysis https://randsoms.click Malicious activity - Interactive analysis ANY.RUN
PCAP extracted from Triage | Malware sandboxing report by Hatching Triage
Thanks in advance
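Added example, not code from the post or from any rule set: a small Python classifier for HTTP requests extracted from a PCAP or proxy log that encodes only what the post states, i.e. the legacy endpoints /c2sock and /c2conf, and the new common /api endpoint reached by POST with form-encoded parameters. The form parameter names are not given in the post, so the script records whatever names it sees rather than assuming any; the sample requests, hostnames and parameter names below are constructed placeholders. Because "/api" is a generic path, a "new" verdict here is a candidate to be correlated with other indicators (contacted domains, process context, memory strings), not a detection on its own.

```python
"""Classify raw HTTP requests against the Lumma C2 endpoint change described above.

Added example; it knows only the facts in the post: legacy endpoints /c2sock
and /c2conf, and a new common /api endpoint reached by POST with form
parameters. No parameter names are assumed (they are not given in the post).
"""
from dataclasses import dataclass
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlsplit

LEGACY_ENDPOINTS = {"/c2sock", "/c2conf"}      # stated in the post
NEW_ENDPOINT = "/api"                          # stated in the post
FORM_CT = "application/x-www-form-urlencoded"  # "form parameters" in the post


@dataclass
class Verdict:
    path: str
    label: str                 # "legacy", "new" or "benign"
    form_fields: Tuple[str, ...]  # parameter names seen in a form body, if any


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split one raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, urlsplit(target).path, headers, body


def classify(raw: str) -> Verdict:
    """Return "legacy" for the old endpoints, "new" for a form POST to /api, else "benign"."""
    method, path, headers, body = parse_request(raw)
    content_type = headers.get("content-type", "").split(";")[0].strip().lower()
    is_form_post = method == "POST" and content_type == FORM_CT
    # Record parameter names only; the post does not name them, so none are assumed.
    fields = tuple(sorted(parse_qs(body).keys())) if is_form_post else ()
    if path in LEGACY_ENDPOINTS:
        return Verdict(path, "legacy", fields)
    if path == NEW_ENDPOINT and is_form_post:
        return Verdict(path, "new", fields)
    return Verdict(path, "benign", fields)


# Constructed sample requests (placeholder host and parameter names, not real traffic).
SAMPLE_LEGACY = (
    "POST /c2conf HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_NEW = (
    "POST /api HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 17\r\n\r\n"
    "param1=x&param2=y"
)
SAMPLE_JSON_POST = (
    "POST /api HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Content-Type: application/json\r\n"
    "Content-Length: 2\r\n\r\n"
    "{}"
)
SAMPLE_GET = "GET /api/v1/users HTTP/1.1\r\nHost: example.invalid\r\n\r\n"


if __name__ == "__main__":
    for sample in (SAMPLE_LEGACY, SAMPLE_NEW, SAMPLE_JSON_POST, SAMPLE_GET):
        print(classify(sample))
```

The content-type gate is deliberate: a JSON POST to /api or a GET under /api/ stays "benign", so only the shape the post describes (POST plus form body) is flagged; in a real rule this would be combined with the destination domains from the sandbox reports rather than used alone.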