{"id":106184,"date":"2025-05-22T15:36:13","date_gmt":"2025-05-22T19:36:13","guid":{"rendered":"https:\/\/forescoutstage.wpengine.com\/?p=106184"},"modified":"2025-05-22T15:46:46","modified_gmt":"2025-05-22T19:46:46","slug":"infostealer-watch-will-lummas-takedown-help-rhadamanthys-rise","status":"publish","type":"post","link":"https:\/\/www.forescout.com\/blog\/infostealer-watch-will-lummas-takedown-help-rhadamanthys-rise\/","title":{"rendered":"Infostealer Watch: Will Lumma\u2019s Takedown Help Rhadamanthys\u2019 Rise?"},"content":{"rendered":"<p>Information stealer or \u2018<strong>infostealer<\/strong>\u2019 malware is used by threat actors to harvest login items, such as cookies, credentials, and session tokens, as well as cryptocurrency wallets and credit card information from victims. Then, they are typically packaged as \u2018logs\u2019 and sold in dark web marketplaces.<\/p>\n<p>Ransomware, financial fraud, and corporate espionage are common follow-on activities leveraging this stolen data \u2014 which fuels an underground economy and poses substantial risks to organizations.<\/p>\n<p>Lumma stealer was the undisputed leader in the infostealer category until yesterday when Microsoft identified <a href=\"https:\/\/blogs.microsoft.com\/on-the-issues\/2025\/05\/21\/microsoft-leads-global-action-against-favored-cybercrime-tool\/\" target=\"_blank\" rel=\"noopener\">almost 400,000 computers<\/a> infected with the malware. A large law enforcement operation shut down more than 1,300 domains used as its command and control (C2).<\/p>\n<p>This opens up two possibilities:<\/p>\n<ul>\n<li>The operators of Lumma stealer may rebuild their infrastructure and return. After a takedown, operators often want to avoid the spotlight, but it\u2019s not uncommon for criminal infrastructure disrupted by law enforcement to return after some time. 
<a href=\"https:\/\/www.forescout.com\/resources\/emotet-threat-briefing\/\">Emotet<\/a> is one of the best examples.<\/li>\n<li>Other infostealers may take Lumma\u2019s place, since there are several alternatives in underground markets. A big player, such as Formbook, could rise to the top or several smaller ones may share parts of this market.<\/li>\n<\/ul>\n<p>Here, we give an overview on the history of infostealers, underscore the increasing risks posed by a \u2018rising star,\u2019 the <strong>Rhadamanthys<\/strong> infostealer, and discuss how threat actors distribute logs collected by several infostealers in the same forums. The actual infostealer malware is just a means to an end.<\/p>\n<h2>A Brief History of Infostealer Malware<\/h2>\n<p>Infostealer technology is not new. This type of malware is usually distributed as a service, sold via a monthly subscription that provides access to C2 servers.<\/p>\n<p><a href=\"https:\/\/www.forescout.com\/resources\/formbook-infostealer\/\">Formbook<\/a>, for instance, has been sold in various malware-as-a-service packages on hacking forums since 2016. By 2023, infostealers were already very common with established names, such as <a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.raccoon\" target=\"_blank\" rel=\"noopener\">Raccoon<\/a>, <a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.redline_stealer\" target=\"_blank\" rel=\"noopener\">RedLine<\/a>, and <a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.vidar\" target=\"_blank\" rel=\"noopener\">Vidar<\/a>. 
But that year, we <a href=\"https:\/\/www.forescout.com\/resources\/2023h1-threat-review\/\">observed a rise in the popularity<\/a> of more recent infostealers, such as <a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.mystic_stealer\" target=\"_blank\" rel=\"noopener\">Mystic<\/a>, <a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.aurora_stealer\" target=\"_blank\" rel=\"noopener\">Aurora<\/a>, <a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.misha\" target=\"_blank\" rel=\"noopener\">Misha<\/a>, and <a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.titan_stealer\" target=\"_blank\" rel=\"noopener\">Titan<\/a>.<\/p>\n<p>Today, infostealers are a cornerstone of cybercrime \u2014 alongside RATs, botnets, ransomware, and C2 frameworks. In our <a href=\"https:\/\/www.forescout.com\/resources\/2024-global-threat-roundup-report\/\">2024 Threat Roundup<\/a>, we showed how infostealers became the most common malware type last year. We also reported on Lumma stealer becoming the most active infostealer.<\/p>\n<p><a href=\"https:\/\/www.hhs.gov\/sites\/default\/files\/clickfix-attacks-sector-alert-tlpclear.pdf\" target=\"_blank\" rel=\"noopener\">ClickFix campaigns<\/a> are now the most recent advancement in infostealer delivery. ClickFix attacks, also called ClearFix, involve socially engineering end users into copying and executing malicious commands (usually PowerShell) provided by the attacker. 
These campaigns have been observed since the second half of 2024 and have been gaining popularity in 2025.<\/p>\n<p>Once delivered, infostealer malware often operates in stealth, running in the background and sending the stolen data to a remote server controlled by the attacker.<\/p>\n<p>Lumma Stealer has been delivered via ClickFix attacks since <a href=\"https:\/\/www.hhs.gov\/sites\/default\/files\/clickfix-attacks-sector-alert-tlpclear.pdf\" target=\"_blank\" rel=\"noopener\">at least September 2024<\/a>, but we recently observed campaigns delivering another stealer via similar methods: Rhadamanthys.<\/p>\n<h2>ClickFix Delivery: Rhadamanthys Stealer<\/h2>\n<p>We have observed threat actors using ClickFix attacks to deliver the Rhadamanthys infostealer.<\/p>\n<p>The attacks combined mshta.exe \u2013 a native Windows executable that runs Microsoft HTML Application (HTA) script code \u2013 with a malicious URL and an authentication code. This combination, shown below, ultimately leads to the delivery of the stealer.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-106193\" src=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Infostealer-Commandline-1.png\" alt=\"Infostealer Commandline\" width=\"2071\" height=\"247\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Infostealer-Commandline-1.png 2071w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Infostealer-Commandline-1-300x36.png 300w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Infostealer-Commandline-1-1024x122.png 1024w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Infostealer-Commandline-1-768x92.png 768w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Infostealer-Commandline-1-1536x183.png 1536w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Infostealer-Commandline-1-2048x244.png 2048w\" sizes=\"auto, (max-width: 2071px) 100vw, 2071px\" 
\/><\/p>\n<p>To lure victims into executing this command, the attackers crafted targeted spearphishing emails with instructions for the user to follow under the guise of verification. Here is an example spearphishing e-mail and its verification steps:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-106192\" src=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Infostealer-Windows-command-2.png\" alt=\"Infostealer Windows Command\" width=\"936\" height=\"352\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Infostealer-Windows-command-2.png 936w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Infostealer-Windows-command-2-300x113.png 300w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Infostealer-Windows-command-2-768x289.png 768w\" sizes=\"auto, (max-width: 936px) 100vw, 936px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-106191\" src=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Infostealer-Cloudflare-3.jpg\" alt=\"Infostealer Cloudflare\" width=\"936\" height=\"510\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Infostealer-Cloudflare-3.jpg 936w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Infostealer-Cloudflare-3-300x163.jpg 300w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Infostealer-Cloudflare-3-768x418.jpg 768w\" sizes=\"auto, (max-width: 936px) 100vw, 936px\" \/><\/p>\n<p>Behind the scenes, an obfuscated malicious PowerShell script is executed for further delivery of the payload. The script has three stages.<\/p>\n<h2>First Stage<\/h2>\n<p>The observed command, shown in the figure below, begins by invoking the PowerShell executable with the -w 1 argument, which sets the window style to minimal. 
This means that the PowerShell window runs in the background without a user interface, making it invisible to the user.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-106189\" src=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/infostealer-encoding-4.png\" alt=\"Infostealer Encoding\" width=\"936\" height=\"676\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/infostealer-encoding-4.png 936w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/infostealer-encoding-4-300x217.png 300w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/infostealer-encoding-4-768x555.png 768w\" sizes=\"auto, (max-width: 936px) 100vw, 936px\" \/><\/p>\n<p>Next, $adz is a variable assignment where the obfuscated data is processed:<\/p>\n<ul>\n<li><code>[text.encoding]::ascii.getbytes(...)<\/code> converts a string of characters into ASCII bytes.<\/li>\n<li><code>sort-object { get-random -setseed 1966181726 }<\/code>: The byte array is then randomly sorted using a fixed seed value. This makes the data appear scrambled, serving as a basic obfuscation technique to hide its true meaning.<\/li>\n<li><code>[text.encoding]::ascii.getstring(...)<\/code>: After sorting, the byte array is converted back into a string, which is now obfuscated and harder to interpret at first glance.<\/li>\n<\/ul>\n<p>The final goal is to get to the next stage payload, which is also a PowerShell command.<\/p>\n<h2>Second Stage<\/h2>\n<p>The command is a Base64-encoded PowerShell script. The <code>-e<\/code> flag tells PowerShell to decode the encoded string and execute it as a script. 
The string (<code>zgb1ag4aywb0agkabwbuacaacq\u2026<\/code>) is an obfuscated payload.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-106188\" src=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/infostealer-command-line-6.png\" alt=\"Infostealer Command Line\" width=\"936\" height=\"402\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/infostealer-command-line-6.png 936w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/infostealer-command-line-6-300x129.png 300w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/infostealer-command-line-6-768x330.png 768w\" sizes=\"auto, (max-width: 936px) 100vw, 936px\" \/><\/p>\n<p>This PowerShell command uses two layers of obfuscation. First, it contains a Base64-encoded string; it then decodes the result as UTF-32 to reveal the actual command, as shown below:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-106190\" src=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/infostealer-commandline-7.png\" alt=\"Infostealer Commandline\" width=\"936\" height=\"96\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/infostealer-commandline-7.png 936w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/infostealer-commandline-7-300x31.png 300w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/infostealer-commandline-7-768x79.png 768w\" sizes=\"auto, (max-width: 936px) 100vw, 936px\" \/><\/p>\n<p>The next file downloaded in Stage 2 is approximately 10 MB in size and protected using the commercial obfuscator Agile.NET, which applies techniques such as entity renaming and control flow obfuscation.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-106187\" src=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/infostealer-commandline-8.png\" alt=\"Infostealer Commandline\" width=\"936\" 
height=\"466\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/infostealer-commandline-8.png 936w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/infostealer-commandline-8-300x149.png 300w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/infostealer-commandline-8-768x382.png 768w\" sizes=\"auto, (max-width: 936px) 100vw, 936px\" \/><\/p>\n<p>After execution, it connects to the C2 server to download the final payload from <code>https:\/\/bird[.]stone-apple-vine[.]pro\/ukk6dd9hy825.bin<\/code>.<\/p>\n<h2>Final Payload<\/h2>\n<p>The downloaded payload is the Rhadamanthys stealer v0.7.0. The stealer harvests a wide range of sensitive data, including system information, credentials, browser passwords, cookies, and cryptocurrency wallet contents. Its data collection capabilities are extensive. They target both mainstream applications\u2014such as Google Chrome\u2014and niche software, such as the Pale Moon browser and Auvitas Wallet.<\/p>\n<p>Upon infection, Rhadamanthys automatically exfiltrates harvested data to its C2 infrastructure while also enabling threat actors to deploy additional extensions or execute custom commands on compromised systems. What sets Rhadamanthys apart is its modular architecture, which allows for continuous feature expansion and rapid adaptation. Its extensibility and frequent updates make it a highly effective tool in the cybercriminal arsenal.<\/p>\n<p>Rhadamanthys has a stage-based execution architecture:<\/p>\n<ul>\n<li><strong>Stage 1 \u2013 Loader Initialization<\/strong><br \/>\nRhadamanthys begins its execution by embedding and executing Stage 2 shellcode within the <em>.textbss<\/em> section of the host Portable Executable (PE) file. 
This stage is responsible for initializing the unpacking process and transitioning execution to the next phase.<\/li>\n<li><strong>Stage 2 \u2013 System Preparation and C2 Communication<\/strong><br \/>\nIn this stage, the malware prepares the infected environment by:\n<ul>\n<li>Getting machine and process information.<\/li>\n<li>Performing process injection.<\/li>\n<li>Unhooking security-related APIs.<\/li>\n<li>Running evasion checks.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Stage 3 \u2013 Data Theft and Exfiltration<\/strong><br \/>\nIn the last stage, the stealer:\n<ul>\n<li>Collects browser credentials, system information, crypto wallet data.<\/li>\n<li>Activates image\/OCR-based modules for advanced data targeting.<\/li>\n<li>Loads additional plug-ins (extensions).<\/li>\n<li>Exfiltrates all gathered data to the C2 server.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Other notable features of the malware include:<\/p>\n<ul>\n<li><strong>MSI-Based Payload Execution<\/strong><br \/>\nAn upgrade in v0.7.0 is the ability to disguise and execute payloads as MSI (Microsoft Installer) files. This is done by:\n<ul>\n<li>Writing a malicious .msi to %LOCALAPPDATA%\\Microsoft\\.<\/li>\n<li>Executing it using the ShellExecuteExW API.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Mutex-Based Kill Switch<\/strong><br \/>\nTo ensure only one active instance, Rhadamanthys creates uniquely formatted mutexes based on a SHA-1 hash of a hardcoded byte sequence.<\/li>\n<li><strong>Re-Execution Delay Mechanism<\/strong><br \/>\nRhadamanthys uses an encrypted timestamp stored in the Windows Registry to avoid re-executing within a set timeframe.<\/li>\n<\/ul>\n<h2>Lessons from Lumma Stealer: Log Distribution and TTPs<\/h2>\n<p>The figure below summarizes the evolution of Lumma Stealer from its inception until the takedown yesterday. This infostealer appeared at the end of 2022 but rapidly became the dominant player in this category. 
The malware now includes capabilities, such as <a href=\"https:\/\/github.com\/S3cur3Th1sSh1t\/Amsi-Bypass-Powershell\" target=\"_blank\" rel=\"noopener\">AMSI bypass<\/a>, process hollowing, code flow obfuscation, encrypted C2 communications, and persistence via registry modifications, as well as DLL sideloading.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-106185\" src=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/LUMMA-Stealer-Evolution-scaled.png\" alt=\"LUMMA Stealer Evolution\" width=\"2560\" height=\"1446\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/LUMMA-Stealer-Evolution-scaled.png 2560w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/LUMMA-Stealer-Evolution-300x169.png 300w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/LUMMA-Stealer-Evolution-1024x578.png 1024w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/LUMMA-Stealer-Evolution-768x434.png 768w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/LUMMA-Stealer-Evolution-1536x868.png 1536w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/LUMMA-Stealer-Evolution-2048x1157.png 2048w\" sizes=\"auto, (max-width: 2560px) 100vw, 2560px\" \/><\/p>\n<p>Threat actors using the malware also evolved their distribution tactics from traditional cracked software to ClickFix campaigns employing various initial access techniques and multi-stage delivery chains, such as the one we presented above for Rhadamanthys.<\/p>\n<p>These actors were leveraging multiple legitimate platforms for malware distribution including Google Drive, GitHub, X, YouTube and Telegram.<\/p>\n<p>Stolen credentials were then distributed in markets such as BreachForums, cracking[.]org, hard-tm[.]su, nohide[.]space, darknetarmy[.]com, niflheim[.]world, nulledbb[.]com and Telegram channels such as https:\/\/t[.]me\/+seHLUhOHbVhMDM0.<\/p>\n<p>One actor we followed selling stolen credentials was DaisyCloud 
(and variations such as up-daisycloud, daisycloud, new-daisycloud). They have been selling Lumma logs since its inception two years ago, but were also observed selling Redline stealer logs. <strong>This sheds light on how distribution points are independent of the specific stealer<\/strong>.<\/p>\n<p>We provided a deep technical analysis of Lumma on a <a href=\"https:\/\/medium.com\/@cyb3r-hawk\/lumma-stealer-threat-hunting-and-infrastructure-analysis-6e62a0e44c71\" target=\"_blank\" rel=\"noopener\">dedicated Medium blog<\/a>, including infrastructure and targeted applications. Below is a summary of infrastructure components and observed TTPs used by threat actors distributing Lumma Stealer until the takedown. <strong>These capabilities will likely be adapted to distribute other growing infostealers, such as Rhadamanthys in the near future.<\/strong><\/p>\n<div class=\"c-responsive-table\">\n<table>\n<thead>\n<tr>\n<th>Infrastructure Component<\/th>\n<th>Details<\/th>\n<th>Purpose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Command and control domains<\/td>\n<td>Domains with suspicious TLDs such as .shop, .top, .club, .run<\/td>\n<td>Command and control<\/td>\n<\/tr>\n<tr>\n<td>GitHub repositories<\/td>\n<td>Used for distribution and updates<\/td>\n<td>Initial payload delivery<\/td>\n<\/tr>\n<tr>\n<td>Telegram channels<\/td>\n<td>Multiple distribution points, including t[.]me\/hitbase and t[.]me\/sharmamod<\/td>\n<td>Distribution, command and control and exfiltration<\/td>\n<\/tr>\n<tr>\n<td>SEO<\/td>\n<td>Distribution of ClickFix campaign links<\/td>\n<td>Initial infection vector<\/td>\n<\/tr>\n<tr>\n<td>Bulletproof hosting<\/td>\n<td>Hosting malicious payloads<\/td>\n<td>Payload storage<\/td>\n<\/tr>\n<tr>\n<td>Cracked software sites<\/td>\n<td>Distribution of Trojanized applications<\/td>\n<td>Initial infection vector<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-106186\" 
src=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Infostealer-Table-scaled.png\" alt=\"Infostealer Table\" width=\"2560\" height=\"996\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Infostealer-Table-scaled.png 2560w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Infostealer-Table-300x117.png 300w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Infostealer-Table-1024x399.png 1024w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Infostealer-Table-768x299.png 768w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Infostealer-Table-1536x598.png 1536w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Infostealer-Table-2048x797.png 2048w\" sizes=\"auto, (max-width: 2560px) 100vw, 2560px\" \/><\/p>\n<p><strong>Go deeper: See why <a href=\"https:\/\/www.forescout.com\/blog\/critical-condition-the-growing-threat-of-healthcare-data-breaches\/\">Healthcare data breach<\/a> information is so valuable \u2013 and why the industry is in critical condition in cybersecurity.<\/strong><\/p>\n<h2>Conclusion and Mitigation Recommendations<\/h2>\n<p>Lumma Stealer and Rhadamanthys exemplify new advances in credential theft techniques from traditional delivery methods to multi-stage chains with social engineering tactics. Even after Lumma\u2019s takedown, we don\u2019t expect infostealers to become less popular with cybercriminals. 
Quite the contrary, we believe that future infostealer malware will continue to blend technical sophistication with social engineering components.<\/p>\n<p>The sensitive data obtained by infostealers can lead to operational disruptions, data theft, and regulatory penalties to organizations in Financial Services, Healthcare and other critical sectors, as we <a href=\"https:\/\/www.forescout.com\/blog\/critical-condition-the-growing-threat-of-healthcare-data-breaches\/\">discussed in a recent blog<\/a>.<\/p>\n<p>The evolving credential theft techniques discussed in this blog have far-reaching implications that must be addressed by organizations. Therefore, we recommend the following:<\/p>\n<div class=\"c-responsive-table\">\n<table>\n<thead>\n<tr>\n<th>Mitigation<\/th>\n<th>Priority<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Implement Multi-Factor Authentication (MFA) in every system that supports it.<\/td>\n<td>CRITICAL<\/td>\n<\/tr>\n<tr>\n<td>Enable endpoint logging beyond alerts to include process, file, user, network, registry, driver and PowerShell activities.<\/td>\n<td>CRITICAL<\/td>\n<\/tr>\n<tr>\n<td>Gather logs from systems handling user authentication, especially SSO and cloud service access.<\/td>\n<td>CRITICAL<\/td>\n<\/tr>\n<tr>\n<td>Deploy continuous monitoring for suspicious authentication attempts and frequently review logs for potential unauthorized access.<\/td>\n<td>CRITICAL<\/td>\n<\/tr>\n<tr>\n<td>Rotate credentials and cryptographic keys suspected of being compromised.<\/td>\n<td>CRITICAL<\/td>\n<\/tr>\n<tr>\n<td>Block suspicious TLDs associated with infostealer infrastructure.<\/td>\n<td>HIGH<\/td>\n<\/tr>\n<tr>\n<td>Implement browser security controls to protect against credential theft.<\/td>\n<td>HIGH<\/td>\n<\/tr>\n<tr>\n<td>Conduct targeted training on social engineering techniques.<\/td>\n<td>MEDIUM<\/td>\n<\/tr>\n<tr>\n<td>Segment critical systems in the network to prevent lateral movement with compromised 
credentials.<\/td>\n<td>MEDIUM<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>Beyond these recommendations, organizations should consider dedicated threat hunting for authentication threats. These hunts should focus on:<\/p>\n<ul>\n<li>Authentication attempts from anomalous geographic locations<\/li>\n<li>Bulk data transfers from authentication infrastructure<\/li>\n<li>Anomalous query patterns against LDAP directories<\/li>\n<li>Anomalous certificate validation requests<\/li>\n<li>Manipulation of certificate trust chains<\/li>\n<li>Access to certificate private keys<\/li>\n<li>Anomalous password reset activities<\/li>\n<li>Failed MFA attempts on privileged accounts<\/li>\n<li>Unauthorized token generation<\/li>\n<li>Access from unexpected client applications<\/li>\n<li>Anomalous permissions to service accounts<\/li>\n<li>Creation of unauthorized administrative users<\/li>\n<li>Modification of cloud tenant configurations<\/li>\n<li>Abnormal access to sensitive cloud resources<\/li>\n<\/ul>\n<p>To defend against info stealers, the Forescout 4D Platform\u2122 includes advanced capabilities designed to detect and block such malware through detection rules, threat intel and behavioral analysis:<\/p>\n<ul>\n<li>CY-IR-0028 EDR Telemetry: MSHTA Execution Anomaly Detection (UEBA)<\/li>\n<li>CY-IR-0497 EDR Telemetry: Suspicious Invoke-WebRequest Execution Detected<\/li>\n<li>CY-IR-0102 Endpoint Security: Anti-Malware Detection<\/li>\n<\/ul>\n<h2>Indicators of Compromise (IoCs)<\/h2>\n<div class=\"c-responsive-table\">\n<table>\n<thead>\n<tr>\n<th>Type<\/th>\n<th>Value<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>URL<\/td>\n<td>Phishing: http:\/\/ok[.]fish-cloud-jar[.]us\/\n<p>Downloader: https:\/\/b8t[.]watchcollision[.]xyz\/7456f63a46cc318334a70159aa3c4291<br \/>\nhttps:\/\/bird[.]stone-apple-vine.pro\/ukk6dd9hy825[.]bin\n<p>C2: https:\/\/api[.]blue-pencil-wave[.]today\/78fc5131525a9e8d335b1\/bu4x10q<\/td>\n<\/tr>\n<tr>\n<td>IP<\/td>\n<td>104.16.248[.]249<br 
\/>\n104.21.46[.]32<\/td>\n<\/tr>\n<tr>\n<td>SHA256<\/td>\n<td>771002ad7876cd86be8cbdf09a121119d9bcc0748efd4e8664be781161bcc460<br \/>\n(Powershell downloader)<br \/>\n3773769cadbbc7cdd92f572e08915fe53d05f1a873c74c7d57be4876b1a64bff<br \/>\n(Rhadamanthys)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p><strong>Riskiest Devices Webinar: Explore the <a href=\"https:\/\/www.forescout.com\/webinars\/riskiest-devices-2025-webinar\/\">most up-to-date trends in device vulnerabilities on-demand<\/a>.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Information stealer or \u2018infostealer\u2019 malware is used by threat actors to harvest login items, such as cookies, credentials, and session tokens, as well as cryptocurrency wallets and credit card information from victims. Then, they are typically packaged as \u2018logs\u2019 and sold in dark web marketplaces. Ransomware, financial fraud, and corporate espionage are common follow-on activities [&hellip;]<\/p>\n","protected":false},"author":181,"featured_media":106194,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"ep_exclude_from_search":false,"footnotes":"","_links_to":"","_links_to_target":""},"categories":[562],"tags":[],"coauthors":[748,744,542],"class_list":["post-106184","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-views"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.8 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Infostealer Watch: Will Lumma\u2019s Takedown Help Rhadamanthys\u2019 Rise? - Forescout<\/title>\n<meta name=\"description\" content=\"Forescout\u2019s Vedere Labs analyzes the latest infostealer trends. Lumma shutters, Rhadamanthys expands via ClickFix. 
Mitigation, IOCs included.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.forescout.com\/blog\/infostealer-watch-will-lummas-takedown-help-rhadamanthys-rise\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Infostealer Watch: Will Lumma\u2019s Takedown Help Rhadamanthys\u2019 Rise? - Forescout\" \/>\n<meta property=\"og:description\" content=\"Forescout\u2019s Vedere Labs analyzes the latest infostealer trends. Lumma shutters, Rhadamanthys expands via ClickFix. Mitigation, IOCs included.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.forescout.com\/blog\/infostealer-watch-will-lummas-takedown-help-rhadamanthys-rise\/\" \/>\n<meta property=\"og:site_name\" content=\"Forescout\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/ForescoutTechnologies\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-22T19:36:13+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-05-22T19:46:46+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Blog-Infostealer-Nav.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"628\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Sai Molige, Prashant Tilekar, Forescout Research - Vedere Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@Forescout\" \/>\n<meta name=\"twitter:site\" content=\"@Forescout\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.forescout.com\/blog\/infostealer-watch-will-lummas-takedown-help-rhadamanthys-rise\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.forescout.com\/blog\/infostealer-watch-will-lummas-takedown-help-rhadamanthys-rise\/\"},\"author\":{\"name\":\"Sai Molige\",\"@id\":\"https:\/\/www.forescout.com\/#\/schema\/person\/6f75072e0c8de02ffad63cd244f136d9\"},\"headline\":\"Infostealer Watch: Will Lumma\u2019s Takedown Help Rhadamanthys\u2019 Rise?\",\"datePublished\":\"2025-05-22T19:36:13+00:00\",\"dateModified\":\"2025-05-22T19:46:46+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.forescout.com\/blog\/infostealer-watch-will-lummas-takedown-help-rhadamanthys-rise\/\"},\"wordCount\":1946,\"publisher\":{\"@id\":\"https:\/\/www.forescout.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.forescout.com\/blog\/infostealer-watch-will-lummas-takedown-help-rhadamanthys-rise\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Blog-Infostealer-Nav.png\",\"articleSection\":[\"News &amp; Views\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.forescout.com\/blog\/infostealer-watch-will-lummas-takedown-help-rhadamanthys-rise\/\",\"url\":\"https:\/\/www.forescout.com\/blog\/infostealer-watch-will-lummas-takedown-help-rhadamanthys-rise\/\",\"name\":\"Infostealer Watch: Will Lumma\u2019s Takedown Help Rhadamanthys\u2019 Rise? 
- Forescout\",\"isPartOf\":{\"@id\":\"https:\/\/www.forescout.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.forescout.com\/blog\/infostealer-watch-will-lummas-takedown-help-rhadamanthys-rise\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.forescout.com\/blog\/infostealer-watch-will-lummas-takedown-help-rhadamanthys-rise\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Blog-Infostealer-Nav.png\",\"datePublished\":\"2025-05-22T19:36:13+00:00\",\"dateModified\":\"2025-05-22T19:46:46+00:00\",\"description\":\"Forescout\u2019s Vedere Labs analyzes the latest infostealer trends. Lumma shutters, Rhadamanthys expands via ClickFix. Mitigation, IOCs included.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.forescout.com\/blog\/infostealer-watch-will-lummas-takedown-help-rhadamanthys-rise\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.forescout.com\/blog\/infostealer-watch-will-lummas-takedown-help-rhadamanthys-rise\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.forescout.com\/blog\/infostealer-watch-will-lummas-takedown-help-rhadamanthys-rise\/#primaryimage\",\"url\":\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Blog-Infostealer-Nav.png\",\"contentUrl\":\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Blog-Infostealer-Nav.png\",\"width\":1200,\"height\":628},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.forescout.com\/blog\/infostealer-watch-will-lummas-takedown-help-rhadamanthys-rise\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.forescout.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Infostealer Watch: Will Lumma\u2019s Takedown Help Rhadamanthys\u2019 
Rise?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.forescout.com\/#website\",\"url\":\"https:\/\/www.forescout.com\/\",\"name\":\"Forescout\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.forescout.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.forescout.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.forescout.com\/#organization\",\"name\":\"Forescout Technologies, Inc.\",\"url\":\"https:\/\/www.forescout.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.forescout.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.forescout.com\/wp-content\/uploads\/2019\/01\/forescout-logo.svg\",\"contentUrl\":\"https:\/\/www.forescout.com\/wp-content\/uploads\/2019\/01\/forescout-logo.svg\",\"width\":1,\"height\":1,\"caption\":\"Forescout Technologies, Inc.\"},\"image\":{\"@id\":\"https:\/\/www.forescout.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/ForescoutTechnologies\",\"https:\/\/x.com\/Forescout\",\"https:\/\/www.instagram.com\/forescouttechnologies\/\",\"https:\/\/www.linkedin.com\/company\/forescout-technologies\",\"https:\/\/www.youtube.com\/user\/forescout1\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.forescout.com\/#\/schema\/person\/6f75072e0c8de02ffad63cd244f136d9\",\"name\":\"Sai 
Molige\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.forescout.com\/#\/schema\/person\/image\/969ddeee0c69c8cd3d20666775276a76\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/fbe09c874db82828feb0fc6515364ce80d45b0999f559803c83c08ac01ce9097?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/fbe09c874db82828feb0fc6515364ce80d45b0999f559803c83c08ac01ce9097?s=96&d=mm&r=g\",\"caption\":\"Sai Molige\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Infostealer Watch: Will Lumma\u2019s Takedown Help Rhadamanthys\u2019 Rise? - Forescout","description":"Forescout\u2019s Vedere Labs analyzes the latest infostealer trends. Lumma shutters, Rhadamanthys expands via ClickFix. Mitigation, IOCs included.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.forescout.com\/blog\/infostealer-watch-will-lummas-takedown-help-rhadamanthys-rise\/","og_locale":"en_US","og_type":"article","og_title":"Infostealer Watch: Will Lumma\u2019s Takedown Help Rhadamanthys\u2019 Rise? - Forescout","og_description":"Forescout\u2019s Vedere Labs analyzes the latest infostealer trends. Lumma shutters, Rhadamanthys expands via ClickFix. 
Mitigation, IOCs included.","og_url":"https:\/\/www.forescout.com\/blog\/infostealer-watch-will-lummas-takedown-help-rhadamanthys-rise\/","og_site_name":"Forescout","article_publisher":"https:\/\/www.facebook.com\/ForescoutTechnologies","article_published_time":"2025-05-22T19:36:13+00:00","article_modified_time":"2025-05-22T19:46:46+00:00","og_image":[{"width":1200,"height":628,"url":"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Blog-Infostealer-Nav.png","type":"image\/png"}],"author":"Sai Molige, Prashant Tilekar, Forescout Research - Vedere Labs","twitter_card":"summary_large_image","twitter_creator":"@Forescout","twitter_site":"@Forescout","twitter_misc":{"Est. reading time":"11 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.forescout.com\/blog\/infostealer-watch-will-lummas-takedown-help-rhadamanthys-rise\/#article","isPartOf":{"@id":"https:\/\/www.forescout.com\/blog\/infostealer-watch-will-lummas-takedown-help-rhadamanthys-rise\/"},"author":{"name":"Sai Molige","@id":"https:\/\/www.forescout.com\/#\/schema\/person\/6f75072e0c8de02ffad63cd244f136d9"},"headline":"Infostealer Watch: Will Lumma\u2019s Takedown Help Rhadamanthys\u2019 Rise?","datePublished":"2025-05-22T19:36:13+00:00","dateModified":"2025-05-22T19:46:46+00:00","mainEntityOfPage":{"@id":"https:\/\/www.forescout.com\/blog\/infostealer-watch-will-lummas-takedown-help-rhadamanthys-rise\/"},"wordCount":1946,"publisher":{"@id":"https:\/\/www.forescout.com\/#organization"},"image":{"@id":"https:\/\/www.forescout.com\/blog\/infostealer-watch-will-lummas-takedown-help-rhadamanthys-rise\/#primaryimage"},"thumbnailUrl":"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Blog-Infostealer-Nav.png","articleSection":["News &amp; 
Views"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.forescout.com\/blog\/infostealer-watch-will-lummas-takedown-help-rhadamanthys-rise\/","url":"https:\/\/www.forescout.com\/blog\/infostealer-watch-will-lummas-takedown-help-rhadamanthys-rise\/","name":"Infostealer Watch: Will Lumma\u2019s Takedown Help Rhadamanthys\u2019 Rise? - Forescout","isPartOf":{"@id":"https:\/\/www.forescout.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.forescout.com\/blog\/infostealer-watch-will-lummas-takedown-help-rhadamanthys-rise\/#primaryimage"},"image":{"@id":"https:\/\/www.forescout.com\/blog\/infostealer-watch-will-lummas-takedown-help-rhadamanthys-rise\/#primaryimage"},"thumbnailUrl":"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Blog-Infostealer-Nav.png","datePublished":"2025-05-22T19:36:13+00:00","dateModified":"2025-05-22T19:46:46+00:00","description":"Forescout\u2019s Vedere Labs analyzes the latest infostealer trends. Lumma shutters, Rhadamanthys expands via ClickFix. 
Mitigation, IOCs included.","breadcrumb":{"@id":"https:\/\/www.forescout.com\/blog\/infostealer-watch-will-lummas-takedown-help-rhadamanthys-rise\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.forescout.com\/blog\/infostealer-watch-will-lummas-takedown-help-rhadamanthys-rise\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.forescout.com\/blog\/infostealer-watch-will-lummas-takedown-help-rhadamanthys-rise\/#primaryimage","url":"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Blog-Infostealer-Nav.png","contentUrl":"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Blog-Infostealer-Nav.png","width":1200,"height":628},{"@type":"BreadcrumbList","@id":"https:\/\/www.forescout.com\/blog\/infostealer-watch-will-lummas-takedown-help-rhadamanthys-rise\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.forescout.com\/"},{"@type":"ListItem","position":2,"name":"Infostealer Watch: Will Lumma\u2019s Takedown Help Rhadamanthys\u2019 Rise?"}]},{"@type":"WebSite","@id":"https:\/\/www.forescout.com\/#website","url":"https:\/\/www.forescout.com\/","name":"Forescout","description":"","publisher":{"@id":"https:\/\/www.forescout.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.forescout.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.forescout.com\/#organization","name":"Forescout Technologies, 
Inc.","url":"https:\/\/www.forescout.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.forescout.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.forescout.com\/wp-content\/uploads\/2019\/01\/forescout-logo.svg","contentUrl":"https:\/\/www.forescout.com\/wp-content\/uploads\/2019\/01\/forescout-logo.svg","width":1,"height":1,"caption":"Forescout Technologies, Inc."},"image":{"@id":"https:\/\/www.forescout.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/ForescoutTechnologies","https:\/\/x.com\/Forescout","https:\/\/www.instagram.com\/forescouttechnologies\/","https:\/\/www.linkedin.com\/company\/forescout-technologies","https:\/\/www.youtube.com\/user\/forescout1"]},{"@type":"Person","@id":"https:\/\/www.forescout.com\/#\/schema\/person\/6f75072e0c8de02ffad63cd244f136d9","name":"Sai Molige","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.forescout.com\/#\/schema\/person\/image\/969ddeee0c69c8cd3d20666775276a76","url":"https:\/\/secure.gravatar.com\/avatar\/fbe09c874db82828feb0fc6515364ce80d45b0999f559803c83c08ac01ce9097?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/fbe09c874db82828feb0fc6515364ce80d45b0999f559803c83c08ac01ce9097?s=96&d=mm&r=g","caption":"Sai 
Molige"}}]}},"featured_media_url":"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Blog-Infostealer-Nav.png","is_file":false,"excerpt_manually_set":false,"_links":{"self":[{"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/posts\/106184","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/users\/181"}],"replies":[{"embeddable":true,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/comments?post=106184"}],"version-history":[{"count":0,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/posts\/106184\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/media\/106194"}],"wp:attachment":[{"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/media?parent=106184"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/categories?post=106184"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/tags?post=106184"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/coauthors?post=106184"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}