{
	"id": "cc7d6195-76d6-44da-b7eb-35a89bdc6f57",
	"created_at": "2026-04-06T00:07:32.605688Z",
	"updated_at": "2026-04-10T03:27:07.795603Z",
	"deleted_at": null,
	"sha1_hash": "74ad41bb5c59e084faaf2b4fd5d9e23b9db8b1dc",
	"title": "Increase in Lumma Stealer Activity Coincides with Use of Adaptive Browser Fingerprinting Tactics",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1545976,
	"plain_text": "Increase in Lumma Stealer Activity Coincides with Use of Adaptive\r\nBrowser Fingerprinting Tactics\r\nPublished: 2025-11-13 · Archived: 2026-04-05 13:42:46 UTC\r\nMalware\r\nIn this blog entry, Trend™ Research analyses the layered command-and-control approaches that Lumma Stealer uses to\r\nmaintain its ongoing operations while enhancing collection of victim-environment data.\r\nBy: Junestherry Dela Cruz, Sarah Pearl Camiling Nov 13, 2025 Read time: 6 min (1698 words)\r\nKey takeaways\r\nThe doxxing of Lumma Stealer’s alleged core members initially led to a decline in activity, but Trend™ Research\r\nobserved an increase in Lumma Stealer-related activity (which Trend Micro tracks as Water Kurita) since the week of\r\nOctober 20, as well as new behaviors and C\u0026C techniques.  \r\nLumma Stealer now uses browser fingerprinting as part of its command-and-control (C\u0026C) tactics, supplementing\r\ntraditional C\u0026C protocols. The fingerprinting technique involves collecting and exfiltrating system, network,\r\nhardware, and browser data using JavaScript payloads and stealthy HTTP communications with Lumma Stealer’s\r\nC\u0026C server.\r\nThese newly observed behaviors enable Lumma Stealer to maintain operational continuity, assess victim\r\nenvironments to guide follow-on actions, and evade detection.\r\nTrend Vision One™ detects and blocks the specific indicators of compromise (IoCs) mentioned in this blog, and\r\noffers customers access to hunting queries, threat insights, and intelligence reports related to Lumma Stealer.\r\nIn the wake of a targeted doxxing campaign last month that exposed the alleged core members of Lumma Stealer (which\r\nTrend Micro tracks as Water Kurita), the underground infostealer landscape experienced a significant upheaval. 
As detailed\r\nin Trend™ Research’s previous report, this exposure led to a marked decline in Lumma Stealer's activity,\r\nwith many of its customers migrating to rival platforms such as Vidar and StealC. However, recent\r\nobservations from our telemetry indicate a resurgence in Lumma Stealer activity, accompanied by notable changes in its\r\ncommand-and-control (C\u0026C) behaviors, particularly the introduction of browser fingerprinting techniques.\r\nDetailed analysis\r\nStarting the week of October 20, 2025, Trend’s telemetry began to detect a notable uptick in activity associated with Lumma\r\nStealer, revealing a shift in its targeting strategy as new endpoints emerged as prime targets (Figure 1). A key development\r\nin this resurgence is the implementation of browser fingerprinting techniques by the malware, representing a significant\r\nevolution in its C\u0026C infrastructure while maintaining core communication protocols consistent with previous versions.\r\nhttps://www.trendmicro.com/en_us/research/25/k/lumma-stealer-browser-fingerprinting.html\r\nPage 1 of 7\n\nFigure 1. Endpoints targeted by Lumma Stealer from October 1 to November 3, 2025\r\nProcess injection and browser hijacking\r\nThe analyzed samples demonstrate Lumma Stealer's use of process injection techniques, specifically employing remote\r\nthread injection from MicrosoftEdgeUpdate.exe into legitimate Chrome browser processes (chrome.exe), as seen in Figure\r\n2. This technique allows the malware to execute within the context of a trusted browser process, effectively bypassing many\r\nsecurity controls and appearing as legitimate browser traffic to network monitoring systems.\r\nFigure 2. New Lumma Stealer browser fingerprinting behavior as seen from Trend’s XDR logs\r\nNetwork traffic analysis\r\nNetwork capture analysis reveals the malware's communication patterns with the C\u0026C infrastructure. 
The initial connection\r\nto the fingerprinting endpoint at \u003cc2 domain\u003e/api/set_agent is clearly visible in the network traffic, showing the HTTP GET\r\nrequest with the associated parameters including the unique identifier and authentication token (Figure 3). This traffic\r\npattern represents a new addition to Lumma Stealer's communication repertoire, occurring alongside its traditional C\u0026C\r\nprotocols.\r\nFigure 3. Browser fingerprinting behavior\r\nNew C\u0026C endpoint: Browser fingerprinting infrastructure\r\nThe malware now communicates with a dedicated fingerprinting endpoint at /api/set_agent on the C\u0026C domain\r\n(jamelik[.]asia in this case). The initial GET request includes several parameters:\r\nid - A unique 32-character hexadecimal identifier\r\ntoken - A session token for authentication\r\nagent - Browser identification (Chrome in this case)\r\nDespite the introduction of browser fingerprinting capabilities, our analysis confirms that Lumma Stealer maintains its core\r\nC\u0026C communication structure as previously documented in Microsoft’s research (Figure 4). Debug\r\nanalysis reveals the malware continues to transmit traditional C\u0026C parameters (Figure 5), including:\r\nuid - The unique identifier for the Lumma Stealer client/operator and campaign (updated from 'lid' in version 6)\r\ncid - Optional field identifying additional Lumma Stealer features (updated from 'j' in version 6)\r\nFigure 4. Using WinHTTP APIs, the malware establishes an outbound connection to its C\u0026C server, enabling\r\nremote operators to issue commands, exfiltrate data, or deploy additional payloads\r\nFigure 5. 
URL parameters uid and cid are transmitted to Lumma Stealer C\u0026C for operators to track\r\ncampaigns\r\nThis consistency indicates that the fingerprinting functionality represents an augmentation rather than a replacement of\r\nexisting C\u0026C infrastructure, suggesting the operators are layering new capabilities onto proven communication frameworks.\r\nConfiguration management\r\nAnalysis of the downloaded configuration data (Figure 6) reveals how the malware orchestrates both traditional data\r\nexfiltration and the new fingerprinting operations. The configuration maintains the established structure for managing C\u0026C\r\ndomains, command parameters, and operational directives while incorporating new directives for browser profiling\r\nactivities.\r\nFigure 6. Downloaded configuration from C\u0026C server\r\nBrowser fingerprinting payload\r\nUpon accessing the fingerprinting endpoint, the C\u0026C server responds with JavaScript code designed to collect an extensive\r\narray of system and browser characteristics. 
The fingerprinting script gathers the following information:\r\nSystem information\r\nPlatform details, user agent strings, and language preferences\r\nHardware specifications including CPU cores, device memory, and touch capabilities\r\nBrowser vendor information and application metadata\r\nBrowser profiling\r\nWebGL fingerprinting - Extracts graphics card vendor, renderer information, and supported extensions\r\nCanvas fingerprinting - Generates unique visual signatures by rendering text and shapes\r\nAudio context analysis - Captures audio system capabilities including sample rates and channel configurations.\r\nWebRTC information - Collects network interface details through Interactive Connectivity Establishment (ICE)\r\ncandidates and Session Description Protocol (SDP) data\r\nNetwork and hardware characteristics\r\nConnection type, effective bandwidth, and round-trip time measurements\r\nScreen resolution, color depth, and orientation data\r\nAvailable fonts and browser plugin information\r\nData exfiltration mechanism\r\nAfter collecting the comprehensive fingerprint data, the script serializes all information into JSON format and transmits it\r\nback to the C\u0026C server via a POST request to the same endpoint with an additional act=log parameter. 
The data is sent\r\nusing URL-encoded form data, and upon completion, the browser is redirected to about:blank to minimize user awareness.\r\nTactical implications\r\nThis hybrid approach – combining established C\u0026C protocols with new fingerprinting capabilities – serves multiple\r\nstrategic purposes for Lumma Stealer operators:\r\nEnhanced evasion - The detailed system profiling allows the malware to identify virtual machines, sandboxes, and\r\nanalysis environments\r\nImproved targeting - Operators can selectively deploy payloads based on victim profiles and system capabilities\r\nOperational continuity - Maintaining proven C\u0026C parameters ensures compatibility with existing infrastructure and\r\ntools\r\nDetection avoidance - The use of legitimate browser processes and standard HTTP traffic patterns makes detection\r\nsignificantly more challenging\r\nThis fingerprinting implementation, combined with the retention of established C\u0026C protocols, indicates that Lumma\r\nStealer developers have strategically enhanced their capabilities without abandoning proven operational methods.\r\nWater Kurita (Lumma Stealer) threat landscape assessment\r\nUnderground forum monitoring reveals a notable decline in Lumma Stealer threat actors' presence across cybercriminal\r\ncommunities, though marketplace activity continues with ongoing buying and selling of Lumma Stealer logs. The threat\r\nlandscape has been further disrupted by multiple fraudulent Telegram accounts impersonating legitimate Lumma Stealer\r\nchannels, potentially creating confusion within the threat actor community and fragmenting the user base. 
This operational\r\ndisruption suggests the Lumma Stealer ecosystem is facing significant challenges in maintaining its previous level of\r\ncoordination and communication.\r\nDespite reduced underground visibility, Lumma Stealer remains an active threat with continued endpoint targeting and the\r\ndocumented deployment of GhostSocks as a secondary payload. However, operational degradation is evident in the threat\r\nactors' infrastructure management practices. New binary samples now contain outdated C\u0026C domains – including\r\nMicrosoft-sinkholed infrastructure – alongside single active C\u0026C servers, contrasting sharply with previous comprehensive\r\ndomain rotation practices that demonstrated more sophisticated operational security.\r\nWe assess with medium confidence that Lumma Stealer operators are keeping a low profile to avoid attracting attention\r\nfrom law enforcement and competitors. The threat actors appear to be deliberately reducing their visibility while maintaining\r\nbasic operations, likely waiting for the right opportunity to resume full-scale activities. This suggests they are still in\r\nbusiness but operating more cautiously rather than shutting down completely.\r\nSecurity recommendations\r\nTo help organizations effectively defend against the evolving tactics of Lumma Stealer, users and defenders can apply\r\nsecurity best practices such as:\r\nStrengthen email security awareness. Train employees to identify and report phishing emails, particularly those\r\nimpersonating legitimate software updates, shipping notifications, or urgent security alerts that trick users into\r\ndownloading malicious attachments or clicking suspicious links\r\nExercise caution with online advertisements. 
Be wary of clicking on advertisements, especially those offering free\r\nsoftware downloads, urgent security warnings, or \"too good to be true\" deals, as cybercriminals use malicious ads to\r\ndistribute malware through compromised websites\r\nEnforce software installation controls. Restrict user permissions to install software and establish approved software\r\nrepositories, as malware often spreads through fake software installers, cracked applications, and malicious browser\r\nextensions downloaded from unofficial sources\r\nBe suspicious of unusual CAPTCHA requests. Question CAPTCHA prompts that ask you to copy and paste\r\ncommands, run PowerShell scripts, or perform actions beyond simple image verification, as cybercriminals use fake\r\nCAPTCHA pages to trick users into executing malicious code that downloads malware\r\nImplement multi-factor authentication (MFA) on your accounts: Even though advanced attacks like adversary-in-the-middle (AiTM) phishing can try to get around it, MFA is still a crucial security measure that blocks many types of\r\naccount compromise.\r\nHunting Queries\r\nTrend Vision One Search App\r\nTrend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post\r\nwith data in their environment.   \r\nDetection of Suspicious File Movement Involving .mid and .mid.bat Files\r\neventSubId: 2 AND objectCmd: /move.*\\w+.mid(.bat)?/ \r\nDetection of Lumma Stealer Browser Fingerprinting Activity\r\neventSubId: 701 AND objectCmd: \"*//api//set_agent?*\u0026id*\u0026token*\u0026description*\"\r\nMore hunting queries are available for Trend Vision One customers with Threat Insights entitlement enabled. 
\r\nIndicators of Compromise (IoCs)\r\nFile\r\nIndicator Detection name\r\n516cd47d091622b3eb256d25b984a5ede0d5dd9540e342a28e199082395e65e5 TrojanSpy.Win64.LUMMASTEALER.THKAAB\r\nURLs\r\nIndicator Description\r\npabuloa[.]asia C\u0026C server\r\njamelik[.]asia C\u0026C server\r\nSource: https://www.trendmicro.com/en_us/research/25/k/lumma-stealer-browser-fingerprinting.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/25/k/lumma-stealer-browser-fingerprinting.html"
	],
	"report_names": [
		"lumma-stealer-browser-fingerprinting.html"
	],
	"threat_actors": [
		{
			"id": "5be99bea-0f77-492b-be61-e7cc225bbff4",
			"created_at": "2026-03-08T02:00:03.473966Z",
			"updated_at": "2026-04-10T02:00:03.983164Z",
			"deleted_at": null,
			"main_name": "Water Kurita",
			"aliases": [],
			"source_name": "MISPGALAXY:Water Kurita",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434052,
	"ts_updated_at": 1775791627,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/74ad41bb5c59e084faaf2b4fd5d9e23b9db8b1dc.pdf",
		"text": "https://archive.orkl.eu/74ad41bb5c59e084faaf2b4fd5d9e23b9db8b1dc.txt",
		"img": "https://archive.orkl.eu/74ad41bb5c59e084faaf2b4fd5d9e23b9db8b1dc.jpg"
	}
}