{
	"id": "e734b251-e438-4c16-86ed-73c9ae723bcd",
	"created_at": "2026-04-06T00:16:09.949567Z",
	"updated_at": "2026-04-10T03:27:07.796834Z",
	"deleted_at": null,
	"sha1_hash": "b94c36613dfae893955cc7da2e8a8a708c3bf285",
	"title": "Back to Business: Lumma Stealer Returns with Stealthier Methods",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3344350,
	"plain_text": "Back to Business: Lumma Stealer Returns with Stealthier Methods\r\nBy: Junestherry Dela Cruz Jul 22, 2025 Read time: 8 min (2106 words)\r\nPublished: 2025-07-22 · Archived: 2026-04-05 15:37:19 UTC\r\nMalware\r\nLumma Stealer has re-emerged shortly after its takedown. This time, the cybergroup behind this malware appears\r\nto be intent on employing more covert tactics while steadily expanding its reach. This article shares the latest\r\nmethods used to propagate this threat.\r\nKey takeaways\r\nNot long after its takedown in May, Lumma Stealer is back. From June to July, the\r\nnumber of targeted accounts began resurging. Now, the malware is distributed with more discreet channels\r\nand stealthier evasion tactics.\r\nWith its information-stealing capabilities, Lumma Stealer can siphon sensitive data such as credentials and\r\nprivate files. Also, as the threat is marketed as a malware-as-a-service (MaaS), even cybercriminals with\r\nlittle to no technical knowledge can wield this malware.\r\nUsers can be lured to download the Lumma Stealer through fake cracked software, deceptive websites, and\r\nsocial media posts. From an organization’s perspective, employees with little to no cybersecurity awareness\r\ncould fall prey to these attacks.\r\nTrend Vision One™ detects and blocks the indicators of compromise (IOCs) discussed in this blog. Trend\r\nVision One customers can also access hunting queries, threat insights, and threat intelligence reports to\r\ngain rich context and the latest updates on Lumma Stealer. 
\r\nFollowing the sweeping law enforcement operation against Lumma Stealer in early 2025, which\r\nled to the seizure of over 2,300 malicious domains, initial signs pointed to a significant disruption of this notorious\r\ninformation-stealing malware.\r\nHowever, recent monitoring of Lumma Stealer reveals a steady and quiet resurgence in its activity.\r\nDespite the takedown of its core infrastructure and marketplaces, new campaigns have emerged, leveraging\r\ndelivery techniques such as GitHub abuse and fake CAPTCHA sites.\r\nNotably, the operators have shifted away from public underground forums, opting instead for more covert\r\nchannels and refined evasion tactics, allowing them to rebuild their operations while avoiding the spotlight.\r\nLumma Stealer takedown: Recap\r\nIn May 2025, a major global law enforcement operation targeted the Lumma Stealer malware, a prolific\r\ninformation-stealing MaaS that had been active since late 2022.\r\nhttps://www.trendmicro.com/en_us/research/25/g/lumma-stealer-returns.html\r\nPage 1 of 13\n\nThis coordinated action involved several law enforcement agencies and private sector partners. The operation’s\r\nkey achievements included:\r\nSeizure of infrastructure: Approximately 2,300 malicious domains forming the backbone of Lumma’s\r\ncommand-and-control (C\u0026C) infrastructure were seized or blocked. This included five domains used as\r\nlogin panels for Lumma Stealer’s administrators and customers.\r\nDisruption of operations: The central command structure and marketplaces used to distribute and sell\r\nLumma Stealer were taken down. 
Connections between infected machines and the malware’s servers were\r\nsevered, effectively cutting off communication and data exfiltration.\r\nAttacker response and technical insights\r\nOn May 24, shortly after the law enforcement takedown, the primary Lumma Stealer developer, part of the\r\nintrusion set internally referred to by Trend Micro as \"Water Kurita,\" posted a detailed statement on the XSS\r\nunderground forum.\r\nThe developer confirmed the seizure of nearly 2,500 domains and provided technical insight into the operation.\r\nAccording to the developer, while the infrastructure was compromised, law enforcement did not physically\r\nconfiscate their server as it was located in a jurisdiction outside their reach.\r\nInstead, authorities allegedly exploited a previously unknown vulnerability, suspected to be in the server’s\r\nIntegrated Dell Remote Access Controller (IDRAC), to gain access and format all disks, including backups, on\r\ntwo separate occasions.\r\nThe developer also noted that law enforcement replaced the original control panel with a phishing site designed to\r\ncollect client IP addresses and webcam access. In response, the Lumma Stealer team claimed to have restored\r\nserver access, disabled the vulnerable remote management interface, and suggested that further attempts at\r\nresurgence are likely.\r\nFigure 1. Lumma developer’s initial post in the XSS Forum regarding the takedown (Image from\r\nTwilight Cyber)\r\nLumma Stealer resurgence: Post-takedown activity\r\nFollowing the law enforcement action against Lumma Stealer and its associated infrastructure, our team has\r\nobserved clear signs of a resurgence in Lumma’s operations. Network telemetry indicates that Lumma’s\r\ninfrastructure began ramping up again within weeks of the takedown. 
This rapid recovery highlights the group’s\r\nresilience and adaptability in the face of disruption.\r\nFigure 2. Hunted Lumma C\u0026C URLs from Trend Micro telemetry\r\nWhen examining targeting patterns against our customers, we noted a slight dip in the number of unique accounts\r\ntargeted by Lumma malware in May 2025, coinciding with the timing of the takedown.\r\nHowever, this decrease was short-lived. From June through July, the number of targeted accounts steadily returned\r\nto their usual levels, suggesting that Lumma Stealer operators were able to quickly reestablish their operations and\r\nresume previous targeting activity.\r\nFigure 3. Lumma Stealer number of targeted accounts (April 1 to July 6, 2025)\r\nThese trends underscore the persistent nature of the Lumma threat and the ongoing challenge of neutralizing\r\nsophisticated malware operations, even after major law enforcement interventions.\r\nAnalysis of recent Lumma Stealer campaigns and TTPs\r\nIn order to better understand Lumma’s ongoing threat to our customers, we have conducted a detailed analysis of\r\nrecent campaigns attributed to Lumma Stealer.\r\nThis section outlines the observed TTPs employed by the threat actors, highlighting both established patterns and\r\nany notable shifts in their operational approach following the recent law enforcement action.\r\nBy sharing these insights, we aim to equip defenders with actionable intelligence to enhance detection, prevention,\r\nand response efforts against Lumma-related threats.\r\nNetwork infrastructure changes\r\nPrior to the recent law enforcement takedown, Lumma Stealer operators heavily leveraged Cloudflare’s\r\ninfrastructure to obfuscate their malicious domains.\r\nBy using Cloudflare, a widely trusted and legitimate service, they were able to mask the true origin of their\r\nservers, making detection and attribution significantly more 
challenging for defenders.\r\nHowever, following the takedown operation, we have observed a notable shift in their approach. While a small\r\nnumber of Lumma domains still utilize Cloudflare, the overall volume of abuse has dropped significantly.\r\nThis suggests that the operators might be intentionally reducing their reliance on more popular companies and\r\ninfrastructure, which are more susceptible to monitoring.\r\nFigure 4. Lumma C\u0026C domains in Cloudflare (January 1 to July 6, 2025)\r\nIn response to increased scrutiny, Lumma has diversified its infrastructure, relying on a range of alternative\r\nservice providers. Notably, we have observed a consistent pattern of Lumma domains utilizing legitimate cloud\r\ninfrastructure and data center services based in Russia, such as Selectel, especially in June, a few days after the\r\nattempted takedown.\r\nThis strategic pivot suggests a move towards providers that might be perceived as less responsive to law\r\nenforcement requests, further complicating efforts to track and disrupt their activities.\r\nFigure 5. Lumma C\u0026C domains in Selectel (January 1 to July 6, 2025)\r\nRecent campaigns post-takedown effort\r\nA critical component of Lumma Stealer’s ongoing success lies in its diverse and evolving delivery methods.\r\nUnderstanding how Lumma Stealer is propagated (whether through malvertising, compromised websites, etc.) 
is\r\nessential for defenders seeking to disrupt its infection chain.\r\nThis section provides a comprehensive analysis of recent Lumma Stealer campaigns, with a particular focus on the\r\nvectors and mechanisms used to deliver the malware.\r\nFake crack campaigns\r\nOne of the most prevalent and effective delivery mechanisms for Lumma Stealer involves the use of two fake\r\ntools: cracks and key generators (keygens). These are malicious software masquerading as free versions of\r\nlegitimate ones, and counterfeit unlockers for popular applications, respectively.\r\nCybercriminals exploit users’ desire for free software by leveraging malvertising and search engine manipulation.\r\nWhen a victim searches for a cracked version of an application or tool, they are often directed via malicious\r\nadvertisements or deceptive search results to a website hosting the fake crack.\r\nFigure 6. Sample website where Lumma can be downloaded\r\nThe download website typically incorporates JavaScript that, upon the victim clicking the “Download” button,\r\nredirects the user to a Traffic Detection System (TDS). The TDS fingerprints the user’s environment, and if all\r\nchecks are satisfied, the user is subsequently directed to a secondary download site hosting the password-protected\r\nLumma Downloader.\r\nFigure 7. File link\r\nClickFix campaigns\r\nClickFix is one of the most well-documented campaigns leading to Lumma Stealer infections. In this campaign,\r\nattackers inject malicious JavaScript into compromised websites, causing them to display a fake CAPTCHA page.\r\nThis page is designed to deceive users into executing a malicious PowerShell command via the Windows Run\r\ndialog box, ultimately facilitating the delivery of Lumma Stealer.\r\nFigure 8. 
ClickFix page urging the user to execute a set of commands to verify CAPTCHA\r\nFigure 9. An example of PowerShell commands executed from a ClickFix campaign\r\nThe infection chain usually involves several stages and execution of scripts before eventually leading to the\r\nLumma Stealer payload.\r\nFigure 10. Script executed by the ClickFix campaign\r\nIn this specific campaign, the PowerShell script downloaded and executed by the ClickFix campaign will decrypt\r\nand execute a .NET assembly binary using an XOR operation, load the decrypted program directly into memory,\r\nand then execute it. This process allows Lumma Stealer to run without saving any files to disk, making it much\r\nmore difficult for traditional security tools to detect or block its activity.\r\nGitHub campaigns\r\nAnother common delivery method for Lumma Stealer malware involves GitHub. Very similar campaigns were\r\nseen in March of this year.\r\nIn these campaigns, threat actors automatically create user accounts and repositories, often populating them with\r\nAI-generated README files. These repositories typically promote downloads for game-related cheats and\r\nexploits, enticing users to inadvertently install the malware.\r\nFigure 11. Automatically generated repository with Lumma file \"TempSpoofer.exe\"\r\nThe Lumma Stealer file usually can be downloaded directly as an EXE file on the repository or as a ZIP file from\r\nthe Releases section.\r\nFigure 12. Users associated with repositories linked to the Lumma Stealer file typically have only a\r\nsingle repository\r\nSocial media campaigns\r\nLumma Stealer has also been distributed through coordinated social media campaigns. 
On platforms such as\r\nYouTube, threat actors upload videos usually themed around topics like Photoshop cracks, which contain links\r\ndirecting viewers to external websites hosting Lumma malware.\r\nFigure 13. YouTube video with a link to a Lumma Stealer download page\r\nFigure 14. A Lumma Stealer download page abusing the legitimate sites.google.com platform\r\nSimilarly, campaigns on Facebook involve posts or advertisements that include links to malicious websites where\r\nusers can inadvertently download Lumma Stealer. These tactics leverage the trust and reach of social media\r\nplatforms to broaden the malware’s distribution and increase infection rates.\r\nFigure 15. A Facebook post advertising a fake video editor crack\r\nConclusion\r\nThe Lumma Stealer case exemplifies the adaptability and persistence of modern cybercriminal groups. Despite a\r\nmajor enforcement action, the group quickly reconstituted its operations, altered its infrastructure, and continued\r\nto innovate its delivery tactics.\r\nAs a MaaS offering, Lumma Stealer enables cybercriminals, including those with little to no technical\r\nbackground, to conduct attacks. This, together with existing and new campaigns, maximizes the malware’s spread.\r\nMore and more users can fall prey to the schemes, unwittingly allowing cybercriminals to steal sensitive data.\r\nThe ability of Lumma Stealer’s operators to regroup and innovate poses a continued risk to organizations and\r\nindividuals worldwide. This emphasizes the need for ongoing vigilance, proactive threat intelligence, and\r\nsustained collaboration between law enforcement and the cybersecurity community. Without this, even the most\r\nsignificant takedowns might only offer temporary relief from evolving cyber threats.\r\nOn their end, organizations must also remain vigilant at all times. 
Companies can hold regular cybersecurity\r\ntrainings for employees, helping them become adept at spotting deceptive and malicious software offers, websites,\r\nand social media posts. A proactive defense bolstered with cybersecurity tools can also further protect the\r\norganization.\r\nAs cybercriminal groups continue to adapt at a rapid pace, security approaches should aim to be one step ahead.\r\nProactive security with Trend Vision One™\r\nTrend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber\r\nrisk exposure management, security operations, and robust layered protection. This comprehensive approach helps\r\nyou predict and prevent threats, accelerating proactive security outcomes across your entire digital estate. Backed\r\nby decades of cybersecurity leadership and Trend Cybertron, the industry's first proactive cybersecurity AI, it\r\ndelivers proven results: a 92% reduction in ransomware risk and a 99% reduction in detection time.\r\nTrend Micro™ Threat Intelligence\r\nTo stay ahead of evolving threats, Trend customers can access Trend Vision One™ Threat Insights, which\r\nprovides the latest insights from Trend Research on emerging threats and threat actors.\r\nTrend Vision One Threat Insights\r\nThreat Actors: Water Kurita\r\nEmerging Threats: After the Crackdown: Tracking LummaStealer’s Ongoing Threat and Adaptation\r\nTrend Vision One Intelligence Reports (IOC Sweeping)\r\nAfter the Crackdown: Tracking LummaStealer's Ongoing Threat and Adaptation\r\nHunting Queries\r\nTrend Vision One Search App\r\nTrend Vision One customers can use the Search App to match or hunt for the malicious indicators mentioned in\r\nthis blog post with data in their environment. 
\r\nLumma Stealer detection\r\nmalName:*LUMMASTEALER* AND eventName:MALWARE_DETECTION AND LogType: detection AND\r\nLogType: detection\r\nMore hunting queries are available for Trend Vision One customers with Threat Insights entitlement enabled.\r\nIndicators of Compromise (IOCs)\r\nThe indicators of compromise for this entry can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/25/g/lumma-stealer-returns.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/25/g/lumma-stealer-returns.html"
	],
	"report_names": [
		"lumma-stealer-returns.html"
	],
	"threat_actors": [
		{
			"id": "5be99bea-0f77-492b-be61-e7cc225bbff4",
			"created_at": "2026-03-08T02:00:03.473966Z",
			"updated_at": "2026-04-10T02:00:03.983164Z",
			"deleted_at": null,
			"main_name": "Water Kurita",
			"aliases": [],
			"source_name": "MISPGALAXY:Water Kurita",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434569,
	"ts_updated_at": 1775791627,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b94c36613dfae893955cc7da2e8a8a708c3bf285.pdf",
		"text": "https://archive.orkl.eu/b94c36613dfae893955cc7da2e8a8a708c3bf285.txt",
		"img": "https://archive.orkl.eu/b94c36613dfae893955cc7da2e8a8a708c3bf285.jpg"
	}
}