Increase in Lumma Stealer Activity Coincides with Use of Adaptive Browser Fingerprinting Tactics
Summary:
Lumma Stealer (tracked by Trend Micro as Water Kurita) has re-emerged after a temporary decline caused by the doxxing of its alleged operators. Beginning the week of October 20, 2025, Trend telemetry shows a renewed surge in activity accompanied by a major evolution in its command-and-control behavior: the introduction of browser fingerprinting. This new capability allows Lumma to collect detailed system, hardware, network, and browser attributes through injected JavaScript, adding a stealthy layer of victim profiling to its traditional C&C channels. The group continues relying on core WinHTTP-based communication, still transmitting campaign-tracking parameters like uid and cid, indicating that fingerprinting augments rather than replaces existing infrastructure. Lumma also maintains its long-standing process injection technique, specifically remote thread injection from MicrosoftEdgeUpdate.exe into Chrome processes, which allows malicious activity to blend with legitimate browser traffic. Network captures show new communication with a dedicated endpoint used to identify victims and exfiltrate fingerprint data via GET/POST requests.
Despite this technical advancement, the Lumma ecosystem shows signs of operational instability. Underground forum visibility has dropped, fraudulent Telegram accounts are impersonating the group and causing fragmentation, and newer samples contain outdated or sinkholed C&C domains, suggesting weakened infrastructure hygiene. Even so, Lumma Stealer remains active, continues targeting endpoints, and still deploys secondary payloads such as GhostSocks. Trend assesses, and evidence supports, that the operators are intentionally keeping a low profile rather than shutting down, maintaining essential operations while avoiding further scrutiny.
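As an added illustration of the process-injection detail described above (this is example code, not part of the Trend Micro report), the following Python scans Sysmon Event ID 8 (CreateRemoteThread) records and flags a remote thread created by MicrosoftEdgeUpdate.exe inside chrome.exe, which the summary names as Lumma's long-standing technique. The JSON field layout (a forwarder exporting Sysmon fields such as SourceImage, TargetImage and StartModule), the expected Edge updater install directory, and the three sample records are assumptions constructed for this example.

```python
"""Detection logic for MicrosoftEdgeUpdate.exe -> chrome.exe remote thread injection.

Added example, not the report's or Trend Micro's code. Field names follow the
Sysmon CreateRemoteThread (Event ID 8) schema; the JSON-lines layout and the
sample records below are constructed for the example.
"""
import json
import ntpath
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Where the genuine Edge updater is installed (assumption used as extra context;
# the injection itself is the primary signal, wherever the image runs from).
EXPECTED_EDGEUPDATE_DIR = r"c:\program files (x86)\microsoft\edgeupdate"
TARGET_BROWSERS = {"chrome.exe"}

# Constructed sample Sysmon records (JSON lines). Record 101 models the injection
# the report describes; 102 is benign remote-thread noise; 103 is a different event type.
SAMPLE_LOG = r'''
{"EventID": 8, "RecordId": 101, "Computer": "WS-42", "SourceProcessId": 4120, "SourceImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\MicrosoftEdgeUpdate.exe", "TargetProcessId": 3380, "TargetImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "StartAddress": "0x000001E4F2A10000", "StartModule": "", "StartFunction": ""}
{"EventID": 8, "RecordId": 102, "Computer": "WS-42", "SourceProcessId": 612, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetProcessId": 5004, "TargetImage": "C:\\Windows\\System32\\notepad.exe", "StartAddress": "0x00007FFB1C2A3D10", "StartModule": "C:\\Windows\\System32\\ntdll.dll", "StartFunction": "EtwpNotificationThread"}
{"EventID": 3, "RecordId": 103, "Computer": "WS-42", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
'''


@dataclass
class Finding:
    record_id: int
    host: str
    source_pid: int
    target_pid: int
    reasons: List[str]


def parse_events(log_text: str) -> List[dict]:
    """Parse JSON-lines Sysmon export into dicts, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def _basename(image: str) -> str:
    # ntpath handles Windows paths regardless of the analysis host's OS.
    return ntpath.basename(image).lower()


def evaluate(event: dict) -> Optional[Finding]:
    """Return a Finding for an EdgeUpdate -> Chrome CreateRemoteThread event, else None."""
    if event.get("EventID") != 8:
        return None
    src = event.get("SourceImage", "")
    tgt = event.get("TargetImage", "")
    if _basename(src) != "microsoftedgeupdate.exe" or _basename(tgt) not in TARGET_BROWSERS:
        return None

    # The updater has no legitimate reason to create threads inside Chrome.
    reasons = ["MicrosoftEdgeUpdate.exe created a remote thread in " + _basename(tgt)]
    # Secondary context: an updater image outside its install directory.
    if ntpath.dirname(src).lower() != EXPECTED_EDGEUPDATE_DIR:
        reasons.append("updater image runs from an unexpected directory: " + src)
    # Secondary context: a start address that Sysmon could not map to a loaded
    # module usually means the thread begins in unbacked (injected) memory.
    if not event.get("StartModule"):
        reasons.append("thread start address is not backed by a loaded module")

    return Finding(
        record_id=int(event.get("RecordId", 0)),
        host=str(event.get("Computer", "")),
        source_pid=int(event.get("SourceProcessId", 0)),
        target_pid=int(event.get("TargetProcessId", 0)),
        reasons=reasons,
    )


def scan(events: Iterable[dict]) -> List[Finding]:
    """Apply evaluate() to every record and keep the hits."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(parse_events(SAMPLE_LOG)):
        print(f"[{finding.host}] record {finding.record_id}: "
              f"pid {finding.source_pid} -> pid {finding.target_pid}")
        for reason in finding.reasons:
            print("   -", reason)
```

The match on image basenames is deliberate: the injection pattern is the signal, and the path and start-module checks only add context for triage. The target process ID in a finding is the Chrome instance whose subsequent network activity deserves a closer look, since the report notes that the malicious traffic is meant to blend in with legitimate browser traffic.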
Security Officer Comments:
Lumma’s fingerprinting capability meaningfully improves its evasion and targeting, enabling it to filter victims, spot sandboxes, and tailor follow-on actions. Its hybrid C&C structure increases resilience by preserving backward compatibility while enabling new profiling workflows. Process injection into Chrome substantially complicates host and network detections due to the high-noise nature of browser traffic. Although infrastructure mismanagement hints at operational stress, the group is still functional and actively adapting. The quiet posture appears deliberate and temporary, signaling an actor that is regrouping, not retreating, and likely preparing for broader-scale operations once external pressure has diminished.
Suggested Corrections:
To help organizations effectively defend against the evolving tactics of Lumma Stealer, users and defenders can apply security best practices such as:
- Strengthen email security awareness. Train employees to identify and report phishing emails, particularly those impersonating legitimate software updates, shipping notifications, or urgent security alerts that trick users into downloading malicious attachments or clicking suspicious links.
- Exercise caution with online advertisements. Be wary of clicking on advertisements, especially those offering free software downloads, urgent security warnings, or "too good to be true" deals, as cybercriminals use malicious ads to distribute malware through compromised websites.
- Enforce software installation controls. Restrict user permissions to install software and establish approved software repositories, as malware often spreads through fake software installers, cracked applications, and malicious browser extensions downloaded from unofficial sources.
- Be suspicious of unusual CAPTCHA requests. Question CAPTCHA prompts that ask you to copy and paste commands, run PowerShell scripts, or perform actions beyond simple image verification, as cybercriminals use fake CAPTCHA pages to trick users into executing malicious code that downloads malware.
- Implement multi-factor authentication (MFA) on your accounts. Even though advanced attacks like adversary-in-the-middle (AiTM) phishing can try to get around it, MFA is still a crucial security measure that blocks many types of account compromise.
https://www.trendmicro.com/en_us/research/25/k/lumma-stealer-browser-fingerprinting.html