- What: Lumma Stealer malware has resurfaced with stealthier methods after a takedown in May.
- Impact: The malware targets accounts to siphon sensitive data, including credentials and private files, and is distributed through discreet channels like fake cracked software.
Back to Business: Lumma Stealer Returns with Stealthier Methods

Lumma Stealer has re-emerged shortly after its takedown. This time, the group behind the malware appears intent on employing more covert tactics while steadily expanding its reach. This article shares the latest methods used to propagate this threat.

By: Junestherry Dela Cruz
Jul 22, 2025

Key takeaways

- Not long after its takedown in May, Lumma Stealer is back. From June to July, the number of targeted accounts resurged, and the malware is now distributed through more discreet channels with stealthier evasion tactics.
- With its information-stealing capabilities, Lumma Stealer can siphon sensitive data such as credentials and private files. Because it is marketed as malware-as-a-service (MaaS), even cybercriminals with little to no technical knowledge can wield it.
- Users can be lured into downloading Lumma Stealer through fake cracked software, deceptive websites, and social media posts. From an organization's perspective, employees with little to no cybersecurity awareness could fall prey to these attacks.
- Trend Vision One™ detects and blocks the indicators of compromise (IOCs) discussed in this blog. Trend Vision One customers can also access hunting queries, threat insights, and threat intelligence reports for rich context and the latest updates on Lumma Stealer.

Following the sweeping law enforcement operation against Lumma Stealer in May 2025, which led to the seizure of over 2,300 malicious domains, initial signs pointed to a significant disruption of this notorious information-stealing malware. However, recent monitoring reveals a steady and quiet resurgence in its activity. Despite the takedown of its core infrastructure and marketplaces, new campaigns have emerged that leverage delivery techniques such as GitHub abuse and fake CAPTCHA sites. Notably, the operators have shifted away from public underground forums, opting instead for more covert channels and refined evasion tactics, which allows them to rebuild their operations while avoiding the spotlight.

Lumma Stealer takedown: Recap

In May 2025, a major global law enforcement operation targeted Lumma Stealer, a prolific information-stealing MaaS that had been active since late 2022. This coordinated action involved several law enforcement agencies and private sector partners. The operation's key achievements included:

- Seizure of infrastructure: Approximately 2,300 malicious domains forming the backbone of Lumma's command-and-control (C&C) infrastructure were seized or blocked, including five domains used as login panels for Lumma Stealer's administrators and customers.
- Disruption of operations: The central command structure and the marketplaces used to distribute and sell Lumma Stealer were taken down. Connections between infected machines and the malware's servers were severed, cutting off communication and data exfiltration.

Attacker response and technical insights

On May 24, shortly after the takedown, the primary Lumma Stealer developer, part of the intrusion set that Trend Micro internally tracks as "Water Kurita," posted a detailed statement on the XSS underground forum. The developer confirmed the seizure of nearly 2,500 domains and provided technical insight into the operation. According to the developer, while the infrastructure was compromised, law enforcement did not physically confiscate the server because it was located in a jurisdiction outside their reach. Instead, authorities allegedly exploited a previously unknown vulnerability, suspected to be in the server's Integrated Dell Remote Access Controller (iDRAC), to gain access and format all disks, including backups, on two separate occasions. The developer also noted that law enforcement replaced the original control panel with a phishing site designed to collect client IP addresses and webcam access. In response, the Lumma Stealer team claimed to have restored server access and disabled the vulnerable remote management interface, and suggested that further attempts at resurgence are likely.

Figure 1. Lumma developer's initial post in the XSS Forum regarding the takedown (Image from Twilight Cyber)

Lumma Stealer resurgence: Post-takedown activity

Following the law enforcement action against Lumma Stealer and its associated infrastructure, our team has observed clear signs of a resurgence in Lumma's operations. Network telemetry indicates that Lumma's infrastructure began ramping up again within weeks of the takedown. This rapid recovery highlights the group's resilience and adaptability in the face of disruption.

Figure 2. Hunted Lumma C&C URLs from Trend Micro telemetry

When examining targeting patterns against our customers, we noted a slight dip in the number of unique accounts targeted by Lumma malware in May 2025, coinciding with the timing of the takedown. However, this