Lumma Stealer Resurfaces After Doxxing with New Browser Fingerprinting to Target High-Value Victims
Do Son 
Trend Micro researchers have observed a significant resurgence in Lumma Stealer activityβalso tracked as Water Kuritaβdespite a targeted doxxing campaign last month that exposed the malwareβs alleged core members and initially disrupted its operations.
This resurgence is accompanied by one of the most notable upgrades to the malware in recent months: browser fingerprinting, a powerful reconnaissance capability now embedded directly into Lummaβs command-and-control (C&C) pipeline.
Trend Micro notes that the underground infostealer ecosystem experienced βa significant upheavalβ after Lumma operators were doxxed. Many customers migrated to competing platforms like Vidar and StealC. But telemetry has since shown a clear comeback: βStarting the week of October 20, 2025, Trendβs telemetry began to detect a notable uptick in activity associated with Lumma Stealer.β
This suggests that despite the operational chaos triggered by the doxxing campaign, Lummaβs developers have regrouped and begun deploying new, advanced capabilities to strengthen the malwareβs foothold.
The most significant evolution is Lummaβs adoption of browser fingerprinting as part of its C&C operations: βLumma Stealer now uses browser fingerprinting as part of its command-and-control (C&C) tactics.β
This technique involves deploying JavaScript payloads to collect:
- System and platform information
- Hardware specs (CPU, memory, GPU)
- WebGL and canvas signatures
- Audio and WebRTC metadata
- Network attributes
- Browser plugins, fonts, screen data, and more
Trend Micro describes the tactic as a stealthy, high-fidelity profiling step: βThe fingerprinting technique involves collecting and exfiltrating system, network, hardware, and browser data using JavaScript payloads and stealthy HTTP communications.β
This allows Lumma to:
- Detect sandboxes and analysis environments
- Prioritize high-value victims
- Tune payloads for different system types
- Better evade behavioral detection
Trend researchers emphasize that these behaviors βenable Lumma Stealer to maintain operational continuity, assess victim environments to guide follow-on actions, and evade detection.β
The report highlights Lummaβs continued use of process injection techniques to blend into browser activity: βLumma Stealerβs use of process injection techniques, specifically employing remote thread injection from MicrosoftEdgeUpdate.exe into legitimate Chrome browser processes (chrome.exe).β
This allows the malware to operate under the guise of trusted browser processesβdramatically reducing its detection footprint and mimicking normal web traffic.
Trend Micro identifies an upgraded C&C workflow featuring a dedicated fingerprinting endpoint:
- The malware contacts <C2>/api/set_agent
- Sends parameters: id, token, agent
- Receives JavaScript fingerprinting payloads
- Transmits data back using POST requests with act=log
Despite this evolution, Lummaβs core communication model remains intact: βLumma Stealer maintains its core C&C communication structureβ¦ including parameters uid and cid.β
This indicates that the fingerprinting module is an augmentation, not a replacementβextending Lummaβs reach while preserving backward compatibility with existing criminal infrastructure.
The report also highlights cracks in Lummaβs operational foundation following the doxxing campaign. Underground visibility has declined, and Trend Micro notes that βmultiple fraudulent Telegram accounts impersonating legitimate Lumma Stealer channelsβ have caused disruption among buyers and operators.
Despite its operational turbulence, Trend Micro assesses that Lumma remains a continuing threat: βLumma Stealer remains an active threat with continued endpoint targeting and the documented deployment of GhostSocks as a secondary payload.β
Trendβs analysts conclude that the operators are choosing to βkeep a low profileβ¦ while maintaining basic operations, likely waiting for the right opportunity to resume full-scale activities.β
Related Posts:
- Lumma Stealer: Unpacking Its Evasive Tactics and Complex Infection Chains
- Lumma Stealer Resurfaces After Takedown: New Stealth Tactics Target Users via Fake Cracks, CAPTCHAs & GitHub
- Lumma Stealer MaaS: Clipboard Hijacking and LOLBins Used in Latest Campaign
- MaaS in Action: How Lumma Stealer Employs Advanced Delivery Techniques
- Lumma Stealer Malware Campaign Targets Educational Institutions with Deceptive PDF Lures
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
