Trend Micro researchers have observed a significant resurgence in Lumma Stealer activity—also tracked as Water Kurita—despite a targeted doxxing campaign last month that exposed the malware’s alleged core members and initially disrupted its operations.
This resurgence is accompanied by one of the most notable upgrades to the malware in recent months: browser fingerprinting, a powerful reconnaissance capability now embedded directly into Lumma’s command-and-control (C&C) pipeline.
Trend Micro notes that the underground infostealer ecosystem experienced “a significant upheaval” after Lumma operators were doxxed. Many customers migrated to competing platforms like Vidar and StealC. But telemetry has since shown a clear comeback: “Starting the week of October 20, 2025, Trend’s telemetry began to detect a notable uptick in activity associated with Lumma Stealer.”
This suggests that despite the operational chaos triggered by the doxxing campaign, Lumma’s developers have regrouped and begun deploying new, advanced capabilities to strengthen the malware’s foothold.
The most significant evolution is Lumma’s adoption of browser fingerprinting as part of its C&C operations: “Lumma Stealer now uses browser fingerprinting as part of its command-and-control (C&C) tactics.”
This technique involves deploying JavaScript payloads to collect:
- System and platform information
- Hardware specs (CPU, memory, GPU)
- WebGL and canvas signatures
- Audio and WebRTC metadata
- Network attributes
- Browser plugins, fonts, screen data, and more
Trend Micro describes the tactic as a stealthy, high-fidelity profiling step: “The fingerprinting technique involves collecting and exfiltrating system, network, hardware, and browser data using JavaScript payloads and stealthy HTTP communications.”
This allows Lumma to:
- Detect sandboxes and analysis environments
- Prioritize high-value victims
- Tune payloads for different system types
- Better evade behavioral detection
Trend researchers emphasize that these behaviors “enable Lumma Stealer to maintain operational continuity, assess victim environments to guide follow-on actions, and evade detection.”
The report highlights Lumma’s continued use of process injection techniques to blend into browser activity: “Lumma Stealer’s use of process injection techniques, specifically employing remote thread injection from MicrosoftEdgeUpdate.exe into legitimate Chrome browser processes (chrome.exe).”
This allows the malware to operate under the guise of trusted browser processes—dramatically reducing its detection footprint and mimicking normal web traffic.
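The injection pattern the report describes (a remote thread created from MicrosoftEdgeUpdate.exe inside chrome.exe) is exactly what Sysmon Event ID 8 (CreateRemoteThread) records, so a defender can alert on it directly. The following is an added example and not code from the Trend Micro report or this article; the Sysmon-style records are constructed, the rule keyed on the documented source/target pair is taken from the report, and the lower-severity rule for any other process opening a thread in chrome.exe is my own assumption.

```python
"""Added example (not from the Trend Micro report): flag the remote thread
injection described above by scanning Sysmon Event ID 8 (CreateRemoteThread)
records. Sample records are constructed, not real telemetry."""
import ntpath
import re

# Constructed Sysmon-style key=value records. Field names follow Sysmon's
# Event ID 8 schema (SourceImage, TargetImage, TargetProcessId, ...).
SAMPLE_EVENTS = [
    r"EventID=8 SourceImage=C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe SourceProcessId=4120 TargetImage=C:\Program Files\Google\Chrome\Application\chrome.exe TargetProcessId=5088 StartAddress=0x00007FF6A1B20000",
    r"EventID=8 SourceImage=C:\Windows\System32\csrss.exe SourceProcessId=612 TargetImage=C:\Windows\explorer.exe TargetProcessId=3344 StartAddress=0x00007FFB12345678",
    r"EventID=1 Image=C:\Program Files\Google\Chrome\Application\chrome.exe ProcessId=5088 ParentImage=C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"EventID=8 SourceImage=C:\Users\victim\AppData\Local\Temp\updater.exe SourceProcessId=7712 TargetImage=C:\Program Files\Google\Chrome\Application\chrome.exe TargetProcessId=5088 StartAddress=0x00007FF6A1B30000",
]

# The source/target pair the report documents. Matching on the image basename
# keeps the rule stable across install paths and drive letters.
DOCUMENTED_PAIRS = {("microsoftedgeupdate.exe", "chrome.exe")}

# key=value pairs whose values may contain spaces (Windows paths): a value
# runs lazily until the next " Key=" or the end of the record.
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Split one key=value record into a dict."""
    return dict(_KV.findall(line))


def _image_name(path):
    return ntpath.basename(path).lower()


def classify_event(event):
    """Return 'high', 'medium' or None for one parsed Sysmon record."""
    if event.get("EventID") != "8":
        return None
    src = _image_name(event.get("SourceImage", ""))
    dst = _image_name(event.get("TargetImage", ""))
    if (src, dst) in DOCUMENTED_PAIRS:
        return "high"
    # Assumption (my own, not from the report): any other foreign process
    # creating a thread in chrome.exe deserves a lower-severity look.
    if dst == "chrome.exe" and src != "chrome.exe":
        return "medium"
    return None


def scan(lines):
    """Return one alert dict per record that trips a rule, in input order."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        severity = classify_event(event)
        if severity:
            alerts.append({
                "severity": severity,
                "source": event.get("SourceImage"),
                "target": event.get("TargetImage"),
                "target_pid": event.get("TargetProcessId"),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed records, the Edge-updater-to-Chrome event is reported as high and the unsigned temp-directory updater as medium, while csrss.exe's thread in explorer.exe and the ordinary process-creation event are ignored. In production the same logic belongs in the SIEM's CreateRemoteThread rule, with the high-severity pair kept and the medium rule tuned against the browser's own helpers and known security agents.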
Trend Micro identifies an upgraded C&C workflow featuring a dedicated fingerprinting endpoint:
- The malware contacts <C2>/api/set_agent
- Sends parameters: id, token, agent
- Receives JavaScript fingerprinting payloads
- Transmits data back using POST requests with act=log
Despite this evolution, Lumma’s core communication model remains intact: “Lumma Stealer maintains its core C&C communication structure… including parameters uid and cid.”
This indicates that the fingerprinting module is an augmentation, not a replacement—extending Lumma’s reach while preserving backward compatibility with existing criminal infrastructure.
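The C&C traits listed above (the /api/set_agent endpoint with id, token and agent; POSTs carrying act=log for the fingerprint exfiltration; and the uid and cid parameters of the unchanged core beacon) are enough to write a network detection. The following is an added example, not code from the Trend Micro report or this article: the transactions are constructed with placeholder hosts and values, and the assumption that the parameters travel as query-string or form-body fields is mine, since the article does not say how they are encoded.

```python
"""Added example (not from the Trend Micro report): classify HTTP transactions
against the Lumma C&C traits the report names. Transactions are constructed;
hostnames and values are placeholders, not indicators from the report."""
from urllib.parse import parse_qs, urlsplit

# Constructed transactions, as a proxy with request-body capture might log them.
SAMPLE_TRANSACTIONS = [
    {"method": "POST", "url": "http://c2-placeholder.invalid/api/set_agent",
     "body": "id=1001&token=PLACEHOLDER_TOKEN&agent=Mozilla/5.0"},
    {"method": "POST", "url": "http://c2-placeholder.invalid/api",
     "body": "act=log&uid=u-0001&cid=c-0001&data=BASE64_PLACEHOLDER"},
    {"method": "GET", "url": "https://www.example.com/api/set_agent?id=7",
     "body": ""},
    {"method": "POST", "url": "https://shop.example.com/cart",
     "body": "act=add&item=42"},
]


def extract_params(tx):
    """Merge query-string and form-body parameters (assumed encoding);
    the first value seen for a key wins."""
    parts = urlsplit(tx["url"])
    merged = {}
    for source in (parts.query, tx.get("body", "")):
        for key, values in parse_qs(source).items():
            merged.setdefault(key, values[0])
    return parts.path, merged


def classify_transaction(tx):
    """Return the list of report-derived traits this transaction exhibits."""
    path, params = extract_params(tx)
    findings = []
    # Fingerprinting bootstrap: set_agent endpoint plus id/token/agent.
    if path.lower().endswith("/api/set_agent") and {"id", "token", "agent"}.issubset(params):
        findings.append("set_agent")
    # Fingerprint results are sent back with POST act=log.
    if tx["method"].upper() == "POST" and params.get("act") == "log":
        findings.append("fingerprint_log")
    # Core beacon keeps the uid/cid pair.
    if {"uid", "cid"}.issubset(params):
        findings.append("core_beacon")
    return findings


def scan_transactions(transactions):
    """Return only the transactions that match at least one trait."""
    hits = []
    for tx in transactions:
        findings = classify_transaction(tx)
        if findings:
            hits.append({"url": tx["url"], "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_transactions(SAMPLE_TRANSACTIONS):
        print(hit)
```

The third transaction shows why the endpoint path alone is a weak signal: a benign site can expose /api/set_agent too, so the rule also requires the parameter triple. Correlating a set_agent hit, a later act=log POST and a uid/cid beacon from the same host within a short window gives far more confidence than any single trait.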
The report also highlights cracks in Lumma’s operational foundation following the doxxing campaign. Underground visibility has declined, and Trend Micro notes that “multiple fraudulent Telegram accounts impersonating legitimate Lumma Stealer channels” have caused disruption among buyers and operators.
Despite its operational turbulence, Trend Micro assesses that Lumma remains a continuing threat: “Lumma Stealer remains an active threat with continued endpoint targeting and the documented deployment of GhostSocks as a secondary payload.”
Trend’s analysts conclude that the operators are choosing to “keep a low profile… while maintaining basic operations, likely waiting for the right opportunity to resume full-scale activities.”