Increase in Lumma Stealer Activity Coincides with Use of Adaptive Browser Fingerprinting Tactics
Nov. 14, 2025, 11:49 a.m.
Description
Trend Research has observed a resurgence in Lumma Stealer activity since October 20, 2025, accompanied by new behaviors and C&C techniques. The malware now employs browser fingerprinting as part of its command-and-control tactics, collecting and exfiltrating system, network, hardware, and browser data using JavaScript payloads and stealthy HTTP communications. These new behaviors enable Lumma Stealer to maintain operational continuity, assess victim environments, and evade detection. The malware continues to use process injection techniques and maintains its core C&C communication structure while incorporating new fingerprinting capabilities. This hybrid approach serves multiple strategic purposes, including enhanced evasion, improved targeting, and detection avoidance.
Date
- Created: Nov. 14, 2025, 2:36 a.m.
- Published: Nov. 14, 2025, 2:36 a.m.
- Modified: Nov. 14, 2025, 11:49 a.m.
Indicators
- 516cd47d091622b3eb256d25b984a5ede0d5dd9540e342a28e199082395e65e5
- pabuloa.asia
- jamelik.asia