
Increase in Lumma Stealer Activity Coincides with Use of Adaptive Browser Fingerprinting Tactics

In this blog entry, Trend™ Research analyses the layered command-and-control approaches that Lumma Stealer uses to maintain its ongoing operations while enhancing collection of victim-environment data.


By: Junestherry Dela Cruz, Sarah Pearl Camiling

Nov 13, 2025

Key takeaways

  • The doxxing of Lumma Stealer’s alleged core members initially led to a decline in activity, but Trend™ Research observed an increase in Lumma Stealer-related activity (which Trend Micro tracks as Water Kurita) since the week of October 20, as well as new behaviors and C&C techniques.
  • Lumma Stealer now uses browser fingerprinting as part of its command-and-control (C&C) tactics, supplementing traditional C&C protocols. The fingerprinting technique involves collecting and exfiltrating system, network, hardware, and browser data using JavaScript payloads and stealthy HTTP communications with Lumma Stealer’s C&C server.
  • These newly observed behaviors enable Lumma Stealer to maintain operational continuity, assess victim environments to guide follow-on actions, and evade detection.
  • Trend Vision One™ detects and blocks the specific indicators of compromise (IoCs) mentioned in this blog, and offers customers access to hunting queries, threat insights, and intelligence reports related to Lumma Stealer.

In the wake of a targeted doxxing campaign last month that exposed the alleged core members of Lumma Stealer (which Trend Micro tracks as Water Kurita), the underground infostealer landscape experienced a significant upheaval. As detailed in Trend™ Research’s previous report, this exposure led to a marked decline in Lumma Stealer's activity, with many of its customers migrating to rival platforms such as Vidar and StealC. However, recent observations from our telemetry indicate a resurgence in Lumma Stealer activity, accompanied by notable changes in its command-and-control (C&C) behaviors, particularly the introduction of browser fingerprinting techniques.

Detailed analysis

Starting the week of October 20, 2025, Trend’s telemetry began to detect a notable uptick in activity associated with Lumma Stealer, revealing a shift in its targeting strategy as new endpoints emerged as prime targets (Figure 1). A key development in this resurgence is the implementation of browser fingerprinting techniques by the malware, representing a significant evolution in its C&C infrastructure while maintaining core communication protocols consistent with previous versions.

Figure 1. Endpoints targeted by Lumma Stealer from October 1 to November 3, 2025

Process injection and browser hijacking

The analyzed samples demonstrate Lumma Stealer's use of process injection techniques, specifically employing remote thread injection from MicrosoftEdgeUpdate.exe into legitimate Chrome browser processes (chrome.exe), as seen in Figure 2. This technique allows the malware to execute within the context of a trusted browser process, effectively bypassing many security controls and appearing as legitimate browser traffic to network monitoring systems.

Figure 2. New Lumma Stealer browser fingerprinting behavior as seen from Trend’s XDR logs

Network traffic analysis

Network capture analysis reveals the malware's communication patterns with the C&C infrastructure. The initial connection to the fingerprinting endpoint at <c2 domain>/api/set_agent is clearly visible in the network traffic, showing the HTTP GET request with the associated parameters including the unique identifier and authentication token (Figure 3). This traffic pattern represents a new addition to Lumma Stealer's communication repertoire, occurring alongside its traditional C&C protocols.

Figure 3. Browser fingerprinting behavior

New C&C endpoint: Browser fingerprinting infrastructure

The malware now communicates with a dedicated fingerprinting endpoint at /api/set_agent on the C&C domain (jamelik[.]asia in this case). The initial GET request includes several parameters:

  • id - A unique 32-character hexadecimal identifier
  • token - A session token for authentication
  • agent - Browser identification (Chrome in this case)

Despite the introduction of browser fingerprinting capabilities, our analysis confirms that Lumma Stealer maintains its core C&C communication structure as previously documented in Microsoft’s research (Figure 4). Debug analysis reveals the malware continues to transmit traditional C&C parameters (Figure 5), including:

  • uid - The unique identifier for the Lumma Stealer client/operator and campaign (updated from 'lid' in version 6)
  • cid - Optional field identifying additional Lumma Stealer features (updated from 'j' in version 6)
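To turn the two request shapes described above into something a SOC can run over proxy logs, here is an added detection helper (written for this post; it is neither Trend's code nor the malware's). It assumes a constructed log format of "timestamp src_ip method url status", uses a placeholder host in place of the real C&C domain, and also normalises the pre-version-6 parameter names (lid, j) to their current equivalents (uid, cid).

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Matches the 32-character hexadecimal "id" value sent to /api/set_agent.
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")
# Pre-v6 parameter names mapped to the current ones (lid -> uid, j -> cid).
LEGACY = {"lid": "uid", "j": "cid"}

def classify_request(url: str) -> Optional[Dict[str, str]]:
    """Return a finding if the URL looks like a Lumma-style request, else None."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    # 1. New fingerprinting beacon: GET /api/set_agent?id=<32 hex>&token=...&agent=...
    if parts.path == "/api/set_agent":
        ident = q.get("id", "")
        if HEX32.match(ident) and "token" in q:
            return {"type": "fingerprint_beacon", "host": parts.hostname or "",
                    "id": ident, "agent": q.get("agent", "")}
    # 2. Traditional C&C beacon carrying uid / cid (or the legacy lid / j names).
    campaign = {LEGACY.get(k, k): v for k, v in q.items()
                if k in ("uid", "cid", "lid", "j")}
    if "uid" in campaign:
        return {"type": "c2_beacon", "host": parts.hostname or "", **campaign}
    return None

def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Scan constructed proxy-style lines and collect findings with the source IP."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or fields[2] != "GET":
            continue
        hit = classify_request(fields[3])
        if hit:
            hit["src"] = fields[1]
            findings.append(hit)
    return findings

# Constructed sample log; "c2.example" stands in for the real C&C domain.
SAMPLE_LOG = [
    "2025-10-21T10:02:11Z 10.0.0.5 GET http://c2.example/api/set_agent"
    "?id=0123456789abcdef0123456789abcdef&token=tok-placeholder&agent=chrome 200",
    "2025-10-21T10:02:13Z 10.0.0.5 GET http://c2.example/?uid=uid-placeholder&cid=cid-placeholder 200",
    "2025-10-21T10:02:14Z 10.0.0.7 GET http://example.com/api/set_agent?id=short&token=t 404",
    "2025-10-21T10:03:00Z 10.0.0.9 GET http://example.com/index.html 200",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The id-length check is deliberate: a bare path match on /api/set_agent would also fire on unrelated web applications, whereas the 32-hex id plus token pair is the specific shape seen in this traffic.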

Figure 4. Using WinHTTP APIs, the malware establishes an outbound connection to its C&C server, enabling remote operators to issue commands, exfiltrate data, or deploy additional payloads

Figure 5. URL parameters uid and cid are transmitted to Lumma Stealer C&C for operators to track campaigns

This consistency indicates that the fingerprinting functionality represents an augmentation rather than a replacement of existing C&C infrastructure, suggesting the operators are layering new capabilities onto proven communication frameworks.

Configuration management

Analysis of the downloaded configuration data (Figure 6) reveals how the malware orchestrates both traditional data exfiltration and the new fingerprinting operations. The configuration maintains the established structure for managing C&C domains, command parameters, and operational directives while incorporating new directives for browser profiling activities.

Figure 6. Downloaded configuration from C&C server

Browser fingerprinting payload

Upon accessing the fingerprinting endpoint, the C&C server responds with JavaScript code designed to collect an extensive array of system and browser characteristics. The fingerprinting script gathers the following information:

System information

  • Platform details, user agent strings, and language preferences
  • Hardware specifications including CPU cores, device memory, and touch capabilities
  • Browser vendor information and application metadata

Browser profiling

  • WebGL fingerprinting - Extracts graphics card vendor, renderer information, and supported extensions
  • Canvas fingerprinting - Generates unique visual signatures by rendering text and shapes
  • Audio context analysis - Captures audio system capabilities including sample rates and channel configurations
  • WebRTC information - Collects network interface details through Interactive Connectivity Establishment (ICE) candidates and Session Description Protocol (SDP) data

Network and hardware characteristics

[...]
