Lumma Stealer Resurges with Adaptive Browser Fingerprinting to Evade Detection
After a brief decline following the doxxing of its operators, Lumma Stealer has returned with adaptive browser fingerprinting techniques that enhance victim profiling and evade security controls.

Lumma Stealer, an information-stealing malware tracked by Trend Micro as Water Kurita, has staged a comeback after a targeted doxxing campaign last month exposed its alleged core members. The exposure initially caused a sharp drop in activity as many customers migrated to rival stealers like Vidar and StealC. However, since the week of October 20, 2025, Trend Micro telemetry has detected a notable resurgence, accompanied by a significant evolution in the malware's command-and-control (C&C) tactics: the adoption of adaptive browser fingerprinting.
The new fingerprinting capability allows Lumma Stealer to collect an extensive array of system, network, hardware, and browser data using JavaScript payloads delivered via stealthy HTTP communications with its C&C server. The malware communicates with a dedicated endpoint at `/api/set_agent` on the C&C domain, sending parameters such as a unique 32-character hexadecimal identifier, a session token, and browser identification. This data enables the malware to assess victim environments in real time, guiding follow-on actions and helping it evade detection by appearing as legitimate browser traffic.
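The request shape described above (a call to `/api/set_agent` carrying a 32-character hexadecimal identifier) is something a defender can look for in web-proxy or egress logs. The following detector is an added example, not code from the Trend Micro report: it parses constructed proxy log lines and flags requests whose path is `/api/set_agent` and whose query carries a 32-hex-character value, and separately notes the legacy `uid`/`cid` pair the article mentions. The domain, the parameter names `agent`, `token` and `browser`, and the log format are assumptions made for the example, not indicators from the research.

```python
# Added example (not from the Trend Micro research): flag proxy-log requests that
# match the described C&C shape: a request to /api/set_agent whose query
# carries a 32-character hexadecimal identifier, plus the legacy uid/cid pair.
import re
from urllib.parse import parse_qs, urlsplit

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")

# Constructed sample log lines in a simplified proxy format:
#   <timestamp> <client_ip> <method> <url> <status>
# The domain and the parameter names agent/token/browser are assumptions,
# not indicators taken from the report.
SAMPLE_LOG = """\
2025-10-22T10:14:03Z 10.0.0.15 GET https://c2.example.invalid/api/set_agent?agent=5f4dcc3b5aa765d61d8327deb882cf99&token=abc123&browser=Chrome 200
2025-10-22T10:14:05Z 10.0.0.15 GET https://c2.example.invalid/api/set_agent?uid=user1&cid=camp7 200
2025-10-22T10:14:09Z 10.0.0.22 GET https://www.example.invalid/api/status?id=42 200
2025-10-22T10:15:01Z 10.0.0.15 GET https://c2.example.invalid/config?uid=user1&cid=camp7 200
"""


def parse_line(line):
    """Split one proxy log line into its five fields (URL must contain no spaces)."""
    ts, client, method, url, status = line.split(" ", 4)
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status}


def classify(entry):
    """Return the list of reasons this request matches the set_agent pattern.

    The path match is the primary signal; a 32-hex value on its own is common
    in benign traffic and is only reported when the path also matches.
    """
    parts = urlsplit(entry["url"])
    reasons = []
    if parts.path == "/api/set_agent":
        reasons.append("path:/api/set_agent")
        params = parse_qs(parts.query)
        hex_keys = [k for k, vals in params.items() if any(HEX32.match(v) for v in vals)]
        if hex_keys:
            reasons.append("hex32:" + ",".join(sorted(hex_keys)))
        if "uid" in params and "cid" in params:
            reasons.append("legacy:uid+cid")
    return reasons


def find_suspicious(log_text):
    """Scan a block of log lines and return (client, url, reasons) for each hit."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        reasons = classify(entry)
        if reasons:
            hits.append((entry["client"], entry["url"], reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in find_suspicious(SAMPLE_LOG):
        print(client, url, reasons)
```

Running the block reports the two `/api/set_agent` requests from `10.0.0.15` and ignores the unrelated `/api/status` call and the `/config` fetch. The path is the real discriminator; a 32-hex identifier by itself matches countless legitimate session and tracking tokens, so it is only attached as supporting evidence once the path matches.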
Technical analysis reveals that Lumma Stealer employs process injection techniques to achieve this. The malware uses remote thread injection from `MicrosoftEdgeUpdate.exe` into legitimate Chrome browser processes (`chrome.exe`), allowing it to execute within the context of a trusted process. This technique bypasses many security controls and makes the malicious traffic appear normal to network monitoring systems. The fingerprinting functionality augments, rather than replaces, the malware's existing C&C infrastructure, which continues to transmit traditional parameters like `uid` and `cid` for campaign tracking.
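The injection step described above leaves a clear trace in endpoint telemetry: a remote thread created in `chrome.exe` by a process named `MicrosoftEdgeUpdate.exe`. The detector below is an added example, not the report's own code or rule; it runs over constructed records in the shape of Sysmon Event ID 8 (CreateRemoteThread) after a SIEM has parsed them, using Sysmon's `SourceImage`/`TargetImage` field names. The file paths and process IDs in the sample records are made up for the example.

```python
# Added example, not code from the Trend Micro report: detect remote thread
# creation into a browser process, as in the described injection from
# MicrosoftEdgeUpdate.exe into chrome.exe. Records mimic Sysmon Event ID 8
# (CreateRemoteThread) as a SIEM would present them; all values are constructed.
import ntpath

BROWSERS = {"chrome.exe"}
UPDATERS = {"microsoftedgeupdate.exe"}

# Constructed events. Event 1 is the pattern from the report, event 2 is normal
# browser-internal behaviour, event 3 is a generic unexpected source, and
# event 4 is a non-CreateRemoteThread event that must be ignored.
SAMPLE_EVENTS = [
    {"EventID": 8,
     "SourceImage": r"C:\Users\u\AppData\Local\Temp\MicrosoftEdgeUpdate.exe",
     "SourceProcessId": 4120,
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetProcessId": 5204},
    {"EventID": 8,
     "SourceImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "SourceProcessId": 5204,
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetProcessId": 5310},
    {"EventID": 8,
     "SourceImage": r"C:\Tools\debugger.exe",
     "SourceProcessId": 6001,
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetProcessId": 5310},
    {"EventID": 1,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ProcessId": 5310},
]


def basename(path):
    """Case-insensitive file name from a Windows path."""
    return ntpath.basename(path).lower()


def evaluate(event):
    """Return (severity, reason) for a suspicious CreateRemoteThread, else None."""
    if event.get("EventID") != 8:
        return None
    src = basename(event["SourceImage"])
    dst = basename(event["TargetImage"])
    if dst not in BROWSERS:
        return None
    if src in UPDATERS:
        # An updater has no business creating threads inside a browser process.
        return ("high", f"{src} created a remote thread in {dst}")
    if src != dst:
        # Browser processes creating threads in their own image is expected;
        # any other source is worth a look, at lower confidence.
        return ("medium", f"non-browser process {src} created a remote thread in {dst}")
    return None


def detect(events):
    """Return (source pid, target pid, severity, reason) for each alerting event."""
    alerts = []
    for event in events:
        result = evaluate(event)
        if result:
            alerts.append((event["SourceProcessId"], event["TargetProcessId"], *result))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The block raises one high-severity alert for the updater-to-Chrome thread and one medium-severity alert for the generic source, while the Chrome-to-Chrome record and the non-injection event pass. In a real deployment, a useful second check is whether the `MicrosoftEdgeUpdate.exe` image sits in the legitimate Edge Update install directory and carries a valid Microsoft signature; the sample's copy running from a user's Temp folder would fail both.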
The resurgence of Lumma Stealer highlights the adaptability of infostealer operators in the face of disruption. The doxxing campaign, which exposed the alleged identities of Lumma's core members, initially seemed to cripple the operation. Yet the malware's operators have responded by layering new evasion techniques onto their proven communication frameworks, demonstrating a commitment to maintaining operational continuity. Trend Micro notes that the configuration downloaded from the C&C server now incorporates directives for browser profiling alongside traditional data exfiltration commands.
The impact of this evolution is significant for organizations targeted by information-stealing malware. Browser fingerprinting allows Lumma Stealer to tailor its attacks based on the victim's environment, potentially increasing the success rate of credential theft, session hijacking, and data exfiltration. The malware's ability to blend in with legitimate browser traffic also makes it harder for network-based detection tools to identify malicious activity. Trend Micro's Vision One platform detects and blocks the specific indicators of compromise mentioned in its research, and customers have access to hunting queries and threat intelligence reports.
This development is part of a broader trend in the cybercriminal ecosystem, where infostealers are increasingly adopting sophisticated evasion and profiling techniques. The cat-and-mouse game between security researchers and malware operators continues, with each disruption often leading to tactical innovations. As Lumma Stealer demonstrates, even when core members are exposed, the malware can adapt and return with new capabilities, underscoring the need for continuous monitoring and adaptive defenses.