The Lumma Stealer has returned after Microsoft and law enforcement caused significant disruption to its infrastructure, Trend Micro reported on Tuesday.
Microsoft and law enforcement agencies in several countries announced in May that they had taken down and blocked 2,300 malicious domains that had “formed the backbone of the Lumma Stealer infrastructure”.
In addition, authorities managed to take control of the Lumma control panel, disrupting a critical component of the marketplace used to buy and sell access to the malware. The connections between infected devices and the malware’s servers were cut off, preventing communication and data exfiltration.
Lumma, which in the two months leading up to its takedown had infected nearly 400,000 Windows PCs worldwide, enables cybercriminals to steal personal information, credentials, and financial data from compromised systems.
Shortly after the law enforcement operation was announced, the main developer of the Lumma malware issued a statement confirming that thousands of domains had been seized.
The developer also said that data on the servers had been erased and that a phishing page had been deployed to collect the IP addresses of the malware’s users. According to the same statement, law enforcement also attempted to access users’ webcams, likely in an effort to identify them.
The developer suspected that law enforcement had exploited a zero-day vulnerability to hack a server, but claimed that the physical machine could not be seized because it is located in a country where those authorities have no reach.
Data collected by Trend Micro showed that the cybercriminals quickly started restoring the infrastructure, with hundreds of new command and control (C&C) URLs spotted in the weeks after the takedown.
The security firm has observed several significant changes since the malware’s resurgence.
In terms of network infrastructure, Lumma Stealer now relies less on Cloudflare to front its command and control domains and hide the origin servers behind them. Some domains still sit behind Cloudflare, but many now use other providers — including ones based in Russia — that may be less willing to cooperate with law enforcement.
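The shift described above is the kind of thing a threat-intelligence team can measure from its own C&C observations: resolve each domain and check whether the address falls inside Cloudflare’s published IPv4 ranges. The following script is an added illustration, not Trend Micro’s code; the observations in it are constructed (reserved `.example` names and documentation IP ranges), the cut-off date is an assumption, and the Cloudflare ranges are copied from Cloudflare’s published list and should be re-checked against https://www.cloudflare.com/ips-v4 before use.

```python
"""Classify C&C observations as Cloudflare-fronted or not, before and after a
cut-off date. Added example, not Trend Micro's code; all indicators constructed."""
from __future__ import annotations

import ipaddress
from collections import Counter
from datetime import date

# Cloudflare's published IPv4 ranges (assumption: copied at time of writing;
# verify against https://www.cloudflare.com/ips-v4 before relying on them).
CLOUDFLARE_V4 = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Assumption: the takedown announcement date used to split the data set.
TAKEDOWN = date(2025, 5, 21)

# Constructed sample: (first_seen, domain, resolved IPv4). None of these are
# real indicators; domains use the reserved .example TLD and non-Cloudflare
# addresses come from the RFC 5737 documentation ranges.
OBSERVATIONS = [
    ("2025-04-02", "cc-a.example", "104.21.33.7"),
    ("2025-04-15", "cc-b.example", "172.67.1.2"),
    ("2025-05-03", "cc-c.example", "188.114.97.3"),
    ("2025-05-10", "cc-d.example", "203.0.113.10"),
    ("2025-06-01", "cc-e.example", "104.18.5.9"),
    ("2025-06-04", "cc-f.example", "198.51.100.23"),
    ("2025-06-12", "cc-g.example", "192.0.2.55"),
    ("2025-06-20", "cc-h.example", "203.0.113.77"),
]


def is_cloudflare(ip: str) -> bool:
    """True if the IPv4 address sits inside one of Cloudflare's edge ranges.

    A domain that resolves here is proxied by Cloudflare, so the real origin
    server is hidden. IPv6 is not covered by the list above and returns False.
    """
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in CLOUDFLARE_V4)


def summarize(observations, cutoff: date = TAKEDOWN) -> dict[str, dict[str, float]]:
    """Count Cloudflare-fronted vs other C&C addresses on each side of cutoff."""
    counts: Counter[tuple[str, str]] = Counter()
    for first_seen, _domain, ip in observations:
        period = "post" if date.fromisoformat(first_seen) >= cutoff else "pre"
        counts[(period, "cloudflare" if is_cloudflare(ip) else "other")] += 1

    out: dict[str, dict[str, float]] = {}
    for period in ("pre", "post"):
        cf = counts[(period, "cloudflare")]
        other = counts[(period, "other")]
        total = cf + other
        out[period] = {
            "cloudflare": cf,
            "other": other,
            "cloudflare_share": cf / total if total else 0.0,
        }
    return out


if __name__ == "__main__":
    for period, stats in summarize(OBSERVATIONS).items():
        print(f"{period}-takedown: {stats['cloudflare']} Cloudflare, "
              f"{stats['other']} other ({stats['cloudflare_share']:.0%} fronted)")
```

Two caveats when running this on real data: resolve each domain at the time it was first seen (a domain can be moved on or off Cloudflare later, so a single present-day resolution misrepresents the history), and treat a non-Cloudflare address as a lead rather than an attribution; identifying the hosting provider and its jurisdiction needs a separate WHOIS or ASN lookup that this script does not perform.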
In addition, Trend Micro noted that the malware is being distributed through “more discreet channels” in the post-disruption campaigns.
In recent campaigns the Lumma malware has been distributed via websites offering fake software cracks, serial key generators, and free software. Compromised websites set up to leverage the ClickFix method have also been used for malware distribution.
The cybercriminals have also created GitHub accounts that serve the malware under the guise of game cheats. Social media posts on YouTube and Facebook — in many cases offering software cracks — have also been used for distribution.
“The ability of Lumma Stealer’s operators to regroup and innovate poses a continued risk to organizations and individuals worldwide,” Trend Micro said. “This emphasizes the need for ongoing vigilance, proactive threat intelligence, and sustained collaboration between law enforcement and the cybersecurity community. Without this, even the most significant takedowns might only offer temporary relief from evolving cyber threats.”