Increase in Lumma Stealer Activity Coincides with Use of Adaptive Browser Fingerprinting Tactics
Essential information
- Published: 14/11/2025 02:36
- Modified: 14/11/2025 11:49
- Tags: 2025-11-14, browser fingerprinting, command and control, cybercriminal activity, data exfiltration, evasion techniques, ghostsocks, infostealer, lumma stealer, process injection
- Related entities: 3 observables, 1 intrusion set (apt), 10 techniques (mitre), 2 malware
Description
Trend Research observed a resurgence in Lumma Stealer activity since October 20, 2025, accompanied by new behaviors and C&C techniques. The malware now employs browser fingerprinting as part of its command-and-control tactics, collecting and exfiltrating system, network, hardware, and browser data using JavaScript payloads and stealthy HTTP communications. These new behaviors enable Lumma Stealer to maintain operational continuity, assess victim environments, and evade detection. The malware continues to use process injection techniques and maintains its core C&C communication structure while incorporating new fingerprinting capabilities. This hybrid approach serves multiple strategic purposes, including enhanced evasion, improved targeting, and detection avoidance.