The Lumma infostealer malware-as-a-service (MaaS) platform, despite facing a significant law enforcement operation in May that resulted in the seizure of 2,300 domains and parts of its infrastructure, is gradually resuming its malicious activities. Although the takedown caused considerable disruption, it did not permanently shut down the operation. The immediate response from Lumma’s operators on XSS forums indicated their resilience, as they claimed their central server remained intact, albeit remotely wiped, and that restoration efforts were already underway. This swift action allowed the MaaS to rebuild its infrastructure and regain the trust of the cybercrime community, once again facilitating infostealing operations across multiple platforms.
According to analysis by Trend Micro, Lumma has nearly returned to its pre-takedown levels of activity, with their telemetry showing a rapid reconstruction of the malware’s infrastructure. Trend Micro’s report explicitly states, “Following the law enforcement action against Lumma Stealer and its associated infrastructure, our team has observed clear signs of a resurgence in Lumma’s operations.” They further noted that “Network telemetry indicates that Lumma’s infrastructure began ramping up again within weeks of the takedown,” underscoring the speed of their recovery. This rapid resurgence highlights the determination and adaptability of the threat actors behind Lumma.
In their efforts to evade future detection and takedowns, Lumma has adapted its operational tactics. While it continues to leverage legitimate cloud infrastructure to mask its malicious traffic, it has shifted its primary cloud provider from Cloudflare to alternative services, most notably the Russian-based Selectel. This change in infrastructure providers is a strategic move designed to circumvent the measures that led to its previous disruption, demonstrating a proactive approach to maintaining its operational continuity in the face of law enforcement pressure.
Trend Micro researchers have identified four key distribution channels that Lumma is currently employing to achieve new infections, indicating a full return to its multifaceted targeting strategies. These include the promotion of fake cracks and keygens through malvertising and manipulated search results, directing victims to deceptive websites that fingerprint their systems. Another method, “ClickFix,” involves compromised websites displaying fake CAPTCHA pages that trick users into executing PowerShell commands to load Lumma directly into memory, thus evading file-based detection.
Furthermore, Lumma’s distribution now heavily relies on platforms like GitHub, where attackers create repositories with AI-generated content advertising fake game cheats, hosting Lumma payloads as executables or in ZIP files. The re-emergence also extends to YouTube videos and Facebook posts that promote cracked software, leading users to external sites, some of which abuse trusted services like sites.google.com to appear legitimate. The persistent re-emergence of Lumma as a significant threat underscores a critical point: law enforcement actions, particularly those without arrests or indictments, may be insufficient to deter such determined and profitable MaaS operations, as the leading operators likely perceive these disruptions as routine obstacles rather than definitive shutdowns.
Reference:
