Lumma Stealer Resurfaces After Takedown: New Stealth Tactics Target Users Via Fake Cracks, CAPTCHAs & GitHub

Following a sweeping law enforcement operation in May—which dismantled over 2,300 domains and disrupted portions of its infrastructure—the malicious Lumma platform is once again exhibiting a resurgence in activity. Despite the significant blow, the service never fully ceased to exist: its operators responded swiftly and began rebuilding their capabilities almost immediately.

According to Trend Micro, Lumma remains one of the most resilient and profitable malware-as-a-service (MaaS) platforms, with a primary focus on harvesting sensitive data. In the immediate aftermath of the infrastructure takedown, Lumma’s representatives assured dark web forum users that their core server had evaded direct law enforcement control, despite being remotely deleted. They also announced the beginning of efforts to resurrect the platform.

Over the following weeks, Trend Micro’s telemetry recorded a rapid expansion of technical infrastructure: the number of command nodes increased, and malicious traffic once again surged to notable levels. Analysts estimate that Lumma’s operational volume has nearly returned to the levels observed prior to the May crackdown.

In its latest iteration, Lumma’s operators have abandoned the use of cloud services like Cloudflare, which are frequently blocked at the behest of law enforcement agencies. Instead, they have migrated to the infrastructure of Russian provider Selectel—whose jurisdiction complicates legal intervention by international authorities. Legitimate hosting providers continue to be used to mask command-and-control communications, allowing the malware to maintain stealth and evade detection.

At present, Lumma is being distributed through four independent delivery vectors, underscoring not only the restoration of its infrastructure but also the continuation of a deliberate campaign to infect new systems.

• Fake cracks and keygens: Through search engine ads and SEO manipulation, users are redirected to counterfeit websites embedded with Traffic Direction Systems (TDS) that analyze device parameters before serving the Lumma loader.
• ClickFix mechanisms: Compromised web resources display fake CAPTCHA challenges, coercing victims into manually executing PowerShell commands. These scripts inject the payload directly into memory, bypassing both the file system and antivirus solutions.
• GitHub repositories: Threat actors upload malicious files—such as “TempSpoofer.exe”—disguised as gaming cheats or tools within open-source projects to lend an air of legitimacy.
• YouTube and Facebook: Video content and posts promote supposedly “cracked” software, embedding links to Lumma downloaders. These often route through sites like sites.google.com to increase user trust.

This diversified delivery framework makes Lumma a formidable weapon in the cybercriminal arsenal. Despite the recent takedown, the absence of arrests or prosecutions has allowed key perpetrators to continue their operations with little interruption. In practice, such crackdowns have become a recurring backdrop to the ongoing lifecycle of the MaaS ecosystem.

As this case illustrates, even large-scale international operations cannot ensure the cessation of malicious services unless they are accompanied by targeted accountability and personal sanctions.