Lumma Stealer is an information-stealing malware that has seen a resurgence since October 20, 2025, with new adaptive techniques enhancing its stealth and persistence. The malware now integrates browser fingerprinting into its command-and-control (C&C) communication tactics, using JavaScript payloads executed in the victim’s browser to collect extensive data about the system, network, hardware, and browser environment. This fingerprinting allows the malware to profile the victim environment dynamically, enabling it to adapt its behavior, evade detection mechanisms, and maintain operational continuity. The malware employs stealthy HTTP communications to exfiltrate data, reducing the likelihood of network-based detection. It continues to use process injection techniques (MITRE ATT&CK T1055) to hide its presence within legitimate processes and maintain persistence. The core C&C communication structure remains intact but is augmented with these fingerprinting capabilities, which serve multiple strategic purposes: enhanced evasion of security tools, improved targeting of valuable victims, and avoidance of detection by adapting to the environment. The malware’s use of browser fingerprinting is notable because it leverages client-side JavaScript to gather detailed telemetry, which is uncommon in many traditional stealers. Indicators of compromise include specific file hashes and domains associated with the malware’s infrastructure. The threat actor behind this campaign is identified as 'Water Kurita'. Although no CVE or known exploits are currently associated with this malware, its evolving tactics represent a sophisticated threat to organizations relying heavily on browser-based workflows and sensitive data stored or accessed via browsers.

For European organizations, the resurgence of Lumma Stealer with adaptive browser fingerprinting capabilities poses significant risks to confidentiality and integrity of sensitive data. The malware’s ability to stealthily collect system and browser information can lead to theft of credentials, personal data, and intellectual property. The use of process injection and stealthy HTTP communications complicates detection and response efforts, increasing dwell time and potential damage. Organizations in sectors such as finance, healthcare, and critical infrastructure, which often handle sensitive personal and operational data, are particularly vulnerable. The malware’s adaptive fingerprinting allows it to evade traditional security controls, potentially leading to widespread compromise within networks that rely on browser-based applications. This could result in regulatory non-compliance under GDPR due to data breaches, financial losses, reputational damage, and operational disruptions. The medium severity rating reflects the malware’s sophisticated evasion but also the lack of currently known widespread exploitation or zero-day vulnerabilities. However, the threat actor’s continued activity suggests a persistent risk that could escalate if combined with other attack vectors or exploited vulnerabilities.

1. Deploy advanced endpoint detection and response (EDR) solutions capable of detecting process injection and anomalous process behaviors associated with Lumma Stealer. 2. Implement network monitoring to identify stealthy HTTP communications, focusing on unusual outbound traffic patterns and connections to suspicious domains such as those identified (e.g., jamelik.asia, pabuloa.asia). 3. Harden browser security by disabling or restricting JavaScript execution in untrusted contexts, using browser isolation technologies, and enforcing strict content security policies (CSP). 4. Employ multi-factor authentication (MFA) to reduce the impact of credential theft. 5. Conduct regular threat hunting exercises focusing on indicators of compromise (IOCs) such as the provided file hashes and domains. 6. Keep all software and security tools updated to reduce the attack surface and improve detection capabilities. 7. Educate users about phishing and social engineering tactics that may deliver the initial infection vector. 8. Segment networks to limit lateral movement if an infection occurs. 9. Use threat intelligence feeds to stay updated on new indicators and adapt defenses accordingly. 10. Consider deploying browser fingerprinting detection tools to identify and block malicious fingerprinting attempts.