EXECUTIVE SUMMARY:
A resurgence has been observed in campaigns conducted by the threat actor Water Kurita involving the stealer known as Lumma Stealer, which now exhibits advanced browser fingerprinting capabilities that improve its ability to profile and exploit compromised systems. The operators are layering new reconnaissance tactics on top of established infrastructure, increasing effectiveness while minimizing detection. These developments present heightened risk to organizations operating web environments, especially those dependent on browser-based workflows or handling sensitive endpoint credentials.
The malware keeps its core command and control (C2) communication framework and adds a new fingerprinting endpoint that collects browser and system metadata. Upon infection, Lumma Stealer injects into a legitimate browser process so that its activity masquerades as trusted browser traffic. The fingerprinting script gathers an extensive array of data: user agent strings, hardware details, WebGL and Canvas fingerprints, AudioContext metrics, WebRTC ICE candidates, network interface details, screen resolution and color depth, available fonts, browser plugin and hardware metadata, and connection type and bandwidth measurements. The collected data is serialized into JSON and sent via HTTP POST to the command server, after which the browser may be redirected to about:blank to reduce visibility. The strategic use of fingerprinting allows the attackers to identify sandbox or VM environments, profile system capability for follow-on payloads, and evade detection by blending with legitimate HTTP traffic from trusted browser processes. Underground forum monitoring indicates that while direct actor activity around Lumma Stealer has declined, marketplace transactions continue and the malware remains active, albeit in a lower-profile mode.
The evolution of Lumma Stealer's infrastructure reflects a strategic shift: rather than abandoning its proven C2 mechanisms, the operators have augmented them with environment profiling. The combination of browser fingerprinting and traditional C2 protocols significantly increases the threat's stealth, targeting precision, and resilience. Defenders should therefore assume that credential stealers are not limited to simple exfiltration but may include advanced reconnaissance capabilities, and should update their defensive posture accordingly.
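The profiling upload described above (a JSON POST from a browser process carrying WebGL, Canvas, audio, WebRTC, font, screen and connection data) is a useful detection pivot because ordinary analytics beacons rarely carry more than one or two of those categories at once. The following is an added example, not code from the report or from Lumma Stealer: it scores outbound JSON POST bodies from a proxy log by how many distinct fingerprinting categories they cover. The log record layout, the JSON key names in CATEGORY_KEYS, the hostnames and the threshold are all constructed assumptions for the demonstration, not observed malware indicators.

```python
"""Heuristic detector for browser-fingerprint profiling uploads.

Added example (not from the report): counts fingerprinting categories in
outbound JSON POST bodies from a proxy log. Log format, JSON key names and
hosts are constructed for the demo, not observed Lumma Stealer values.
"""
import json
from dataclasses import dataclass, field

# Fingerprinting categories named in the report, each mapped to key names a
# collection script might plausibly use (assumed names, lower-cased).
CATEGORY_KEYS = {
    "user_agent": {"useragent", "platform"},
    "hardware":   {"hardwareconcurrency", "devicememory", "cpuclass"},
    "webgl":      {"webglvendor", "webglrenderer", "webglhash"},
    "canvas":     {"canvashash", "canvas"},
    "audio":      {"audiohash", "audiocontext"},
    "webrtc":     {"icecandidates", "localip", "webrtc"},
    "screen":     {"screenwidth", "screenheight", "colordepth"},
    "fonts":      {"fonts", "fontlist"},
    "plugins":    {"plugins", "mimetypes"},
    "network":    {"connectiontype", "downlink", "rtt", "effectivetype"},
}

# Categories one POST must cover before a finding is raised. Analytics
# beacons usually hit one or two (UA, screen); a profiling payload hits most.
MIN_CATEGORIES = 5


@dataclass
class Finding:
    host: str
    path: str
    process: str
    categories: list = field(default_factory=list)


def collect_keys(obj, acc=None):
    """Return every key name in a nested JSON structure, lower-cased."""
    if acc is None:
        acc = set()
    if isinstance(obj, dict):
        for k, v in obj.items():
            acc.add(str(k).lower())
            collect_keys(v, acc)
    elif isinstance(obj, list):
        for v in obj:
            collect_keys(v, acc)
    return acc


def fingerprint_categories(body):
    """Sorted list of fingerprinting categories a parsed JSON body covers."""
    keys = collect_keys(body)
    return sorted(c for c, names in CATEGORY_KEYS.items() if keys & names)


def score_event(event):
    """Return a Finding if this request looks like a profiling upload."""
    if event.get("method") != "POST":
        return None
    if "json" not in event.get("content_type", "").lower():
        return None
    try:
        body = json.loads(event.get("body", ""))
    except json.JSONDecodeError:
        return None                      # form bodies etc. are out of scope
    cats = fingerprint_categories(body)
    if len(cats) < MIN_CATEGORIES:
        return None
    return Finding(event["host"], event["path"], event.get("process", "?"), cats)


def scan(events):
    """Run score_event over a list of proxy-log records."""
    return [f for f in (score_event(e) for e in events) if f is not None]


# Constructed proxy-log records (not real traffic): one outbound request each,
# with the originating process name and the request body.
SAMPLE_EVENTS = [
    {   # full profile upload from a browser process: should be flagged
        "method": "POST", "host": "collector.example.invalid", "path": "/api/fp",
        "process": "chrome.exe", "content_type": "application/json",
        "body": json.dumps({
            "userAgent": "Mozilla/5.0 ...", "hardwareConcurrency": 8,
            "deviceMemory": 16, "webglRenderer": "ANGLE (...)",
            "canvasHash": "3f9a...", "audioHash": "b71c...",
            "iceCandidates": ["candidate:..."], "screenWidth": 1920,
            "screenHeight": 1080, "colorDepth": 24,
            "fonts": ["Arial", "Calibri"], "plugins": [],
            "connectionType": "wifi", "downlink": 10,
        }),
    },
    {   # ordinary analytics beacon: two categories, not flagged
        "method": "POST", "host": "analytics.example.invalid", "path": "/collect",
        "process": "chrome.exe", "content_type": "application/json",
        "body": json.dumps({"userAgent": "Mozilla/5.0 ...",
                            "screenWidth": 1920, "page": "/home"}),
    },
    {   # GET request: never a candidate
        "method": "GET", "host": "cdn.example.invalid", "path": "/app.js",
        "process": "chrome.exe", "content_type": "", "body": "",
    },
    {   # POST with a form body rather than JSON: skipped
        "method": "POST", "host": "login.example.invalid", "path": "/login",
        "process": "chrome.exe",
        "content_type": "application/x-www-form-urlencoded",
        "body": "user=a&pass=b",
    },
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"suspect profiling POST to {f.host}{f.path} from {f.process}: "
              f"{len(f.categories)} categories {f.categories}")
```

The category threshold, rather than any single key, is what keeps the false-positive rate tolerable: many legitimate sites send a user agent and screen size, but very few send Canvas, AudioContext, WebRTC ICE candidates and a font list in the same request. In production the same scoring can be joined with the originating process and a follow-up navigation to about:blank, which the report names as the post-upload behaviour.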
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Execution | T1106 | Native API | — |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1027.002 | Obfuscated Files or Information | Software Packing |
| Defense Evasion | T1055.012 | Process Injection | Process Hollowing |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Collection | T1113 | Screen Capture | — |
| Collection | T1056.001 | Input Capture | Keylogging |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
| Exfiltration | T1567.002 | Exfiltration Over Web Service | Exfiltration to Cloud Storage |
MBC MAPPING:
| Objective | Behavior ID | Behavior |
|---|---|---|
| Anti-Behavioral Analysis | B0001 | Debugger Detection |
| Anti-Static Analysis | B0032 | Executable Code Obfuscation |
| Collection | E1056 | Input Capture |
| Collection | E1113 | Screen Capture |
| Command and Control | B0030 | C2 Communication |
| Credential Access | F0002 | Keylogging |
| Defense Evasion | F0001 | Software Packing |
| Discovery | B0013 | Analysis Tool Discovery |
| Discovery | E1082 | System Information Discovery |
| Discovery | E1083 | File and Directory Discovery |
| Execution | B0011 | Remote Commands |
| Exfiltration | E1020 | Automated Exfiltration |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
REFERENCES:
The following reports contain further technical details: