NEWS 2300 Domains Burned — But the Core Survived. Lumma Returns: Meaner, Quieter, Deadlier

ExcalibuR


Was the malware takedown operation pointless?


After a massive law enforcement operation in May that seized over 2300 domains and part of the infrastructure, the Lumma malware platform is gaining momentum once again. Despite the serious blow, the service was never fully shut down — its operators quickly responded and began rebuilding.


According to Trend Micro, this marks the revival of one of the most resilient and profitable malware-as-a-service (MaaS) platforms focused on data theft. Shortly after the infrastructure was seized, Lumma representatives posted on underground forums stating that the platform’s core server had not fallen into law enforcement’s hands, even though it was remotely wiped. They also announced the beginning of the service’s resurrection.


Within weeks, Trend Micro's telemetry recorded an active restoration: the number of command-and-control domains began to grow, and malicious traffic returned to large volumes. Analysts note that Lumma’s activity has nearly returned to pre-crackdown levels.


In the new version of the platform, the operators abandoned Cloudflare infrastructure — often blocked at the request of law enforcement — and switched to Selectel, a Russian provider whose jurisdiction makes takedowns and seizures much harder. As before, legitimate hosting services are used to mask command traffic, allowing the malware to remain undetected longer.


Currently, Lumma is spreading again via four main delivery vectors, proving that the infrastructure is not only back but actively used in new infection campaigns:


  1. Fake cracks and keygens: Through paid search ads and search engine manipulation, users land on fake websites. These sites deploy traffic distribution systems (TDS) that fingerprint the victim’s system before delivering the Lumma downloader.
  2. ClickFix pages: Hacked sites display fake CAPTCHA screens that trick users into manually executing PowerShell commands. These scripts load the malware directly into memory, bypassing disk writes and antivirus detection.
  3. GitHub repositories: Attackers create AI-generated descriptions for game cheats and upload them alongside malicious executables like TempSpoofer.exe or infected archives, giving the illusion of open-source projects.
  4. YouTube and Facebook: Videos and posts promote cracked software, with links in the descriptions pointing to external sites that host the Lumma payload. Some links even pass through sites.google.com to build user trust.

This multi-layered delivery strategy makes Lumma a particularly dangerous tool for cybercriminals. Despite the cleanup effort, including the domain takedown, the absence of arrests or criminal charges allows key actors to continue operations with minimal disruption.


Lumma’s return to the cybercrime market is a stark reminder that even large-scale international operations don’t guarantee the end of malware campaigns — unless followed by personalized criminal enforcement.