Increase in Lumma Stealer Activity Coincides with Use of Adaptive Browser Fingerprinting Tactics

Date: 11/20/2025

Severity: High

Summary

After an initial drop in activity following the doxxing of its alleged members, Lumma Stealer has recently surged in activity. Researchers observed new adaptive browser-fingerprinting tactics, where the malware uses JavaScript-based data collection and stealthy HTTP communication to gather detailed system, network, hardware, and browser information. These updates help Lumma Stealer maintain operations, choose follow-on actions based on the victim's environment, and better evade detection.

Indicators of Compromise (IOC) List

URLs/Domains

pabuloa.asia

jamelik.asia

SHA256 Hash

516cd47d091622b3eb256d25b984a5ede0d5dd9540e342a28e199082395e65e5

Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

Detection Query 1:

domainname like "pabuloa.asia" or siteurl like "pabuloa.asia" or url like "pabuloa.asia" or domainname like "jamelik.asia" or siteurl like "jamelik.asia" or url like "jamelik.asia"

Detection Query 2:

sha256hash IN ("516cd47d091622b3eb256d25b984a5ede0d5dd9540e342a28e199082395e65e5")
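The two queries above, re-implemented in plain Python so the matching logic can be checked against constructed log records. This is an added example, not Gurucul's or Trend Micro's code; the record field names follow the queries, the sample records are made up, and the page's `like` is interpreted here as a dot-boundary domain match (exact domain or subdomain), which is stricter than a substring match.

```python
# Indicators from the advisory above.
IOC_DOMAINS = {"pabuloa.asia", "jamelik.asia"}
IOC_SHA256 = {"516cd47d091622b3eb256d25b984a5ede0d5dd9540e342a28e199082395e65e5"}
DOMAIN_FIELDS = ("domainname", "siteurl", "url")  # fields inspected by Query 1


def host_of(value: str) -> str:
    """Reduce a bare domain or a full URL to its lower-cased host name."""
    v = value.strip().lower()
    if "://" in v:
        v = v.split("://", 1)[1]
    v = v.split("/", 1)[0].split("?", 1)[0]  # drop path and query string
    v = v.rsplit("@", 1)[-1]                 # drop userinfo
    return v.split(":", 1)[0]                # drop port


def domain_matches(value: str) -> bool:
    """True when the host is an IOC domain or one of its subdomains.
    Matching on a dot boundary avoids substring hits such as
    'pabuloa.asia.example.com' that a plain substring LIKE would produce."""
    host = host_of(value)
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def query1(record: dict) -> bool:
    """Detection Query 1: any URL/domain field points at an IOC domain."""
    return any(domain_matches(str(record[f])) for f in DOMAIN_FIELDS if record.get(f))


def query2(record: dict) -> bool:
    """Detection Query 2: sha256hash is in the IOC set (case-insensitive)."""
    h = str(record.get("sha256hash", ""))
    return h.strip().lower() in IOC_SHA256


def scan(records: list) -> list:
    """Return (record id, rule name) for every record that fires a query."""
    hits = []
    for r in records:
        if query1(r):
            hits.append((r["id"], "lumma_ioc_domain"))
        if query2(r):
            hits.append((r["id"], "lumma_ioc_hash"))
    return hits


# Constructed sample records, not real telemetry.
SAMPLE_RECORDS = [
    {"id": 1, "url": "https://cdn.pabuloa.asia/api/collect?x=1"},
    {"id": 2, "domainname": "JAMELIK.ASIA"},
    {"id": 3, "siteurl": "https://pabuloa.asia.example.com/"},  # look-alike, must not fire
    {"id": 4, "sha256hash": "516CD47D091622B3EB256D25B984A5EDE0D5DD9540E342A28E199082395E65E5"},
    {"id": 5, "url": "https://example.com/", "sha256hash": "0" * 64},
]
```

Before deploying the TDIR queries, confirm whether the platform's `like` is a substring or an exact comparison: a substring match also fires on look-alike hosts such as record 3, while an exact match misses subdomains such as record 1.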

Reference:

https://www.trendmicro.com/en_us/research/25/k/lumma-stealer-browser-fingerprinting.html

Tags: Malware, Lumma Stealer
