The Lumma infostealer malware operation has come back to life following a major international law enforcement crackdown in May 2025, which disrupted its infrastructure and led to the seizure of over 2,300 domains.
At the time, Lumma’s operators confirmed the takedown on underground forums but said that their central server, while remotely wiped, had not been seized.
Since then, the malware-as-a-service (MaaS) platform has been steadily rebuilding. Reports from early June indicated signs of recovery, and by July, cybersecurity researchers said Lumma was operating at nearly pre-takedown levels.
According to Trend Micro, the platform has restored its infrastructure and reestablished trust within the cybercriminal community, enabling it to relaunch widespread infostealing campaigns.
Lumma has moved away from its previous use of Cloudflare and is now leveraging alternative cloud services, particularly the Russian provider Selectel, in an effort to avoid future disruptions.
The malware is currently being distributed through multiple vectors, including fake software cracks, compromised websites, GitHub repositories with AI-generated bait content, and social media platforms like YouTube and Facebook.