TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Trend Micro Research

Shifts in the Underground: The Impact of Water Kurita’s (Lumma Stealer) Doxxing

Junestherry Dela Cruz · 2025-10-16

ATT&CK techniques detected

10 predictions. Each entry gives the technique, the classifier's confidence, and the passage of the original article it was matched against (excerpts are truncated as shown). Where two predictions were matched to the same passage they are listed together.

T1588.001 Obtain Capabilities: Malware (98%)
“Note that the accuracy of the doxed information and the actual involvement of the named individuals have not been independently verified. The campaign may also be motivated by personal or competitive grudges, and attribution should be treated with caution. Response in the undergr…”

T1588.001 Obtain Capabilities: Malware (97%)
“…aler distribution. Meanwhile, other malware authors are capitalizing on the situation by aggressively marketing their own alternative offerings, with the goal of attracting former Lumma Stealer customers. This opportunistic promotion is fueling rapid innovation and intensifying…”

T1588.001 Obtain Capabilities: Malware (95%)
“Shifts in the Underground: The Impact of Water Kurita's (Lumma Stealer) Doxxing. A targeted underground doxxing campaign exposed alleged core members of Lumma Stealer (Water Kurita)…”

T1588.001 Obtain Capabilities: Malware (89%) · T1588.002 Obtain Capabilities: Tool (43%)
“…and infrastructure details, regardless of their accuracy, could have lasting repercussions on Lumma Stealer's viability, customer trust, and the broader underground ecosystem. Lumma Stealer's decline: Lumma Stealer's growth and wide adoption were due to its efficiency, support…”

T1588.001 Obtain Capabilities: Malware (76%) · T1588.002 Obtain Capabilities: Tool (46%)
“- This downshift in volume sparked aggressive competition among malware authors, possibly leading to new innovations and the rise of new infostealer variants in underground markets. Introduction: In September 2025, we noted a striking decline in new command and control infrastruct…”

T1555.003 Credentials from Password Stores: Credentials from Web Browsers (44%) · T1588.002 Obtain Capabilities: Tool (39%)
“Timeline: The following sequence of events outlines the unraveling of Lumma Stealer's operations during late 2025, based on public sources and internal telemetry: - Early September 2025: Trend telemetry began to register a steady decline in Lumma Stealer sample detections and…”

T1555.003 Credentials from Password Stores: Credentials from Web Browsers (32%)
“Administration/management: responsible for operational oversight. - Development/technical: focused on crypter development for malware obfuscation. - Unknown roles: three additional members whose specific functions were not disclosed but were significant enough to warrant e…”

Summary

A targeted underground doxxing campaign exposed alleged core members of Lumma Stealer (Water Kurita), resulting in a sharp decline in its activity and a migration of customers to rival infostealer platforms.