Mallory
Financially motivated · 1 malware family

Water Kurita

Also known as water_kurita

Water Kurita is a tracking name for the Lumma Stealer cybercriminal operation, which Microsoft tracks as Storm-2477. Lumma Stealer, also known as LummaC2 Stealer or LummaC2, has been sold as a malware-as-a-service infostealer on underground forums since at least August 2022 and was described as one of the most prominent information stealers of the reporting period.

Trend Micro reported that the group's activity declined sharply after an underground doxxing campaign targeted its alleged core members. This followed an earlier recovery: roughly two months after a May 2025 law-enforcement disruption, the operation had resumed on rebuilt infrastructure. The doxxing campaign allegedly exposed five supposed core members; Trend Micro assessed that it likely drew on insider knowledge or on access to compromised accounts or databases, while cautioning that the identities and involvement of the named individuals were not independently verified. Reported impacts included the compromise of the group's Telegram account, which disrupted its communications with customers.

Trend Micro also reported that Lumma Stealer used browser fingerprinting as part of its command-and-control tactics. The decline in Lumma activity reportedly pushed some criminals toward alternative infostealers such as Vidar and StealC, and disrupted the Amadey pay-per-install ecosystem that had been used to distribute Lumma. No nation-state attribution has been reported; the operation is assessed as financially motivated.
