Active Lumma Stealer Campaign Impacting U.S. SLTTs
ID: a89aab39-b587-58aa-a78f-5d815260a646
STIX ID: report--a89aab39-b587-58aa-a78f-5d815260a646
Feed Name: CISecurity.org Insights Blog
CIS CTI reports an active Lumma Stealer campaign impacting U.S. SLTT organizations. The campaign leverages malvertising and fake CAPTCHA prompts to trick users into executing obfuscated JavaScript and PowerShell (launched via Mshta), culminating in the compilation and execution of a .NET Lumma payload that steals credentials and other sensitive data. The report analyzes two CIS ESS-detected incidents, detailing the multi-stage scripts, defense-evasion techniques (including AMSI-based XOR decryption), and delivery mechanisms, and provides comprehensive IOCs (IPs, domains, hashes) and MITRE ATT&CK mappings, with recommendations for heightened awareness and defenses against widespread info-stealer activity.
