March 12, 2025 4 Minute Read

During an Advanced Continual Threat Hunt (ACTH) investigation in early February 2025, Trustwave SpiderLabs discovered a resurgence of fake CAPTCHA verifications designed to deceive victims into executing malicious PowerShell scripts. This campaign employs a multi-stage PowerShell execution process, ultimately delivering infostealers such as Lumma and Vidar.

SpiderLabs comprehensively analyzed the attack chain, covering the initial infection vectors, staged payload execution, and decryption mechanisms. These instances are also not the first time the team has investigated the malicious use of CAPTCHA. Earlier reports include Unveiling the CAPTCHA Escape: The Dance of CAPTCHA Evasion Using TOR and Dissecting a Phishing Campaign with a CAPTCHA-based URL.

Attack Chain Overview

The attack begins when a user encounters a deceptive CAPTCHA verification on a compromised or malicious website. Instead of validating the user's identity, the CAPTCHA prompts the user to execute a PowerShell command.

Step-by-Step Execution

1. Fake CAPTCHA Prompt: The user is prompted to execute a command under the pretense of human verification.
2. Execution via mshta: The command invokes mshta to fetch and execute a remote HTA file.
3. HTA File Execution: The downloaded HTA file launches another PowerShell script.
4. Payload Decryption: The PowerShell script decrypts additional commands, leading to further multi-stage PowerShell script execution.
5. Infostealer Deployment: Ultimately, infostealers such as Lumma and Vidar are deployed to steal sensitive information and maintain persistence.

Figure 1. Step-by-Step Execution.

Initial PowerShell Execution

The attack starts with executing a PowerShell command, tricking the victim into believing it is part of a CAPTCHA verification process.

Malicious PowerShell Execution Command

Figure 2. Malicious PowerShell Execution Command.

The HTA file (RUKE.mp4) is executed using mshta, which then downloads and runs the next stage of the PowerShell script. This facilitates further infection and the execution of malicious payloads. An earlier investigation showed the adversary was agnostic when it came to the payload name and extension. 

Figure 3.

HTA File Execution and Decryption

The HTA file (RUKE.mp4) decrypts into a next-stage PowerShell script, which then downloads and executes additional payloads, advancing the infection chain.

Figure 4.

Decryption Mechanism

This Python script extracts the encrypted data by performing a simple subtraction cipher where each numerical value in the BSMz array is reduced by 634 to reveal the original character.

Python-Based Decryption Logic

def decrypt_message(BSMz):
decrypted_text = ''.join([chr(num - 634) if num >= 634 else '?' for num in BSMz])
return decrypted_text

# Given encrypted array
BSMz = [charcode here]

# Decrypt the message
decrypted_message = decrypt_message(BSMz)
print(decrypted_message)

Multi-Stage PowerShell Decryption

The decrypted PowerShell command contains another staged PowerShell payload, which, when Base64-decoded, reveals yet another layer of PowerShell code, likely responsible for executing additional commands or downloading further payloads.

Figure 5. Multi-Stage PowerShell Decryption.

The decoded PowerShell script dynamically retrieves and executes a method from the .NET Marshal class to decrypt SecureString data.

Figure 6. The decoded PowerShell script dynamically retrieves and executes a method from the .NET Marshal class to decrypt SecureString data.

Further decoding of the data reveals another PowerShell command that runs in hidden mode with the execution policy bypassed, dynamically retrieves a malicious URL, and downloads a payload using Net.WebClient, and executes it while obfuscating command names to evade detection.

Figure 7.

The decrypted PowerShell script retrieves and executes a staged PowerShell code from https://60d427489[.]kliplubuziy[.]shop/e290ec7eeb84ea465f4d2e1441fec32d[.]stage. It’s important to note that the site where the PowerShell code is staged differs in each campaign.

The retrieved PowerShell script is notably large in file size, suggesting an attempt to evade sandbox or emulation-based detection mechanisms, as many security solutions impose execution limits on script size to mitigate analysis.

Figure 8.

The XOR key in this function is stored in $GZluzrkhPzWWrrywFFx, which is converted into a byte array ($TcOWXyfVrAsomtTr) using UTF-8 encoding.

This key is then used in an XOR operation against the Base64-decoded payload ($nAGDWAuwiDTowy), producing the decrypted PowerShell script, which is stored in $SsiVDvLVzWszljN and returned for execution. During the investigation, we observed similar patterns of decryption routines in different campaigns.

Figure 9.

Figure 10.

Based on our investigation, the decrypted XOR key is AMSI_RESULT_NOT_DETECTED.

Figure 11.

The decimal value of the same XOR key was observed in another campaign.

Figure 12.

Final Routine to Drop Infostealers

Since we have the encrypted data and XOR key, with the help of the python code below, we can extract the final PowerShell payload:

import base64

# Read and convert decimal data from the file
# data.txt is the encoded decimal data
with open("data.txt", "r") as file:
decimal_data = [int(x) for x in file.read().strip().split(',')]

# Define XOR key
xor_key = b"AMSI_RESULT_NOT_DETECTED"

# Convert to bytes and decode Base64
decoded_data = base64.b64decode(bytes(decimal_data))

# Apply XOR decryptio
decrypted_data = bytes(decoded_data[i] ^ xor_key[i % len(xor_key)] for i in range(len(decoded_data)))

# Output the result

print(decrypted_data.decode())

Final Payload: Deployment of Lumma and Vidar Infostealers

The final PowerShell script decodes and executes a Base64-encoded payload containing the Lumma Stealer malware, delivering and running the infostealer on the compromised system.

Figure 13.

The investigation of the final payload reveals Lumma Stealer not only exfiltrates sensitive data but also downloads additional infostealers, including Telegram bot-based HijackLoader. Further analysis confirms the delivery of a Golang-based backdoor, expanding the attack's persistence and control capabilities.

The Golang-based HijackLoader is distributed through a malicious software package disguised as ‘TiVo Desktop’, a revoked signed executable. The package size of approximately 700MB strongly indicates a defense evasion tactic, likely aiming to bypass sandbox analysis and antivirus scanning by artificially inflating file sizes to hinder detection.

Appendix

File Hash

Lumma Stealer:

322579b54e4c6fecabeee9cdb75233d8
d67ee7ae28a09bf7f6d33118a9d07527

Vidar Stealer:

17190c7e5163b5c115e3d470f568ee5f

HijackLoader:

218261DAA1AEBD5484B29BF7F959B57A

Network:

188[.]114[.]97[.]3
185[.]195[.]97[.]57
191[.]101[.]230[.]18
172[.]67[.]149[.]66
hxxps[://]t[.]me/m08mbk
hxxps[://]wirybringero[.]shop/api
hxxps[://]farmagrupodw[.]com/temp/Elated[.]exe
hxxps[://]www[.]suarakutim[.]com/temp/wspconfig[.]rpm
hxxps[://]www[.]suarakutim[.]com/temp/hosebird[.]rpm
hxxps[://]steamcommunity[.]com/profiles/76561199724331900
hxxps[://]steamcommunity[.]com/profiles/76561199820567237
cryptocurrencytrends[.]click
guardeduppe[.]com
toppyneedus[.]biz

MITRE Hunt Package

Execution:

T1053.005 - Scheduled Task/Job: Scheduled Task
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1204.002 - User Execution: Malicious File

Privilege escalation:

T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control

Defense evasion:

T1036.003 - Masquerading: Rename System Utilities
T1218.010 - System Binary Proxy Execution: Regsvr32
T1562.002 - Impair Defenses: Disable Windows Event Logging
T1564.003 - Hide Artifacts: Hidden Window

Credential access:

T1552.001 - Unsecured Credentials: Credentials In Files
T1555.003 - Credentials from Password Stores: Credentials from Web Browsers

Discovery:

T1012 - Query Registry
T1033 - System Owner/User Discovery
T1082 - System Information Discovery
T1518 - Software Discovery
T1614 - System Location Discovery

Command and Control:

T1071 - Application Layer Protocol
T1571 - Non-Standard Port
T1102 - Web Service

Trustwave's recent revamp of its Advanced Continual Threat Hunt (ACTH) with a new patent-pending methodology enables Trustwave to conduct threat hunts and monitor our customers as this campaign continues. Trustwave offers ACTH as an option in Trustwave's Managed Detection and Response Services. For more information, please read Trustwave Revamps Continual Threat Hunting Enabling Significantly More Hunts and Unique Threat Findings.