DNS Early Detection - Fast-Propagating Fake CAPTCHA Distributes LummaStealer

Feb. 28, 2025, 11:12 a.m.

Description

Between October 2024 and February 2025, LummaStealer malware was distributed via fake CAPTCHA pages, targeting users who store sensitive information in browsers and cryptocurrency wallets. The malware, sold as Malware-as-a-Service, collects data for fraud and unauthorized access. Threat actors use fake CAPTCHA pages to establish trust and trick users into running obfuscated scripts, which in turn fetch secondary payloads and enable lateral movement. Infoblox's DNS monitoring detected the malicious domains an average of 46.8 days before public reports, providing early protection for customers. Given the easy access to malicious adtech services and fake CAPTCHA content, continued and increased usage by threat actors is expected.

Date

  • Created: Feb. 28, 2025, 10:36 a.m.
  • Published: Feb. 28, 2025, 10:36 a.m.
  • Modified: Feb. 28, 2025, 11:12 a.m.

Indicators


Attack Patterns

  • LummaStealer
  • LummaC2