Fake CAPTCHA Lures Victims: Lumma Stealer Abuses Clipboard and PowerShell
Feb. 26, 2025, 8:54 a.m.
Description
A new malware campaign using fake CAPTCHA pages to deliver Lumma Stealer has been identified. The attack leverages ClickFix, a deceptive tactic involving phishing and fake reCAPTCHA pages impersonating Cloudflare verification. The infection chain begins with a fake CAPTCHA page tricking victims into running malicious commands copied to their clipboard. This launches mshta.exe, which executes a VBScript to run PowerShell commands. These commands download and execute a malicious payload, which acts as a loader for Lumma Stealer. The attack uses various evasion techniques, including anti-debugging measures and code injection. The stealer captures screen data, extracts clipboard information, and exfiltrates stolen data through multiple command-and-control servers.
Tags
Date
- Created: Feb. 25, 2025, 7:40 p.m.
- Published: Feb. 25, 2025, 7:40 p.m.
- Modified: Feb. 26, 2025, 8:54 a.m.
Indicators
- voicesharped.com
- torpdidebar.com
- rebeldettern.com
- kvndbb3.com
- importenptoc.com
- hopeefreamed.com
- garulouscuto.com
- deskbot.net
- breedertremnd.com
- ignoredshee.com
- actiothreaz.com
Attack Patterns
- Lumma Stealer