- Phishing campaign imitates CAPTCHA to deliver hidden malware commands
- PowerShell Command Hidden in Verification Leads to Lumma Stealer Attack
- Educating users about phishing tactics is key to preventing these types of attacks
CloudSek has discovered a sophisticated method to distribute Lumma Stealer malware that poses a serious threat to Windows users.
This technique relies on deceptive human verification pages that trick users into executing harmful commands without knowing it.
While the campaign primarily focuses on spreading the Lumma Stealer malware, its methodology could be adapted to deliver a wide variety of other malware.
How the phishing campaign works
The campaign employs trusted platforms such as Amazon S3 and various content delivery networks (CDNs) to host phishing sites, using modular malware delivery where the initial executable downloads additional components or modules, complicating detection and analysis efforts.
The infection chain in this phishing campaign begins when threat actors lure victims to phishing websites that imitate legitimate Google CAPTCHA verification pages. These pages present themselves as a necessary identity verification step, tricking users into believing they are completing a standard security check.
The attack takes a more deceptive turn once the user clicks the “Verify” button. Behind the scenes, a hidden JavaScript function is activated, which copies a base64-encoded PowerShell command to the user’s clipboard without their knowledge. The phishing page then instructs the user to perform an unusual series of steps, such as opening the Run dialog box (Win+R) and pasting the copied command. These instructions, once followed, cause the PowerShell command to be executed in a hidden window, which is invisible to the user, making detection by the victim almost impossible.
The hidden PowerShell command is the crux of the attack. It connects to a remote server to download additional content, such as a text file (a.txt) containing instructions to retrieve and run the Lumma Stealer malware. Once this malware is installed on the system, it establishes connections with domains controlled by attackers. This allows attackers to compromise the system, steal sensitive data, and potentially launch more malicious activities.
To protect against this phishing campaign, both users and organizations should prioritize security awareness and implement proactive defenses. A fundamental first step is user education.
The deceptive nature of these attacks (disguised as legitimate verification processes) shows the importance of informing users about the dangers of following suspicious prompts, especially when asking them to copy and paste unknown commands. Users should be trained to recognize phishing tactics and question unexpected CAPTCHA checks or unknown instructions that involve executing system commands.
In addition to education, implementing strong endpoint protection is essential to defend against PowerShell-based attacks. Since the attackers in this campaign rely heavily on PowerShell to execute malicious code, organizations must ensure that their security solutions are capable of detecting and blocking these activities. Advanced endpoint protection tools with behavioral analysis and real-time monitoring can detect unusual command executions, helping prevent malware from being downloaded and installed.
Organizations should also take a proactive approach by monitoring network traffic for suspicious activity. Security teams should pay close attention to connections to newly registered or uncommon domains, which attackers often use to distribute malware or steal sensitive data.
Lastly, keeping systems up to date with the latest patches is a crucial defense mechanism. Regular updates ensure that known vulnerabilities are addressed, limiting the opportunity for attackers to exploit outdated software in their efforts to distribute malware like Lumma Stealer.
“This new tactic is particularly dangerous because it plays on users’ trust in the widely recognized CAPTCHA verifications they regularly encounter online. By disguising malicious activity behind what appears to be a routine security check, attackers can deceive “What is more worrying is that this technique, currently distributed by Lumma Stealer, could be adapted to spread other types of malware, making it a very versatile and evolving threat,” Anshuman said. Das, security researcher at NubeSEK.
