Fake CAPTCHA Lures Victims: Lumma Stealer Abuses Clipboard and PowerShell
Essential information
- Published
- 25/02/2025 19:40
- Modified
- 26/02/2025 08:54
- Tags
- 2025-02-25 clickfix fake captcha lumma stealer
- Related entities
- 11 observables, 1 malware
Description
A new malware campaign using fake CAPTCHA pages to deliver Lumma Stealer has been identified. The attack leverages ClickFix, a deceptive tactic involving phishing and fake reCAPTCHA pages impersonating Cloudflare verification. The infection chain begins with a fake CAPTCHA page tricking victims into running malicious commands copied to their clipboard. This launches mshta.exe, which executes a VBScript to run PowerShell commands. These commands download and execute a malicious payload, which acts as a loader for Lumma Stealer. The attack uses various evasion techniques, including anti-debugging measures and code injection. The stealer captures screen data, extracts clipboard information, and exfiltrates stolen data through multiple command-and-control servers.