{
  "name": "Fake CAPTCHA Lures Victims: Lumma Stealer Abuses Clipboard and PowerShell",
  "slug": "fake-captcha-lures-victims-lumma-stealer-abuses-clipboard-and-powershell",
  "description": "A new malware campaign using fake CAPTCHA pages to deliver Lumma Stealer has been identified. The attack leverages ClickFix, a deceptive tactic involving phishing and fake reCAPTCHA pages impersonating Cloudflare verification. The infection chain begins with a fake CAPTCHA page that copies malicious commands to the victim's clipboard and tricks the victim into running them. Running these commands launches mshta.exe, which executes a VBScript that in turn runs PowerShell commands. The PowerShell commands download and execute a malicious payload, which acts as a loader for Lumma Stealer. The attack uses various evasion techniques, including anti-debugging measures and code injection. The stealer captures screen data, extracts clipboard information, and exfiltrates stolen data through multiple command-and-control servers.",
  "published": "2025-02-25T18:40:33+00:00",
  "created_at": "2025-02-25T18:40:33+00:00",
  "modified_at": "2025-02-26T07:54:04+00:00",
  "created_at_opencti": "2025-02-25T18:40:33+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-02-25",
    "clickfix",
    "fake captcha",
    "lumma stealer"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "voicesharped.com"
      },
      {
        "id": "",
        "name": "torpdidebar.com"
      },
      {
        "id": "",
        "name": "rebeldettern.com"
      },
      {
        "id": "",
        "name": "kvndbb3.com"
      },
      {
        "id": "",
        "name": "importenptoc.com"
      },
      {
        "id": "",
        "name": "hopeefreamed.com"
      },
      {
        "id": "",
        "name": "garulouscuto.com"
      },
      {
        "id": "",
        "name": "deskbot.net"
      },
      {
        "id": "",
        "name": "breedertremnd.com"
      },
      {
        "id": "",
        "name": "ignoredshee.com"
      },
      {
        "id": "",
        "name": "actiothreaz.com"
      }
    ],
    "malware": [
      {
        "id": "0051da15-675b-4665-a6d1-872f64cf47ea",
        "name": "Lumma Stealer",
        "slug": "lumma-stealer"
      }
    ]
  },
  "external_refs": [
    "https://www.seqrite.com/blog/fake-captcha-lures-victims-lumma-stealer-abuses-clipboard-and-powershell/",
    "https://otx.alienvault.com/pulse/67be1cb1ca38dc53da25b9c0"
  ]
}