Cybersecurity researchers at G DATA have uncovered a sophisticated malware campaign utilizing fake booking websites to deliver the LummaStealer malware through deceptive CAPTCHA prompts.
This new attack vector, discovered in January 2025, marks a significant shift in LummaStealer’s distribution methods, moving from traditional channels like GitHub and Telegram to malvertising techniques.
The infection chain begins when unsuspecting users visit a malicious URL masquerading as a payment confirmation page.
.png
)
This page redirects to a fake booking itinerary site featuring a fraudulent CAPTCHA verification process.
Unlike legitimate CAPTCHAs, this version instructs users to execute a Windows Run command, unknowingly initiating the malware download.
Complex Infection Chain Bypasses Security Measures
The attack employs a multi-stage infection process to evade detection.
An obfuscated PHP script, encrypted with ROT13, injects a Base64-encoded PowerShell command into the user’s clipboard.
When executed, this command triggers a series of actions that ultimately download and run the LummaStealer payload.
Notably, the LummaStealer samples in this campaign are significantly larger than previous versions, increasing in size by up to 350%.
This inflation is achieved through binary padding, a technique that adds junk data to the malicious file.
This approach aims to circumvent file size limitations in security tools and delay analysis, potentially reducing the effectiveness of signature-based antivirus detections.
Global Reach and Evolving Tactics
The campaign demonstrates a global scope, with observed targets in countries such as the Philippines and Germany.
Researchers noted that the attack’s geographic focus shifted over time, suggesting an expansion of the threat actors’ targeting strategy.
LummaStealer continues to employ sophisticated obfuscation techniques, including Indirect Control Flow and Dispatcher Blocks, to complicate analysis and reverse engineering efforts.
These methods dynamically calculate target addresses at runtime, making it challenging for security researchers to trace the malware’s execution path.
As LummaStealer adopts new distribution tactics and refines its evasion techniques, cybersecurity experts anticipate its continued prevalence in the coming months.
The threat actors behind this campaign have demonstrated their ability to adapt quickly, leveraging emerging social engineering techniques like ClickFix to maximize their chances of success.
Users are advised to exercise caution when interacting with booking websites and to be particularly wary of unusual CAPTCHA verification processes that request system-level actions.
As always, maintaining up-to-date security software and practicing good digital hygiene remain crucial in defending against evolving cyber threats.
Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free
