Cyber Security News

Beware! Fake CAPTCHA Hidden LummaStealer Threat Installing Silently

Cybersecurity researchers at G DATA have uncovered a sophisticated malware campaign utilizing fake booking websites to deliver the LummaStealer malware through deceptive CAPTCHA prompts.

This new attack vector, discovered in January 2025, marks a significant shift in LummaStealer’s distribution methods, moving from traditional channels like GitHub and Telegram to malvertising techniques.

The infection chain begins when unsuspecting users visit a malicious URL masquerading as a payment confirmation page.

This page redirects to a fake booking itinerary site featuring a fraudulent CAPTCHA verification process.

LummaStealerLummaStealer
Verification Steps

Unlike legitimate CAPTCHAs, this version instructs users to execute a Windows Run command, unknowingly initiating the malware download.

Complex Infection Chain Bypasses Security Measures

The attack employs a multi-stage infection process to evade detection.

An obfuscated PHP script, encrypted with ROT13, injects a Base64-encoded PowerShell command into the user’s clipboard.

When executed, this command triggers a series of actions that ultimately download and run the LummaStealer payload.

Notably, the LummaStealer samples in this campaign are significantly larger than previous versions, increasing in size by up to 350%.

This inflation is achieved through binary padding, a technique that adds junk data to the malicious file.

Infection Chain Flow

This approach aims to circumvent file size limitations in security tools and delay analysis, potentially reducing the effectiveness of signature-based antivirus detections.

Global Reach and Evolving Tactics

The campaign demonstrates a global scope, with observed targets in countries such as the Philippines and Germany.

Researchers noted that the attack’s geographic focus shifted over time, suggesting an expansion of the threat actors’ targeting strategy.

LummaStealer continues to employ sophisticated obfuscation techniques, including Indirect Control Flow and Dispatcher Blocks, to complicate analysis and reverse engineering efforts.

These methods dynamically calculate target addresses at runtime, making it challenging for security researchers to trace the malware’s execution path.

As LummaStealer adopts new distribution tactics and refines its evasion techniques, cybersecurity experts anticipate its continued prevalence in the coming months.

The threat actors behind this campaign have demonstrated their ability to adapt quickly, leveraging emerging social engineering techniques like ClickFix to maximize their chances of success.

Users are advised to exercise caution when interacting with booking websites and to be particularly wary of unusual CAPTCHA verification processes that request system-level actions.

As always, maintaining up-to-date security software and practicing good digital hygiene remain crucial in defending against evolving cyber threats.

Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Cisco IOS, XE, and XR Vulnerability Allows Remote Device Reboots

 Cisco has issued an urgent security advisory (cisco-sa-twamp-kV4FHugn) warning of a critical vulnerability in its…

3 hours ago

OpenCTI: Free Cyber Threat Intelligence Platform for Security Experts

OpenCTI (Open Cyber Threat Intelligence) stands out as a free, open source platform specifically designed…

3 hours ago

LockBit Ransomware Group Breached: Internal Chats and Data Leaked Online

The notorious LockBit ransomware group, once considered one of the world’s most prolific cyber extortion…

6 hours ago

Cisco IOS XE Wireless Controllers Vulnerability Lets Attackers Seize Full Control

A critical security flaw has been discovered in Cisco IOS XE Wireless LAN Controllers (WLCs),…

6 hours ago

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector emerged…

21 hours ago

Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, has been reported to intensify its attacks…

21 hours ago