Cybersecurity researchers have raised alarms over a new malware campaign using fake CAPTCHA verification checks to distribute the Lumma information stealer. The campaign is global, targeting organizations in countries such as Argentina, Colombia, the United States, and the Philippines. Multiple industries have been affected, with telecom, healthcare, banking, and marketing being particularly targeted. The attack begins when a victim is redirected to a bogus CAPTCHA page on a compromised website, which instructs them to run a command that downloads and executes a malicious HTA file from a remote server. This method, previously seen in similar attacks, bypasses browser-based defenses by leveraging user actions outside of the browser.
The Lumma Stealer is part of a malware-as-a-service model that has been actively used in recent months.
Its flexible delivery methods make it harder for security tools to detect and block, especially when the malware relies on user interaction to facilitate the attack. By exploiting this technique, attackers can bypass some of the traditional security checks that would typically stop malware from being executed on infected systems. The stealer, which targets sensitive information, operates autonomously and continues to evolve, complicating efforts to defend against it.
In addition to fake CAPTCHA campaigns, the malware is being spread through counterfeit domains that impersonate trusted services like Reddit and WeTransfer. These domains redirect victims to download password-protected archive files that contain the malicious AutoIT dropper, which then executes the Lumma payload. This distribution method is part of a broader trend of cybercriminals using seemingly legitimate websites to host and deliver malware. Previously, threat actors had used over 1,300 fake domains masquerading as AnyDesk to distribute the Vidar Stealer in a similar fashion.
The campaign also highlights an emerging trend in social engineering tactics, where attackers are using services like Gravatar to create fake profiles that impersonate legitimate companies such as AT&T, Comcast, and Proton Mail. This technique allows attackers to craft convincing phishing campaigns that closely resemble trusted services, further enhancing the chances of deceiving users into disclosing sensitive information. By tailoring phishing profiles to the appearance of legitimate businesses, attackers increase their success rate, making detection more difficult for traditional security tools.
Read more about Lumma Info stealer Malware Here
Reference: