{
	"id": "69a727e3-b61c-455b-9d77-7e51e8849866",
	"created_at": "2026-04-06T00:11:41.754219Z",
	"updated_at": "2026-04-10T03:21:41.451418Z",
	"deleted_at": null,
	"sha1_hash": "18ab8095af8000380d2f1bee7d6231970def2821",
	"title": "Infostealer LummaC2 Spreading Through Fake CAPTCHA Verification Page - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2073887,
	"plain_text": "Infostealer LummaC2 Spreading Through Fake CAPTCHA\r\nVerification Page - ASEC\r\nBy ATCP\r\nPublished: 2025-01-07 · Archived: 2026-04-05 18:57:35 UTC\r\nAhnLab SEcurity intelligence Center (ASEC) previously introduced the DarkGate malware, which spreads using\r\nthe paste function, in a blog post.\r\nWarning Against Phishing Emails Prompting Execution of Commands via Paste (CTRL+V)\r\nThe distribution method in this case initially involved spreading malware through HTML attachments disguised as\r\nMS Word files in phishing emails. However, LummaC2 has been recently identified as spreading through a fake\r\nCAPTCHA verification page.\r\n1. Distribution Channel\r\nWhen accessing the initial distribution page, a familiar authentication screen is displayed as shown below.\r\nClicking the “I’m not a robot” button on the page copies a command that connects to a malicious URL to the\r\nclipboard.\r\nhttps://asec.ahnlab.com/en/85699/\r\nPage 1 of 6\n\nFigure 1. A fake CAPTCHA verification page\r\nThe threat actor explains a fake authentication step to trick users into executing the command copied to the\r\nclipboard using shortcut keys.\r\nFigure 2. The code that copies a command to the clipboard\r\n2. Obfuscated HTA File\r\nThe command uses the “mshta.exe” process to execute a file (web44.mp4) containing a malicious script from a\r\nmalicious URL. The file contains content unrelated to the mp4 extension and is obfuscated, which makes it\r\ndifficult to recognize it as a script. Although extracting the file’s strings can reveal the script, it is also obfuscated.\r\nFigure 3. (Left: the original web44.mp4 file / Right: a script file revealed through string extraction from\r\nweb44.mp4)\r\n3. PowerShell Script Loader\r\nThe HTA file ultimately executes a PowerShell script. The executed PowerShell script is also encrypted with AES.\r\nFigure 4. AES-decrypted script\r\nThe AES-obfuscated PowerShell script downloads and executes an additional PowerShell script (web.png).\r\nFigure 5. The PowerShell script (web.png) executing LummaC2\r\n4. LummaC2\r\nThe malware that is ultimately executed is LummaC2, capable of stealing information such as browser data and\r\ncryptocurrencies.\r\nFigure 6. LummaC2 communicating with C2\r\n“hwid” is the unique identifier for the infected PC, and a number from 1 to 3 is assigned to “pid” according to the\r\ntype of information that is stolen. “lid” is presumed to be the Lumma ID and is most likely used as the distributed\r\nmalware’s campaign identifier. Detailed information about LummaC2 can be found in the blog post below.\r\nNew Infostealer LummaC2 Being Distributed Disguised As Illegal Cracks\r\nIn addition, LummaC2 utilizes a module called ClipBanker, which monitors the clipboard and changes copied\r\ncryptocurrency wallet addresses to the threat actor’s wallet address.\r\nFigure 7. ClipBanker\r\n5. Conclusion\r\nLummaC2 distributed through fake CAPTCHA pages is mainly spread via crack program download pages or\r\nphishing emails. Users should be especially cautious when dealing with emails or websites of unclear origin.\r\nMD5\r\n3099830291f5dfb199b1f6649997fb45\r\n3734e365ab10e73a85320916ba49c3ee\r\naf46bc7df8441c09296666f0053fb000\r\ne7677ec2ca8706708bcd64b7b8e7111d\r\nURL\r\nhttps[:]//cc[.]klipjaqemiu[.]shop/web[.]png\r\nhttps[:]//klipjaqemiu[.]shop/web44[.]mp4\r\nhttps[:]//noisercluch[.]click/api\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/85699/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://asec.ahnlab.com/en/85699/"
	],
	"report_names": [
		"85699"
	],
	"threat_actors": [],
	"ts_created_at": 1775434301,
	"ts_updated_at": 1775791301,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/18ab8095af8000380d2f1bee7d6231970def2821.pdf",
		"text": "https://archive.orkl.eu/18ab8095af8000380d2f1bee7d6231970def2821.txt",
		"img": "https://archive.orkl.eu/18ab8095af8000380d2f1bee7d6231970def2821.jpg"
	}
}