{
	"id": "dcfdf616-f595-4e15-b800-b1024a731070",
	"created_at": "2026-04-06T00:12:09.975691Z",
	"updated_at": "2026-04-10T03:23:52.183591Z",
	"deleted_at": null,
	"sha1_hash": "6a6ce05b0bb774238bfc7d49fbb106072ce64b01",
	"title": "Malvertisements, Fake Captchas and Infostealers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1092153,
	"plain_text": "Malvertisements, Fake Captchas and Infostealers\r\nBy Varist Cyber Security\r\nArchived: 2026-04-05 15:53:38 UTC\r\nAn Active Campaign\r\nWe recently came across a campaign that installs an infostealer called Lumma. It's quite active, with the campaign having been observed as early as August last year. It often hides in free streaming and software download websites as malicious advertisements. Some links also appear on popular social media platforms. Guardio Labs has a detailed write-up about the malvertising aspect of this campaign. This article will cover the different payloads this campaign uses after the fake CAPTCHA.\r\nFigure 1.0 Hybrid Analyzer detection of the Infostealer Payload\r\nFakeCaptcha Triggered\r\nWe gathered several samples between November and January. As mentioned, most of them came from links shared on social media platforms. When an unsuspecting user tries to download free media or software, they are bombarded with ads, and one of these ads is a malvertisement which eventually leads to the fake CAPTCHA before reaching the actual download link. The user is instructed to press \"CTRL-V\", the paste shortcut key, to execute a PowerShell script via the Run dialog box (Windows+R) as \"Verification Steps\".\r\nhttps://www.varist.com/blogs-news/malvertisements-fake-captchas\r\nPage 1 of 10\r\nFigure 2.0 A webpage which instructs the user to run the script\r\nInfection Chains - Post FakeCaptcha\r\nSample Set 1\r\nWhen we first got a sample from this campaign back in November, the payload from the copy-pasted Run command was quite simple. It runs a PowerShell script to download another file, prize.txt.\r\nprize.txt\r\nThe downloaded \"prize.txt\" is another PowerShell script that downloads the PE executable, which is the infostealer payload.\r\nSample Set 2\r\nAfter a few days, they updated the PowerShell script and base64-encoded the string to hide another PowerShell script. This script, when decoded, is responsible for downloading another file.\r\nGqHQWNMv.txt\r\nThe downloaded \"GqHQWNMv.txt\" is another PowerShell script. It is similar to \"prize.txt\" in Sample Set 1, but this time, instead of downloading the PE executable payload, the payload is included in the code: the PE executable is base64 encoded ($rFbgJhKI) within the script.\r\nSample Set 3\r\nIt now uses mshta.exe, which is categorized as a living-off-the-land binary, to run a remote HTA file. The HTA file contains embedded scripts that execute to move to the next stage of the payload.\r\ns7.mp4\r\nThe file appears to be an HTA file disguised with an MP4 extension. It's packed with junk code, inflating the file size to about 706KB, even though the malicious code is only a few lines long. The next stage of the payload is at the start of the file, located between positions 27 and 9399. It extracts every two characters and skips the third. Each pair of characters represents a hex value, which is then converted to its ASCII equivalent. The decoded string is executed using eval().\r\nBelow is the decoded string that will be executed using eval(). As we can see, it is still encoded. The encoded string is an array of numbers. 759 is subtracted from each number, and the result is converted to its ASCII equivalent character. The output is concatenated to form the decoded string. The next stage, where the decoded string is stored in the variable LFjuo, is executed using the WScript.Shell.Run method.\r\nStill under s7.mp4, the decoded string is a PowerShell command line with an encoded script. When the strings are decoded, it reveals that it will download another payload, s7.bin.\r\ns7.bin\r\nThe s7.bin file is quite large, over 9MB. For this file, we'll focus on the large data in $dsAHg78dAS. This data is fed into a decryption function called fdsjnh. It converts $dsAHg78dAS into a string and concatenates it. Then, it's base64 decoded and decrypted using XOR. Finally, the converted string is executed using a ScriptBlock.\r\nThe first part, not shown in the code below, is the Amsi-Bypass-Powershell code. It modifies CLR.DLL in memory to bypass AMSI. What is left for us to check is the contents of $a, which we can assume is a .NET assembly. Dumping the content will reveal the PE executable payload.\r\nThe third sample of the infection reveals that they employed numerous layers of obfuscation and encryption techniques. These threat actors also utilized several different files in the process before ultimately executing the PE executable payload.\r\nInfostealer Payload\r\nSince the third sample of infection is the most common in our campaign monitoring, we will use its payload to discuss the infostealer payload.\r\nInitial stage\r\nInstead of running the assembly code in the final script, we can modify it and use it to extract the infostealer payload for further analysis. Now that we have the PE executable payload, we can examine some details about the file. According to Detect It Easy, the file is protected by SmartAssembly.\r\nFigure 3.0 Detect It Easy information on the Infostealer initial stage\r\nThere are many ways to analyze this .NET file, but for this example, we can use dnSpy to understand what it does. Below is some metadata produced by the tool. We can confirm the version of SmartAssembly used and the filename, which is \"Ocolwhfse.exe\".\r\nFigure 3.1 dnSpy information on the Infostealer initial stage\r\nIt loads a module named Wivgvpcp.dll, which is the second-stage payload. This module was encrypted using the RC2 cipher with a base64-encoded key, \"0wOxVYRD3wATV3MwWq5gbA==\", and an IV, \"6r/PacCkWiY=\", that will be decoded at runtime. It will be executed via InvokeMethod with \"l3v52Pkjv\" as the parameter.\r\nFigure 3.2 Shows the code that will try to load the module Wivgvpcp.dll\r\n2nd stage\r\nAs for the module file, it is protected by .NET Reactor. We can use different tools such as de4dot to try and remove some of its protection.\r\nFigure 4.0 Detect It Easy information on the Infostealer 2nd stage\r\nContinuing our analysis with dnSpy, we found code that appears to decrypt another file. The file is encrypted using AES, with a base64-encoded key, ykArXXWpRAnkDsyaF3S1iYVT5/z9w3bJdSj5FI+XNCA=, and an IV, lONCjOrG+Ob6r6IKiYgYuQ==. These will be decoded during runtime.\r\nFigure 4.1 Shows the code that will decrypt the final stage of the payload\r\nFinal Stage Payload - Lumma Infostealer\r\nThe decrypted file is the final payload and is a copy of the Lumma Infostealer. It uses base64 encoding and XOR to decrypt the domain configuration. Each domain entry consists of an XOR key and an encrypted domain string. Once decoded, the first 32 bytes are the XOR key, and the remaining bytes are the encrypted domain.\r\nIndicators of Compromise\r\nHash | Description | Varist Detection\r\n45ba7edf16b56e5a25cf4ba630881b50abf93cab440752ac70ee69ccace8d2b1 | prize.txt | PSH/Downldr.CR\r\nd3e0e401f5c55b3e9ea0b1c276b3bf2aca21f620013307361c41d5e1d5e2ba7c | prize.zip | W32/Dropper.BJVU\r\n1512fd62b84ebbb1620c4446d616f1333c564c18154089ead89e065c43313ac5 | Infostealer Payload | W32/Lumma.B\r\nd354bd95269c424918c411ef8e7c8dd2323ef7422cc1099959ac2a56b81494b3 | Fake Captcha | HTML/FakeCha.A\r\nf8278fe32a0916f85bd703aa8975d4e559466ee96a188f68bd2a2816fdbb18a8 | GqHQWNMv.txt | PSH/Dropper.E\r\nb9068030cedbf08f1149951ad6afdde5025383e3d27e212eec23f363dde51 | Infostealer Payload | W32/Shellcoderunner.A\r\n54e5e13f536bcf11e6e5dd676bc42bcb9888344609bcaff19f78e0bf0e869bc5 | Fake Captcha | HTML/FakeCha.A\r\nf8eebdc2f4e317694a7a8a25312f3f6b0c76dd26707d23a123cc202216beabdc | s7.mp4 | JS/Agent.CTL!Eldorado\r\n97bf1b333cc37d639b76b861c9a89c86ee5eb7a36a32610c933ba35c2a6dc871 | s7.bin | PSH/Agent.SO\r\n3febdc4aeae8dc999c500c567b7af4ae3502ed5ccc830d604c1f3f3006131ba6 | Infostealer Payload | W32/Lumma.C\r\nb4668c8aea80800f518cb231ec22932d67b3b0cd75687bd7a2d8ae8d1e41634b | Wivgvpcp.dll | W32/MSIL_Agent.JCI.gen!Eld\r\nf7f5ac812f22722da577fd2017b12747ea6e9cd9600e24a56b5c242bc8aecb77 | Infostealer Payload | W32/Stealer.HJ.gen!Eldorado\r\nSource: https://www.varist.com/blogs-news/malvertisements-fake-captchas",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.varist.com/blogs-news/malvertisements-fake-captchas"
	],
	"report_names": [
		"malvertisements-fake-captchas"
	],
	"threat_actors": [
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434329,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6a6ce05b0bb774238bfc7d49fbb106072ce64b01.pdf",
		"text": "https://archive.orkl.eu/6a6ce05b0bb774238bfc7d49fbb106072ce64b01.txt",
		"img": "https://archive.orkl.eu/6a6ce05b0bb774238bfc7d49fbb106072ce64b01.jpg"
	}
}