Malvertisements, Fake Captchas and Infostealers
By Varist Cyber Security
Archived: 2026-04-05 15:53:38 UTC
Source: https://www.varist.com/blogs-news/malvertisements-fake-captchas

An Active Campaign

We recently came across a campaign that installs an infostealer called Lumma. It is quite active and has been observed since at least August of last year. It typically hides behind malicious advertisements (malvertisements) on free streaming and software download websites, and some of the links are also shared on popular social media platforms. Guardio Labs has a detailed write-up on the malvertising side of this campaign; this article covers the different payloads the campaign delivers after the fake CAPTCHA.

Figure 1.0 Hybrid Analyzer detection of the infostealer payload

Fake CAPTCHA Triggered

We gathered several samples between November and January. As mentioned, most of them came from links shared on social media platforms. When an unsuspecting user tries to download free media or software, they are bombarded with ads, and one of these is a malvertisement that eventually leads to a fake CAPTCHA before the actual download link is reached. Presented as "verification steps", the page instructs the user to open the Run dialog (Windows+R) and press CTRL+V (the paste shortcut), which pastes and runs a PowerShell command that the page has placed on the clipboard.

Figure 2.0 A webpage which instructs the user to run the script

Infection Chains - Post Fake CAPTCHA

Sample Set 1

When we first obtained a sample from this campaign in November, the payload behind the pasted Run command was quite simple: a PowerShell script that downloads another file, prize.txt.

prize.txt

The downloaded prize.txt is another PowerShell script, which in turn downloads the PE executable that is the infostealer payload.

Sample Set 2

A few days later, they updated the PowerShell script and base64-encoded the string to hide another PowerShell script.
When decoded, this script is responsible for downloading another file, GqHQWNMv.txt.

GqHQWNMv.txt

The downloaded GqHQWNMv.txt is another PowerShell script. It is similar to prize.txt in Sample Set 1, but instead of downloading the PE executable payload, the payload is now embedded in the script as a base64-encoded string ($rFbgJhKI).

Sample Set 3

This variant uses mshta.exe, a living-off-the-land binary (LOLBin), to run a remote HTA file. The HTA file contains embedded scripts that execute to reach the next stage of the payload.

s7.mp4

The file is an HTA file disguised with an .mp4 extension. It is padded with junk code that inflates the file size to about 706 KB, even though the malicious code is only a few lines long. The next stage sits at the start of the file, between offsets 27 and 9399. The decoder walks that region in three-character groups, keeping the first two characters of each group and skipping the third. Each kept pair is a hex byte, which is converted to its ASCII character; the resulting string is executed with eval().

The string passed to eval() is itself still encoded: it is an array of numbers. 759 is subtracted from each number and the result is converted to its ASCII character, and the characters are concatenated to form the decoded string. That decoded string, stored in the variable LFjuo, is the next stage and is executed with the WScript.Shell Run method.

Still within s7.mp4, the string in LFjuo is a PowerShell command line carrying an encoded script. Decoding it reveals that it downloads another payload, s7.bin.

s7.bin

The s7.bin file is quite large, over 9 MB. For this file we focus on the large data blob in $dsAHg78dAS.
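The two-layer decoding of s7.mp4 described above, implemented in Python as an added example (this is not code from the Varist write-up). Only the decoding rules come from the text: three-character groups with the third character skipped, hex pairs converted to ASCII, then an integer array with 759 subtracted from each element. The HTA blob, the junk character and the final command in the sample are constructed for the example; the start offset 27 is the real file's, but the constructed blob is shorter than the real one, so its end offset is computed rather than 9399.

```python
"""Decoder for the s7.mp4 HTA obfuscation (added example, constructed sample data)."""
import re

SHIFT = 759          # constant subtracted from every number in layer 2 (from the write-up)
REGION_START = 27    # start offset of the encoded region in the real s7.mp4
JUNK = "z"           # constructed: the skipped third character of each 3-char group


def layer1_hex_pairs(blob: str, start: int, end: int) -> str:
    """Layer 1: take blob[start:end], keep chars 0 and 1 of every 3-char group
    (skipping the third), and turn each kept pair (a hex byte) into a character."""
    region = blob[start:end]
    pairs = [region[i:i + 2] for i in range(0, len(region) - 1, 3)]
    return bytes(int(p, 16) for p in pairs).decode("latin-1")


def layer2_shifted_array(js: str, shift: int = SHIFT) -> str:
    """Layer 2: find the numeric array in the layer-1 output and map each
    element n to chr(n - shift); the concatenation is the next stage (LFjuo)."""
    m = re.search(r"\[([\d,\s]+)\]", js)
    if m is None:
        raise ValueError("layer-1 output contains no numeric array")
    nums = (int(x) for x in m.group(1).split(","))
    return "".join(chr(n - shift) for n in nums)


def decode_hta(blob: str, start: int, end: int) -> str:
    """Run both layers and return the command that WScript.Shell.Run would receive."""
    return layer2_shifted_array(layer1_hex_pairs(blob, start, end))


def build_sample(final_cmd: str) -> tuple:
    """Constructed sample: apply the two layers in reverse so the decoder has
    something to work on offline. final_cmd must be ASCII."""
    nums = ",".join(str(ord(c) + SHIFT) for c in final_cmd)
    layer1 = f"var LFjuo=[{nums}];"                       # what eval() sees
    region = "".join(f"{ord(c):02x}{JUNK}" for c in layer1)
    header = "<!-- " + "#" * (REGION_START - 5)           # 27 bytes of filler
    blob = header + region + "/* junk padding */" * 3     # junk tail like the real file
    return blob, REGION_START, REGION_START + len(region)


if __name__ == "__main__":
    blob, start, end = build_sample("cmd /c echo constructed-stage")
    print(decode_hta(blob, start, end))
```

On the real file, replace the constructed blob with the HTA's text and pass 27 and 9399 as the offsets; the second layer then yields the PowerShell command line that downloads s7.bin.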
That data is fed into a decryption function called fdsjnh. It converts $dsAHg78dAS into a string and concatenates it, base64-decodes the result and decrypts it with XOR. Finally, the resulting string is executed as a ScriptBlock.

The first part of the decrypted script, not shown in the code below, is the Amsi-Bypass-Powershell code. It patches CLR.DLL in memory to bypass AMSI. What remains to check is the content of $a, which we can assume is a .NET assembly; dumping it reveals the PE executable payload.

The third sample set shows that the threat actors employ numerous layers of obfuscation and encryption, and use several different files along the way before finally executing the PE executable payload.

Infostealer Payload

Since the third sample set is the most common in our campaign monitoring, we use its payload to discuss the infostealer.

Initial stage

Instead of running the assembly-loading code in the final script, we can modify it to extract the infostealer payload for further analysis. With the PE executable payload in hand, we can examine some details of the file. According to Detect It Easy, the file is protected by SmartAssembly.

Figure 3.0 Detect It Easy information on the infostealer initial stage

There are many ways to analyze this .NET file; for this example we use dnSpy to understand what it does. Below is some metadata produced by the tool. We can confirm the version of SmartAssembly used and the original filename, "Ocolwhfse.exe".

Figure 3.1 dnSpy information on the infostealer initial stage

It loads a module named Wivgvpcp.dll, which is the second-stage payload.
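Both the $rFbgJhKI string in Sample Set 2 and the $a assembly in Sample Set 3 end up as a base64-encoded PE inside a PowerShell script. Rather than letting the script load the bytes, an analyst can carve them out statically. The following is an added example (not code from the Varist write-up): it scans a script for long base64 literals assigned to variables, decodes each one and keeps only those that carry a valid MZ/PE header. The sample script is constructed, with a minimal synthetic PE stub standing in for the real payload; the variable name $rFbgJhKI is the one quoted in the write-up.

```python
"""Carve base64-embedded PE payloads from a PowerShell dropper (added example)."""
from __future__ import annotations

import base64
import re
import struct

# $name = '<base64>'  with at least 64 base64 characters (short literals are config, not PEs)
B64_ASSIGNMENT = re.compile(r"""\$(\w+)\s*=\s*['"]([A-Za-z0-9+/=]{64,})['"]""")


def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def carve_pe_blobs(script: str) -> list:
    """Return (variable name, decoded bytes) for every base64 literal that decodes to a PE."""
    found = []
    for m in B64_ASSIGNMENT.finditer(script):
        var, b64 = m.group(1), m.group(2)
        try:
            data = base64.b64decode(b64, validate=True)
        except ValueError:          # binascii.Error is a ValueError: not really base64
            continue
        if looks_like_pe(data):
            found.append((var, data))
    return found


def minimal_pe_stub() -> bytes:
    """Constructed stand-in for the payload: 64-byte DOS header + 'PE\\0\\0' + padding."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> right after the DOS header
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20


# Constructed dropper text mimicking the layout described for GqHQWNMv.txt.
SAMPLE_SCRIPT = (
    "$rFbgJhKI = '" + base64.b64encode(minimal_pe_stub()).decode() + "'\n"
    "$notAPe = '" + base64.b64encode(b"A" * 70).decode() + "'\n"
    "[System.Reflection.Assembly]::Load([Convert]::FromBase64String($rFbgJhKI))\n"
)

if __name__ == "__main__":
    for name, blob in carve_pe_blobs(SAMPLE_SCRIPT):
        out = f"carved_{name}.bin"
        with open(out, "wb") as fh:
            fh.write(blob)
        print(f"${name}: {len(blob)} bytes -> {out}")
```

The regex only catches a PE stored as one literal; droppers that split the string across several concatenated variables, or that XOR it as in s7.bin, need the decoding step from the script reproduced first and the result fed to looks_like_pe.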
This module is encrypted with the RC2 cipher. The key, base64-encoded as "0wOxVYRD3wATV3MwWq5gbA==" (16 bytes once decoded), and the IV, "6r/PacCkWiY=" (8 bytes, RC2's block size), are decoded at runtime. The module is then executed via InvokeMethod with "l3v52Pkjv" as the parameter.

Figure 3.2 The code that tries to load the module Wivgvpcp.dll

2nd stage

The module file is protected by .NET Reactor. Tools such as de4dot can be used to try to remove some of its protection.

Figure 4.0 Detect It Easy information on the infostealer 2nd stage

Continuing the analysis with dnSpy, we found code that appears to decrypt another file. The file is encrypted with AES, using a base64-encoded key, ykArXXWpRAnkDsyaF3S1iYVT5/z9w3bJdSj5FI+XNCA= (32 bytes once decoded, i.e. AES-256), and IV, lONCjOrG+Ob6r6IKiYgYuQ== (16 bytes). Both are decoded at runtime.

Figure 4.1 The code that decrypts the final stage of the payload

Final Stage Payload - Lumma Infostealer

The decrypted file is the final payload, a copy of the Lumma infostealer. It uses base64 encoding and XOR to decrypt its domain configuration. Each domain entry consists of an XOR key and an encrypted domain string: once base64-decoded, the first 32 bytes of the entry are the XOR key and the remaining bytes are the encrypted domain.
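The domain-configuration scheme just described, as an added Python example (not code from the Varist write-up or from Lumma): base64-decode each entry, split off the 32-byte XOR key, and XOR the rest to recover the domain. The config entries in the sample are constructed from the domains the write-up lists, using keys derived from a fixed string so the example runs offline; the assumption that the key repeats cyclically for a domain longer than 32 bytes is the example's, not something the write-up states.

```python
"""Decode Lumma-style domain config entries: base64 -> 32-byte XOR key || XOR'd domain."""
import base64
import hashlib

KEY_LEN = 32   # from the write-up: the first 32 decoded bytes are the XOR key


def decode_domain_entry(entry_b64: str) -> str:
    """Return the plaintext domain for one base64 config entry."""
    raw = base64.b64decode(entry_b64)
    if len(raw) <= KEY_LEN:
        raise ValueError("entry shorter than a 32-byte key plus at least one domain byte")
    key, enc = raw[:KEY_LEN], raw[KEY_LEN:]
    # Assumption: the key is reused cyclically if the domain exceeds 32 bytes.
    plain = bytes(c ^ key[i % KEY_LEN] for i, c in enumerate(enc))
    return plain.decode("ascii")


def decode_domain_config(entries) -> list:
    """Decode every entry of a config array in order."""
    return [decode_domain_entry(e) for e in entries]


def defang(domain: str) -> str:
    """Render a domain the way the write-up's IOC list does (dots bracketed)."""
    return domain.replace(".", "[.]")


# --- constructed sample config -------------------------------------------------
def encode_domain_entry(domain: str, key: bytes) -> str:
    """Inverse of decode_domain_entry, used only to build the sample below."""
    enc = bytes(c ^ key[i % KEY_LEN] for i, c in enumerate(domain.encode("ascii")))
    return base64.b64encode(key + enc).decode("ascii")


SAMPLE_DOMAINS = [
    "magnifudizy.cyou", "littlenotii.biz", "grandiouseziu.biz", "fraggielek.biz",
    "nuttyshopr.biz", "spookycappy.biz", "marketlumpe.biz", "truculengisau.biz",
    "punishzement.biz",
]
# Constructed keys: 32 bytes each, derived deterministically so the sample is reproducible.
SAMPLE_KEYS = [hashlib.sha256(f"constructed-key-{i}".encode()).digest()
               for i in range(len(SAMPLE_DOMAINS))]
SAMPLE_CONFIG = [encode_domain_entry(d, k) for d, k in zip(SAMPLE_DOMAINS, SAMPLE_KEYS)]

if __name__ == "__main__":
    for entry in SAMPLE_CONFIG:
        print(defang(decode_domain_entry(entry)))
```

On a real sample, SAMPLE_CONFIG would be replaced by the base64 strings pulled from the decrypted final stage; entries that fail the length check or do not decode to ASCII are a sign the key size or encoding differs from the variant described here.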
magnifudizy[.]cyou
littlenotii[.]biz
grandiouseziu[.]biz
fraggielek[.]biz
nuttyshopr[.]biz
spookycappy[.]biz
marketlumpe[.]biz
truculengisau[.]biz
punishzement[.]biz

Indicators of Compromise

Hash                                                              Description          Varist Detection
45ba7edf16b56e5a25cf4ba630881b50abf93cab440752ac70ee69ccace8d2b1  prize.txt            PSH/Downldr.CR
d3e0e401f5c55b3e9ea0b1c276b3bf2aca21f620013307361c41d5e1d5e2ba7c  prize.zip            W32/Dropper.BJVU
1512fd62b84ebbb1620c4446d616f1333c564c18154089ead89e065c43313ac5  Infostealer Payload  W32/Lumma.B
d354bd95269c424918c411ef8e7c8dd2323ef7422cc1099959ac2a56b81494b3  Fake Captcha         HTML/FakeCha.A
f8278fe32a0916f85bd703aa8975d4e559466ee96a188f68bd2a2816fdbb18a8  GqHQWNMv.txt         PSH/Dropper.E
b9068030cedbf08f1149951ad6afdde5025383e3d27e212eec23f363dde51     Infostealer Payload  W32/Shellcoderunner.A
54e5e13f536bcf11e6e5dd676bc42bcb9888344609bcaff19f78e0bf0e869bc5  Fake Captcha         HTML/FakeCha.A
f8eebdc2f4e317694a7a8a25312f3f6b0c76dd26707d23a123cc202216beabdc  s7.mp4               JS/Agent.CTL!Eldorado
97bf1b333cc37d639b76b861c9a89c86ee5eb7a36a32610c933ba35c2a6dc871  s7.bin               PSH/Agent.SO
3febdc4aeae8dc999c500c567b7af4ae3502ed5ccc830d604c1f3f3006131ba6  Infostealer Payload  W32/Lumma.C
b4668c8aea80800f518cb231ec22932d67b3b0cd75687bd7a2d8ae8d1e41634b  Wivgvpcp.dll         W32/MSIL_Agent.JCI.gen!Eld
f7f5ac812f22722da577fd2017b12747ea6e9cd9600e24a56b5c242bc8aecb77  Infostealer Payload  W32/Stealer.HJ.gen!Eldorado

Source: https://www.varist.com/blogs-news/malvertisements-fake-captchas