{
	"id": "ae219cc1-addc-4077-836d-495a8f9e35e0",
	"created_at": "2026-04-06T00:06:49.519438Z",
	"updated_at": "2026-04-10T03:21:26.470151Z",
	"deleted_at": null,
	"sha1_hash": "a3a1caac2bf0902dbb73955ccfef9b91dc9e51f4",
	"title": "Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA",
	"llm_title": "",
	"authors": "Vishwajeet Kumar",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4988525,
	"plain_text": "Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA\r\nBy Vishwajeet Kumar\r\nPublished: 2024-10-21 · Archived: 2026-04-05 14:08:48 UTC\r\nSummary\r\nLumma Stealer is an information-stealing malware sold through a Malware-as-a-Service (MaaS) model. It specializes in stealing sensitive data such as passwords, browser data and cryptocurrency wallet details. Its operators have advanced their tactics, moving from traditional phishing to fake CAPTCHA verification pages and abusing legitimate Windows binaries to deliver Lumma Stealer. These deceptive delivery methods make Lumma Stealer a persistent threat.\r\nFigure 1: Lumma Stealer Execution Chain\r\nThreat actors frequently host phishing sites on a range of providers, often behind Content Delivery Networks (CDNs). These sites either use exploits or trick users into executing the payload themselves. The Qualys Threat Research Unit (TRU) has been monitoring an active Lumma Stealer campaign. Recently, we came across fake CAPTCHA pages used to trick users into executing the payload. The campaign uses multi-stage fileless techniques to deliver its final payload, which makes the threat both deceptive and persistent.\r\nWe investigated the entire attack chain, from initial infection to data exfiltration. We used Qualys EDR to show how it can protect against such threats, and we provide threat detection and hunting queries that analysts can add to their playbooks.\r\nCampaign Analysis\r\nWe speculate that users are redirected to these fake CAPTCHA sites by threat actors abusing legitimate software or public-facing applications. When the user clicks the ‘I’m not a robot’ button, verification steps are presented. 
Completing these steps triggers the execution of a PowerShell command that downloads an initial stager (malware downloader) onto the target machine.\r\nhttps://blog.qualys.com/vulnerabilities-threat-research/2024/10/20/unmasking-lumma-stealer-analyzing-deceptive-tactics-with-fake-captcha\r\nPage 1 of 10\n\nFigure 2: Captcha Click and Verification\r\nThe webpage code reveals an embedded payload: a function called ‘verify’ holds a Base64-encoded PowerShell command that is copied to the clipboard when the verification button is pressed. The verification steps then walk the user through pasting and running it, so the user, not an exploit, launches the command.\r\nFigure 3: Clicked Response Script\r\nFigure 4: Decoded Content\r\nMshta.exe is a signed Windows binary for running HTML Applications (HTA) and the scripts embedded in them. When it is given a URL, it fetches the remote content, stores it in the INetCache directory and executes it. The downloaded file ‘2ndhsoru’ is a modified copy of the Windows tool Dialer.exe: a valid PE file with a script appended in its overlay (the data after the last section). We dumped the overlay and extracted the script, which is obfuscated JavaScript (Figure 7). This is a polyglot technique: valid HTA content is embedded inside a file of another type, and mshta still runs it because it looks for script content in the file rather than validating the container format. The script’s entry point is an eval call that executes the decoded JavaScript (Figure 8).\r\nFigure 5: Overlay Section of PE\r\nFigure 6: Start of Script in Overlay Section\r\nFigure 7: JS Script in Overlay Section\r\nFigure 8: Mshta Executes the JS Script\r\nThe obfuscated JS script unpacks a PowerShell script. This PowerShell script contains an AES-encrypted payload and a routine that decrypts it in CBC mode with a hardcoded key, so the key is recoverable directly from the script. It also uses simple arithmetic obfuscation techniques. 
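Before moving on to the PowerShell stage, here is how the overlay carving described above can be reproduced. This is an added example, not code from Qualys or from the original post: it builds a small constructed PE image in memory (not the real 2ndhsoru sample) with HTA-style script text appended after the last section, then walks the DOS, COFF and section headers to find where the last section’s raw data ends on disk; everything after that point is the overlay. The sample overlay text and the looks_like_hta heuristic are assumptions for illustration.

```python
import struct

PE_SIG = b'PE' + bytes(2)          # the 4-byte PE signature: PE followed by two NUL bytes

def build_sample_pe(overlay, section_size=0x200, raw_ptr=0x200):
    # Constructed minimal PE32 image (not the real 2ndhsoru sample): DOS header,
    # PE signature, COFF header, a zeroed optional header, one section whose raw
    # data is zero-filled, and then whatever the caller appends as the overlay.
    e_lfanew = 0x40
    dos = b'MZ' + bytes(0x3A) + struct.pack('<I', e_lfanew)      # e_lfanew lives at 0x3C
    opt = bytes(0xE0)                                            # PE32 optional header size
    coff = struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = struct.pack('<8sIIIIIIHHI', b'.text', section_size, 0x1000,
                       section_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + PE_SIG + coff + opt + sect
    assert len(headers) <= raw_ptr
    body = bytes(raw_ptr - len(headers)) + bytes(section_size)
    return headers + body + overlay

def overlay_offset(data):
    # The overlay starts where the last section's raw data ends on disk:
    # max(PointerToRawData + SizeOfRawData) over the section table.
    if data[:2] != b'MZ':
        raise ValueError('missing MZ signature')
    (e_lfanew,) = struct.unpack_from('<I', data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError('missing PE signature')
    coff = e_lfanew + 4
    (nsections,) = struct.unpack_from('<H', data, coff + 2)      # NumberOfSections
    (opt_size,) = struct.unpack_from('<H', data, coff + 16)      # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    end = table + 40 * nsections                                 # never before the section table ends
    for i in range(nsections):
        # Section header: SizeOfRawData at +16, PointerToRawData at +20
        raw_size, raw_ptr = struct.unpack_from('<II', data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))

def carve_overlay(data):
    return data[overlay_offset(data):]

def looks_like_hta(blob):
    # Assumed heuristic: mshta polyglots carry HTML script tags or an eval() trigger.
    low = blob.lower()
    return b'<script' in low or b'eval(' in low

# Constructed overlay standing in for the obfuscated JScript found in 2ndhsoru.
SAMPLE_OVERLAY = (b'<html><head><script language=JScript>'
                  b'eval(String.fromCharCode(118,97,114,32,120,61,49))'
                  b'</script></head></html>')
SAMPLE_PE = build_sample_pe(SAMPLE_OVERLAY)

if __name__ == '__main__':
    off = overlay_offset(SAMPLE_PE)
    blob = carve_overlay(SAMPLE_PE)
    print('overlay at 0x%x, %d bytes, hta-like=%s' % (off, len(blob), looks_like_hta(blob)))
```

On a real sample, read the file into bytes and pass it to carve_overlay; the section-table walk is the same one tools such as pefile use, so the result should match what the analysts dumped in Figure 5.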
We normalized the variable and function names in the PS script, which shows how it downloads and executes the payload (Figure 10).\r\nFigure 9: Encrypted PS Script\r\nFigure 10: Decrypted and Normalized PS Script\r\nThe final PS script downloads ‘K1.zip’ and ‘K2.zip’ into a temporary directory, extracts them and executes “VectirFree.exe” (Lumma Stealer), as shown in Figure 10. K1.zip holds the DLLs listed in the IOC table and K2.zip holds VectirFree.exe (Figure 11).\r\nFigure 11: Dropped Archive files K1 and K2\r\nVectirFree.exe uses process hollowing, a common evasion technique: it starts the legitimate program “BitLockerToGo.exe” and replaces its in-memory image with the malicious payload, so the stealer runs under the name of a legitimate Windows binary (Figures 12 and 13).\r\nFigure 12: Process Hollowing API Calls\r\nFigure 13: Vectirfree.exe doing Process Hollowing\r\nThe hollowed BitLockerToGo process then drops files into the temp directory, and 72RC2SM21DDZ2OAH3P30V1XPT5AE7YN.exe copies “Killing.bat” and “Voyuer.pif” into the same directory. Killing.bat is obfuscated; once de-obfuscated, it uses tasklist and findstr to check for antivirus processes such as wrsa.exe (Webroot), opssvc.exe (Quick Heal) and bdservicehost.exe (Bitdefender), among others (Figures 14 and 15).\r\nFigure 14: Obfuscated code of Killing.bat\r\nFigure 15: De-obfuscated code of Killing.bat\r\nFigure 16: Injected Process Tree\r\nThe malware then searches various directories on the compromised system for files that may hold cryptocurrency wallet data or passwords. 
It looks for file names matching patterns that suggest confidential content, such as *seed*.txt, *pass*.txt, *.kbdx, *ledger*.txt, *trezor*.txt, *metamask*.txt, bitcoin*.txt, *word* and *wallet*.txt (wallet seed phrases and password notes).\r\nFigure 17: Collecting Passwords and Wallets\r\nFigure 18: Collecting Browser Logs and Credentials Data\r\nAfter infecting a system, Lumma Stealer exfiltrates the stolen data to its command and control (C2) servers. It attempts to reach a list of C2 domains under the “.shop” top-level domain (TLD); at the time of writing these servers were unreachable. As noted earlier, the threat actors use a CDN for payload delivery and separate C2 servers for exfiltration. In this case the delivery infrastructure sat behind Cloudflare, and the observed Cloudflare addresses are included in the Indicators of Compromise (IoC). Because those addresses belong to Cloudflare’s shared edge, treat them as context for hunting rather than as block-list entries.\r\nFigure 19: C2 Communication\r\nHow Qualys EDR Protects\r\nPreventing the Threat\r\nThe moment PowerShell attempts to execute the malicious command on an endpoint, Qualys EDR identifies the fileless attack at the pre-execution stage and terminates the PowerShell instance. This breaks the chain at its first step and prevents any further payload from being downloaded. Early prevention is crucial to protecting against sensitive data leakage and exfiltration.\r\nFigure 20: Terminated Suspicious PowerShell Instance\r\nDetection and Hunting\r\nLumma Stealer was executed and analyzed in the Qualys research environment with the EDR set to detect-only mode.\r\nQualys EDR’s AMSI feature (Windows Antimalware Scan Interface) lets us view the de-obfuscated content of scripts as they execute, even when the command line only carries an encoded blob. Let’s search for the encoded payload executed by PowerShell. 
We can see that the argument contains a Base64-encoded payload, and the “Script Content” field reveals the corresponding de-obfuscated details.\r\nFigure 21: Decoded Content from EDR\r\nSince mshta.exe is the process that contacts the delivery server for the next stage, we can filter events on it and see the downloaded file (Figures 22 and 23).\r\nFigure 22: Dropped Malicious File\r\nFigure 23: Dropped Malicious File\r\nExploring that event in the process tree shows mshta.exe executing the PS script payload after downloading it from the C2.\r\nFigure 24: Dropped Archive Detected as Lumma\r\nFigure 25: Process Tree of Dropped Files\r\nFiltering events with “parent.name:Voyuer.pif”, we see that Voyuer.pif (a renamed AutoIt interpreter, AutoIt.exe) drops “QuantumLink.scr” and “a” (a copy of c.a3x, a compiled AutoIt script).\r\nFigure 26: Operation Performed by Voyuer.pif\r\nHere are the Qualys hunting queries that allow you to investigate the threat.\r\nDescription | Query\r\nPowerShell executes embedded code | process.name:\"powershell.exe\" and process.arguments: [\"-e\", \"-ec\", \"-enc\", \"-enco\", \"encodedCommand\"]\r\nPE file created by process (mshta) | process.parentname: mshta.exe and action: created and file.type: PE\r\nFile created by PowerShell and detected by EPP | parent.name:\"powershell.exe\" and type: file and event.scoresource: \"Anti-malware\"\r\nObfuscation technique performed by PowerShell | mitre.attack.technique.id: T1027 and process.name:powershell.exe\r\nNote that the first query only matches the switch spellings it lists; PowerShell also accepts other prefixes of -EncodedCommand (for example -en or -encodedc) and the / switch prefix, so widen the list or match on the decoded script content exposed through AMSI.\r\nConclusion\r\nThe investigation into Lumma Stealer reveals an evolving threat characterized by the malware’s ability to adapt and evade detection. It employs a variety of tactics, from leveraging legitimate software to deceptive delivery methods, making it a persistent challenge for security teams. Our analysis of its infection chain showed how the fileless stages abuse common tools such as PowerShell and mshta.exe, and the central role of embedded payloads and process injection in its operation.\r\nQualys EDR demonstrates value in detecting and responding to such threats. As Figure 27 shows, early prevention can stop this attack chain before it has any impact on an organization.\r\nFigure 27: Threat Chain from EDR\r\nMITRE ATT\u0026CK Techniques\r\nOperation | Techniques\r\nFake CAPTCHA verification | T1566: Phishing\r\nExecuted the initial PS code | T1204: User Execution; T1059.001: Command and Scripting Interpreter: PowerShell\r\nDownloaded the payload using mshta, which carried the script in its overlay | T1218.005: System Binary Proxy Execution: Mshta; T1027.009: Obfuscated Files or Information: Embedded Payloads\r\nExecuted the encrypted payload using powershell.exe | T1059.001: Command and Scripting Interpreter: PowerShell; T1027.013: Obfuscated Files or Information: Encrypted/Encoded File\r\nPowerShell downloaded and executed Lumma Stealer | T1059.001: Command and Scripting Interpreter: PowerShell\r\nLumma injected its malicious payload into BitLockerToGo | T1055.012: Process Injection: Process Hollowing\r\nInformation collection | T1217: Browser Information Discovery; T1083: File and Directory Discovery\r\nInjected process executed the Killing.bat script | T1059.003: Command and Scripting Interpreter: Windows Command Shell\r\nBatch script discovers processes and starts AutoIt | T1057: Process Discovery\r\nAutoIt executes the script | T1059.010: Command and Scripting Interpreter: AutoIT\r\nExfiltration | T1041: Exfiltration Over C2 Channel\r\nIOCs\r\nC2 Domains\r\nfutureddospzmvq[.]shop\r\nwriterospzm[.]shop\r\nmennyudosirso[.]shop\r\ndeallerospfosu[.]shop\r\nquialitsuzoxm[.]shop\r\ncomplaintsipzzx[.]shop\r\nbassizcellskz[.]shop\r\nlanguagedscie[.]shop\r\ncelebratioopz[.]shop\r\nFiles (the SHA256 values are reproduced as printed in the source, where they are truncated to fewer than 64 hex characters; obtain full hashes from the original post before loading them into a block list)\r\nFile Name | Type | Hash (SHA256, truncated)\r\n2ndhsoru | PE32 | 7d6ee310f1cd4512d140c94a95f0db4e76a7171c6a65f5c483e7f8a08\r\nK1.zip | Zip | ca5c90bb87d4cb3e008cf85c2af5ef8b198546586b6b3c50cd00d3e02\r\nK2.zip | Zip | 7fbbbfb9a886e43756b705317d3dff3bc0b1698007512d4c42d9df9c9\r\nWMSPDMOD.DLL | DLL | 44fe887d10886aa8bbe8232fee270c21992aba9db959f58ebaea348af\r\nWMSPDMOE.DLL | DLL | 2e56b42cf272f55cb3c8ed67245babb70b995d5b86863017fc846a68\r\nWmsStatusTab.Resources.dll | DLL | 92f31b07a70b98bd4f9e24e94acf10f7ac83cb2b642ca41c8bde147c9\r\nWMVCORE.DLL | DLL | 04beac6c1d6023442f94eebe4cdcec11bc47e0a89ec38ba2eb0584d74\r\nWMVDECOD.DLL | DLL | 1cb6b6b1f0889771b740a22f119688e427be00de41e5a9440b2a8594\r\nWMVENCOD.DLL | DLL | 3f4d33bc3402326c72db9ff484cccb929df458ca44b389ce1c505a3f2\r\nVectirFree.exe | PE64 | 7514d84ca507562a346896ff48a57d1d475f3cfed16e5e6abefd33a97\r\nInjected Payload | PE32 | 867a63971c9e09e9f941d839d7ed328a4cdfea2fe985488e7d96bc0b3\r\n72RC2SM21DDZ2OAH3P30V1XPT5AE7YN.exe | PE64 | 08f30ece5f7e77a69e58a970b3684c2a0eba1aa203ac97836dad32fc1\r\nVoyuer.pif (AutoIt.exe) | PE32 | d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa08233\r\nKilling.bat (Obfuscated) | BAT | 432a473f21a57610df93773a79ae94365d6c2b6aa1555123bfdd658a\r\nIPs\r\nIP | Usage Type\r\n172.67.209.145 | Cloudflare CDN\r\n104.21.77.155 | Cloudflare CDN\r\nContributors\r\nAlisha Kadam, Senior Threat Research Engineer, Threat Research, Qualys\r\nSource: https://blog.qualys.com/vulnerabilities-threat-research/2024/10/20/unmasking-lumma-stealer-analyzing-deceptive-tactics-with-fake-captcha",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://blog.qualys.com/vulnerabilities-threat-research/2024/10/20/unmasking-lumma-stealer-analyzing-deceptive-tactics-with-fake-captcha"
	],
	"report_names": [
		"unmasking-lumma-stealer-analyzing-deceptive-tactics-with-fake-captcha"
	],
	"threat_actors": [],
	"ts_created_at": 1775434009,
	"ts_updated_at": 1775791286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a3a1caac2bf0902dbb73955ccfef9b91dc9e51f4.pdf",
		"text": "https://archive.orkl.eu/a3a1caac2bf0902dbb73955ccfef9b91dc9e51f4.txt",
		"img": "https://archive.orkl.eu/a3a1caac2bf0902dbb73955ccfef9b91dc9e51f4.jpg"
	}
}