{
	"id": "eb426cb8-2f7c-429b-839e-986d3df4db80",
	"created_at": "2026-04-06T00:19:48.430136Z",
	"updated_at": "2026-04-10T03:21:08.524326Z",
	"deleted_at": null,
	"sha1_hash": "a9797ebea255a9543b1419f31c13d64868f61756",
	"title": "Lumma Stealer - A tale that starts with a fake Captcha - Vital Digital Forensics",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9554165,
	"plain_text": "Lumma Stealer - A tale that starts with a fake Captcha - Vital Digital Forensics\r\nBy admin\r\nPublished: 2025-03-14 · Archived: 2026-04-05 13:19:32 UTC\r\nV4ensics has observed multiple malware campaigns which start with a fake Captcha page. The victim reaches this page either by following a spear-phishing link or, as seen recently on multiple occasions, through a seemingly benign advertisement / popup on a site hosting pirated content (movies and TV series).\r\nIn the case analyzed in the present article, v4ensics was called to investigate a user who visited a popular site hosting pirated movies and TV series. The user was bombarded with multiple popups presenting seemingly benign advertisements. One of these advertisements constituted the first stage of a Lumma Stealer campaign which, inadvertently to the user, proceeds through multiple stages: it starts with the simple advertisement and can end with the victim being infected by one of the most notorious infostealers in the wild, Lumma Stealer, unless something goes wrong in the process (e.g. a security solution blocks one of the campaign stages, making it impossible for the final campaign payload to be executed). While visiting the \"original\" site (in the examined case, the site with the pirated content) the victim is directed to another page (hxxps://gubanompostra[.]fly[.]storage[.]tigris[.]dev/emogaping-gotten-into-gubano.html), which consists of a fake captcha verification box. The page asks the intended victim to perform specific actions, which end with the victim running a malicious command through a Windows OS run.exe prompt, supposedly so that the victim is verified as human.\r\nhttps://v4ensics.gr/lumma-stealer-a-tale-that-starts-with-a-fake-captcha/\r\nPage 1 of 23\n\nThe command, which is initially copied to the victim's clipboard, is a PowerShell command that uses Windows Common Information Model (CIM) to spawn a malicious mshta.exe process. The latter is used to parse and execute the code of an .hta file (Windows HTML Application) located at hxxps[://]iankaxo[.]xyz/mikona-guba[.]m4a. The file mikona-guba.mp4, which is in fact a malicious .hta file, is highly obfuscated. The file begins with an alphanumeric string, followed by seemingly “junk” bytes. A part of the alphanumeric string is displayed in the first of the following two images, while a portion of the seemingly “junk” bytes is depicted in the second image.\r\nAnalyzing the seemingly \"junk\" bytes, a couple of \u003cscript\u003e tags were identified. Some of them contained invalid code (see below). However, 4 of these \u003cscript\u003e tags were correctly structured and, when combined, they provide the algorithm for decrypting the next stage payload.\r\nThe code depicted above takes the HTML code of the page from indices 27 to 29295 (which correspond to the characters of the alphanumeric string mentioned above and depicted partially in image 3), applies the regular expression /(..)./g to the obtained characters, and then returns the string built from the hexadecimal numbers that matched the regular expression. The returned string is again an obfuscated JavaScript code snippet. This time a function (fitWP) takes as argument an array of decimal numbers and is used to decrypt the next stage by subtracting the number 814 from each number. The two variables which get \"decrypted\" in this way are named YqIKx and RUYP. RUYP decrypts to \"WScript.Shell\" and is used to create an ActiveXObject that will execute the decrypted payload residing in YqIKx. This payload is an obfuscated PowerShell command.\r\nImage 8: Contents of the obfuscated PowerShell command\r\nThe PowerShell command performs AES-CBC-128 decryption. The key for decryption is obtained by converting the hexadecimal string \"747174685470416C6C4C4D6E52767748\" into the ASCII string \"tqthTpAllLMnRvwH\". The IV corresponds to sixteen null bytes. The decrypted payload is depicted below.\r\nThe decrypted payload is PowerShell code which creates a WebClient object and uses the function DownloadString with the URL hxxps[://]mapped01[.]sportsspot-moviebuffs[.]com/gubaa01[.]png to download the next stage of the malicious campaign. After downloading the file gubaa01.png, the command \"Invoke-Expression\" is used to execute the payload.\r\nThe gubaa01.png file is of course not an image file, but an obfuscated PowerShell script. The script consists of (a) an initial part of obfuscated PowerShell code whose main purpose is the construction of an XOR key and the deactivation of AMSI communication, and (b) a second part which converts a byte array to a base64 string, decodes it and uses the generated XOR key to decrypt the next stage.\r\nThe first part of the script consists of thousands of lines.\r\nThe function responsible for decrypting the next stage is depicted below.\r\nThe XOR key is stored in the variable $kWWdZHmACOtYIyNpcRcHGQOmyvOGTxFgFyNnpNvaDrmPwvPH.\r\nBefore the key obtains its value, the malicious PowerShell disables the AMSI communication with the antimalware product running on the PC by setting the amsiInitFailed variable to $true, a technique explained in an article by MDSec.\r\nThe payload used to that end (post deobfuscation) is depicted below.\r\nSubsequently, in order to verify that the AMSI bypass executed successfully (AMSI communication was disabled), the function System.Management.Automation.AmsiUtils.ScanContent is used on the payload \"Invoke-Mimikatz\". \"Invoke-Mimikatz\" usually triggers the signatures of antimalware products, resulting in detection of malicious content. The return value expected by the malicious payload is AMSI_RESULT_NOT_DETECTED, which denotes that AMSI has been successfully bypassed. This value is passed to the key variable $kWWdZHmACOtYIyNpcRcHGQOmyvOGTxFgFyNnpNvaDrmPwvPH to be used for XOR-ing the payload of the next stage.\r\nThe full code which is used to obtain the key (post deobfuscation) is depicted below.\r\nFinally, with the last part of code contained in the PowerShell script, the next stage is executed.\r\nThis command corresponds, post deobfuscation, to the command depicted below.\r\nIf the AMSI bypass result is not the expected one, then the next stage will not be decrypted correctly and the malware pipeline will crash.\r\nThe next stage uses an AMSI bypass script which patches CLR.dll, a technique explained in a relevant article. The AMSI bypass script is the same as the one found in a public GitHub repository.\r\nFollowing the AMSI bypass payload, the malware to be loaded is assigned to a variable in base64 encoding. This malware is a .NET dropper which is decoded and then invoked.\r\nUpon loading the dropper into ILSpy, two things can be observed:\r\n1. The name of the assembly is Stddetwi\r\n2. The executable is obfuscated by the software SmartAssembly (version 8.2.0.5183)\r\nA less obfuscated version of the assembly can be obtained by using the deobfuscator/unpacker de4dot. After examining the decompiled code, a single function stands out.\r\nThe actions performed at this stage are downloading a file from the internet and then decrypting it using AES-CBC-256. The key, IV and URL are obtained from the resources of the assembly. The process of loading the resources, however, is still obfuscated by SmartAssembly.\r\nAs the decompilation was not very enlightening in finding the required values, the original assembly was loaded into a hex editor. Searching for strings led to the discovery of some interesting base64 encoded values. The strings (at least the printable ones) decode to the values listed in the table below.\r\nAmong the strings, 3 in particular stand out.\r\nThe dropper accesses a mediafire link to download the main malware and decrypts it via the AES key and IV listed in the table above.\r\nThe decrypted malware constitutes once more a .NET assembly, packed with .NET Reactor (as deemed by Detect-it-Easy).\r\nAn overview of the executable is provided in the following image, taken directly from ILSpy.\r\nThe malware contains some encrypted executables in its resources that are decrypted at runtime. It uses more sophisticated techniques than the previous stages.\r\nUsing .NET Reactor Slayer, a more readable version of the malware can be obtained. The following screenshot is taken directly from dnSpy, which was opted for at this point because it supports dynamic analysis and debugging of the executable (assembly).\r\nReverse engineering the partially deobfuscated program allowed a greater understanding of its functionalities. The executable contains the main payloads and configurations in its resources in encrypted form. It uses multiple methods to decrypt and load the resources. These include the use of the Costura library and the AssemblyResolve and ResourceResolve callbacks.\r\nThe first resource, namely \"BgL59yXUnWjxEyq3ut.MCbJbP2lE2ALpeSgJi\", is decrypted into the assembly \"0b273fb4-1d7e-4bfa-b8d2-dabc722e4286\". Afterwards, the resource \"uAcug\" of the obtained assembly is decrypted into the executable \"pcElkpeiJJPd\" (whose assembly name is \"res\").\r\nThe latter contains a resource called \"KLKx\" which is decrypted and provides some strings used by the .NET executable. These strings include entries related to:\r\n· Anti-sandbox techniques, like cuckoomon.dll, VMware|VIRTUAL|A M I|Xen, select * from Win32_ComputerSystem, select * from Win32_BIOS%;, SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion, Software\\Microsoft\\Windows\\CurrentVersion\\Run, which could possibly be used by the malware to fingerprint the machine it is running on in order to detect a possible sandbox environment.\r\n· Anti-debugging techniques, like CheckRemoteDebuggerPresent, which corresponds to a function related to debugger detection.\r\n· AMSI tampering, like AmApdxiasiApdxiaScaApdxianBuApdxiaffeApdxiar and aApdxiamsApdxiai.dApdxiallApdxia, which are obfuscated by inclusion of the string “Apdxia” in some positions. When this string is removed, the strings are deobfuscated into AmsiScanBuffer and amsi.dll respectively, which could possibly be used in AMSI disabling procedures.\r\n· Windows Defender bypass, like Add-MpPreference -ExclusionProcess, which is used to exclude files opened by a process from scanning via Windows Defender.\r\n· WScript.Shell object, like CreateObject(\"WScript.Shell\").Run, which is used for running an application or command.\r\n· Tampering with the IP address of the system, like /c ipconfig /release and /c ipconfig /renew, which are used to release and renew the IP address of the system respectively.\r\nThe decrypted strings are listed in the table below.\r\nTwo base64 strings that could possibly correspond to the key and IV of the AES algorithm are also present in the previous table.\r\nUpon decryption, the first 4 bytes of the decrypted stream are dropped and the remaining ones are GZip decompressed. The decompressed payload is identified as a PE x86 executable which is in fact the actual Lumma Stealer C2 binary.\r\nIn order to discover which domains the LummaC2 executable contacts, the binary was loaded into x64dbg.\r\nThe Lumma Stealer build is not crypted, as evident from the warning message displayed:\r\nThe analyzed version of Lumma Stealer utilizes ws2_32.dll and winhttp.dll in order to communicate with the URLs listed in the table below.\r\nThe domains listed in the previous image were obtained via a software breakpoint placed at the beginning of the function WinHttpConnect of winhttp.dll, in order to intercept LummaC2 connection attempts.\r\nFive additional URLs were found by performing a ROT15 decryption operation on the current and previous usernames of the steamcommunity account accessed by LummaC2 via the URL hxxps[://]steamcommunity[.]com/profiles/76561199822375128.\r\nThe obtained URLs are depicted in the image below.\r\nIOCs\r\nA list of files dropped and websites/domains accessed by the analyzed Lumma Stealer campaign is provided in the following two tables.\r\nSource: https://v4ensics.gr/lumma-stealer-a-tale-that-starts-with-a-fake-captcha/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://v4ensics.gr/lumma-stealer-a-tale-that-starts-with-a-fake-captcha/"
	],
	"report_names": [
		"lumma-stealer-a-tale-that-starts-with-a-fake-captcha"
	],
	"threat_actors": [],
	"ts_created_at": 1775434788,
	"ts_updated_at": 1775791268,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a9797ebea255a9543b1419f31c13d64868f61756.pdf",
		"text": "https://archive.orkl.eu/a9797ebea255a9543b1419f31c13d64868f61756.txt",
		"img": "https://archive.orkl.eu/a9797ebea255a9543b1419f31c13d64868f61756.jpg"
	}
}