{
	"id": "a89ef79e-9cf7-471a-81b3-a33b359b19ee",
	"created_at": "2026-04-06T00:09:44.074934Z",
	"updated_at": "2026-04-10T03:23:51.048635Z",
	"deleted_at": null,
	"sha1_hash": "d37a362e571635c573d2daefbfdc9566d4db783a",
	"title": "Lumma/Amadey: fake CAPTCHAs want to know if you’re human",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1944239,
	"plain_text": "Lumma/Amadey: fake CAPTCHAs want to know if you’re human\r\nBy Vasily Kolesnikov\r\nPublished: 2024-10-29 · Archived: 2026-04-05 21:32:13 UTC\r\nAttackers are increasingly distributing malware through a rather unusual method: a fake CAPTCHA as the initial\r\ninfection vector. Researchers from various companies reported this campaign in August and September. The\r\nattackers, primarily targeting gamers, initially delivered the Lumma stealer to victims through websites hosting\r\ncracked games.\r\nOur recent research into the adware landscape revealed that this malicious CAPTCHA is spreading through a\r\nvariety of online resources that have nothing to do with games: adult sites, file-sharing services, betting platforms,\r\nanime resources, and web apps monetizing through traffic. This indicates an expansion of the distribution network\r\nto reach a broader victim pool. Moreover, we discovered that the CAPTCHA delivers not only Lumma but also\r\nthe Amadey Trojan.\r\nTo avoid falling for the attackers’ tricks, it’s important to understand how they and their distribution network\r\noperate. The ad network pushing pages with the malicious CAPTCHA also includes legitimate, non-malicious\r\noffers. It functions as follows: clicking anywhere on a page using the ad module redirects the user to other\r\nresources. Most redirects lead to websites promoting security software, ad blockers, and the like – standard\r\npractice for adware. However, in some cases, the victim lands on a page with the malicious CAPTCHA.\r\nExamples of sites redirecting the user to a CAPTCHA\r\nUnlike genuine CAPTCHAs designed to protect websites from bots, this imitation serves to promote shady\r\nresources. As with the previous stage, the victim doesn’t always encounter malware. 
For example, the CAPTCHA\r\non one of the pages prompts the visitor to scan a QR code leading to a betting site:\r\nhttps://securelist.com/fake-captcha-delivers-lumma-amadey/114312/\r\nPage 1 of 8\n\nCAPTCHA with QR code\r\nThe Trojans are distributed through CAPTCHAs with instructions. Clicking the “I’m not a robot” button copies\r\nthe line powershell.exe -eC bQBzAGgAdABhA\u003c…\u003eMAIgA= to the clipboard and displays so-called\r\n“verification steps”:\r\nPress Win + R (this opens the Run dialog box);\r\nPress CTRL + V (this pastes the line from the clipboard into the text field);\r\nPress Enter (this executes the code).\r\nCAPTCHA with instructions\r\nWe’ve also come across similar instructions in formats other than CAPTCHAs. For instance, the screenshot below\r\nshows an error message for a failed page load, styled like a Chrome message. The attackers attribute the problem\r\nto a “browser update error” and instruct the user to click the “Copy fix” button. Although the page design is\r\ndifferent, the infection scenario is identical to the CAPTCHA scheme.\r\nFake update error message\r\nThe line from the clipboard contains a Base64-encoded PowerShell command that accesses the URL specified\r\nthere and executes the page’s content. Inside this content is an obfuscated PowerShell script that ultimately\r\ndownloads the malicious payload.\r\nPayload: Lumma stealer\r\nInitially, the malicious PowerShell script downloaded and executed an archive with the Lumma stealer. In the\r\nscreenshot below, the stealer file is named 0Setup.exe:\r\nContents of the malicious archive\r\nAfter launching, 0Setup.exe runs the legitimate BitLockerToGo.exe utility, normally responsible for encrypting\r\nand viewing the contents of removable drives using BitLocker. 
This utility allows viewing, copying, and writing\r\nfiles, as well as modifying registry branches – functionality that the stealer exploits.\r\nArmed with BitLocker To Go, the attackers manipulate the registry, primarily to create the branches and keys that\r\nthe Trojan needs to operate:\r\nThat done, Lumma, again using the utility, searches the victim’s device for files associated with various\r\ncryptocurrency wallets and steals them:\r\nThen, the attackers view browser extensions related to wallets and cryptocurrencies and steal data from them:\r\nFollowing this, the Trojan attempts to steal cookies and other credentials stored in various browsers:\r\nFinally, the malware searches for password manager archives to steal their contents as well:\r\nThroughout the data collection process, the Trojan tries to use the same BitLocker To Go to send the stolen data to\r\nthe attackers’ server:\r\nOnce the malware has found and exfiltrated all valuable data, it starts visiting the pages of various online stores.\r\nThe purpose here is likely to generate further revenue for its operators by boosting views of these websites, similar\r\nto adware:\r\nPayload: Amadey Trojan\r\nWe recently discovered that the same campaign is now spreading the Amadey Trojan as well. Known since 2018,\r\nAmadey has been the subject of numerous security reports. In brief, the Trojan downloads several modules for\r\nstealing credentials from popular browsers and various Virtual Network Computing (VNC) systems. It also detects\r\ncrypto wallet addresses in the clipboard and substitutes them with those controlled by the attackers. One of the\r\nmodules can also take screenshots. 
In some scenarios, Amadey downloads the Remcos remote access tool to the\r\nvictim’s device, giving the attackers full access to it.\r\nSnippet of Amadey code used in this campaign\r\nStatistics\r\nFrom September 22 to October 14, 2024, over 140,000 users encountered ad scripts. Kaspersky’s telemetry data\r\nshows that out of these 140,000, over 20,000 users were redirected to infected sites, where some of them saw a\r\nfake update notification or a fake CAPTCHA. Users in Brazil, Spain, Italy, and Russia were most frequently\r\naffected.\r\nConclusion\r\nCybercriminals often infiltrate ad networks that are open to all comers. They purchase advertising slots that\r\nredirect users to malicious resources, employing various tricks to achieve infections. The above campaign is of\r\ninterest because (a) it leverages trust in CAPTCHA to get users to perform unsafe actions, and (b) one of the\r\nstealers makes use of the legitimate BitLocker To Go utility. The malware works to enrich its operators both by\r\nstealing victims’ credentials and crypto wallets, and by exploiting online stores that pay money for traffic to their\r\nwebsites.\r\nIndicators of compromise\r\ne3274bc41f121b918ebb66e2f0cbfe29\r\n525abe8da7ca32f163d93268c509a4c5\r\nee2ff2c8f49ca29fe18e8d18b76d4108\r\n824581f9f267165b7561388925f69d3a\r\nSource: https://securelist.com/fake-captcha-delivers-lumma-amadey/114312/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://securelist.com/fake-captcha-delivers-lumma-amadey/114312/"
	],
	"report_names": [
		"114312"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434184,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d37a362e571635c573d2daefbfdc9566d4db783a.pdf",
		"text": "https://archive.orkl.eu/d37a362e571635c573d2daefbfdc9566d4db783a.txt",
		"img": "https://archive.orkl.eu/d37a362e571635c573d2daefbfdc9566d4db783a.jpg"
	}
}