Beware of Fake CAPTCHA Prompts That May Silently Install LummaStealer on Your Device

Cybersecurity researchers at G DATA have uncovered a sophisticated malware campaign that uses fake CAPTCHA prompts to deliver LummaStealer, a dangerous information-stealing malware. This emerging threat, first discovered in January 2025, represents a new distribution approach for LummaStealer, which previously spread primarily through channels such as GitHub or Telegram.

The attack specifically targets users of booking websites by presenting fake booking confirmation pages that require CAPTCHA verification to view document details. The infection begins when victims visit malicious URLs such as “hxxps://payment-confirmation.82736[.]store/pgg46”, which redirects to a fake booking confirmation page. The page displays a blurred document that appears to come from legitimate services like booking.com or hrs.com, creating a convincing illusion. What makes this attack particularly deceptive is the use of HTTPS in the URL, which many users associate with security, potentially lowering their guard. Before allowing access to the supposed booking details, the page presents a fake CAPTCHA verification that employs a social engineering technique known as ClickFix.

Unlike legitimate CAPTCHAs, which typically require selecting images, this malicious version instructs users to open the Windows Run dialog and paste a command that has already been copied to their clipboard. When examining the page source, researchers discovered obfuscated JavaScript that loads a command from a PHP script hosted on another URL. That script is obfuscated with ROT13 to hide its true purpose: copying a Base64-encoded PowerShell command to the victim’s clipboard. Once executed via the Run dialog, the encoded command contacts the attacker’s server and initiates a web request that downloads a secondary PowerShell script, which in turn fetches and executes the actual LummaStealer payload. The Infection Chain Flow diagram shows how the attack progresses from the initial visit to a fake booking page through to the final malware installation.

The malware samples observed in this campaign are notably larger than previous versions (growing from 3MB to 9MB), using binary padding to evade detection by exceeding the size limits of security tools. Researchers also note that the samples employ Indirect Control Flow obfuscation, which complicates analysis by calculating target addresses dynamically at runtime rather than using direct jumps or calls.

The global scope of the campaign appears to be expanding: G DATA notes that the initial campaigns targeted travel to Palawan, Philippines, before shifting to hotels in Munich, Germany, which suggests the threat actors are pursuing victims worldwide.

Security experts recommend exercising extreme caution when visiting booking confirmation links, especially those received through unexpected emails. Maintaining updated security software remains essential, as this LummaStealer campaign continues to evolve with new techniques to bypass detection. Never execute commands from websites claiming to be CAPTCHA verifications; legitimate CAPTCHAs never require running system commands.
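As an added analysis aid, not part of the article or of G DATA's research, the following Python helper recovers a command hidden behind the ROT13 and Base64 layers the article describes and flags page source that both writes to the clipboard and carries such a command. The sample page it builds is constructed for this example and embeds a harmless Write-Host in place of the real payload.

```python
import base64
import codecs
import re

# Base64 runs long enough to hold an encoded command; short tokens are ignored.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Strings a ClickFix-style page needs to put text on the clipboard.
CLIPBOARD_HINTS = ("clipboard", "execCommand", "copy")


def decode_powershell_b64(token: str):
    """Decode a Base64 token as an -EncodedCommand payload (UTF-16LE), else UTF-8."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    for enc in ("utf-16le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        # Real commands are printable ASCII; rotated or random bytes are not.
        if text.isascii() and text.isprintable():
            return text
    return None


def recover_hidden_commands(page_source: str) -> list:
    """Return commands found in Base64 tokens, scanning the source as-is and
    ROT13-rotated (ROT13 is its own inverse, so one rotation strips that layer)."""
    found = []
    for layer in (page_source, codecs.encode(page_source, "rot_13")):
        for m in B64_TOKEN.finditer(layer):
            text = decode_powershell_b64(m.group(0))
            if text and text not in found:
                found.append(text)
    return found


def looks_like_clickfix(page_source: str) -> bool:
    """Flag pages that touch the clipboard and carry a hidden command."""
    layers = (page_source + codecs.encode(page_source, "rot_13")).lower()
    touches_clipboard = any(h.lower() in layers for h in CLIPBOARD_HINTS)
    return touches_clipboard and bool(recover_hidden_commands(page_source))


def build_sample_page() -> str:
    """Constructed sample in the campaign's style: ROT13 around JavaScript that
    copies a Base64 PowerShell command; the command is a harmless Write-Host."""
    ps = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16le")).decode()
    js = f"navigator.clipboard.writeText('powershell -EncodedCommand {ps}');"
    return "eval(rot13('" + codecs.encode(js, "rot_13") + "'));"
```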

This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 07 Mar 2025 14:00:12 +0000
