A sophisticated malware campaign is using fake CAPTCHA verification pages to distribute Lumma Stealer, an advanced information-stealing malware that has gained significant traction in underground markets since its 2022 debut. Victims typically encounter these fake verification pages through two primary channels: cloned pirated-media websites with injected malicious advertisements, and fraudulent Telegram channels masquerading as cryptocurrency or pirated-content communities.

The sinister mechanism activates when users click the page's verification button, which covertly copies a malicious PowerShell command to their clipboard. This command downloads a Base64-encoded PowerShell script that initiates the Lumma Stealer infection chain. The chain includes obfuscated code executed through Microsoft’s HTML Application engine (mshta.exe), which ultimately downloads and executes the Lumma payload.

Upon execution, the malware downloads a ZIP file, typically to %AppData%\Roaming\, extracts its contents to a hidden folder, and establishes persistence by creating a registry entry under HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The malware also performs anti-analysis checks, scanning for security products like Avast, AVG, McAfee, and Bitdefender before deploying its payload.

Organizations should implement robust endpoint protection solutions and user awareness training to mitigate the risk posed by this increasingly prevalent threat, as even corporate environments have fallen victim to Lumma Stealer infections that may serve as entry points for more devastating attacks like ransomware.

Kaaviya is a Security Editor and fellow reporter with Cyber Security News.
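The chain described above leaves three telemetry artifacts a defender can hunt for: mshta.exe launched with a remote URL, an encoded PowerShell command spawned by mshta.exe, and a Run-key value pointing into %AppData%\Roaming\. The following detection logic is an added example written for this page, not code from the article or from any vendor; the event field names and the sample process-creation and registry events it runs over are constructed to resemble typical EDR/Sysmon telemetry and are not real indicators from the campaign.

```python
"""Detection logic for the fake-CAPTCHA -> mshta.exe -> PowerShell -> Run-key chain.
Added example, not from the original article. Field names and the sample
events below are assumptions modelled on common endpoint telemetry."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "process" or "registry"
    image: str = ""      # process image name (process events)
    parent: str = ""     # parent process image name (process events)
    cmdline: str = ""    # full command line (process events)
    key: str = ""        # registry key path (registry events)
    data: str = ""       # registry value data (registry events)


# mshta.exe given a remote URL instead of a local .hta file
URL_RE = re.compile(r"https?://", re.I)
# PowerShell -e / -enc / -EncodedCommand, or inline Base64 decoding
ENC_RE = re.compile(r"(?:^|\s)-e(?:nc|ncodedcommand)?\b|FromBase64String", re.I)
# the persistence location named in the article
RUN_KEY_RE = re.compile(r"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", re.I)
# payload dropped under the roaming profile, as the article describes
APPDATA_RE = re.compile(r"\\AppData\\Roaming\\", re.I)
# script hosts and shells that rarely belong in a user's Run key
LOLBIN_RE = re.compile(r"(mshta|powershell|pwsh|cmd|wscript|cscript)\.exe", re.I)


def classify(ev: Event) -> list[str]:
    """Return the names of every detection that fires for one event."""
    hits = []
    if ev.kind == "process":
        img = ev.image.lower()
        if img == "mshta.exe" and URL_RE.search(ev.cmdline):
            hits.append("mshta_remote_hta")
        if img in ("powershell.exe", "pwsh.exe"):
            if ENC_RE.search(ev.cmdline):
                hits.append("powershell_encoded")
            if ev.parent.lower() == "mshta.exe":
                hits.append("powershell_child_of_mshta")
    elif ev.kind == "registry" and RUN_KEY_RE.search(ev.key):
        if APPDATA_RE.search(ev.data) or LOLBIN_RE.search(ev.data):
            hits.append("run_key_appdata_or_lolbin")
    return hits


def scan(events: list[Event]) -> dict[int, list[str]]:
    """Map the index of each alerting event to the detections it triggered."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}


# Constructed sample telemetry (hostnames, paths and Base64 are placeholders).
SAMPLE_EVENTS = [
    Event("process", image="mshta.exe", parent="explorer.exe",
          cmdline="mshta.exe https://example.invalid/verify.hta"),
    Event("process", image="powershell.exe", parent="mshta.exe",
          cmdline="powershell.exe -w hidden -enc SQBFAFgA"),
    Event("registry",
          key=r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
          data=r"C:\Users\alice\AppData\Roaming\.sys\svc.exe"),
    # benign: signed admin script run from explorer, no encoding
    Event("process", image="powershell.exe", parent="explorer.exe",
          cmdline=r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1"),
    # benign: vendor application registered for startup under Program Files
    Event("registry",
          key=r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
          data=r"C:\Program Files\Vendor\app.exe"),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(hits)}")
```

Each rule alone is noisy in a large estate (developers do run encoded PowerShell; some installers do register themselves in the user's Run key), so in practice these fire as a correlated sequence on one host within a short window: mshta with a URL, then an encoded PowerShell child, then a Run-key write into the roaming profile. The two benign events show why the parent-process and path conditions matter for keeping false positives down.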
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 22 Apr 2025 13:20:14 +0000