FlagThis

Attackers are exploiting user familiarity with CAPTCHAs to distribute the Lumma Stealer RAT (Remote Access Trojan) via malicious PowerShell commands, according to recent findings. These campaigns involve tricking users into running PowerShell commands that ultimately install the Lumma Stealer. Attackers direct potential victims to attacker-controlled sites and prompt them to complete fake authentication challenges. These challenges often involve directing potential victims to malicious websites where they are prompted to complete verification steps, but instead of a CAPTCHA, it instructs them to press Windows + R and run a PowerShell command—under the false pretense of running “Windows Defender.”

These attacks leverage weaponized CAPTCHAs, with users being directed to malicious websites where they are prompted to complete verification steps. Upon completing these steps, users inadvertently copy and run PowerShell scripts that download and install malware, such as the Lumma Stealer. This allows the attackers to steal sensitive data like cryptocurrency wallets. The exploitation involves fake Cloudflare verification prompts, which lead users to execute malicious PowerShell commands to install the LummaStealer Trojan through infected WordPress sites, posing a significant threat.

ImgSrc: assets.infosecu

References :

• gbhackers.com: Attackers Leverage Weaponized CAPTCHAs to Execute PowerShell and Deploy Malware
• securityonline.info: Fake Cloudflare Verification Prompts Deliver LummaStealer Trojan Through Infected WordPress Sites
• : Attackers Use Fake CAPTCHAs to Deploy Lumma Stealer RAT
• www.cisecurity.org: Active Lumma Stealer Campaign Impacting U.S. SLTTs

Classification:

• HashTags: #LummaStealer #RAT #Malware
• Company: HP
• Target: Users
• Product: Cloudflare
• Feature: CAPTCHA
• Malware: Lumma Stealer
• Type: Malware
• Severity: High