Lumma Stealer Malware Being Spread to Windows Devices via Fake Human Verification Pages, CloudSEK Says

These fake human verification pages instruct users to run hidden commands to enable the downloading of the malware.

Advertisement
Written by Akash Dutta, Edited by Siddharth Suvarna | Updated: 19 September 2024 17:13 IST
Highlights
  • Content Delivery Networks (CDNs) are being used to trick users
  • Lumma Stealer is an information-stealing malware
  • Researchers have found many phishing websites distributing the malware
Lumma Stealer Malware Being Spread to Windows Devices via Fake Human Verification Pages, CloudSEK Says

So far Lumma Stealer is the only malware known to be using this method

Photo Credit: Pexels/Sora Shimazaki

Lumma Stealer, a recently identified information-stealing malware, is being distributed to users via fake human verification pages. According to researchers at the cybersecurity firm CloudSEK, the malware is targeting Windows devices and is designed to steal sensitive information from the infected device. Concerningly, researchers have discovered multiple phishing websites which are deploying these fake verification pages to trick users into downloading the malware. CloudSEK researchers have warned organisations to implement endpoint protection solutions and to train employees and users about this new social engineering tactic.

Lumma Stealer Malware Being Distributed Using New Phishing Technique

According to the CloudSEK report, multiple active websites were found to be spreading the Lumma Stealer malware. The technique was first discovered by Unit42 at Palo Alto Networks, a cybersecurity firm, but the scope of the distribution chain is now believed to be much larger than previously assumed.

The attackers have set up various malicious websites and have added a fake human verification system, resembling the Google Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) page. However, unlike the regular CAPTCHA page where users have to check a few boxes or perform similar pattern-based tasks to prove they are not a bot, the fake pages instruct the user to run some unusual commands.

In one instance, the researchers spotted a fake verification page asking users to execute a PowerShell script. PowerShell scripts contain a series of commands that can be executed in the Run dialog box. In this case, the commands were found to fetch the content from the a.txt file hosted on a remote server. This prompted a file to be downloaded and extracted on the Windows system, infecting it with Lumma Stealer.

Advertisement

The report also listed the malicious URLs which were spotted distributing the malware to unsuspecting users. However, this is not the full list and there might be more such websites carrying out the attack.

  • hxxps[://]heroic-genie-2b372e[.]netlify[.]app/please-verify-z[.]html
  • hxxps[://]fipydslaongos[.]b-cdn[.]net/please-verify-z[.]html
  • hxxps[://]sdkjhfdskjnck[.]s3[.]amazonaws[.]com/human-verify-system[.]html
  • hxxps[://]verifyhuman476[.]b-cdn[.]net/human-verify-system[.]html
  • hxxps[://]pub-9c4ec7f3f95c448b85e464d2b533aac1[.]r2[.]dev/human-verify-system[.]html
  • hxxps[://]verifyhuman476[.]b-cdn[.]net/human-verify-system[.]html
  • hxxps[://]newvideozones[.]click/veri[.]html
  • hxxps[://]ch3[.]dlvideosfre[.]click/human-verify-system[.]html
  • hxxps[://]newvideozones[.]click/veri[.]html
  • hxxps[://]ofsetvideofre[.]click

The researchers also observed that content delivery networks (CDNs) were being used to spread these fake verification pages. Further, the attackers were spotted using base64 encoding and clipboard manipulation to evade demonstration. It is also possible to distribute other malware using the same technique, although such instances have not been seen so far.

Advertisement

Since the modus operandi of the attack is based on phishing techniques, no security patch can prevent devices from getting infected. However, there are some steps users and organisations can take to safeguard against the Lumma stealer malware.

As per the report, users and employees should be made aware of this phishing tactic to help them not fall for it. Additionally, organisations should implement and maintain reliable endpoint protection solutions to detect and block PowerShell-based attacks. Further, regularly updating and patching systems to reduce the vulnerabilities that Lumma Stealer malware can exploit should also help.

 

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Advertisement
Popular Mobile Brands
  1. Realme GT 7 Series: Launch Date, Expected Price in India and More
  2. Lava Bold N1, Lava Bold N1 Pro India Pricing, Specifications Teased
  3. Vivo X200 FE Reportedly Listed on BIS, IMDA Websites Ahead of Launch
  4. Vijay Sales Apple Days Sale Brings Discounts on These iPhone, Mac Models
  5. iQOO Neo 10: From Display, Camera to Battery, Eveything We Know About It
  6. Noise Buds F1 With Up to 50-Hour Playback Time Debuts at This Price Tag
  7. Honor Pad 10 With Snapdragon 7 Gen 3 SoC, 10,100mAh Battery Launched
  1. Xiaomi Surpasses Apple to Lead Wearables Market in Q1 2025 With 19 Percent Market Share: Canalys
  2. Vivo X200 FE Reportedly Listed on BIS, IMDA Certification Websites Ahead of Anticipated Launch in India
  3. Oracle Said to Buy $40 Billion of Nvidia Chips for OpenAI's US Data Center
  4. Trump Threatens 25 Percent Tariffs on Apple If iPhones Not Made in US
  5. iPhone 16 Pro Max, iPhone 15, MacBook Air (M4) and More Get Discounts During Vijay Sales Apple Days Sale
  6. Anthropic CEO Dario Amodei Says AI Models Hallucinate Less Than Humans: Report
  7. UK Government Updates Crypto Reporting Guidelines, Mandates Collection of Crypto Transaction Data
  8. Acer Swift Neo WIth Intel Core Ultra 5, Up to 32GB RAM Launched in India: Price, Specifications
  9. Elden Ring Film Adaptation in the Works at A24 With Alex Garland Set to Direct
  10. Noise Buds F1 TWS Earbuds With IPX5 Rating, Up to 50-Hour Total Playback Time Launched in India
Gadgets 360 is available in
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2025. All rights reserved.