Hackers Exploit Fake Captchas to Distribute Lumma Stealer Malware

By admin, Aug. 20, 2025

Bad actors are using fake Captcha prompts to distribute fileless Lumma Stealer malware, according to research from cybersecurity firm DNSFilter.

First detected on a Greek banking website, the prompt asks Windows users to copy and paste it into the Run dialog box and then press Enter.

DNSFilter reports that the firm’s clients interacted with the fake Captcha 23 times over the course of three days, and that 17% of the people who encountered the prompt completed its on-screen steps, resulting in the attempted delivery of malware.
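For defenders, the Run dialog step described above leaves a per-user history in the registry (the RunMRU key). The following is an added example, not code from the article or from DNSFilter: it triages exported RunMRU values with assumed heuristics, and the sample entries, the domain and the scoring threshold are constructed for illustration.

```python
import re

# Run dialog history is stored per user under
#   HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
# Each value is named a, b, c, ... and holds the typed command followed by "\1";
# the MRUList value gives the order, newest first.

# Assumed heuristics (not taken from the article).
INTERPRETER = re.compile(r"\b(powershell|pwsh|mshta|cmd|wscript|cscript|curl|bitsadmin)(\.exe)?\b", re.I)
REMOTE = re.compile(r"https?://|\\\\[\w.-]+\\", re.I)
HIDDEN = re.compile(r"-w\w*\s+h\w*|-e\w*\s+[A-Za-z0-9+/=]{20,}", re.I)
LURE = re.compile(r"captcha|not a robot|verif", re.I)

def ordered_entries(values):
    """Return Run dialog commands newest-first, without the trailing \\1 marker."""
    order = [n for n in values.get("MRUList", "") if n in values]
    if not order:  # MRUList missing or damaged: fall back to value names
        order = sorted(k for k in values if k != "MRUList")
    return [v[:-2] if v.endswith("\\1") else v for v in (values[n] for n in order)]

def score(command):
    """List the reasons a single Run dialog entry looks like a pasted lure command."""
    checks = [
        (INTERPRETER, "script-capable interpreter"),
        (REMOTE, "remote location"),
        (HIDDEN, "hidden window or encoded argument"),
        (LURE, "lure text"),
    ]
    return [reason for pattern, reason in checks if pattern.search(command)]

def triage(values, threshold=2):
    """Return (command, reasons) for entries matching at least `threshold` heuristics."""
    hits = []
    for command in ordered_entries(values):
        reasons = score(command)
        if len(reasons) >= threshold:
            hits.append((command, reasons))
    return hits

# Constructed sample: two ordinary entries and one lure-style entry whose
# payload is replaced by a placeholder token.
SAMPLE = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": "powershell -w hidden [placeholder] https://lure.example.invalid/x # I am not a robot\\1",
}

if __name__ == "__main__":
    for command, reasons in triage(SAMPLE):
        print(f"SUSPICIOUS: {command}\n  reasons: {', '.join(reasons)}")
```

A single matching heuristic, such as the UNC path in the sample, stays below the threshold, which keeps ordinary Run dialog use out of the results.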

What is Lumma Stealer?

DNSFilter’s Global Partner Evangelist, Mikey Pruitt, explained that Lumma Stealer is a form of malware that searches an infected device for credentials and other sensitive data.

“Lumma Stealer immediately sweeps the system for anything it can monetize—browser-stored passwords and cookies, saved 2FA tokens, cryptocurrency wallet data, remote-access credentials, and even password-manager vaults,” he told Decrypt.

Pruitt clarified that the bad actors use lifted data for a variety of purposes that all usually boil down to monetary gain, such as ID theft and accessing “online accounts for financial theft or fraudulent transactions,” as well as gaining access to cryptocurrency wallets.

Lumma Stealer has a wide reach, according to Pruitt, and can be found on a wide variety of websites.

“While we can’t speak to how much might have been lost through this one avenue, this threat can exist on non-malicious sites,” he explained. “This makes it incredibly dangerous and important to be aware of when things seem suspicious.”

Malware-as-a-Service

Lumma Stealer is not only malware, but an example of Malware-as-a-Service (MaaS), which security firms have reported is responsible for a rise in malware attacks in recent years.

According to ESET malware analyst Jakub Tomanek, the operators behind Lumma Stealer develop its features and refine its ability to evade malware detection, while also registering domains to host the malware.

He told Decrypt, “Their primary goal is to keep the service operational and profitable, collecting monthly subscription fees from affiliates—effectively running Lumma Stealer as a sustainable cybercriminal business.”

Because it spares cybercriminals the need to develop malware and any underlying infrastructure, MaaS such as Lumma Stealer has proven stubbornly popular.

In May, the U.S. Department of Justice seized five internet domains that bad actors were using to operate Lumma Stealer malware, while Microsoft privately took down 2,300 similar domains.

Yet reports have revealed that Lumma Stealer has reemerged since May, with a July analysis from Trend Micro showing that “the number of targeted accounts steadily returned to their usual levels” between June and July.

Malware’s global reach

Part of the appeal of Lumma Stealer is that subscriptions, which are often monthly, are inexpensive relative to the potential gains to be made.

“Available on dark web forums for as little as $250, this sophisticated information stealer specifically targets what matters most to cybercriminals – cryptocurrency wallets, browser-stored credentials, and two-factor authentication systems,” said Nathaniel Jones, the VP of Security & AI Strategy at Darktrace.

Jones told Decrypt that the scale of Lumma Stealer exploits has been “alarming,” with 2023 witnessing estimated losses of $36.5 million, as well as 400,000 Windows devices infected in the space of two months.

“But the real concern isn’t just the numbers – it’s the multi-layered monetisation strategy,” he said. “Lumma doesn’t just steal data, it systematically harvests browser histories, system information, and even AnyDesk configuration files before exfiltrating everything to Russian-controlled command centres.”

Heightening the threat of Lumma Stealer is the fact that stolen data is often fed directly into “traffer teams,” which specialize in the theft and resale of credentials.

“This creates a devastating cascade effect where a single infection can lead to bank account hijacking, cryptocurrency theft, and identity fraud that persists long after the initial breach,” added Jones.

While Darktrace suggested a Russian origin or center for Lumma-related exploits, DNSFilter noted that the bad actors making use of the malware service could be operating from multiple territories.

“It is common for such malicious activities to involve individuals or groups from multiple countries,” Pruitt said, adding that this is especially prevalent “with the use of international hosting providers and malware distribution platforms.”
