EddieJayonCrypto

 18 Aug 25

tl;dr

Bad actors have exploited fake Captcha prompts to distribute the fileless Lumma Stealer malware, which targets Windows users by tricking them into running malicious commands. Lumma Stealer collects sensitive data such as browser passwords, cookies, two-factor authentication tokens, cryptocurrency wa...

Bad actors have been exploiting fake Captcha prompts to distribute the fileless Lumma Stealer malware, according to cybersecurity firm DNSFilter. This deceptive prompt first appeared on a Greek banking website, urging Windows users to copy and paste a command into the Run dialog box and press Enter. Across three days, DNSFilter documented 23 client interactions with this fake prompt, with 17% of users following the on-screen instructions and triggering malware delivery attempts.
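Because the prompt depends on the victim typing a command into the Run dialog, one place a Windows administrator can look for evidence is the Run dialog history that Windows keeps per user in the RunMRU registry key. The script below is an added example, not code from the article or from DNSFilter; the indicator patterns are assumptions based on common living-off-the-land launchers, not anything the article lists.

```powershell
# Added example: audit the Run dialog history (RunMRU) for commands that look like
# a pasted fake-Captcha payload. Windows stores each Run entry as a string value
# under HKCU\...\Explorer\RunMRU, with the text followed by a trailing "\1".
$RunMruPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

# Assumed indicators (not from the article): launchers a defender would flag.
$SuspiciousPatterns = @(
    'mshta(\.exe)?\s+https?://',                    # remote HTA launched from the Run box
    'powershell.*(-enc\b|-e\s|-encodedcommand)',    # base64-encoded PowerShell
    'powershell.*-w(indowstyle)?\s+hidden',         # hidden window
    '(iwr|invoke-webrequest|curl|wget).*\|\s*iex',  # download-and-execute one-liner
    'iex\s*\(',                                     # Invoke-Expression wrapper
    'cmd(\.exe)?\s+/c\s+.*https?://'                # cmd wrapper fetching a URL
)

function Get-SuspiciousRunHistory {
    [CmdletBinding()]
    param([string]$Path = $RunMruPath)

    if (-not (Test-Path $Path)) { return @() }
    $key = Get-ItemProperty -Path $Path
    $skip = 'MRUList', 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    foreach ($prop in $key.PSObject.Properties) {
        if ($prop.Name -in $skip) { continue }              # ordering value and PS metadata
        $cmd = ([string]$prop.Value) -replace '\\1$', ''    # strip the trailing "\1" marker
        foreach ($pat in $SuspiciousPatterns) {
            if ($cmd -imatch $pat) {
                [pscustomobject]@{ Entry = $prop.Name; Command = $cmd; Matched = $pat }
                break
            }
        }
    }
}

Get-SuspiciousRunHistory | Format-Table -AutoSize

# Mitigation for accounts that never need the Run box: the Explorer NoRun policy
# removes it. Uncomment to apply for the current user.
# New-Item -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Force | Out-Null
# Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name NoRun -Value 1 -Type DWord
```

Run it in the context of the affected user (or point -Path at that user's loaded hive under HKU:); an empty result only means no history entry matched, not that the machine is clean.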

Lumma Stealer is a sophisticated malware designed to scour infected devices for valuable credentials and sensitive data. DNSFilter’s Mikey Pruitt highlights that the malware targets browser-stored passwords, cookies, saved two-factor authentication tokens, cryptocurrency wallets, remote-access credentials, and password-manager vaults. The stolen data primarily facilitates monetary crimes such as identity theft, unauthorized financial transactions, and crypto wallet breaches. Lumma Stealer’s presence across various legitimate websites increases its danger, as unsuspecting users may encounter it in non-malicious contexts.

This malware operates under a Malware-as-a-Service (MaaS) model, where its creators continuously refine it, evade detection, and manage domains for hosting. ESET analyst Jakub Tomanek explains that the operators monetize Lumma Stealer by charging monthly subscription fees to affiliates, running it like a cybercriminal enterprise. Despite law enforcement actions in May, including domain seizures by the U.S. Department of Justice and Microsoft’s takedown of thousands of domains, Lumma Stealer has resurfaced, with its targeted accounts rebounding to typical levels by July.

Lumma Stealer’s broad appeal stems from its affordability and significant rewards. Available on dark web forums for around $250 per month, it specifically zeroes in on prized cybercriminal targets like cryptocurrency wallets and two-factor authentication systems. Nathaniel Jones of Darktrace reports alarming statistics for 2023: losses totaling $36.5 million and over 400,000 Windows devices infected within just two months. The malware does more than steal data—it collects browser histories, system details, and remote-access configurations, funneling everything to command centers controlled from Russia.

The threat escalates as stolen data feeds “traffer teams,” specialized groups that steal and resell credentials, causing a ripple effect of bank account takeovers, identity fraud, and cryptocurrency theft extending long beyond the initial attack. While Darktrace ties Lumma’s activities to Russian-linked operations, DNSFilter emphasizes the likelihood of international involvement, noting that perpetrators often span multiple countries through the use of global hosting and malware distribution networks.

Disclaimer

The opinions expressed by the writers at Grow My Bag are their own and do not reflect the official stance of Grow My Bag. The content provided on our site is not intended as investment advice, and Grow My Bag is not an investment advisor. We do not endorse buying or selling any cryptocurrencies or digital assets mentioned in our articles. High-risk investments in Bitcoin, cryptocurrencies, and digital assets require thorough due diligence, and all transfers and trades made are at your own risk. Grow My Bag is not responsible for any potential losses and participates in affiliate marketing.