Fake CAPTCHA Attacks: New Entry Point for Emerge LummaStealer

By Sarah Simpson, February 12, 2026

A notorious information-stealing malware, LummaStealer, has launched a significant comeback following a major law enforcement disruption in 2025.

This resurgence is characterized by a shift in distribution tactics, moving away from traditional exploit kits towards aggressive social engineering campaigns.

Cybercriminals are now leveraging “ClickFix” techniques, which present users with fake CAPTCHA verification pages.

These deceptive prompts trick victims into unwittingly executing malicious commands on their systems, effectively bypassing standard security warnings and protocols.

The malware’s delivery infrastructure has also evolved, becoming more resilient and harder to detect. Instead of relying solely on direct downloads, the new campaigns utilize a sophisticated loader known as CastleLoader.

This intermediate stage is designed to evade antivirus detection by executing malicious code directly in the computer’s memory.

By avoiding the creation of files on the hard drive during its initial phase, the attack minimizes the digital footprint left behind, complicating forensic analysis and mitigation efforts.

Bitdefender analysts identified this renewed activity and highlighted the critical role CastleLoader plays in the infection chain.

Their research indicates that the loader is not just a delivery vehicle but a complex tool equipped with extensive obfuscation and anti-analysis features.

Typical killchain (Source - Bitdefender)

The malware targets Windows systems to harvest sensitive data, including browser credentials, session cookies, cryptocurrency wallets, and two-factor authentication tokens.

This stolen information is then exploited globally for account takeovers, financial fraud, and identity theft.

Technical Analysis of CastleLoader

CastleLoader serves as the stealthy bridge between the initial infection and the deployment of the LummaStealer payload.

The loader is delivered as a compiled AutoIt script, a legitimate automation tool abused by attackers to mask their code.

CastleLoader-driven execution chain (Source - Bitdefender)

Upon execution, the script employs heavy obfuscation to hide its true purpose, replacing variable names with random words and inserting “dead code”. This makes it difficult for automated security tools to analyze the file’s intent.

Before retrieving the final payload, CastleLoader performs a series of environment checks to ensure it is running on a real victim’s machine rather than a security researcher’s isolated sandbox.

It inspects the system for specific computer names or usernames often used in test environments.

If it detects virtualization software like VMware or VirtualBox, it terminates its process to avoid exposure.

Geographical distribution (Source - Bitdefender)

A distinctive trait of this loader is that it issues a DNS lookup for a nonexistent domain, which fails; that failed lookup is a stable artifact defenders can use to spot the infection in DNS logs.

Once the environment is deemed safe, the malware establishes persistence by copying itself to the local application data folder and creating a startup shortcut, ensuring it runs automatically.

To stay safe, users should be wary of web pages asking for manual verification steps like copying and pasting code. Avoiding pirated software and keeping security solutions updated remains the most effective defense against these evolving threats.
