Fake CAPTCHAs spread Lumma Stealer malware via PowerShell
Attackers are taking advantage of people's familiarity with CAPTCHAs to spread a type of malware called Lumma Stealer. HP recently reported a rise in malicious campaigns where people are tricked into running harmful commands on their computers. In these campaigns, users visit fake websites controlled by the attackers. They are asked to complete various CAPTCHA-like challenges, which lead them to execute a PowerShell command. This command installs the Lumma Stealer remote access trojan on their devices.

Dr. Ian Pratt from HP said that as multi-step authentication becomes more common, users are more willing to click through several steps to verify their identity. This growing "click tolerance" highlights weaknesses in current cyber awareness training, he noted.

HP's report also found that 11% of email threats managed to bypass security filters. Executable files were the most common method used to deliver malware, followed by compressed archive files.

HP identified a second campaign where attackers spread another RAT named XenoRAT. This malware can capture audio and video from users' devices. Attackers use social engineering to make users enable macros in documents, allowing them greater control over their devices.

Additionally, attackers are using SVG image files to spread malicious JavaScript, which can evade traditional security measures. These images automatically render in web browsers, triggering code that can deploy various types of malware.

The report included data collected from HP Wolf Security customers between October and December 2024. The findings emphasize how cyber threats are evolving, urging organizations to improve their defenses to stay ahead of attackers.
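Because SVG is XML, the "active content" an attacker hides in an image file (script elements, event-handler attributes, javascript: links) is visible to a simple parser before a browser ever renders it. The script below is an added defender-side example, not code from HP or from the article: it walks an SVG document and reports anything that could execute. The two sample documents and the PLACEHOLDER_* strings inside them are constructed for the demonstration and carry no real payload.

```python
"""Flag SVG files that carry executable content (added detection example)."""
import xml.etree.ElementTree as ET

# Constructed sample: a plain drawing with no active content.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="blue"/>
</svg>"""

# Constructed sample: an SVG with a script element, an event handler and a
# javascript: link. The PLACEHOLDER_* names stand in for a payload; they do nothing.
ACTIVE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="PLACEHOLDER_HANDLER()">
  <script type="text/javascript">/* PLACEHOLDER_SCRIPT_BODY */</script>
  <a xlink:href="javascript:PLACEHOLDER_URI()"><text x="5" y="10">hi</text></a>
</svg>"""


def _local(name):
    """Strip a namespace prefix such as '{http://www.w3.org/2000/svg}' from a name."""
    return name.rsplit("}", 1)[-1]


def scan_svg(svg_text):
    """Return a list of (reason, detail) findings; an empty list means nothing active was found.

    For files from untrusted sources, parse with defusedxml instead of the standard
    library to avoid entity-expansion tricks; the logic below is unchanged either way.
    """
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # A file that claims to be SVG but does not parse deserves a look on its own.
        return [("parse-error", str(exc))]

    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == "script":
            findings.append(("script-element", (elem.text or "").strip()[:60]))
        if tag in ("foreignObject", "iframe"):
            # Both can wrap arbitrary HTML, which a browser will render and run.
            findings.append(("embedded-document", tag))
        for attr, value in elem.attrib.items():
            name = _local(attr).lower()
            # SVG event handlers (onload, onclick, onmouseover, ...) all start with "on".
            if name.startswith("on"):
                findings.append(("event-handler", f"{tag}@{name}"))
            # href / xlink:href pointing at a javascript: URI runs when followed.
            if name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(("javascript-uri", f"{tag}@{name}"))
    return findings


def is_active_svg(svg_text):
    """True when the document carries any executable content."""
    return bool(scan_svg(svg_text))


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("active", ACTIVE_SVG)):
        print(label, scan_svg(doc))
```

Run against a mail gateway's attachment queue or a web proxy's image cache, a non-empty result is a reason to quarantine the file or strip it to a rasterized copy; it is not proof of malice, since legitimate interactive SVGs also use scripts, which is why the findings name the element and attribute rather than returning a bare verdict.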