According to a report from cybersecurity company DNSFilter, bad actors are using fake Captcha prompts to distribute the fileless Lumma Stealer malware.
The prompt, first detected on a Greek banking website, asks Windows users to copy text, paste it into the Run dialog box and then press Enter.
DNSFilter reports that its clients interacted with the fake Captcha 23 times in three days, and that 17% of those who encountered the prompt completed the on-screen step, which attempts to deliver the malware.
plot twist: “I’m not a robot” clicks may be the most dangerous thing today.
The security team at DNSFilter caught bad actors using fake Captchas to deliver fileless malware like Lumma Stealer. One click, and they’re in.
The wild part?
🖱️ 17% of users who saw it… – dnsfilter (@dnsfilter) August 14, 2025
What is Lumma Stealer?
Mikey Pruitt, global partner evangelist at DNSFilter, described Lumma Stealer as malware that searches infected devices for credentials and other sensitive data.
“Lumma Stealer sweeps the system for anything that can be instantly monetized. It steals the passwords and cookies stored by the browser, 2FA tokens, cryptocurrency wallet data, remote access credentials, and even password manager vaults,” he told Decrypt.
Pruitt said that bad actors use the lifted data for a variety of purposes. This usually comes down to financial gain, such as identity theft, accessing “online accounts for financial theft or fraudulent transactions” and gaining access to cryptocurrency wallets.
According to Pruitt, Lumma Stealer is widespread and can be found on a variety of websites.
“We can’t speak to how much we’ve lost through this one measure, but this threat can exist on non-malicious sites,” he explained. “This makes it extremely dangerous, and important to be aware of when things seem suspicious.”
Malware as a Service
Lumma Stealer is not just a piece of malware; it is also an example of the malware-as-a-service (MaaS) model that security companies have blamed for the increase in malware attacks in recent years.
According to ESET malware analyst Jakub Tomanek, the operators behind Lumma Stealer develop new features, improve its ability to evade malware detection, and register the domains that host the malware.
He told Decrypt: “Their main goal is to operate the service to maintain profitability and collect monthly subscription fees from affiliates. This effectively runs Lumma Stealer as a sustainable cybercrime business.”
MaaS offerings such as Lumma Stealer remain stubbornly popular because cybercriminals are spared the need to develop the malware and its underlying infrastructure themselves.
In May, the US Department of Justice seized five internet domains that bad actors used to operate the Lumma Stealer malware, and Microsoft itself took down 2,300 related domains.
However, reports show that Lumma Stealer has resurfaced since May, and a July analysis by Trend Micro found that “the number of targeted accounts has steadily returned to normal levels.”
Malware’s Global Reach
Part of Lumma Stealer’s appeal is that the subscription, often billed monthly, costs far less than the potential profits.
“Available on dark web forums for just $250, this sophisticated information stealer specifically targets what matters most to cybercriminals – cryptocurrency wallets, browser-stored credentials, and two-factor authentication systems.”
Jones told Decrypt that the scale of Lumma Stealer exploits is “surprising”, citing an estimated $36.5 million in losses and 400,000 Windows devices infected over two months in 2023.
“But the real concern isn’t just the numbers, it’s the multi-tier monetization strategy,” he said. “Lumma not only steals data, but also harvests browser history, system information, and even AnyDesk configuration files before exfiltrating everything to a Russian command-and-control center.”
Adding to the Lumma Stealer threat is the fact that stolen data is often fed directly to “traffic teams” that specialize in the theft and resale of credentials.
“This creates a devastating cascade effect where a single infection leads to bank account hijacking, cryptocurrency theft and identity fraud that continues after the initial breach,” Jones adds.
Darktrace suggested a Russian origin for Lumma-related exploits, but DNSFilter pointed out that bad actors using malware services may operate from multiple regions.
“This malicious activity commonly involves individuals and groups from multiple countries,” Pruitt said, adding that this is particularly common given the use of international hosting providers and malware distribution platforms.