Does the New Infostealer CAPTCHA Infection Actually Work?

In case you missed it, hackers have been utilizing a new technique to infect victims with Infostealers, it is done by setting a fake Captcha page that prompts the victim to paste a powershell command into their Windows Run which causes a Lumma Infostealer infection.

But does it actually work?

In reality, it works too well actually.

Hudson Rock has spotted thousands of computers that were infected using this method just this month, here is a real scenario from a victim’s computer showing how it went down:

Browsing history of a Lumma Infostealer victim that was infected using the new Captcha technique

Infection Timeline:

1. Search for a YouTube video downloader:

The user searched for “youtube video downloader” at 06:54:46 and clicked on a link from the search results.

2. Visit to a suspicious site:

They landed on SaveFrom.net, a well-known video downloading website, but were quickly redirected to suspicious sites with “Verify You Are Human” prompts at 06:54:53.


3. Fake CAPTCHA scam:

The “Verify You Are Human” page showed a fake CAPTCHA, asking the user to copy and paste a PowerShell command into their computer.



4. Infection by Lumma:

When the user followed the instructions and ran the PowerShell command, they unknowingly installed Lumma malware on their system.

5. You’re F***ed, but at least Hudson Rock has your back:

Hackers have stolen all of your data, including credentials, cookies, browsing history, documents, etc. You will become the target of many kinds of account takeover attempts, fraud, and if you have corporate credentials they will be used to carry out cyberattacks against your employer.

An example of a computer that was infected by Lumma Infostealer showing the credentials that were stolen from the victim


Luckily, Hudson Rock is collecting this data too and every day we alert thousands of companies about stolen credentials belonging to their employees & users.

6. Next steps for you reading this:

Even if you personally weren’t infected and you wouldn’t paste a powershell command because a captcha told you to, you can probably think of someone who works with you who you’re thinking “oh wow they’ll fall for it for sure”.

If that’s the case you can feel free to ask us for an ethical disclosure about Infostealer infections in your organization after searching your domain using our Infostealer intelligence tools – www.hudsonrock.com/are-you-compromised
Thanks for reading, share this to raise awareness about this ongoing campaign.

To learn more about how Hudson Rock protects companies from imminent intrusions caused by info-stealer infections of employees, partners, and users, as well as how we enrich existing cybersecurity solutions with our cybercrime intelligence API, please schedule a call with us, here: https://www.hudsonrock.com/schedule-demo

We also provide access to various free cybercrime intelligence tools that you can find here: www.hudsonrock.com/free-tools

Thanks for reading, Rock Hudson Rock!

Follow us on LinkedIn: https://www.linkedin.com/company/hudson-rock

Follow us on Twitter: https://www.twitter.com/RockHudsonRock

Don’t Stop Here

More To Explore

favicon__1_ removebg-png

BE THE FIRST TO KNOW

Stay informed with the latest insights in our Infostealers weekly report.

Receive immediate notification if your email is involved in an infostealer infection.

No Spam, We Promise

favicon__1_ removebg-png

BE THE FIRST TO KNOW

Stay informed with the latest insights in our Infostealers weekly report.

Receive immediate notification if your email is involved in an infostealer infection.

No Spam, We Promise