Cloudsek researchers found more details on a new, clever way hackers are spreading the Lumma Stealer malware. They’re targeting Windows users with fake human verification pages. Palo Alto Networks’ Unit 42 first reported these fake pages, pointing out how they’re being used to spread malware.

"These pages have a button that, when clicked, shows instructions for victims to paste PowerShell script into a Run window. This copy/paste PowerShell script retrieves and runs a Windows EXE for Lumma Stealer malware," Unit 42 threat hunter Paul Michaud II explained.

The latest investigation by Cloudsek uncovers more active malicious sites spreading the Lumma Stealer. Researchers explained that when you click the "I’m not a robot" button on the fake verification page, a PowerShell script is copied to your clipboard. If you paste this command into the Run dialog box, it triggers PowerShell in a hidden window and runs a Base64-encoded command.

This command retrieves more instructions from a text file on a remote server, which then downloads the Lumma Stealer malware. If the downloaded file, named "dengo.zip," is unzipped and run on a Windows computer, the Lumma Stealer becomes active, connecting to attacker-controlled domains. The researchers also mentioned that the malware delivered through this page can be easily switched out for other malicious.

files.https://www.foxnews.com/tech/windows-users-being-tricked-sneaky-malware-scheme