Dissecting Lumma Malware: Analyzing the Fake CAPTCHA and Obfuscation Techniques – Part 2
ID: a9ce5ea7-c8fc-5d12-8076-70268d902e24
STIX ID: report--a9ce5ea7-c8fc-5d12-8076-70268d902e24
Feed Name: infostealers.com
This technical analysis dissects the Lumma Stealer infection chain starting from a fake CAPTCHA page: an mshta-delivered HTA/PE contains embedded obfuscated JavaScript that decodes layered payloads (including AES-encrypted PowerShell), downloads a malicious ZIP masquerading as legitimate software, and ultimately executes Lumma via process injection into BitLockerToGo. The report documents decoding steps, tooling used (CyberChef, DIE, Ghidra, Hollows Hunter), dynamic behavior, and provides IOCs—SHA256 hashes, malicious URLs, and multiple C2 domains—for detection and response.
