Fake CAPTCHA Campaign: Inside a Multi-Stage Stealer Assault
ID: 8fcaa4ca-095a-5965-b564-dacbe1fba391
STIX ID: report--8fcaa4ca-095a-5965-b564-dacbe1fba391
Feed Name: LevelBlue SpiderLabs Blog
Date Published: 2026-03-19
Date Updated: 2026-04-28
Author: Shabtay Barel, Serhii Melnyk, Rodel Mendrez
This report documents an active, modular, fileless malware campaign that compromises hundreds of legitimate websites to serve fake CAPTCHA pages; those pages combine clipboard hijacking with social engineering to persuade victims to paste and run PowerShell commands. The resulting in-memory chain (Donut shellcode and staged loaders) delivers rotating commodity stealers (Lumma, Vidar, Aura, Rhadamanthys) and a cryptocurrency clipboard hijacker. Infrastructure links point to a large cluster of fake crypto-exchange sites, and indicators suggest a Russian-nexus actor.
