Booking a Threat: Inside LummaStealer’s Fake reCAPTCHA
In February 2025, G DATA Malware Analysts observed and closely monitored a threat campaign employing ClickFix, an emerging social engineering technique that manipulates users into executing malicious commands under the guise of resolving a system error or completing a verification step. It evades traditional signature-based detections by requiring human interaction, which complicates automated scanning procedures [1]. Since its emergence in 2024, ClickFix has been adopted in multiple malicious campaigns as an initial vector for delivering malicious payloads. Through our internal sourcing, we found that numerous malware families, such as VidarStealer, XWormRAT and DonutLoader, were actively using ClickFix as their primary vector.
The campaign we investigated leveraged a malware distribution site disguised as booking confirmation pages from well-known travel platforms, which directed users through fake CAPTCHA processes to initiate the ClickFix mechanism. Further analysis confirmed that the final payload delivered through this method was LummaStealer, a widely distributed information-stealing malware commonly sold under the Malware-as-a-Service (MaaS) model.
The research revealed targeted victims in various countries, including the Philippines and Germany. During the investigation, we uncovered two booking itinerary documents whose details were modeled after legitimate platforms such as Booking.com and HR.com. Initially, these documents were addressed to a hotel in the Philippines but were later modified to reference a hotel in Germany, suggesting a potential shift in target or an attempt to evade detection by altering geographical indicators. Unbeknownst to the victim, malicious scripts are executed that invoke commands reaching out to external sources, which ultimately download LummaStealer samples. We also observed how the downloaded LummaStealer samples evolved, from downloading the payload directly to employing advanced obfuscation methods such as Binary Padding and Indirect Control Flow to further evade detection.
This research further explores the unique infection process by which the LummaStealer samples reach the victim’s system, as well as other related telemetry observed during this sophisticated campaign. Notably, the samples gathered during the investigation were unique in that they could not be sourced from any public threat-sharing sites.

Arvin Lauren Tan: G DATA AV Lab Inc.
Arvin Lauren Tan is a cybersecurity professional with over 7 years of experience in the industry, specializing in threat research, analysis, and product detection. Throughout his career, he has developed deep expertise in reverse engineering, malware analysis, and threat hunting, protecting individuals and organizations against emerging cyber threats. Outside of work, Arvin maintains an active lifestyle through jogging and biking. He also enjoys both casual and competitive computer gaming as a way to relax, sharpen his strategic thinking, and stay connected to the tech community.

John Rey Dador: G DATA AV Lab Inc.
John Rey Dador is an aspiring cybersecurity professional with a strong interest in malware analysis, threat intelligence, and ethical hacking. Although he has only three years of experience in the field, he actively builds his skills through self-study and hands-on practice, always seeking ways to improve and grow. This is his first time attending AVAR or any conference, but he is excited and motivated to participate in more as he continues to strengthen his cybersecurity skills. Despite working in tech, he has always dreamed of becoming a professional athlete. He enjoys all physical sports, especially boxing and MMA. More than greatness or glory, what motivates him most is his love for God, his family and his long-time girlfriend.

Arvin Jay Bandong: G DATA AV Lab Inc.
Arvin Jay Bandong is a cybersecurity professional with a strong background in software engineering. After spending 3 years as a software engineer, he transitioned into cybersecurity and has since gained 3 years of experience specializing in malware analysis, threat intelligence, and signature creation. Joining a cybersecurity conference for the first time as both a speaker and participant, he looks forward to connecting with professionals in the field and learning new things from them.
