Fake CAPTCHAs, crypto disappeared in 3 minutes: the PowerShell trick of Lumma Stealer deceives 1 in 6 users

A wave of fake CAPTCHA is leading users to execute PowerShell on Windows, triggering the crypto thief Lumma Stealer. According to an analysis by DNSFilter, 23 interactions in 72 hours were recorded, with 17% of visitors following the instructions displayed on the screen (DNSFilter). Immediate result: crypto wallets emptied and funds laundered in less than 3 minutes.

According to the data collected by the incident response teams that analyzed the blocked pages between August 14 and 17, 2025, the operational window to prevent the first transfer of funds is often less than 180 seconds. Industry analysts also note that campaigns with persuasive overlays record conversion rates between 12% and 20%, consistent with the 17% detected by DNSFilter.

• Key 17% of “conversion” upon command execution.
• Tactic: verification overlay that simulates an anti-bot check and guides the execution of PowerShell.
• Impact: theft of credentials, cookies, 2FA, and wallet crypto with almost instant monetization.

An example of false CAPTCHA that prompts a “manual” verification: a warning sign not to be overlooked.

How the deception works: from the fake “I am not a robot” to in-memory malware

The false CAPTCHAs mimic the classic “I’m not a robot,” but instead of validating access, they prompt the user to press Windows+R and paste a command. This initiates a PowerShell execution that downloads and loads into memory a DLL linked to Lumma Stealer, often using a fileless technique to evade traditional antivirus software. 

Malware can disable or bypass runtime controls like AMSI (Antimalware Scan Interface) to hide payloads loaded in memory. An interesting aspect is the speed of collection: once active, the malware extracts saved passwords, cookies, session tokens, 2FA codes, and cryptocurrency wallet data.

The case observed by DNSFilter: overlay on legitimate sites

The alert was triggered when a managed provider detected a verification overlay on a European banking site: it displayed a fake DNS error and required a “manual verification.” The user was then guided to execute PowerShell, initiating the download and execution of the Lumma payload. In three days, 23 similar pages were blocked; it should be noted that almost 1 in 6 users followed the proposed steps.

Timeline of a theft in 3 minutes

1. Entry: the user visits a legitimate site or a cloned page; a false CAPTCHA with DNS error appears.
2. Social engineering: the page invites to “validate” access with Windows+R and a precompiled command.
3. Execution: PowerShell disables controls like AMSI, loads a Lumma Stealer DLL, and remains in memory (fileless).
4. Exfiltration: the malware collects browser credentials, cookies, 2FA, seed, and wallet data from crypto.
5. Monetization: the keys are used to transfer funds on DEX and mixers; laundering occurs in minutes.

Spread, variants, and related domains

The campaign has been detected repeatedly in a narrow range, with pages changing domain and graphics to evade blocks. Not all variants are fileless: some offer an executable download disguised as a “verifier.” In this context, among the domains observed in similar campaigns are human-verify-7u.pages.dev and recaptcha-manual.shop.

Why the recovery of crypto is so difficult

The speed is the main weapon of the attack. Once stolen, the funds are moved to DEX and automation tools that fragment the transactions. For this reason, the on-chain analysis teams report that laundering can occur in a few minutes, making recovery extremely complex.

Technical indicators (for SOC/IT)

• Observed Domains/URLs: human-verify-7u.pages.dev, recaptcha-manual.shop, variants on “human-verify” and “recaptcha-manual” subdomains.
• Tactics, Techniques, Procedures (TTP): social engineering via overlay; execution of PowerShell with AMSI deactivation; DLL loading in memory (fileless); credential collection from browser and wallet.
• Endpoint anomaly signals: powershell.exe process launched by explorer.exe/win+r; immediate network activity post-execution; access to browser profile directories.
• Page pattern: fake DNS error + request for “manual verification” with Windows+R combination and “copy/paste”.

Legal notice: share IOCs responsibly; avoid spreading executable commands or payloads.

Quick Guide: Immediate Defense

1. Do not paste commands suggested by web pages or pop-ups.
2. Set up DNS blocks and content filtering for suspicious domains and malvertising categories.
3. Limit the execution of PowerShell scripts for non-administrator users; enable Constrained Language Mode where possible.
4. Enable and monitor AMSI and EDR solutions with rules on processes in memory.
5. Separate the use of wallets from the main browser; prefer hardware wallets.
6. Disable password saving in the browser; use a password manager with MFA.
7. Train users with real examples of phishing and fake CAPTCHA on sensitive sites.

Countermeasures for companies

• Network segmentation and blocks at the proxy/DNS level for newly registered domains and “human-verify/recaptcha-manual” patterns.
• Policy clipboard on managed devices; alert when a site induces copy/paste of commands.
• Threat hunting on chains of process injection and on anomalous executions of powershell.exe.
• Immediate escalation playbook: host isolation, session revocation, credential rotation, invalidation of token and cookie.

Limiting the damage after the theft

• Immediately isolate the device and revoke active sessions on critical services.
• Regenerate seed phrase and move the funds to secure, uncompromised wallets.
• Enable MFA on apps independent of the browser; avoid mechanisms linked to cookie or synchronized sessions.

FAQ

How to recognize a fake CAPTCHA?

Be cautious of pages that ask for Windows+R, copy/paste of commands, or download of “verifiers”. In case of doubt, check the URL and close the page.

Is it always a fileless attack?

No. Some variants download a traditional executable; others operate entirely in memory to reduce traces on disk.

Which data are they aiming to steal?

Credentials of browsers, cookies, 2FA, data and keys of wallet crypto.

Sources and insights

• https://www.prnewswire.com/news-releases/dnsfilter-research-finds-bad-actors-using-fake-captchas-for-malware-attempts-302529514.html
• https://decrypt.co/335632/how-hackers-are-using-fake-captchas-to-spread-lumma-stealer-malware
• https://cryptonews.com/news/hackers-unleash-devious-malware-that-steals-crypto-wallet-data-via-fake-captchas-report/
• https://www.cloudsek.com/blog/unmasking-the-danger-lumma-stealer-malware-exploits-fake-captcha-pages
• https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal
• https://www.chainalysis.com/blog/2025-crypto-crime-mid-year-update/