{"id":11016,"date":"2025-02-26T07:55:10","date_gmt":"2025-02-26T15:55:10","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=11016"},"modified":"2025-02-26T07:57:10","modified_gmt":"2025-02-26T15:57:10","slug":"dns-early-detection-fast-propagating-fake-captcha-distributes-lummastealer","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/dns-early-detection-fast-propagating-fake-captcha-distributes-lummastealer\/","title":{"rendered":"DNS Early Detection &#8211; Fast Propagating Fake Captcha distributes LummaStealer"},"content":{"rendered":"<div style=\"border: 1px solid #02bd4d; padding: 30px 20px 20px; margin-bottom: 30px;\">\n<h3>Bulletin<\/h3>\n<p>   <strong>Who: <\/strong><\/p>\n<ul class=\"list-spacing\">\n<li>Between October 2024 and early February 2025, multiple news sources and blogs reported on LummaStealer malware distributed via fake CAPTCHA.<\/li>\n<li>The information stealer is active across various sectors, primarily targeting users who store sensitive information in their browsers and cryptocurrency wallets.<\/li>\n<li>Identity-based threats pose a substantial risk to any organization as they allow actors to bypass controls using credentials from legitimate users. According to the <a href=\"https:\/\/cdn.prod.website-files.com\/63e25fb5e66132e6387676dc\/679bc0561e9ed06d78d5d9c0_The-Global-Cost-of-Ransomware-Study.pdf\" target=\"_blank\"><strong>January 25 \u201cGlobal cost of ransomware study\u201d<\/strong><\/a>, conducted by the Ponemon Institute, 48 percent of all respondents reported that actors target cached credentials as a key tactic to move laterally and escalate privileges.<\/li>\n<\/ul>\n<p><strong>What: <\/strong><\/p>\n<ul class=\"list-spacing\">\n<li>LummaStealer, also known as LummaC2, is a type of malware that first appeared in 2022. 
It is designed to steal sensitive information from infected systems.<\/li>\n<li>LummaStealer is available through a Malware-as-a-Service (MaaS) model on various forums and collects sensitive data, such as passwords and cryptocurrency wallets. This data can be used to impersonate individuals, commit fraud or conduct further reconnaissance to gain unauthorized access to IT systems within an organization.<\/li>\n<li>Numerous commercial and open-source publications have extensively documented the use of counterfeit CAPTCHA pages to distribute LummaStealer. These CAPTCHA pages are designed to deceive users into executing commands that download uniquely crafted files capable of evading endpoint detection systems. The underlying source code for these deceptive pages has been made available from an open-source repository. Because it leverages a well-known CAPTCHA service, the interaction appears legitimate to users, fostering trust and minimizing skepticism.<\/li>\n<\/ul>\n<p><img decoding=\"async\" style=\"margin-top:15px;\" class=\"blog-image\" src=\"\/wp-content\/uploads\/dns-early-detection-fast-propagating-fake-captcha-distributes-lummastealer-figure-1-v2.png\" alt=\"Picture 1: Sample fake CAPTCHA discovered by Infoblox\" \/><\/p>\n<p class=\"image-caption\">Picture 1: Sample fake CAPTCHA discovered by Infoblox<\/p>\n<p>Threat actors use fake CAPTCHA to increase trust and establish an initial foothold by initiating obfuscated command-level run scripts. Once the scripts are running, actors can drop secondary payloads and initiate lateral movement.<\/p>\n<p><strong>Infoblox Capability: <\/strong><\/p>\n<ul class=\"list-spacing\">\n<li>Infoblox monitors threat actor infrastructure continuously by analyzing DNS traffic and changes made to domains. This results in threat intel discovering early indicators of attack before active payloads have been seen.<\/li>\n<li>The table below summarizes domains named in various public reports. 
These domains have been linked to fake CAPTCHA pages or used to distribute LummaStealer. The column in green provides the date when Infoblox detected these malicious domains and the lead time, in days, before the public report was made available.<\/li>\n<\/ul>\n<table style=\"margin: 0 auto 30px;\">\n<thead>\n<tr>\n<th>Publicly Reported Domains<\/th>\n<th>Publication Date<\/th>\n<th>Infoblox Discovery<\/th>\n<th>Early Protection Metric (days)<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><span class=\"code-format\">googlsearchings[.]online<\/span><\/td>\n<td>1\/30\/25<\/td>\n<td>1\/12\/25<\/td>\n<td>18<\/td>\n<\/tr>\n<tr>\n<td><span class=\"code-format\">sharethewebs[.]click<\/span><\/td>\n<td>1\/30\/25<\/td>\n<td>1\/13\/25<\/td>\n<td>17<\/td>\n<\/tr>\n<tr>\n<td><span class=\"code-format\">googlsearchings[.]art<\/span><\/td>\n<td>1\/23\/25<\/td>\n<td>1\/11\/25<\/td>\n<td>12<\/td>\n<\/tr>\n<tr>\n<td><span class=\"code-format\">Kklipderiq[.]shop<\/span><\/td>\n<td>1\/13\/25<\/td>\n<td>12\/9\/24<\/td>\n<td>35<\/td>\n<\/tr>\n<tr>\n<td><span class=\"code-format\">amazon-ny-gifts[.]com<\/span><\/td>\n<td>1\/30\/25<\/td>\n<td>12\/5\/24<\/td>\n<td>56<\/td>\n<\/tr>\n<tr>\n<td><span class=\"code-format\">h3[.]errantrefrainundocked[.]shop<\/span><\/td>\n<td>1\/23\/25<\/td>\n<td>1\/20\/25<\/td>\n<td>3<\/td>\n<\/tr>\n<tr>\n<td><span class=\"code-format\">futureddospzmvq[.]shop<\/span><\/td>\n<td>10\/22\/24<\/td>\n<td>9\/6\/24<\/td>\n<td>46<\/td>\n<\/tr>\n<tr>\n<td><span class=\"code-format\">writerospzm[.]shop<\/span><\/td>\n<td>10\/22\/24<\/td>\n<td>8\/8\/24<\/td>\n<td>75<\/td>\n<\/tr>\n<tr>\n<td><span class=\"code-format\">mennyudosirso[.]shop<\/span><\/td>\n<td>10\/22\/24<\/td>\n<td>8\/8\/24<\/td>\n<td>75<\/td>\n<\/tr>\n<tr>\n<td><span class=\"code-format\">deallerospfosu[.]shop<\/span><\/td>\n<td>10\/22\/24<\/td>\n<td>8\/8\/24<\/td>\n<td>75<\/td>\n<\/tr>\n<tr>\n<td><span 
class=\"code-format\">quialitsuzoxm[.]shop<\/span><\/td>\n<td>10\/22\/24<\/td>\n<td>8\/8\/24<\/td>\n<td>75<\/td>\n<\/tr>\n<tr>\n<td><span class=\"code-format\">complaintsipzzx[.]shop<\/span><\/td>\n<td>10\/22\/24<\/td>\n<td>8\/8\/24<\/td>\n<td>75<\/td>\n<\/tr>\n<tr>\n<td><span class=\"code-format\">bassizcellskz[.]shop<\/span><\/td>\n<td>10\/22\/24<\/td>\n<td>8\/8\/24<\/td>\n<td>75<\/td>\n<\/tr>\n<tr>\n<td><span class=\"code-format\">languagedscie[.]shop<\/span><\/td>\n<td>10\/22\/24<\/td>\n<td>8\/8\/24<\/td>\n<td>75<\/td>\n<\/tr>\n<tr>\n<td><span class=\"code-format\">celebratioopz[.]shop<\/span><\/td>\n<td>10\/22\/24<\/td>\n<td>8\/8\/24<\/td>\n<td>75<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<ul class=\"list-spacing\">\n<li>By using unique DNS telemetry and advanced data science, Infoblox Threat Intel provided an <strong>average early detection advantage<\/strong> of <strong>46.8 days<\/strong> before other sources publicized them. Infoblox flagged these domains as \u201chigh risk\u201d so defenders can automatically block them weeks to months before active payloads are delivered.<\/li>\n<\/ul>\n<p><img decoding=\"async\" style=\"margin-top:15px;\" class=\"blog-image\" src=\"\/wp-content\/uploads\/dns-early-detection-fast-propagating-fake-captcha-distributes-lummastealer-figure-2-v2.png\" alt=\"figure 2\" \/><\/p>\n<p><strong>Infoblox Impact and Recommendations<\/strong><\/p>\n<ul class=\"list-spacing\">\n<li>Infoblox customers running in blocking mode using our high-risk feeds were protected from these dangerous domains.<\/li>\n<li>Given the easy access to malicious adtech services and public availability of fake CAPTCHA content, threat actors will continue and potentially increase their usage. 
Security organizations are urged to strengthen their defenses with DNS-based intel and discover malicious infrastructure before payloads are delivered.<\/li>\n<\/ul>\n<\/div>\n<h3>Additional Information on Combating Deception and Evasion Techniques<\/h3>\n<p>A <a href=\"https:\/\/blogs.infoblox.com\/threat-intelligence\/the-hidden-dangers-of-malicious-adtech\/\" target=\"_blank\"><strong>recent research report published<\/strong><\/a> by Infoblox documented the extensive use of fake CAPTCHAs within malicious adtech. Similar to regular adtech, this scheme involves operators and malicious advertisers. Advertisers pay operators to target vulnerable victims with highly deceptive content, while remaining hidden from threat researchers. This is done through large traffic distribution systems (TDS) that consist of complex meshes of domain redirections fully controlled by malicious adtech operators.<\/p>\n<p>One of these actors, tracked by Infoblox and named <a href=\"https:\/\/www.infoblox.com\/threat-intel\/threat-actors\/vextrio\/\" target=\"_blank\"><strong>VexTrio Viper<\/strong><\/a>, controls over 84,000 domains. Malicious adtech operators are often organized into individual, professional-looking entities to avoid legal scrutiny. However, combined, their services provide adversaries with highly sophisticated digital tactics to carry out cybercrime, while avoiding threat research. The combination of highly deceptive content, like fake CAPTCHA, and advanced evasion obtained through TDSs impacts individuals as well as the organizations they belong to.<\/p>\n<p><strong>Recommended Action<\/strong>: Click <a href=\"https:\/\/info.infoblox.com\/sec-ensecurityworkshop-20240901-registration.html\" target=\"_blank\"><strong>here<\/strong><\/a> to request a security workshop. 
<\/p>\n<p>To learn more about Infoblox Threat Intel and DNS early detection:<br \/>\n<a href=\"https:\/\/www.infoblox.com\/threat-intel\/\" rel=\"noopener\" target=\"_blank\"><strong>https:\/\/www.infoblox.com\/threat-intel\/<\/strong><\/a><\/p>\n<p>To learn more about Infoblox Threat Defense:<br \/>\n<a href=\"https:\/\/www.infoblox.com\/products\/threat-defense\/\" rel=\"noopener\" target=\"_blank\"><strong>https:\/\/www.infoblox.com\/products\/threat-defense\/<\/strong><\/a><\/p>\n<p>(1) List of organizations warning on LummaStealer and Fake reCaptcha<br \/>\n<a href=\"https:\/\/blog.qualys.com\/vulnerabilities-threat-research\/2024\/10\/20\/unmasking-lumma-stealer-analyzing-deceptive-tactics-with-fake-captcha\" target=\"_blank\"><strong>https:\/\/blog.qualys.com\/vulnerabilities-threat-research\/2024\/10\/20\/unmasking-lumma-stealer-analyzing-deceptive-tactics-with-fake-captcha<\/strong><\/a><\/p>\n<p><a href=\"https:\/\/blog.reveng.ai\/one-clickfix-and-lummastealer-recaptchas-our-attention-part-1\/\" target=\"_blank\"><strong>https:\/\/blog.reveng.ai\/one-clickfix-and-lummastealer-recaptchas-our-attention-part-1\/<\/strong><\/a><\/p>\n<p><a href=\"https:\/\/www.netskope.com\/blog\/lumma-stealer-fake-captchas-new-techniques-to-evade-detection\" target=\"_blank\"><strong>https:\/\/www.netskope.com\/blog\/lumma-stealer-fake-captchas-new-techniques-to-evade-detection<\/strong><\/a><\/p>\n<p><a href=\"https:\/\/www.eset.com\/blog\/business\/lumma-stealer-a-fast-growing-infostealer-threat-1\/\" target=\"_blank\"><strong>https:\/\/www.eset.com\/blog\/business\/lumma-stealer-a-fast-growing-infostealer-threat-1\/<\/strong><\/a><\/p>\n<p><a href=\"https:\/\/it.osu.edu\/news\/2025\/01\/13\/beware-fake-captcha-initiates-malware\" target=\"_blank\"><strong>https:\/\/it.osu.edu\/news\/2025\/01\/13\/beware-fake-captcha-initiates-malware<\/strong><\/a><\/p>\n<p><a 
href=\"https:\/\/labs.guard.io\/deceptionads-fake-captcha-driving-infostealer-infections-and-a-glimpse-to-the-dark-side-of-0c516f4dc0b6\" target=\"_blank\"><strong>https:\/\/labs.guard.io\/deceptionads-fake-captcha-driving-infostealer-infections-and-a-glimpse-to-the-dark-side-of-0c516f4dc0b6<\/strong><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Bulletin Who: Between October 2024 and early February 2025, multiple news sources and blogs reported on LummaStealer malware distributed via fake CAPTCHA. The information stealer is active across various sectors, primarily targeting users who store sensitive information in their browsers and cryptocurrency wallets. 
Identity-based threats pose a substantial risk to any organization as it allows [&hellip;]<\/p>\n","protected":false},"author":407,"featured_media":11040,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[254],"tags":[1154,299,1155,1156,1038],"class_list":{"0":"post-11016","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threat-intelligence","8":"tag-fake-captcha","9":"tag-infostealer","10":"tag-lummastealer","11":"tag-prevention-with-dns","12":"tag-vextrio-viper","13":"entry"},"acf":[],"yoast_head_json":{"title":"DNS Early Detection - Fast Propagating Fake Captcha distributes LummaStealer","description":"Lumma Stealer, also known as LummaC2, is a type of malware that first appeared in 2022. 
It is designed to steal sensitive information from infected systems.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/dns-early-detection-fast-propagating-fake-captcha-distributes-lummastealer\/","og_locale":"en_US","og_type":"article","og_title":"DNS Early Detection - Fast Propagating Fake Captcha distributes LummaStealer","og_description":"Lumma Stealer, also known as LummaC2, is a type of malware that first appeared in 2022. It is designed to steal sensitive information from infected systems.","og_url":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/dns-early-detection-fast-propagating-fake-captcha-distributes-lummastealer\/","og_site_name":"Infoblox Blog","article_published_time":"2025-02-26T15:55:10+00:00","article_modified_time":"2025-02-26T15:57:10+00:00","og_image":[{"width":612,"height":408,"url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dns-early-detection-fast-propagating-fake-captcha-distributes-lummastealer-thumbnail.jpg","type":"image\/jpeg"}],"author":"Bart Lenaerts-Bergmans","twitter_card":"summary_large_image","twitter_title":"DNS Early Detection - Fast Propagating Fake Captcha distributes LummaStealer","twitter_description":"Lumma Stealer, also known as LummaC2, is a type of malware that first appeared in 2022. It is designed to steal sensitive information from infected systems.","twitter_image":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dns-early-detection-fast-propagating-fake-captcha-distributes-lummastealer-thumbnail.jpg","twitter_misc":{"Written by":"Bart Lenaerts-Bergmans","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/dns-early-detection-fast-propagating-fake-captcha-distributes-lummastealer\/#article","isPartOf":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/dns-early-detection-fast-propagating-fake-captcha-distributes-lummastealer\/"},"author":{"name":"Bart Lenaerts-Bergmans","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/person\/641bd9fbad20df55272970414b97ada9"},"headline":"DNS Early Detection &#8211; Fast Propagating Fake Captcha distributes LummaStealer","datePublished":"2025-02-26T15:55:10+00:00","dateModified":"2025-02-26T15:57:10+00:00","mainEntityOfPage":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/dns-early-detection-fast-propagating-fake-captcha-distributes-lummastealer\/"},"wordCount":753,"publisher":{"@id":"https:\/\/www.infoblox.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/dns-early-detection-fast-propagating-fake-captcha-distributes-lummastealer\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dns-early-detection-fast-propagating-fake-captcha-distributes-lummastealer-thumbnail.jpg","keywords":["Fake Captcha","infostealer","LummaStealer","Prevention with DNS","VexTrio Viper"],"articleSection":["Infoblox Threat Intel"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/dns-early-detection-fast-propagating-fake-captcha-distributes-lummastealer\/","url":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/dns-early-detection-fast-propagating-fake-captcha-distributes-lummastealer\/","name":"DNS Early Detection - Fast Propagating Fake Captcha distributes 
LummaStealer","isPartOf":{"@id":"https:\/\/www.infoblox.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/dns-early-detection-fast-propagating-fake-captcha-distributes-lummastealer\/#primaryimage"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/dns-early-detection-fast-propagating-fake-captcha-distributes-lummastealer\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dns-early-detection-fast-propagating-fake-captcha-distributes-lummastealer-thumbnail.jpg","datePublished":"2025-02-26T15:55:10+00:00","dateModified":"2025-02-26T15:57:10+00:00","description":"Lumma Stealer, also known as LummaC2, is a type of malware that first appeared in 2022. It is designed to steal sensitive information from infected systems.","breadcrumb":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/dns-early-detection-fast-propagating-fake-captcha-distributes-lummastealer\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.infoblox.com\/blog\/threat-intelligence\/dns-early-detection-fast-propagating-fake-captcha-distributes-lummastealer\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/dns-early-detection-fast-propagating-fake-captcha-distributes-lummastealer\/#primaryimage","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dns-early-detection-fast-propagating-fake-captcha-distributes-lummastealer-thumbnail.jpg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dns-early-detection-fast-propagating-fake-captcha-distributes-lummastealer-thumbnail.jpg","width":612,"height":408},{"@type":"BreadcrumbList","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/dns-early-detection-fast-propagating-fake-captcha-distributes-lummastealer\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"h
ttps:\/\/www.infoblox.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Infoblox Threat Intel","item":"https:\/\/www.infoblox.com\/blog\/category\/threat-intelligence\/"},{"@type":"ListItem","position":3,"name":"DNS Early Detection &#8211; Fast Propagating Fake Captcha distributes LummaStealer"}]},{"@type":"WebSite","@id":"https:\/\/www.infoblox.com\/blog\/#website","url":"https:\/\/www.infoblox.com\/blog\/","name":"infoblox.com\/blog\/","description":"","publisher":{"@id":"https:\/\/www.infoblox.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.infoblox.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.infoblox.com\/blog\/#organization","name":"Infoblox","url":"https:\/\/www.infoblox.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","width":137,"height":30,"caption":"Infoblox"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/person\/641bd9fbad20df55272970414b97ada9","name":"Bart Lenaerts-Bergmans","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/photo-bart-lenaerts-bergmans-96x96.jpg","url":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/photo-bart-lenaerts-bergmans-96x96.jpg","contentUrl":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/photo-bart-lenaerts-bergmans-96x96.jpg","caption":"Bart Lenaerts-Bergmans"},"description":"Bart is a Senior Product Marketing Manager with over 20 years of experience in 
bringing security operations solutions to market. He started his career in the security industry as a product manager for SIEM solutions. In this role, he enabled security teams around the globe to detect, investigate, and stop threats within their IT infrastructure. Over the past 10 years, Bart has focused on messaging Threat Intelligence solutions as a product marketing manager at McAfee, FireEye-Mandiant, and recently CrowdStrike. As a go-to-market and technical expert, he witnessed firsthand several shifts in cybercriminal tradecraft. Bart currently focuses on communicating the compelling research from the Infoblox Threat Intel team and delivering thought leadership around the uniqueness of DNS-sourced threat intel. Based close to Boston, Massachusetts, he is currently a member of Infoblox\u2019s product and solutions marketing team. Bart holds a master\u2019s degree in Information Technology Management from Post-University of Limburg, Belgium.","url":"https:\/\/www.infoblox.com\/blog\/author\/bart-lenaerts-bergmans\/"}]}},"_links":{"self":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/11016","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/users\/407"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/comments?post=11016"}],"version-history":[{"count":16,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/11016\/revisions"}],"predecessor-version":[{"id":11073,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/11016\/revisions\/11073"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media\/11040"}],"wp:attachment":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media?parent=1
1016"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/categories?post=11016"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/tags?post=11016"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}