The Anatomy of a "Paste n Run" Phishing Attack

Overview

A sophisticated phishing technique where attackers trick users into executing malicious code through a fake CAPTCHA interface — no exploit required, just social engineering.

The Attack Flow

1. User lands on a page mimicking a reCAPTCHA screen
2. Clicking “I’m not a robot” secretly copies a PowerShell command to the clipboard
3. The page displays fake verification instructions:
   • Press Windows + R
   • Press Ctrl + V
   • Press Enter
4. The user unknowingly executes the malicious command

No vulnerability exploited. Just the user’s trust in UI patterns.

The Malware Chain

The initial PowerShell payload downloads and executes a ZIP file containing Lumma Stealer — a sophisticated information-stealing trojan.

The deobfuscated second-stage script:

• Creates hidden directories in AppData
• Downloads and extracts malicious executables
• Establishes persistence via Windows registry (HKCU\Software\Microsoft\Windows\CurrentVersion\Run)

What Lumma Stealer Does

• Steals cryptocurrency wallet credentials
• Extracts saved browser passwords and cookies
• Harvests system information and running processes
• Has a self-update mechanism — attackers can expand functionality post-infection

File Structure

The extracted malware package contains 34 files across multiple directories:

• Delphi-compiled libraries (.bpl files)
• Configuration files
• Both 32-bit and 64-bit DLL dependencies

This level of structure suggests a professional malware-as-a-service operation.

How to Stay Safe

• Be skeptical of CAPTCHA pages that ask you to run commands — legitimate CAPTCHAs never do this
• Keep your OS and antivirus up to date
• Use a password manager and enable two-factor authentication
• Avoid downloading from untrusted sources
• If you run something you shouldn’t have: disconnect from the network immediately and run a full scan