Lunar Spider Campaign: FakeCAPTCHA Used to Exploit CORS Flaws and Deliver Latrodectus Loader
The group Lunar Spider—also known under the aliases Gold SwathMore and Elara—has ramped up a new malicious campaign that leverages a counterfeit CAPTCHA verification interface to infect victims’ devices. The primary vector is the compromise of vulnerable European websites through misconfigured CORS (Cross-Origin Resource Sharing) policies. On breached sites, the attackers inject a JavaScript iframe loader, dubbed iFrameOverload, which overlays a bogus CAPTCHA page called TeleCaptcha and begins monitoring user activity.
The faux interface does more than mimic a verification flow; it coerces the victim into copying a generated command to the clipboard. That command contains a PowerShell snippet that downloads an MSI package; inside the installer sits an Intel-branded executable and a malicious DLL named Latrodectus. Once executed, the EXE registers itself for autorun via a Run registry key and subsequently loads the DLL using a DLL search-order hijack. The DLL carries a digital signature that was later revoked.
Latrodectus v2.3 establishes communications with a command-and-control server and executes a wide range of reconnaissance and tasking routines. Its configuration indicates RC4 encryption support, numerous built-in modules for harvesting network and system telemetry, and the ability to fetch additional payloads.
Functionality includes probing trusted domains, enumerating user groups, detecting installed antivirus products, querying registry keys and performing other preparatory actions typical of pre-ransomware activity, a threat actor profile with which Lunar Spider has been associated in past operations.
Beyond installing malware, TeleCaptcha actively records victims’ clicks and reports activity to the attackers’ Telegram channel. User identifiers are generated from random adjective-animal combinations and persisted in localStorage to track repeat interactions. Operators show particular interest in Windows users: their actions trigger additional notifications, including prompts to operators to inspect the malware control panel.
The campaign’s infrastructure spans domains hosted on AWS, Cloudflare and Railnet, mostly registered via Asian registrars, and serves multiple roles, from delivering the JavaScript and the fake CAPTCHA to hosting payloads and C2 servers. Most initial-compromise sites are WordPress instances that are vulnerable because of lax CORS settings.
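The report does not say which CORS misconfiguration the compromised WordPress sites shared, so the following is an added example (not code from the report or from any tool it mentions) for site owners auditing their own origins: it classifies a response's CORS headers against the common weak patterns (reflected arbitrary Origin, especially with credentials; wildcard; `null`), using constructed header sets that are assumptions, with the probe origin a placeholder.

```python
from urllib.request import Request, urlopen

# Origin used when probing your own site; it must not be one the site trusts (placeholder).
PROBE_ORIGIN = "https://cors-probe.example"


def fetch_cors_headers(url: str, origin: str = PROBE_ORIGIN) -> dict:
    """Issue a GET carrying a foreign Origin header and return the response headers."""
    req = Request(url, headers={"Origin": origin})
    with urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


def classify_cors(headers: dict, origin: str = PROBE_ORIGIN) -> list:
    """Return the CORS weaknesses visible in a response to a request from `origin`."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if acao is None:
        return findings  # no cross-origin grant at all: the browser blocks the read
    if acao == origin:
        # The server echoed an untrusted Origin back, so any site can read responses.
        findings.append("reflected-origin")
        if creds:
            # Reflection plus credentials exposes logged-in users' responses to any page.
            findings.append("reflected-origin-with-credentials")
    elif acao == "*":
        findings.append("wildcard-origin")
        if creds:
            # Browsers reject '*' with credentials, but it shows the policy was meant to be open.
            findings.append("wildcard-with-credentials")
    elif acao == "null":
        # 'null' is sent by sandboxed iframes and data: URLs, so it is attacker-controllable.
        findings.append("null-origin-allowed")
    return findings


# Constructed samples: a weak configuration beside a sound one.
WEAK_HEADERS = {
    "Access-Control-Allow-Origin": PROBE_ORIGIN,   # echoes whatever Origin it received
    "Access-Control-Allow-Credentials": "true",
}
SOUND_HEADERS = {
    "Access-Control-Allow-Origin": "https://app.example",  # fixed allow-list entry
    "Vary": "Origin",                                      # keeps caches from mixing grants
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("sound", SOUND_HEADERS)):
        print(name, classify_cors(hdrs) or "no CORS weakness found")
```

To test a live site you control, pass `fetch_cors_headers("https://your-site.example/wp-json/")` to `classify_cors`; an empty result for a foreign probe origin is the expected outcome.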
Analysis of recovered MSI installers reveals builds created with AdvancedInstaller that extract a CAB archive containing executables and auxiliary libraries. Installations run silently with automatic acceptance of terms and log actions to a file. The operators rely on well-known persistence and stealth techniques—registry autorun entries and DLL sideloading into a legitimate Intel binary—to maintain an unobtrusive foothold.
This modus operandi is an evolution of tactics first seen during the heyday of IcedID. After the takedown of that platform’s infrastructure in Operation Endgame, Lunar Spider migrated to Latrodectus while preserving a MaaS-style distribution model and early-stage dropper mechanics. Given the campaign’s sophisticated toolkit and pronounced activity across Europe—especially Germany—it poses a substantial threat to corporate networks, with the financial sector particularly at risk.