Fake CAPTCHA (ClickFix) Social Engineering Used for Fileless Malware Delivery
Security researchers reported an active malware distribution technique that abuses bogus CAPTCHA pages to trick users into executing attacker-supplied commands on Windows. In the ClearFake campaign analyzed by Expel, victims land on a compromised site and are instructed to press Win + R, then paste and run a clipboard-seeded command—an approach commonly referred to as ClickFix—which results in malicious PowerShell execution. The campaign emphasizes living-off-the-land tradecraft and evasion, including proxy execution by abusing the trusted Windows script C:\Windows\System32\SyncAppvPublishingServer.vbs to launch PowerShell in hidden mode and reduce the chance of AV detection.
Separate measurement and telemetry on the same broader tactic found large-scale infrastructure supporting fake CAPTCHA lures: a Censys analysis identified 9,494 breached websites hosting counterfeit verification pages, with ~70% appearing nearly identical. The most common infection mechanisms involved clipboard manipulation leading to VBScript and PowerShell execution (with significant counts of each observed), alongside other delivery paths such as MSIEXEC-based installation of malicious Windows Installer packages. Researchers also observed use of the Matrix push command-and-control framework to support fileless deployment, noting that these intrusions can leave no traditional executable artifacts and may evade signature-based detection.
Related Entities
Organizations
Affected Products
Sources
Related Stories
Fake CAPTCHA/ClickFix Social Engineering Used to Deliver Malware and Steal Sessions
Threat actors are increasingly using **fake CAPTCHA / verification pages** as a scalable social-engineering lure to deliver malware and steal credentials by abusing users’ trust in routine web security checks. Research highlighted a large, fragmented ecosystem of lookalike fake CAPTCHA pages hosted across **~9,494 compromised sites and malicious properties**, where roughly **70%** of observed pages share near-identical visuals while delivering **dozens of distinct payload variants** via different execution models, including clipboard-driven instructions that lead victims to run **PowerShell** or **VBScript** downloaders. Separately, a **ClickFix** campaign targeting Facebook users—especially content creators and businesses seeking verification—uses fake “verification” portals to trick victims into manually extracting and submitting browser session tokens (notably `c_user` and `xs`) via developer tools, enabling account takeover without exploiting software vulnerabilities. In parallel, the **ClearFake** campaign (a malicious JavaScript framework injected into hacked websites) has adopted ClickFix-style fake CAPTCHA lures and added more evasive “living off the land” behavior, including **proxy execution** to run PowerShell through trusted Windows features and shifting distribution to a **popular CDN**, reducing the effectiveness of defenses that rely primarily on blocking known-bad domains/IPs.
1 months ago
ClickFix Social-Engineering Technique Using Fake CAPTCHA to Trigger Manual Command Execution
A **ClickFix**-style malware campaign has been observed using **fake CAPTCHA** pages on compromised websites to trick users into **manually executing** malicious commands, enabling initial access while evading controls that focus on downloaded files. In the reported activity, victims are prompted to copy a **PowerShell** command and run it themselves; the script then downloads additional stages from attacker infrastructure (including `91.92.240.219`), verifies user interaction by checking clipboard activity, and proceeds through a multi-stage infection chain. The payload is an **information stealer** targeting data from **25+ web browsers**, cryptocurrency wallets (e.g., *MetaMask*), and enterprise VPN configurations, with checks for virtualized environments and security tooling prior to exfiltration. Separately reported threat activity in the same time window includes **UnsolicitedBooker** targeting Central Asian telecoms with phishing-delivered backdoors (**LuciDoor** and **MarsSnake**) and **APT28** running *Operation MacroMaze*, which uses weaponized Office documents and `INCLUDEPICTURE` fields pointing to `webhook[.]site` URLs as a tracking mechanism and to support follow-on macro-based payload delivery. A video-style weekly briefing also mentions an evolution of ClickFix where an initial command uses `nslookup` and parses the response for execution, but it is a multi-topic roundup rather than a primary source on the fake-CAPTCHA infostealer campaign; a malware newsletter roundup is likewise a link collection and does not add specific, corroborating details about the ClickFix CAPTCHA infostealer operation.
3 weeks ago
Fake CAPTCHA and ClickFix Social Engineering Used to Deliver Stealer Malware
A wave of **social-engineering-driven malware delivery** is abusing “verification” and “fix” workflows to trick users into running attacker-supplied commands that install information stealers. LevelBlue reported a campaign using **fake Cloudflare-style CAPTCHA pages** on compromised websites to convince Windows users to manually execute malicious **PowerShell** commands, resulting in **StealC** deployment; StealC is described as exfiltrating browser credentials, crypto wallet data, Steam and Outlook credentials, system information, and screenshots over **RC4-encrypted HTTP** to a C2 server. Intego also identified an evolved **ClickFix** technique on macOS (“**Matryoshka**”) that leverages **typosquatting** to redirect users to pages instructing them to paste “fix” commands into Terminal; the loader then retrieves an AppleScript payload to steal browser credentials and target wallet apps (e.g., *Trezor Suite*, *Ledger Live*), including repeated fake password prompts as a fallback. Separately, other credential-theft campaigns are also leaning heavily on lures that exploit user trust and routine workflows. Morphisec described **Noodlophile** evolving from fake AI video platform ads to **fake job postings** and phishing “assessments,” delivering multi-stage stealers/RATs via techniques including **DLL sideloading**, while continuing to use **Telegram bots** for exfiltration/C2 and adding file-bloating content intended to disrupt automated analysis. These developments reinforce that user-in-the-loop execution (copy/paste commands, “verification” steps, and recruitment-themed forms) remains a high-yield initial access vector for stealers across both Windows and macOS environments.
4 weeks ago