{"id":3476,"date":"2025-06-06T12:05:04","date_gmt":"2025-06-06T12:05:04","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3476"},"modified":"2025-06-06T12:05:04","modified_gmt":"2025-06-06T12:05:04","slug":"new-phishing-campaign-hijacks-clipboard-via-fake-captcha-for-malware-delivery","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3476","title":{"rendered":"New phishing campaign hijacks clipboard via fake CAPTCHA for malware delivery"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A new wave of browser-based phishing tricks unsuspecting users into copy-pasting malicious commands into their systems, all while believing they\u2019re completing a legitimate CAPTCHA verification.<\/p>\n<p>According to SlashNext research, attackers have been found cloning the Cloudflare Turnstile interface, a privacy-preserving CAPTCHA alternative that verifies whether a user is human, to lure users into executing malware.<\/p>\n<p>Commenting on why this tactic works so well for threat actors, Lionel Litty, chief security architect at Menlo Security, said, \u201cThese social engineering attacks are often successful because they astutely tap into users\u2019 frustration: having to solve yet another CAPTCHA.\u201d They then go on to provide instructions that are both obscure for many users and easy to follow, Litty added.<\/p>\n<p>In SlashNext\u2019s observations, victims were presented with a fake security check with real-looking branding and a Ray ID, a Cloudflare-assigned identifier. 
After clicking \u201cVerify you are human,\u201d users are guided through key presses that unknowingly paste and run a hidden PowerShell command copied to their clipboard.<\/p>\n<p>These ClickFix campaigns (including the one using the Turnstile CAPTCHA) were used to deliver a range of payloads, including information stealers such as <a href=\"https:\/\/www.csoonline.com\/article\/3993289\/feds-and-microsoft-crush-lumma-stealer-that-stole-millions-of-passwords.html?utm=hybrid_search\">Lumma<\/a> and <a href=\"https:\/\/www.csoonline.com\/article\/3951147\/infostealer-malware-poses-potent-threat-despite-recent-takedowns.html?utm=hybrid_search\">Stealc<\/a>, as well as full-fledged remote access trojans (RATs) like NetSupport Manager designed for full system compromise.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Fake CAPTCHA used as new phishing frontier<\/h2>\n<p>SlashNext researcher Daniel Kelley warned that the observed campaign signals threat actors moving from traditional phishing, which prompts the user directly to download a file, to a more sophisticated <a href=\"https:\/\/www.csoonline.com\/article\/3610611\/rising-clickfix-malware-distribution-trick-puts-powershell-it-policies-on-notice.html?utm=hybrid_search\">ClickFix attack<\/a> that looks like a legitimate security check.<\/p>\n<p>The attack begins on compromised websites containing malicious JavaScript. 
When users interact with these sites, they\u2019re redirected to deceptive pages that display error messages or CAPTCHA verifications, urging users to perform actions such as copying and pasting commands into their system\u2019s terminal or PowerShell.<\/p>\n<p>\u201cWhen a victim visits a malicious or compromised site, they see a message \u2018Checking if the site connection is secure-Verify you are human\u2019 just as they would on a real Cloudflare page,\u201d Kelley said in a <a href=\"https:\/\/slashnext.com\/blog\/decoding-clickfix-lessons-from-the-latest-browser-based-phish\/\" target=\"_blank\" rel=\"noopener\">blog post<\/a>. Subsequently, a pop-up or on-page message directs users through a sequence of key presses \u2014 including Win+R, Ctrl+V, and Enter \u2014 resulting in the malware executing on their machine.<\/p>\n<p>\u201cThe concept of phishing users with fake security controls is not a new one,\u201d said James Maude, field CTO at BeyondTrust. \u201cIn the past, threat actors have had great success with phishing documents that trick users into allowing malicious macros to run using fake security checks that claim the document needs macros enabled for security.\u201d<\/p>\n<p>As defences have evolved and gotten better at blocking phishing email attachments that launch malicious code, threat actors have evolved their techniques, too, to find more creative ways to manipulate users into executing code, Maude noted.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Fail-proof exploit of \u2018verification fatigue\u2019<\/h2>\n<p>SlashNext highlighted that the campaign\u2019s success stems largely from its exploitation of human psychology.<\/p>\n<p>\u201cModern internet users are inundated with spam checks, CAPTCHAs, and security prompts on websites, and they\u2019ve been conditioned to click through these as quickly as possible,\u201d Kelley added. 
\u201cAttackers exploit this \u2018verification fatigue,\u2019 knowing that many users will comply with whatever steps are presented if it looks routine.\u201d<\/p>\n<p>The absence of immediate red flags like suspicious downloads, combined with a deceptive design that uses trusted branding and a familiar interface, provides a false sense of security.<\/p>\n<p>\u201cWe have seen an <a href=\"https:\/\/www.menlosecurity.com\/blog\/browser-security-report-ai-powered-attacks-surge\" target=\"_blank\" rel=\"noopener\">increasing number<\/a> of this type of attack over the past several months and have had multiple customers inquire about possible ways to hinder the attack,\u201d Litty said. \u201cBecause of their limited visibility into browser behavior, AV products and other endpoint protection solutions tend to miss these attacks.\u201d<\/p>\n<p>Litty noted a need for browser-specific solutions, including tools for browser isolation, that can detect a website that writes content into the clipboard and flag it to users.<\/p>\n<p>ClickFix tactics are not new and have been picked up in recent years by nation-state actors, most notably in the \u201cContagious Interviews\u201d campaign linked to the North Korea-aligned Kimsuky group. Other notable state-sponsored actors known for using ClickFix include MuddyWater (Iran), <a href=\"https:\/\/www.proofpoint.com\/us\/blog\/threat-insight\/around-world-90-days-state-sponsored-actors-try-clickfix\" target=\"_blank\" rel=\"noopener\">APT28 and UNK_RemoteRogue<\/a> (Russia).<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A new wave of browser-based phishing tricks unsuspecting users into copy-pasting malicious commands into their systems, all while believing they\u2019re completing a legitimate CAPTCHA verification. 
According to SlashNext research, attackers have been found cloning the Cloudflare Turnstile interface, a privacy-preserving CAPTCHA alternative to verify if a user is human, to lure users into executing [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3477,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3476","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3476"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3476"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3476\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3477"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3476"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3476"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3476"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}