{"id":3196,"date":"2025-03-25T09:25:43","date_gmt":"2025-03-25T16:25:43","guid":{"rendered":"https:\/\/www.ssls.com\/blog\/?p=3196"},"modified":"2025-03-25T09:25:44","modified_gmt":"2025-03-25T16:25:44","slug":"fake-captcha-malware-tricks-windows-users-into-installing-info-stealers","status":"publish","type":"post","link":"https:\/\/www.ssls.com\/blog\/fake-captcha-malware-tricks-windows-users-into-installing-info-stealers\/","title":{"rendered":"Fake CAPTCHA malware tricks Windows users into installing info&nbsp;stealers"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/www.ssls.com\/blog\/wp-content\/uploads\/SSL_Blog_Fake-CAPTCHA.png\" alt=\"\" class=\"wp-image-3143\"\/><\/figure>\n\n\n\n<p>By now, many of us have become so familiar with CAPTCHA that it\u2019s become second nature to prove we\u2019re \u201cnot a robot\u201d without batting an eyelid, whether it\u2019s typing out an obscured text or ticking a box. But would you notice if the CAPTCHA requests went even further?<\/p>\n\n\n\n<!--more-->\n\n\n\n<p>Apparently, many people don\u2019t, considering the recent rise in threat actors exploiting CAPTCHA to trick Windows users into downloading malware like trojans and info stealers to their computers. A report from <a href=\"https:\/\/www.hp.com\/us-en\/newsroom\/press-releases\/2025\/i-am-not-a-robot-captchas-being-used-to-spread-malware-hp-warns.html\">HP examining this trend<\/a> in Q4 of 2024 blames \u201cclick tolerance,\u201d which refers to how people have grown used to completing multiple authentication steps online.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The CAPTCHA ruse<\/h2>\n\n\n\n<p>The cyberattack begins with the victim being redirected to a site run by malicious actors and prompted to complete verification steps to prove they\u2019re a human. 
Instead of the usual CAPTCHA, <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2025\/03\/fake-captcha-websites-hijack-your-clipboard-to-install-information-stealers\">according to Malwarebytes<\/a>, a pop-up window will appear, often saying something like this:<\/p>\n\n\n\n<p>\u201cTo better prove you are not a robot, please:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Press &amp; hold the Windows Key + R.<\/li>\n\n\n\n<li>In the verification windows, press Ctrl + V.<\/li>\n\n\n\n<li>Press Enter on your keyboard to finish.<\/li>\n<\/ol>\n\n\n\n<p>You will observe and agree:<\/p>\n\n\n\n<p>\u201cI\u2019m not a robot \u2013 reCAPTCHA Verification ID: 8253\u201d<\/p>\n\n\n\n<p>Perform the steps above to finish verification.\u201d<\/p>\n\n\n\n<p>The final two lines are presented with a tick box and a \u201cVerify\u201d button. The site has already copied a malicious PowerShell command to the clipboard, so a user who completes the steps unwittingly pastes that command into the Windows Run dialog, runs it, and downloads malware. Often, it\u2019s the Lumma Stealer remote access trojan (RAT). Other campaigns used XenoRAT and malicious JavaScript code inside Scalable Vector Graphics (SVG) images that would deploy several different types of malware to the victim\u2019s computer.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What the malware can do<\/h2>\n\n\n\n<p><a href=\"https:\/\/www.eset.com\/blog\/business\/lumma-stealer-a-fast-growing-infostealer-threat-1\/\">Lumma Stealer<\/a> is a malware-as-a-service info stealer that targets various data, such as cryptocurrency wallets, user credentials, and two-factor authentication browser extensions. Meanwhile, XenoRAT has advanced surveillance capabilities, such as microphone and webcam capture, as well as the ability to control devices, exfiltrate data, and log keystrokes.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How to protect yourself<\/h2>\n\n\n\n<p>Vigilance is key. 
Mindlessly following instructions from a pop-up online is never good, and that\u2019s doubly so when it comes from an unfamiliar website you\u2019ve never visited before. Extra steps you can take include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Installing a browser extension to block malicious domains and scam sites<\/li>\n\n\n\n<li>Installing anti-malware software to prevent you from downloading malicious scripts<\/li>\n\n\n\n<li>Disabling browser JavaScript when visiting unfamiliar sites<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>By now, many of us have become so familiar with CAPTCHA that it\u2019s become second nature to prove we\u2019re \u201cnot a robot\u201d without batting an eyelid, whether it\u2019s typing out an obscured text or ticking a box. But would you notice if the CAPTCHA requests went even further?<\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3196","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/posts\/3196","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/comments?post=3196"}],"version-history":[{"count":1,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/posts\/3196\/revisions"}],"predecessor-version":[{"id":3197,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/posts\/3196\/revisions\/3197"}],"wp:attachment":[{"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/media?parent=3196"}],"wp:term":[{"taxonomy":"cat
egory","embeddable":true,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/categories?post=3196"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/tags?post=3196"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}