Fake Captcha Malware Attacking Windows Users To execute PowerShell Commands

A sophisticated malware campaign is targeting Windows users through deceptive CAPTCHA verification prompts that trick victims into executing malicious PowerShell scripts. Security experts recommend implementing robust security awareness training and advanced endpoint protection solutions capable of detecting multi-stage PowerShell attacks to protect against these increasingly sophisticated threats. This resurgence of fake CAPTCHA attacks, identified in early February 2025, represents a growing threat as attackers continue to employ social engineering tactics to bypass security measures and compromise systems. Moreover, the retrieved PowerShell scripts are intentionally large in file size, an apparent attempt to evade sandbox or emulation-based detection mechanisms that impose execution limits. Further investigation confirmed that beyond data exfiltration, the malware downloads additional components including a Telegram bot-based HijackLoader and a Golang-based backdoor disguised as legitimate software like ‘TiVo Desktop’. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. However, instead of simply proving they are human, users are prompted to execute a PowerShell command that initiates a multi-stage infection process. When users execute the deceptive command, it launches a series of complex, encrypted PowerShell scripts. The attack begins when users encounter what appears to be a standard CAPTCHA verification on compromised or malicious websites. The HTA file then triggers additional PowerShell scripts through a sophisticated multi-stage decryption process. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. This command is disguised as part of the verification process, making it seem legitimate to unsuspecting users. The initial command appears as: powershell -NoProfile -Command "mshta # 'I am not a robot - rëCAPTCHA Verification ID: 2188". Researchers discovered that the attack uses XOR encryption with the key “AMSI_RESULT_NOT_DETECTED” to bypass security tools.

This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 13 Mar 2025 08:25:14 +0000

Cyber News related to Fake Captcha Malware Attacking Windows Users To execute PowerShell Commands

Unraveling CAPTCHA: A Comprehensive Insight Into Its History, Applications, and Efficiency - History of CAPTCHA. The inception of CAPTCHA dates back to the late 1990s when researchers at Carnegie Mellon University led by Luis von Ahn, Manuel Blum, and others, sought a solution to prevent automated bots from infiltrating online platforms. In ...
1 year ago Feeds.dzone.com Inception

Fake IT support sites push malicious PowerShell scripts as Windows fixes - First discovered by eSentire's Threat Response Unit, the fake support sites are promoted through YouTube channels that have been compromised and hijacked to add legitimacy to the content creator. In particular, the threat actors are creating fake ...
8 months ago Bleepingcomputer.com

Operation RusticWeb Using PowerShell Commands to filtrate Doc - Hackers use PowerShell commands because they provide a powerful scripting environment on Windows systems, allowing them to stealthily execute malicious scripts and commands called Operation RusticWeb. The PowerShell's capabilities make it an ...
1 year ago Gbhackers.com

Fake Captcha Malware Attacking Windows Users To execute PowerShell Commands - A sophisticated malware campaign is targeting Windows users through deceptive CAPTCHA verification prompts that trick victims into executing malicious PowerShell scripts. Security experts recommend implementing robust security awareness training and ...
4 hours ago Cybersecuritynews.com

Beware of Fake CAPTCHA Prompts That May Silently Install LummaStealer on Your Device - The attack specifically targets users of booking websites by presenting fake booking confirmation pages that require CAPTCHA verification to view document details. The Infection Chain Flow shows how the attack progresses from the initial visit to a ...
5 days ago Cybersecuritynews.com

Unlocking CAPTCHAs: Moving Beyond Deterrence to Detection - In the digital realm, CAPTCHA has long been viewed as a necessary annoyance, a tool employed to thwart automated bots and ensure that real human users can successfully interact with websites. A paradigm shift is underway in how we perceive CAPTCHA. ...
1 year ago Securityboulevard.com

BianLian GOs for PowerShell After TeamCity Exploitation - In conjunction with GuidePoint's DFIR team, we responded to an incident that began with the exploitation of a TeamCity server which resulted in the deployment of a PowerShell implementation of BianLian's GO backdoor. The threat actor identified a ...
1 year ago Securityboulevard.com CVE-2024-27198 CVE-2023-42793 BianLian

Types of Malware and How To Prevent Them - Malware is one of the biggest security threats to any type of technological device, and each type of malware uses unique tactics for successful invasions. Even if you've downloaded a VPN for internet browsing, our in-depth guide discusses the 14 ...
8 months ago Pandasecurity.com

Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
10 months ago Cybersecurity-insiders.com