Phishing lures masquerading as phony CAPTCHA pages are being used to spread a new infostealer campaign connected to the well-known ClickFix malware. CyberProof MDR analysts have been looking into the operation, and their findings confirm that attackers are using malicious scripts to steal a variety of sensitive data, such as VPN configurations, browser credentials, and cryptocurrency wallet information.
This article explores the campaign's mechanics, including the attack vectors and the tools attackers use to evade detection.
Technical Evaluation of the Attack
The campaign starts when users visit compromised websites that show phony CAPTCHA prompts. These prompts deceive victims into executing PowerShell commands that download malicious payloads from the attacker's infrastructure.
In one case, the attack was first flagged by an unusual clipboard-read event on January 23, 2026, which led to the detection of the first suspicious PowerShell execution. A PowerShell script then retrieved a second-stage payload from the IP address 178.16.53.70.
Clipboard data (Source: CyberProof)
According to analysts, the first file, cptch.bin, was created with Donut, a tool that lets Windows payloads run straight from memory.
The second stage of the PowerShell script tries to download more shellcode from 94.154.35.115. The script stores it in a variable named $finalPayload, an operational security (OpSec) error that helped analysts identify the malware's actions; Microsoft Defender identified and blocked the script.
After a successful download, the payload uses standard Windows APIs to allocate memory and inject itself into a legitimate system process, such as svchost.exe.
PowerShell MDE execution timeline (Source: CyberProof)
The malware establishes persistence by altering the RunMRU registry key so that it runs again after system reboots. As a result, the infection cycle can be restarted and the attackers can regain control.
Data Exfiltration and Targeted Applications
After installation, the ClickFix infostealer targets a variety of applications, focusing on exfiltrating data from cryptocurrency wallets, VPN settings, and browsers. The malware can steal credentials from more than 25 browser versions, including well-known ones like Chrome, Edge, and Brave as well as specialized browsers like Tor.
CyberProof reports that crypto wallets like MetaMask, Exodus, and Trust Wallet, as well as VPN services like Mullvad and NordVPN, are also targeted. Operating silently in the background, the malware maintains access to the compromised system and exfiltrates confidential information to servers under the attacker's control.
Attacker C2 IP 94.154.35.115 provided the cptch.bin file (Source: CyberProof)
Suspicious IP addresses and file hashes are among the several indicators of compromise (IoCs) that have been found. Organizations should implement a number of defensive measures to lessen the likelihood of such attacks, such as:
- Limit Access: Use Group Policy to disable the Run dialog and remove the "Run" option from the Start menu.
- Endpoint Controls: Implement an App Control policy to stop PowerShell and other native Windows binaries from being launched from the Run dialog.
- PowerShell Hardening: Set execution policies to AllSigned or RemoteSigned and enable script block logging.
- Email Security: Use Microsoft Defender for Office 365 to enable secure attachment and link re-checking.
- User Awareness: Inform staff about the dangers of social engineering techniques, particularly the risks of copying and pasting commands from untrusted websites.
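A hunting script that ties the detection points above (the Run dialog paste, the $finalPayload variable, the two download hosts) to the script block logging recommendation. This is an added example, not CyberProof's tooling; it assumes Windows PowerShell 5.1 or later, rights to read the PowerShell operational log, and that script block logging (Event ID 4104) is already enabled.

```powershell
# Added example (not from the report). Reviews two places a ClickFix-style
# paste-and-run leaves traces: the Win+R history and PowerShell 4104 logs.

# Win+R history. The lure tells the victim to paste a one-liner into the Run
# dialog, so native tools showing up under RunMRU deserve a second look.
function Get-SuspiciousRunMru {
    $key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    $tools = 'powershell|pwsh|mshta|cmd\.exe|curl|certutil|bitsadmin|rundll32|regsvr32'
    if (-not (Test-Path $key)) { return }
    (Get-Item $key).Property |
        Where-Object { $_ -ne 'MRUList' } |          # MRUList is just the ordering
        ForEach-Object {
            $cmd = (Get-ItemProperty -Path $key -Name $_).$_
            if ($cmd -match $tools) {
                [PSCustomObject]@{ Source = 'RunMRU'; Entry = $_; Command = $cmd }
            }
        }
}

# Script block log entries (4104) containing the indicators named in the report.
function Get-ClickFixScriptBlocks {
    $indicators = @(
        '\$finalPayload'          # variable name singled out as an OpSec slip
        '178\.16\.53\.70'         # second-stage download host
        '94\.154\.35\.115'        # shellcode / C2 host
        'VirtualAlloc|WriteProcessMemory|CreateRemoteThread'  # injection APIs
    )
    $pattern = $indicators -join '|'
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        ForEach-Object {
            $null = $_.Message -match $pattern        # populate $Matches for this event
            [PSCustomObject]@{
                Source  = 'ScriptBlock'
                Time    = $_.TimeCreated
                Hit     = $Matches[0]
                Snippet = $_.Message.Substring(0, [Math]::Min(160, $_.Message.Length))
            }
        }
}

Get-SuspiciousRunMru
Get-ClickFixScriptBlocks
```

Run it under the user account that received the lure, since RunMRU lives in HKCU; in a fleet, feed the same patterns to your SIEM's 4104 parser instead of reading the log per host.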
Because attackers use multi-stage payload-delivery techniques to get around conventional defenses, the fake CAPTCHA lures used in this campaign pose a serious threat. Organizations can lessen the risk posed by this evolving threat by employing capable detection tools, maintaining a strong security posture, and training users. Protecting sensitive data requires constant monitoring and active threat hunting, because cybercriminals keep changing their strategies and payloads.