Cyber Security News

Beware of Malicious Ads on Captcha Pages that Deliver Password Stealers

Malicious actors have taken cybercrime to new heights by exploiting captcha verification pages, a typically harmless security feature, to launch large-scale malware distribution campaigns.

This startling revelation uncovers how these fake captchas, interlaced with malicious advertising, are infecting users with password-stealing malware.

Over the past several weeks, cybercriminals have been leveraging fake captcha pages to trick users into executing harmful PowerShell commands.

These fake captchas appear as pop-ups on certain websites, replicating the look and feel of legitimate human verification processes.

2024 MITRE ATT&CK Evaluation Results Released for SMEs & MSPs -> Download Free Guide

When users follow the instructions to “prove they’re human,” they inadvertently execute a PowerShell command that installs malware on their systems.

A visitor activating an ad-placement process and the ad network selecting the target creative (good or bad)

This malicious software is designed to steal passwords, financial information, private files, and social media credentials.

The success of this campaign lies in its simplicity and ability to evade user suspicion. The malware execution is hidden within what seems to be a routine process, leaving most victims unaware they’ve been compromised.

The Role of Malvertising in the Attack

The distribution of these malicious captchas is facilitated by malvertising or malicious advertising. Cybercriminals purchase ad space on legitimate websites through ad networks, inserting scripts that redirect users to fake captcha pages.

Example of a full fake captcha malvertising attack flow including all services in use

These ads are sophisticated, using advanced cloaking techniques to bypass moderation checks. Once the ad is served, it collects information about the user’s device and browser, determining the best way to deliver the malicious payload.

The system relies on a Traffic Distribution System (TDS), which analyzes the user’s profile and redirects them to the fake captcha page.

This seamless redirection process, often undetectable by end users, ensures the malware campaign operates at scale without raising red flags.

Monetag and the Ecosystem of Malicious Ads

A notable player in this campaign is Monetag, an ad network accused of enabling malicious advertising.

A real example of powerful SEO – First Google Search results pointing to a Monetag-enabled site

Unfortunately, malicious actors have exploited these tools to serve fake captcha pages. By leveraging ad tracking services like BeMob to disguise their intent, attackers bypass Monetag’s content moderation, making it challenging to detect and remove harmful ads.

Monetag’s TDS domains direct link to Android/Desktop adware as well as Propeller-Ads infra

The attackers frequently update their malware scripts and captcha designs to evade detection, ensuring the campaign remains effective.

Reports indicate that these campaigns generate over one million ad impressions per day, affecting thousands of legitimate websites.

This campaign primarily targets users visiting websites offering free or pirated content, such as streaming platforms and download hubs. These sites, known for aggressive advertising practices, become unwitting participants in the attack.

In some cases, compromised websites or cloned templates are used to spread these fake captcha scripts further, increasing the scale of the infection.

Malware dropping

According to the Labs Guard in Medium, Sophisticated search engine optimization (SEO) tactics ensure these malicious websites rank highly on search engines, attracting a steady stream of unsuspecting visitors.

Once on the site, users are funneled into the fake captcha attack flow through intrusive ad placements.

To safeguard against these threats, users must adopt proactive security practices. Avoid clicking on pop-ups or captcha prompts that seem suspicious or lead to unexpected actions.

Using reputable ad blockers can minimize exposure to malvertising while keeping your operating system and antivirus software updated can help detect and prevent malware execution.

Finally, stay vigilant when browsing high-risk websites, especially those offering free or pirated content.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

20 Best Incident Response Tools in 2025

In today's digital era, organizations face an ever-growing threat landscape, with cyberattacks, data breaches, and…

1 hour ago

Chrome Use-After-Free Vulnerability Enables Remote Code Attacks

Google has rolled out a critical update for its Chrome browser, addressing a high-severity vulnerability…

1 hour ago

Windows CLFS 0-Day Vulnerability Exploited in the Wild

Microsoft has disclosed an active exploitation of a zero-day vulnerability in the Windows Common Log…

1 hour ago

Kibana Releases Security Patch to Fix Code Injection Vulnerability

Elastic, the company behind Kibana, has released critical security updates to address a high-severity vulnerability…

2 hours ago

AWS Systems Manager Plugin Flaw Allows Arbitrary Code Execution

A recently discovered vulnerability in the AWS Systems Manager (SSM) Agent, a cornerstone of Amazon…

2 hours ago

Microsoft April 2025 Patch Tuesday: Fixing 121 Vulnerabilities, Including a Critical Zero-Day

Microsoft has rolled out its April 2025 Patch Tuesday update, addressing 121 security vulnerabilities across…

13 hours ago