Fake CAPTCHAs are being used to spread malware – and we only have ourselves to blame

Spread the love

HP Threat Insights Report reveals new malware campaigns
Victims have their data exfiltrated by a remote access trojan
Attackers have been observed using fake CAPTCHA verification pages

New research has claimed victims are increasingly infecting themselves with malware thanks to a surge in fake CAPTCHA verification tests – taking advantage of a growing ‘click tolerance’ as users are increasingly accustomed to ‘jumping through hoops to authenticate themselves online.’

This isn’t the first report to flag this attack, with security researchers identifying fake CAPTCHA pages spreading infostealer malware in late 2024, but HP’s latest Threat Insights Report now warns this is on the rise.

Users were commonly directed to attacker-controlled websites, and then pushed to complete convincing but fake authentication challenges.

Table of Contents

More campaigns identified

These false CAPTCHAs usually trick users into running malicious PowerShell commands on their device that install a Lumma Stealer remote access trojan – a popular infostealer capable of exfiltrating a wide range of sensitive information, like browser details, email credentials, client data, and even cryptocurrency wallets.

Fake CAPTCHA spreading wasn’t the only threat uncovered, with attackers also able to access end-users webcams and microphones in concerning attacks spread via social engineering attacks, primarily using open source RAT and XenoRat to control devices, exfiltrate data, and log keystrokes.

Alongside this, attackers were observed delivering malicious JavaScript code “inside Scalable Vector Graphic (SVG) images to evade detection”. These images are opened “by default” in browsers, and the embedded code is executed, “offering redundancy and monetization opportunities for the attacker” thanks to the remote access tools.

“A common thread across these campaigns is the use of obfuscation and anti-analysis techniques to slow down investigations,” said Patrick Schläpfer, Principal Threat Researcher in the HP Security Lab.

“Even simple but effective defence evasion techniques can delay the detection and response of security operations teams, making it harder to contain an intrusion. By using methods like direct system calls, attackers make it tougher for security tools to catch malicious activity, giving them more time to operate undetected – and compromise victims endpoints.”