A recent cyberattack campaign is exploiting Windows users by using deceptive CAPTCHA pages. This attack combines multiple techniques to evade standard security measures, posing significant risks to users.
Campaign Details and Methodology
Initially detected in April 2026, the attack starts with a compromised European small-business website and aims to deploy GULoader, a malware downloader that operates from memory, onto the victim’s computer. This campaign is particularly insidious as it seamlessly integrates into regular web browsing, effectively misleading users and bypassing automated security systems.
The attack is initiated when unsuspecting users access a seemingly legitimate website via a Google search. The site appears normal, with functional product pages and contact forms. Hidden malicious code within the WordPress backend waits to activate under specific conditions, making detection challenging.
Technical Execution and Impact
Sicuranext analysts have traced the attack’s path, revealing a sequence involving a compromised WordPress site, EtherHiding to conceal payloads, a social engineering tactic named ClickFix, and the GULoader remote loader. The campaign targets only Windows desktop browsers, rendering mobile users or security scans unable to detect the threat.
Behavioral detection measures successfully halted the attack in under 300 milliseconds, preventing the GULoader from executing. Despite this, the attempt exposed significant vulnerabilities in current cybersecurity defenses.
Mechanics of the Attack
The attack commences as soon as the user lands on the compromised site. Within seconds, malicious JavaScript contacts the BNB Smart Chain Testnet to retrieve a payload, employing the EtherHiding technique. This approach exploits trusted providers like Cloudflare, making it hard to block.
Subsequently, a fake CAPTCHA overlay prompts users to execute commands that lead to the malware’s deployment. The process leverages rundll32.exe, a trusted Windows tool, to bypass security checks and load the malicious library directly into memory without alerting antivirus solutions.
Preventive Measures and Future Outlook
The attack’s command and control domain, linked to GULoader, facilitates the deployment of various malware types. Post-incident analysis confirmed no data breaches occurred, but security teams are advised to block specific network traffic and monitor DNS queries for early signs of compromise.
Organizations should review their defenses against such sophisticated threats, ensuring they can detect abnormal rundll32.exe operations. Continual vigilance and adopting advanced behavioral detection strategies are crucial to maintaining robust cybersecurity.
Indicators of compromise include specific domains and IP addresses utilized by the attackers. Security professionals must remain vigilant and utilize threat intelligence platforms to assess and respond to these threats effectively.
