Attackers Leverage Weaponized CAPTCHAs to Execute PowerShell and Deploy Malware

In a recent surge of sophisticated cyberattacks, threat actors have been utilizing fake CAPTCHA challenges to trick users into executing malicious PowerShell commands, leading to malware infections.

This tactic, highlighted in the HP Wolf Security Threat Insights Report for March 2025, involves directing potential victims to malicious websites where they are prompted to complete verification steps.

Once these steps are followed, users inadvertently copy and run PowerShell scripts that download and install malware, such as the Lumma Stealer, a widespread information stealer capable of stealing sensitive data like cryptocurrency wallets.

Exploiting User Trust with CAPTCHA Challenges

The attackers exploit user trust by creating fake CAPTCHA challenges that appear legitimate.

These challenges are often encountered through web advertisements, search engine optimization hijacking, or redirections from compromised sites.

Upon completing the CAPTCHA tasks, users are tricked into opening the Windows Run prompt and executing malicious PowerShell commands.

These commands download large scripts containing Base64-encoded ZIP archives, which are then extracted and installed on the victim’s device.

The malware uses techniques like DLL sideloading to evade detection by running through trusted processes.

Other Emerging Threats

In addition to weaponized CAPTCHAs, attackers are also leveraging other innovative methods to spread malware.

For instance, Scalable Vector Graphics (SVG) images have been used to embed malicious JavaScript code, allowing attackers to deploy remote access trojans (RATs) and information stealers.

These campaigns often involve obfuscated Python scripts, which are increasingly popular among attackers due to Python’s widespread use in AI and data science.

Another notable threat involves malicious PDF documents, which were used to target engineering companies in the Asia Pacific region with VIP Keylogger malware.

These PDFs were disguised as quotation requests and tricked users into downloading and executing malicious executables.

The rise of these sophisticated threats underscores the importance of robust endpoint security measures.

Enterprises must remain vigilant and implement strategies to mitigate such attacks, including disabling unnecessary features like clipboard sharing and restricting access to the Windows Run prompt.

Moreover, keeping security software up-to-date and leveraging threat intelligence services can help organizations stay ahead of evolving cyber threats.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup – Try for Free