Hackers Disguise Malware as Captcha

[zasad@]

Hackers Unleash Devious Malware That Steals Crypto Wallet Data Via Fake Captcha: Report
https://cryptonews.com/news/hackers-unleash-devious-malware-that-steals-crypto-wallet-data-via-fake-captchas-report/

"A new research brief published by DNSFilter indicates a rising threat to cryptocurrency users from fake CAPTCHA pages, which use deceptive “I’m not a robot” prompts to deliver malware targeting crypto wallets.

According to DNSFilter, the malicious activity was first identified by one of its managed service provider (MSP) customers. What initially appeared to be a routine CAPTCHA verification was, in fact, an attempt to deploy Lumma Stealer, a fileless malware strain capable of exfiltrating browser-stored credentials and wallet information.

While DNSFilter’s content filtering successfully blocked the attack, its researchers traced the infrastructure to reveal broader patterns of coordinated phishing efforts."

[Mia Chloe]

~snip

I read through the website and honestly if I was trying to solve a captcha and suddenly was asked to hit that command on my keyboard to proceed I'm exiting that site immediately.

The internet is getting scarier every day that passes, extensions are a nightmare, and now sadly captchas have joined sighs.... I think people that are going to be in the highest risk level are actually those that store crypto in an extension wallet. Saw something online yesterday (don't know how true though) that apple still allegedly has a security flaw for wallets.

[Upgrade00]

I read through the website and honestly if I was trying to solve a captcha and suddenly was asked to hit that command on my keyboard to proceed I'm exiting that site immediately.

This could catch out some users who are totally unsuspecting. After trying out a captcha a couple of times with no success, it can get frustrating and anything that looks like a bit of a reprieve and some will be eager to take it without thinking of the consequence or the fact that they've not experienced this before.
Got to stay vigilant all the time.

[Davidvictorson]

The internet is getting scarier every day that passes, extensions are a nightmare, and now sadly captchas have joined sighs

Which is why everyone should have at least an intermediate level of knowledge of cyber security. It is to dangerous not to know it. More devices are getting connected to the internet, a more data is being generated.

I think people that are going to be in the highest risk level are actually those that store crypto in an extension wallet.

Not just them bro, anyone with any financial information, personal information on the internet is at risk. This is just a malware that has been exposed, there are others that are active and are yet to be uncovered.

[casey15]

Threat actors are getting really creative these days and it's very scary that they use normal harmless processing for their malicious activities.
This is a call from use to be extra careful... You really cannot be too careful especially when it comes to your funds... You have to protect it at all cost.

[promise444c5]

Anything beyond checking(.) of those images  required in their boxes looks suspicious , just that most inexperienced/unaware  users will likely fall for it

Threat actors are getting really creative these days and it's very scary that they use normal harmless processing for their malicious activities.

Yes, they are getting creative and part of that creativity is what OP mentioned. There have been fake captchas before as well, only now they use more polished tricks to make them less suspicious and more effective.
This method relies on a shorthand way of executing a command with PowerShell(PS), which then downloads malware or a text file containing extra commands that can trigger the download process...The tricky part is that , the process is less suspicious because the copied command often includes the param “ -w hidden ” to make PowerShell run quietly in the background.

[Darker45]

Reading the title, I thought a simple Captcha click could open a computer to a malware. That would really be sneaky. I'm sure many will fall for it, including myself.

I was relieved after reading that it takes more than that. Although still dangerous, I guess even an ordinary person who's quite cautious when it comes to security would wonder why a simply failure to solve a Captcha would require him/her to go to Windows+R and run a command. That's a bit of a flag.

The internet is getting more dangerous by the day. One can't afford to reduce vigilance a bit. Moreover, one shouldn't keep a significant amount in a hot wallet.

[Patikno]

Hackers Unleash Devious Malware That Steals Crypto Wallet Data Via Fake Captcha: Report
https://cryptonews.com/news/hackers-unleash-devious-malware-that-steals-crypto-wallet-data-via-fake-captchas-report/

"A new research brief published by DNSFilter indicates a rising threat to cryptocurrency users from fake CAPTCHA pages, which use deceptive “I’m not a robot” prompts to deliver malware targeting crypto wallets.

According to DNSFilter, the malicious activity was first identified by one of its managed service provider (MSP) customers. What initially appeared to be a routine CAPTCHA verification was, in fact, an attempt to deploy Lumma Stealer, a fileless malware strain capable of exfiltrating browser-stored credentials and wallet information.

While DNSFilter’s content filtering successfully blocked the attack, its researchers traced the infrastructure to reveal broader patterns of coordinated phishing efforts."

Based on the information you mentioned, I see that the cyberattackers used a fake Captcha, then created a notification that the verification failed due to a network error, and then instructed potential victims to execute a command on the system, which, if executed, would result in the theft of passwords, saved 2FA tokens, crypto wallet data, remote access credentials, and even the theft of password-manager vaults. I believe this should be a concern for many people, especially beginners who are highly susceptible to this problem. Here is a direct explanation from dnsfilter : dnsfilter.com - DNSFilter's Role in Stopping a Fileless Attack

By the way, some time ago there was also an explanation regarding the vulnerability of a password manager, I think this is also worth paying attention to and is also related to our discussion this time, here it is: Bitcointalk.org @fullfitlarry - Password Managers Vulnerability

[Z-tight]

That is a well concealed scam attack and it could be a new method of attack, because this is the first time i am ever reading about this. I would not run this command if i had seen it before this thread, that is because i would be very suspicious of it, as i am about so many online activities. I believe i became more paranoid and careful since i joined the crypto network.

However, this is another good reason why you should store your funds offline, in a hardware wallet or you set up your airgapped wallet. So that if you ever make a mistake like this, you would not lose your coins.

[lionheart78]

I also read that this Malware injection sounds like ClickFix Malware.  It injects multiple trojan viruses from silently injecting lumma stealer, RATS, mintloader down to modified version of R77 to evade detection.  The malware is placed on an unknown website  clone/phishing site set by the hacker.  It is said that the process is like the person is having trouble loading the page and demands a plug-in or does a fake captcha where the hacker injects a set of malware into the process.

To avoid such malware, we should always make sure that we are visiting the right site by checking the URL and never following any instructions that enable the hacker to run a PowerShell command in our system.

 

[DYING_S0UL]

The very first red flag was that set of instructions. The moment I'm seeing something like that, I am 1000% sure that's scam. Does people actually falls for this, in 2025? What does the statistics says? I mean is it that hard to identify that it is a scam attempt? Anything to do with command prompt or the powershell is the biggest red flags, people should know that. Although in this case, it's in the background. IMO, just a little common sense and knowledge about computer is enough to avoid these malware, following some instructions just to prove I'm not a bot is the sounds too unrealistic.

[Franctoshi]

Hackers Unleash Devious Malware That Steals Crypto Wallet Data Via Fake Captcha: Report
https://cryptonews.com/news/hackers-unleash-devious-malware-that-steals-crypto-wallet-data-via-fake-captchas-report/

"A new research brief published by DNSFilter indicates a rising threat to cryptocurrency users from fake CAPTCHA pages, which use deceptive “I’m not a robot” prompts to deliver malware targeting crypto wallets.

According to DNSFilter, the malicious activity was first identified by one of its managed service provider (MSP) customers. What initially appeared to be a routine CAPTCHA verification was, in fact, an attempt to deploy Lumma Stealer, a fileless malware strain capable of exfiltrating browser-stored credentials and wallet information.

While DNSFilter’s content filtering successfully blocked the attack, its researchers traced the infrastructure to reveal broader patterns of coordinated phishing efforts."

Scammers are devising all means to try stay ahead of its victims and they're are relentless in their pursuit of defrauding a lot of people on the the internet. There was a site that I visited recently, did everything, and after solving the Captcha I won't still get in access to the acct. At some point I began to wonder if some sites are meant to just steal your information and that's all. We all really need to stay safe while surfing the internet.

[Joy_learns_crypto]

Hackers are rewriting the text books of how the operate, I haven’t see this one before but I am really patience when trying to pass a Captcha but not everyone has the patience so this is a hack that will sweep many people off their feet.
But today it is through the captcha route it will be something even more deceptive next time so don’t just go trying to be careful when you are faced with a Captcha but this is a reminder that hackers can use things you won’t be suspecting to get you.

[tech30338]

Hackers Unleash Devious Malware That Steals Crypto Wallet Data Via Fake Captcha: Report
https://cryptonews.com/news/hackers-unleash-devious-malware-that-steals-crypto-wallet-data-via-fake-captchas-report/

"A new research brief published by DNSFilter indicates a rising threat to cryptocurrency users from fake CAPTCHA pages, which use deceptive “I’m not a robot” prompts to deliver malware targeting crypto wallets.

According to DNSFilter, the malicious activity was first identified by one of its managed service provider (MSP) customers. What initially appeared to be a routine CAPTCHA verification was, in fact, an attempt to deploy Lumma Stealer, a fileless malware strain capable of exfiltrating browser-stored credentials and wallet information.

While DNSFilter’s content filtering successfully blocked the attack, its researchers traced the infrastructure to reveal broader patterns of coordinated phishing efforts."

you can avoid this by using adblocker and always update antivirus signature for latest threat, some people forget this things, up to date antivirus will save you a lot of time, avoid clicking unknown sites, and ads if you don't have adblocker.
 

[ABCbits]

FWIW it's not exactly new approach. In past, fake captcha used to trick people into downloading malware by clicking certain keyboard combination[1]. As for tricking user to enter windows command, it's spotted since early of this year[2]. Anyway, i wonder whether Microsoft will ever add warning not to enter/run unknown command when you launch "Run" with "Windows" + "R".

[1] https://www.techradar.com/news/sneaky-malware-abuses-captcha-to-bypass-browser-protections
[2] https://www.malwarebytes.com/blog/news/2025/03/fake-captcha-websites-hijack-your-clipboard-to-install-information-stealers

[Fiasem20]

The surge in hacking incidents is alarming, and extreme caution is essential for everyone in the crypto space. Hackers are constantly innovating, developing new and sophisticated tactics that can be deceptively subtle. Recently, they've created fake Captchas to steal users' credentials. Fortunately, platforms like Bitcointalk have active communities dedicated to keeping users informed and protected.Here are some tips I discovered online while researching how to protect your credentials from fake Captchas, sparked by my curiosity;
1.Verify the Website: Before interacting with a CAPTCHA, check the URL to ensure it’s legitimate. Look for “https://” and avoid sites with unusual domains.
2.Never Download Files from CAPTCHAs: A legitimate CAPTCHA will never ask you to download software or extensions.
3.Be Wary of Pop-Ups: Avoid clicking on pop-ups that claim urgent action is needed. Close them and navigate away.
4.Use Antivirus Software: Keep your devices secure with up-to-date antivirus tools.

[qwertyup23]

~snip

I read through the website and honestly if I was trying to solve a captcha and suddenly was asked to hit that command on my keyboard to proceed I'm exiting that site immediately.

The internet is getting scarier every day that passes, extensions are a nightmare, and now sadly captchas have joined sighs.... I think people that are going to be in the highest risk level are actually those that store crypto in an extension wallet. Saw something online yesterday (don't know how true though) that apple still allegedly has a security flaw for wallets.

Holy crap! This is definitely scary given that the task involved is mundane to the point that you will actually comply.

With the advent of technology, even scams are slowly innovating and discovering new ways to trick and deceive everyone. Like what OP mentioned, this kind of scam is exceedingly dangerous given that captcha's are mostly completed by most people. Even if some captchas require you to do outrageous tasks, most would comply just to visit that website.

I just hope that this news would alert everyone on the risks of doing captchas. This definitely turned my radar on and I will be taking steps to ensure that I do not fall victim to this disgusting scam. Thank you for sharing this, OP!

[sunsilk]

I feel worried about the non tech and impatient users. If they're not fond of reading those warnings and yet, they're just blindly follow the instructions of the notification given as to why the captcha has failed, they're definitely going to fall for it.

A worrying one if the user is really not aware of these tricks. But if it's only for specific websites, all we got to do is to verify the landing pages that we visit.

And always take notice of the error and so, we know what actually it is and we're not just gonna fall for it.

[mich]

Well there is going to always be hackers and scammers like this. They will do their best for making it so they can steal crypto funds from their victims.

We must be very careful when we do click on any of these links. If it is a link we do not know or it is a captcha we must be caregul. I did get hacked 1 time like this and now I am so much more careful when opening a link.