Cybercriminals are using a new trick to distribute malware: fake CAPTCHA verification pages that hijack users’ clipboards. These malicious websites deceive users into pasting harmful commands into their systems, leading to the installation of information-stealing malware such as Lumma Stealer and SecTopRAT.
How the Attack Works
This attack method exploits a simple but effective technique: clipboard hijacking. Here’s how it unfolds:
- Fake CAPTCHA Prompt – Users visit a website that appears to require CAPTCHA verification, a common security measure to distinguish humans from bots.
- Clipboard Manipulation – Instead of a real CAPTCHA, the site injects malicious text into the user’s clipboard without their knowledge.
- User Execution – The site then instructs the user to press Win + R to open the Run dialog and paste the clipboard contents.
- Malware Download – If the user follows these steps, the command downloads and executes information-stealing malware on their system.
Malware Involved
Lumma Stealer
Lumma Stealer is a well-known malware designed to steal sensitive user data, including:
- Browser cookies and saved passwords
- Cryptocurrency wallet information
- Autofill data from web browsers
SecTopRAT
SecTopRAT is a remote access Trojan (RAT) that gives attackers control over an infected system. It enables cybercriminals to:
- Record keystrokes
- Take screenshots
- Execute commands remotely
Both malware families pose serious risks by compromising personal and financial information.
How to Protect Yourself
1. Be Skeptical of Online Instructions
Never follow unverified instructions from random websites, especially those prompting you to paste text into the Run dialog. Legitimate CAPTCHA services will never ask for such actions.
2. Use Security Software
Install and regularly update anti-malware software, such as Malwarebytes, to detect and block malicious websites.
3. Enable Browser Security Features
Use browser extensions that block clipboard manipulations and prevent unwanted script execution.
4. Disable JavaScript on Untrusted Websites
Many clipboard-hijacking attacks rely on JavaScript. Disabling it on unknown or suspicious websites can mitigate risks.
5. Keep Software Updated
Ensure your operating system and web browser are up-to-date to minimize vulnerabilities that attackers could exploit.
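The check a clipboard-blocking extension (item 3) could apply to the clipboard manipulation step described under How the Attack Works is sketched below. It is an added example, not code from the original article or from any named product. The rule names, weights, threshold and sample strings are assumptions constructed for illustration.

```javascript
// Added example: screen text a page tries to put on the clipboard.
// A real CAPTCHA has no reason to copy a command line for the Run dialog.
const RULES = [
  // Windows script hosts and download tools appearing as a command word
  { name: "interpreter", weight: 2,
    re: /(^|[\s"'&|;(])(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin|curl|msiexec)(\.exe)?(\s|$)/i },
  // Any remote URL inside the copied text
  { name: "remote-url", weight: 1, re: /\bhttps?:\/\/[^\s"']+/i },
  // PowerShell switches that hide the window or pass an encoded script
  { name: "hidden-or-encoded", weight: 2,
    re: /(^|\s)-(w(indowstyle)?\s+h(idden)?|enc(odedcommand)?|nop(rofile)?)\b/i },
  // Wording used to make the pasted text look like a verification code
  { name: "verification-lure", weight: 1, re: /not a robot|captcha|verif(y|ication)/i },
];
const THRESHOLD = 3; // assumption: tune against your own false-positive data

function scoreClipboardText(text) {
  const hits = RULES.filter((r) => r.re.test(text));
  const score = hits.reduce((sum, r) => sum + r.weight, 0);
  return { score, reasons: hits.map((r) => r.name), suspicious: score >= THRESHOLD };
}

// Wrap a Clipboard-like object (anything with async writeText, such as
// navigator.clipboard) so page-initiated writes are screened before they land.
function guardClipboard(clipboard, onBlock = () => {}) {
  const original = clipboard.writeText.bind(clipboard);
  clipboard.writeText = async (text) => {
    const value = String(text);
    const verdict = scoreClipboardText(value);
    if (verdict.suspicious) {
      onBlock(verdict, value);
      throw new Error("Blocked clipboard write: " + verdict.reasons.join(", "));
    }
    return original(value);
  };
  return clipboard;
}

// Constructed, inert samples (example.invalid is a reserved test domain).
const SAMPLES = {
  lure: 'mshta https://example.invalid/check # "I am not a robot - ID 0000"',
  benign: "Meeting notes: verify the invoice total before Friday",
};
```

The wrapper only covers the asynchronous Clipboard API. Pages can also set clipboard data through a `copy` event handler or `document.execCommand("copy")`, so a real extension would apply the same scoring on those paths too.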
CAPTCHA
Fake CAPTCHA attacks are a growing threat, leveraging social engineering to trick users into installing malware. By staying vigilant, using security tools, and practicing safe browsing habits, you can protect yourself from these deceptive schemes.