In recent weeks, our team has responded to a growing number of incidents involving a new social-engineering tactic that’s quickly gaining traction: fake CAPTCHA attacks.
These attacks disguise themselves as the familiar “I’m not a robot” prompts we all interact with daily. But behind the scenes, they behave very differently, with dangerous consequences.
In the cases we've handled, everything looks normal at first. A user lands on a website (sometimes a sketchy site, other times a legitimate site that has been compromised) and is greeted with a standard-looking CAPTCHA box.
But the moment they click it, the page secretly copies malicious code to the user’s clipboard. Then it displays instructions like: “If the CAPTCHA doesn’t load, press Windows + R and paste the following command.”
If the user follows the prompt and pastes the clipboard contents into the Run dialog, the device immediately begins pulling down malware. We’ve seen:
This attack works because it doesn’t rely on exploiting a vulnerability; it exploits human trust in something as common as a CAPTCHA.
Attackers know that users are trained to trust CAPTCHAs. They show up on thousands of websites, from login pages to comment sections. And unlike phishing emails or fake login forms, CAPTCHAs don’t usually raise red flags. That familiarity gives attackers a perfect disguise.
We’ve also seen attackers compromise legitimate websites and embed a fake CAPTCHA, which makes the attack even harder for an average user to recognize.
We’re now advising clients to immediately stop and report any CAPTCHA that asks them to run or paste anything. A legitimate CAPTCHA will never tell you to:
Other red flags include CAPTCHAs appearing on unusual or compromised websites and unexpected clipboard activity, such as content being copied automatically after clicking a CAPTCHA. If any of these occur, it’s critical to pause and report the activity to your IT or security team immediately.
1. Build this into security awareness training
Employees must know that CAPTCHAs should never involve manual commands, clipboard actions, or Run dialogs.
2. Encourage a “stop and ask” mindset
We’d always rather answer a quick phone call or email than clean up malware.
3. Keep endpoint protections up to date
Modern EDR tools can help detect suspicious command execution even if a user makes a mistake.
4. Report suspicious pages immediately
The sooner we are aware, the faster the threat can be contained.
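As an added illustration of the kind of endpoint check the advice above refers to (this is example code written for this page, not code from the post or from any EDR product), the following Python flags process-creation events in which a command interpreter is started from the Run dialog, i.e. with explorer.exe as its parent, and its command line carries a URL. The key=value event format, the interpreter set and the sample log lines are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Interpreters a pasted Run-dialog command typically starts (assumption: tune
# this set to what is normal for your fleet).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# key="value" or key=value pairs, one process-creation event per line
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Event:
    image: str
    parent_image: str
    command_line: str


def parse_event(line: str) -> Event:
    """Parse a Sysmon-style key=value event line into an Event."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return Event(fields.get("Image", ""), fields.get("ParentImage", ""),
                 fields.get("CommandLine", ""))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious(ev: Event) -> bool:
    """Run dialog (parent explorer.exe) -> interpreter -> command carrying a URL."""
    return (basename(ev.parent_image) == "explorer.exe"
            and basename(ev.image) in INTERPRETERS
            and URL_RE.search(ev.command_line) is not None)


def find_suspicious(lines):
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]


# Constructed sample events (not real telemetry); placeholder.invalid is a placeholder host.
SAMPLE_LOG = [
    r'Image="C:\Windows\System32\notepad.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="notepad.exe"',
    r'Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Windows\System32\svchost.exe" CommandLine="powershell.exe -File C:\Scripts\inventory.ps1 http://placeholder.invalid/report"',
    r'Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="powershell.exe -Command Invoke-WebRequest -Uri http://placeholder.invalid/verify"',
]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_LOG):
        print("ALERT:", ev.command_line)
```

Only the third event is flagged: the notepad launch has no URL, and the scheduled-task style launch under svchost.exe has a URL but not the Run-dialog parent, so the rule stays quiet on routine automation. In real telemetry the parent-process condition is what ties the alert to the user-pasted-command scenario, so check how your EDR records Run-dialog launches before relying on it.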
Fake CAPTCHA attacks are a perfect example of how attackers continue to shift away from traditional exploits and increasingly focus on manipulating human behavior. We’ve seen these attacks firsthand, and the speed at which they’re spreading makes awareness critical.