Fake CAPTCHA Sites Hijack Clipboard to Install Malware

We recently came across a concerning trend: malicious websites posing as CAPTCHA verification pages are hijacking users’ clipboards to trick them into installing information-stealing malware. (Malwarebytes first documented this risk in March 2025.)

If your organization or team uses browsers regularly—and especially if non-technical staff may get redirected to unfamiliar sites—this threat deserves serious attention.

How the Attack Works

Here’s the typical flow of the scam:

  1. A user visits a website (often promising media, articles, download links, etc.).
  2. The site presents a fake “prove you’re not a robot / CAPTCHA” prompt.
  3. Once the user interacts (e.g. clicking a checkbox), the site quietly copies a dangerous command to the clipboard using JavaScript.
  4. The site then instructs the user to:
    1. Open the Windows Run dialog (Win + R).
    2. Press Ctrl + V to paste
    3. Hit Enter
  5. What appears pasted is only the tail of a longer command. The hidden portion—obfuscated or disguised—invokes a system tool (like mshta.exe) to fetch and execute malicious payloads (e.g. encoded PowerShell scripts).
  6. The result: the user essentially executes malware themselves, often an information stealer (such as Lumma Stealer or SecTopRAT).

Because the user performed the “installation” themselves via copy-paste, many security defenses (which focus on blocking downloads) may not catch this behavior.

Why This Is Dangerous

– It exploits trust and user action rather than relying solely on drive-by downloads.
– Victims may see only innocuous-looking text (or partial commands), masking the malicious content.
– The attacker uses legitimate system utilities (like mshta) to carry out the payload, making detection harder.
– Many users won’t question “paste + run” instructions, especially if they think it’s part of a legit verification process.

Recommended Safeguards & Best Practices

To reduce the risk of falling victim to clipboard hijacking attacks, consider adopting the following:

  • Never follow unexplained website instructions or paste commands you don’t fully understand. Cybercriminals often disguise malicious code as harmless text to trick users into executing malware themselves.
  • Use a reputable anti-malware or endpoint protection platform to automatically detect and block suspicious domains, scripts, and clipboard-hijacking attempts.
  • Install browser security extensions or content blockers to stop malicious JavaScript and prevent access to known dangerous websites before they can load.
  • Choose browsers that enforce strict clipboard permissions and isolation, ensuring websites can’t write to or read from your clipboard without your explicit approval.
  • Use a dedicated “sandboxed” browser for untrusted or high-risk sites to contain potential infections and prevent cross-site compromise of your main environment.
  • Train employees—especially non-technical team members—on the dangers of “copy and paste” commands from unverified sources. Informed users are one of the strongest defenses against social engineering attacks.