Fake CAPTCHA Sites Hijack Clipboard to Install Malware
We recently came across a concerning trend: malicious websites posing as CAPTCHA verification pages are hijacking users’ clipboards to trick them into installing information-stealing malware. (Malwarebytes first documented this risk in March 2025.)
If your organization or team uses browsers regularly—and especially if non-technical staff may get redirected to unfamiliar sites—this threat deserves serious attention.
How the Attack Works
Here’s the typical flow of the scam:
- A user visits a website (often promising media, articles, download links, etc.).
- The site presents a fake “prove you’re not a robot / CAPTCHA” prompt.
- Once the user interacts (e.g. clicking a checkbox), the site quietly copies a dangerous command to the clipboard using JavaScript.
- The site then instructs the user to:
- Open the Windows Run dialog (Win + R).
- Press Ctrl + V to paste
- Hit Enter
- What appears pasted is only the tail of a longer command. The hidden portion—obfuscated or disguised—invokes a system tool (like mshta.exe) to fetch and execute malicious payloads (e.g. encoded PowerShell scripts).
- The result: the user essentially executes malware themselves, often an information stealer (such as Lumma Stealer or SecTopRAT).
Because the user performed the “installation” themselves via copy-paste, many security defenses (which focus on blocking downloads) may not catch this behavior.
Why This Is Dangerous
– It exploits trust and user action rather than relying solely on drive-by downloads.
– Victims may see only innocuous-looking text (or partial commands), masking the malicious content.
– The attacker uses legitimate system utilities (like mshta) to carry out the payload, making detection harder.
– Many users won’t question “paste + run” instructions, especially if they think it’s part of a legit verification process.
Recommended Safeguards & Best Practices
To reduce the risk of falling victim to clipboard hijacking attacks, consider adopting the following:
- Never follow unexplained website instructions or paste commands you don’t fully understand. Cybercriminals often disguise malicious code as harmless text to trick users into executing malware themselves.
- Use a reputable anti-malware or endpoint protection platform to automatically detect and block suspicious domains, scripts, and clipboard-hijacking attempts.
- Install browser security extensions or content blockers to stop malicious JavaScript and prevent access to known dangerous websites before they can load.
- Choose browsers that enforce strict clipboard permissions and isolation, ensuring websites can’t write to or read from your clipboard without your explicit approval.
- Use a dedicated “sandboxed” browser for untrusted or high-risk sites to contain potential infections and prevent cross-site compromise of your main environment.
- Train employees—especially non-technical team members—on the dangers of “copy and paste” commands from unverified sources. Informed users are one of the strongest defenses against social engineering attacks.
COMING SOON! BPA and AI Automations Luncheon @ Foxchase
August 26, 2026 | 11:00am - 1:30pm
Event Details