
New FakeCaptcha Scam Exploits URL Credentials to Distribute Malware

Cybersecurity researchers have identified a sophisticated new scam campaign that combines social engineering with technical exploits. Dubbed “FakeCaptcha,” this attack leverages URL manipulation tactics to trick users into running malicious code by exploiting the userinfo portion of web addresses and legitimate domain names to establish false credibility.

According to security analysts, the scam has been actively targeting users since early March 2025, primarily focusing on individuals seeking to verify they are “not a robot” through what appears to be familiar CAPTCHA systems:

Gen Threat Labs: New Scam Alert! #FakeCaptcha

How the FakeCaptcha Attack Works

The attack chain begins with a deceptive URL that includes a trusted domain like “google.com” placed in the userinfo section of the address (before the ‘@’ symbol), making the link appear legitimate at first glance. For example, a URL might appear as:

https[:]//google.com@help.macosoftyie[.]com/check/microsoft.doc

While many users might assume this leads to Google, the URL actually directs to “macosoftyie.com” — the attacker’s domain. This manipulated URL serves as the initial entry point for the attack sequence, which unfolds in several stages:
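The following is an added example (not code from the original article or from Gridinsoft) showing how a defender can pull the real destination host out of a URL of the kind described above. It uses Python's standard `urllib.parse`, which treats everything before `@` in the authority as credentials, exactly the property the scam abuses. The `refang` helper and the `WATCHED_BRANDS` list are assumptions for this example; the sample URL is the one quoted in the article.

```python
from urllib.parse import urlsplit

# Brand names an attacker is likely to plant in the userinfo part of a link.
# Assumed list for this example; extend it with the brands your users trust.
WATCHED_BRANDS = ("google.com", "microsoft.com")


def refang(url: str) -> str:
    """Undo the common [:] / [.] defanging used when sharing indicators."""
    return url.replace("[:]", ":").replace("[.]", ".")


def analyze_url(url: str) -> dict:
    """Split a URL and report where it really goes and whether the
    userinfo part looks like an attempt to impersonate a domain."""
    parts = urlsplit(refang(url))
    userinfo = parts.username or ""
    if parts.password is not None:
        userinfo += ":" + parts.password
    real_host = parts.hostname or ""
    # Legitimate basic-auth usernames rarely contain a dotted domain name;
    # "google.com" sitting before the '@' is the tell-tale sign.
    looks_like_host = "." in userinfo
    spoofed_brand = next(
        (b for b in WATCHED_BRANDS if b in userinfo.lower()), None
    )
    return {
        "real_host": real_host,
        "userinfo": userinfo,
        "spoofed_brand": spoofed_brand,
        "suspicious": bool(userinfo) and (looks_like_host or spoofed_brand is not None),
    }


if __name__ == "__main__":
    # The defanged URL quoted in the article.
    sample = "https[:]//google.com@help.macosoftyie[.]com/check/microsoft.doc"
    print(analyze_url(sample))
```

Note that the check does not flag an ordinary basic-auth link such as `https://user:pass@example.com/`, because the username contains no dotted domain and no watched brand; it flags only userinfo that reads like a hostname.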

  1. Initial Execution: The scam uses mshta.exe (Microsoft HTML Application Host) to execute JavaScript code embedded within a malicious .doc file
  2. VBScript Deployment: A VBScript dropper is installed on the victim’s system
  3. Persistence Mechanism: PowerShell scripts ensure the attack remains active by establishing persistence mechanisms
  4. Payload Delivery: Malicious PDF files containing hidden code are downloaded and executed

What makes this attack particularly concerning is that the malicious PDF files contain code appended after their original EOF (End of File) marker. This technique allows the attackers to bypass certain security measures while performing system fingerprinting and potentially locking the user’s screen to demand payment or further interaction.
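As an added example that is not part of the original article, the following Python code checks a PDF for data appended after its final `%%EOF` marker, the trait the paragraph above describes. The minimal PDF bytes and the appended text are constructed here purely as sample input; the detection threshold `min_len` is an assumption, chosen to ignore the stray newline or two that legitimately follows `%%EOF`.

```python
def build_minimal_pdf() -> bytes:
    """Constructed, syntactically minimal one-page PDF used only as sample input."""
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
        b"xref\n0 4\n0000000000 65535 f \n"
        b"trailer << /Size 4 /Root 1 0 R >>\nstartxref\n0\n%%EOF\n"
    )


def trailing_payload(pdf: bytes) -> bytes:
    """Return whatever follows the last %%EOF marker, with surrounding whitespace removed.

    A PDF with incremental updates contains several %%EOF markers, each followed
    by more PDF structure; only bytes after the LAST marker are unexpected.
    """
    idx = pdf.rfind(b"%%EOF")
    if idx < 0:
        return b""  # no marker at all: malformed, handle as a separate finding
    return pdf[idx + len(b"%%EOF"):].strip()


def has_appended_data(pdf: bytes, min_len: int = 16) -> bool:
    """True when a non-trivial amount of data sits past the final %%EOF."""
    return len(trailing_payload(pdf)) >= min_len


if __name__ == "__main__":
    clean = build_minimal_pdf()
    # Constructed placeholder text standing in for appended content; not a real payload.
    tampered = clean + b"CONSTRUCTED-APPENDED-DATA-PLACEHOLDER\n"
    print("clean:", has_appended_data(clean))        # False
    print("tampered:", has_appended_data(tampered))  # True
    print("tail:", trailing_payload(tampered)[:40])
```

One caveat for use at scale: an appended blob may itself contain the string `%%EOF`, in which case `rfind` lands inside the payload and the reported tail is shorter than the real one. Comparing the `startxref` offset with the file length, or parsing the xref table, is a more robust cross-check when this heuristic fires.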

Figure: FakeCaptcha attack chain. Deceptive URL → mshta.exe execution → VBScript dropper → PowerShell stager → system fingerprinting → malicious PDF download → screen locking → data exfiltration.

Source: Analysis of FakeCaptcha attack method by Trojan Killer Security Research Team, March 2025

Technical Indicators of Compromise

Security researchers have identified several indicators of compromise (IoCs) associated with this campaign:

Malicious File Hashes

  • 86cfecdd3dd98cf1418f1eb6272852e6a0098d244e9c289782f9626be1f5f167 – .doc file with appended script
  • 7cd31e6f74bc3ee0eb87d931b4f39945ffe4262e4f192158d91e31a2163f4fe7 – PowerShell stager script
  • 7e11827da7f7b1196b8484773af5ca534dce712b35de69521be2c88fc924a91f – Main malicious PDF
  • 58b79f0e693c4da34e018b4dbea04c6b35d9dd0e9ce1566b709ca42c3d5f4aa8 – Screen locker PDF

Command and Control Infrastructure

  • macosoftyie[.]com – Primary C&C server and API endpoint
  • help.macosoftyie[.]com – Secondary C&C server used for downloading additional payloads

These malicious elements bear similarities to techniques observed in previous Emotet campaigns, where attackers use multiple stages to establish persistence and deploy additional payloads. The screen locking component also resembles techniques employed by ransomware operators, suggesting possible connections to more sophisticated threat actors.

Potential Impact and Risks

This attack can have several serious consequences for victims:

  • Data theft: The malware may exfiltrate sensitive information such as credentials, financial details, and personal files
  • Ransomware deployment: The screen locker component could evolve into full ransomware functionality
  • Persistence: The PowerShell stager ensures the malware remains active even after system reboots
  • Additional malware: The established foothold can be used to download and install other malicious software, such as banking trojans

Organizations with compromised systems may face operational disruptions, data breaches, financial losses, and reputational damage. Individual users risk identity theft, financial fraud, and loss of personal data.

Protection and Mitigation Strategies

To protect against this and similar threats, security experts recommend implementing the following measures:

  1. URL awareness: Always check the full URL in your browser’s address bar, paying close attention to the host that appears after the ‘@’ symbol, since that host is the actual destination and anything before the ‘@’ is treated as credentials, not as the site
  2. Email security: Be wary of unexpected emails containing links or attachments, particularly those claiming to require CAPTCHA verification
  3. Security software: Ensure your systems are protected with up-to-date security solutions that can detect and block such threats
  4. Application control: Consider implementing policies that restrict the execution of high-risk applications like mshta.exe
  5. System updates: Maintain current operating system and application patches to reduce vulnerability to known exploits
  6. User training: Educate users about URL manipulation tactics and how to identify suspicious links

Organizations should also consider implementing DMARC, SPF, and DKIM email authentication protocols to reduce the risk of spoofed emails reaching their users.

Connection to Other Threats

The techniques employed in the FakeCaptcha campaign have been observed in other malware operations, including Zeus variants and Altruistic Trojan. The multi-stage approach with document-based initial infection, followed by PowerShell persistence and payload retrieval, is becoming increasingly common among sophisticated threat actors.

This attack also demonstrates similarities to URL manipulation techniques seen in phishing campaigns like the Chase Transfer phishing scam, where attackers create convincing replicas of legitimate services to harvest credentials and deploy malware.

By combining several effective tactics — URL manipulation, trusted domain impersonation, multi-stage execution, and PDF exploitation — this campaign represents an evolution in attack sophistication that requires enhanced vigilance from both users and security professionals.

Conclusion

The FakeCaptcha scam demonstrates the continuing evolution of cyber threats that blend social engineering with technical exploitation. By understanding how these attacks work and implementing appropriate countermeasures, organizations and individuals can reduce their risk of compromise.

As this threat continues to develop, security researchers will monitor for new variants and techniques. Staying informed about emerging threats remains one of the most effective ways to maintain strong cybersecurity posture in today’s rapidly evolving threat landscape.

Gridinsoft Team

Founded in 2003, GridinSoft LLC is a Kyiv, Ukraine-based cybersecurity company committed to safeguarding users from the ever-growing threats in the digital landscape. With over two decades of experience, we have earned a reputation as a trusted provider of innovative security solutions, protecting millions of users worldwide.
