
Security Advisory: Fake CAPTCHA Scams are Tricking Users into Running Malicious Commands


We are seeing a growing attack technique where threat actors use fake “Verify you’re human” CAPTCHA pages to trick users into running malicious commands on their own systems.

This technique, tracked by Microsoft and multiple security vendors as ClickFix, relies on user action rather than a software exploit. Once executed, it commonly leads to credential theft, session hijacking, or remote access malware.

Learn what this attack looks like, why it works, and what to do if it occurs in your environment.

What This Attack Looks Like

The page often appears legitimate at first.

Common indicators include:

  • A normal-looking website that suddenly displays a CAPTCHA or security check
  • Instructions telling the user to:
    • Click a button labeled Copy, or copy a highlighted “verification code”
    • Press Windows + R
    • Paste the copied text into the Run dialog
    • Press Enter to “verify”

That action is the attack.

Legitimate CAPTCHA checks never require users to:

  • Open Run
  • Open PowerShell
  • Open Terminal
  • Open Command Prompt
  • Copy or paste commands

If a page asks for any of these steps, assume it is malicious.

Why This Works

ClickFix succeeds because it exploits behavior, not vulnerabilities.

Contributing factors include:

  • Users are conditioned to click through prompts quickly
  • Frequent security dialogs have created verification fatigue
  • The attacker never executes malware directly
  • The user runs the payload on the attacker’s behalf

Once executed, the impact often includes:

  • Information-stealing malware
  • Compromised credentials and sessions
  • Remote access capabilities
  • Follow-on account compromise

Because execution is user-driven, detection may not occur until after the command has already run.

What To Do If You See This

If you encounter a CAPTCHA or security prompt that asks you to copy and paste anything:

  • Close the browser tab immediately
  • Do not paste anything into Run, PowerShell, Terminal, or Command Prompt
  • Do not continue on the site
  • If you arrived via an ad or pop-up, do not return

Treat the page as hostile and move on.

If You Already Ran the Command

Treat this as a potential security incident.

Immediate actions:

  • Disconnect the affected device from the internet
  • Stop logging into email, portals, banking, or any sensitive systems from that device
  • Do not attempt self-cleanup or run additional commands

Next steps:

  • Reset passwords from a known-clean device
  • Review recent sign-in and authentication activity for suspicious access
  • Check for signs of credential theft, persistence, or remote access
  • Validate the endpoint using your security tooling or with assistance from your IT or security provider

If you cannot confidently confirm the device is clean, reimage it using a known-good base image.
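One concrete check for the "signs of persistence or remote access" step above: the Windows Run dialog records what was typed into it under the RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), so a ClickFix paste usually leaves an entry there. The following is an added example, not part of this advisory, that triages an export of that key; the sample values are constructed, and the flagged entry carries a placeholder rather than any real command.

```python
# RunMRU stores each Run-dialog entry as a string value named "a", "b", ...
# with a trailing "\1"; the "MRUList" value lists names most-recent-first.
# Constructed sample export for illustration (not taken from a real host).
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "calc\\1",
    "c": 'powershell -w hidden -c "<placeholder>"\\1',
}

# Interpreters and built-in tools a pasted "verification" command typically launches.
INTERPRETERS = ("powershell", "pwsh", "cmd", "mshta", "wscript", "cscript",
                "curl", "certutil", "bitsadmin", "rundll32", "regsvr32")
# Flags and keywords common in one-liners meant to run unseen or fetch remote content.
TOKENS = ("-w hidden", "-windowstyle hidden", "-enc", "-e ", "-ec ", "iex",
          "invoke-expression", "downloadstring", "iwr", "invoke-webrequest", "http")


def parse_runmru(values):
    """Return Run-dialog entries most-recent-first with the trailing '\\1' removed."""
    entries = []
    for name in values.get("MRUList", ""):
        raw = values.get(name)
        if raw is None:
            continue
        entries.append(raw[:-2] if raw.endswith("\\1") else raw)
    return entries


def classify(entry):
    """Return the reasons an entry looks like a pasted ClickFix command (empty list = benign)."""
    text = entry.lower()
    parts = text.split()
    # First token is the program; strip quotes, directory path and ".exe".
    first = parts[0].strip("\"'").rsplit("\\", 1)[-1] if parts else ""
    if first.endswith(".exe"):
        first = first[:-4]
    reasons = []
    if first in INTERPRETERS:
        reasons.append(f"launches {first}")
    reasons += [f"contains '{t.strip()}'" for t in TOKENS if t in text]
    return reasons


def triage(values):
    """Pair every suspicious Run-dialog entry with the reasons it was flagged."""
    return [(e, classify(e)) for e in parse_runmru(values) if classify(e)]


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_RUNMRU):
        print(f"SUSPICIOUS: {entry!r}: {', '.join(reasons)}")
```

On a live host the same values can be read with `reg query` or PowerShell's `Get-ItemProperty` and fed to `triage`; an empty key is not proof the command was never run, since the list holds only recent entries and can be cleared.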

Assume compromise until proven otherwise.

Prevention Reminders to Share with Users

  • Real CAPTCHAs never ask you to copy or paste commands
  • Any “verification” requiring system tools is a scam
  • Many of these attacks originate from ads or manipulated search results
  • Slow down and navigate directly to trusted sites

User awareness remains one of the most effective defenses against this technique.

Why This Matters

ClickFix attacks are increasing because they bypass traditional exploit-based defenses and rely on human action.

Organizations that prepare for user-executed malware scenarios are better positioned to contain incidents quickly, reduce blast radius, and prevent follow-on account compromise.

If users recognize this pattern early, the attack often fails entirely.

Stay safe and stay vigilant.
– ISI Cybersecurity Team
