A sophisticated malware campaign, dubbed “LightPerlGirl,” is currently targeting Windows users via fake CAPTCHA pop-up windows designed to mimic legitimate security checks, such as those from Cloudflare.
The threat actors behind this campaign leverage advanced social engineering to lure users into executing malicious PowerShell commands, resulting in stealthy, fileless malware infection and persistent remote access.
The LightPerlGirl attack typically begins when a user browses to a compromised but otherwise legitimate WordPress website.
The site serves heavily obfuscated JavaScript that presents a fake CAPTCHA dialogue urging the user to copy a PowerShell command and execute it in the Windows Run dialog, a technique known as ClickFix.
According to Todyl's report, this initial command is obfuscated to slip past basic security filters and allay user suspicion.
Upon execution, the PowerShell script contacts a remote command-and-control (C2) server, specifically cmbkz8kz1000108k2carjewzf[.]info, and downloads and runs a secondary, multi-part PowerShell payload entirely in memory.
The attack is notable for its evasion techniques: all core actions are executed filelessly, minimizing forensic artifacts and bypassing most traditional antivirus detections.
Multi-Stage In-Memory Execution
The second-stage PowerShell is architected into three core functions:
HelpIO: The main function loops until it gains administrative privileges via a UAC prompt. It then adds C:\Windows\Temp as a Windows Defender exclusion, shielding subsequent payloads from detection.
Urex: This function fetches a secondary batch file (evr.bat) from the C2 server, dropping it as LixPay.bat within the excluded Temp folder. A shortcut (LixPay.url) is then placed in the user's Startup folder, ensuring the malware re-launches persistently across system reboots.
ExWpL: Here, a base64-encoded .NET assembly is decoded and loaded directly into process memory using .NET reflection. The code is executed entirely in-memory, never touching disk—a hallmark of modern, fileless attack techniques designed to evade endpoint protections.
The evr.bat batch file itself contains further instructions to run PowerShell in hidden mode, re-establishing C2 contact (often with the same infrastructure) to fetch and execute additional payloads or attacker commands at runtime.
Threat Analysis
Todyl’s security researchers uncovered LightPerlGirl after detecting anomalous PowerShell activity in a client environment lacking endpoint security controls.
While the initial vector relies heavily on social engineering and user compliance, the campaign exhibits technically advanced persistence, defense evasion, and in-memory execution capabilities.
The presence of Russian-language strings and a “Copyright (c) LightPerlGirl 2025” identifier suggests a nontrivial threat actor, although attribution and ultimate intent remain unclear.
Network analysis reveals C2 beaconing activity to several IP ranges, and the campaign employs both obfuscated scripting and Windows system abuse to maintain access and operate covertly.
Notably, the malware can survive reboots and sidestep Windows Defender, giving attackers a resilient foothold.
Indicators of Compromise (IOC)
| Type | Indicator |
|---|---|
| Malicious Domain | cmbkz8kz1000108k2carjewzf[.]info |
| C2 IP Ranges | 146.70.115.0/24, 91.92.46.0/24, 94.74.164.0/24 |
| Dropped Batch File | C:\Windows\Temp\LixPay.bat |
| Persistence Shortcut | %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\LixPay.url |
| Suspicious PowerShell | Obfuscated commands contacting the above domains/IPs |
| Secondary Payload Path | https://cmbkz8kz1000108k2carjewzf[.]info/evr.bat |
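As an added example, not code from Todyl's report, the following PowerShell triage script checks a host for the artefacts described in the multi-stage section and the IOC table above: the Defender exclusion added by HelpIO, the LixPay.bat and LixPay.url drops from Urex, and cached DNS lookups or live TCP connections toward the listed C2 domain and ranges. The indicators are the report's; the function names and the CIDR helper are this example's own.

```powershell
# Constructed triage script for the LightPerlGirl artefacts described above. Run it from an
# elevated PowerShell session on a Windows host with Defender; names below are this example's own.
$C2Domain   = 'cmbkz8kz1000108k2carjewzf.info'
$C2Ranges   = @('146.70.115.0/24', '91.92.46.0/24', '94.74.164.0/24')
$BatPath    = 'C:\Windows\Temp\LixPay.bat'
$StartupUrl = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup\LixPay.url'
function ConvertTo-IPv4Int {
    # Pack a dotted-quad into a 32-bit value held in an Int64 (avoids signed Int32 overflow)
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([int64]$b[0] -shl 24) -bor ([int64]$b[1] -shl 16) -bor ([int64]$b[2] -shl 8) -bor [int64]$b[3]
}
function Test-InCidr {
    # True when $Ip (IPv4 only) lies inside the CIDR range $Cidr; non-IPv4 input returns $false
    param([string]$Ip, [string]$Cidr)
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$addr) -or $addr.AddressFamily -ne 'InterNetwork') { return $false }
    $net, $bits = $Cidr.Split('/')
    $full = [int64][uint32]::MaxValue          # 0xFFFFFFFF without the Int32 sign quirk of hex literals
    $mask = ($full -shl (32 - [int]$bits)) -band $full
    return ((ConvertTo-IPv4Int $Ip) -band $mask) -eq ((ConvertTo-IPv4Int $net) -band $mask)
}
function Invoke-LightPerlGirlTriage {
    $findings = @()
    # 1. Defender exclusion that the HelpIO stage adds for C:\Windows\Temp
    $excl = (Get-MpPreference -ErrorAction SilentlyContinue).ExclusionPath
    if ($excl | Where-Object { $_ -like 'C:\Windows\Temp*' }) {
        $findings += 'Defender exclusion covers C:\Windows\Temp'
    }
    # 2. Dropped batch file and Startup-folder shortcut from the Urex stage
    foreach ($p in @($BatPath, $StartupUrl)) {
        if (Test-Path -LiteralPath $p) { $findings += "Artefact present: $p" }
    }
    # 3. Cached DNS lookups of the C2 domain
    if (Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -like "*$C2Domain*" }) {
        $findings += "DNS cache entry for $C2Domain"
    }
    # 4. Live TCP connections into the reported C2 ranges, with the owning process ID
    foreach ($c in (Get-NetTCPConnection -ErrorAction SilentlyContinue)) {
        foreach ($r in $C2Ranges) {
            if (Test-InCidr $c.RemoteAddress $r) {
                $findings += "Connection to $($c.RemoteAddress) in $r from PID $($c.OwningProcess)"
            }
        }
    }
    return $findings
}
$hits = Invoke-LightPerlGirlTriage
if ($hits) { $hits | ForEach-Object { Write-Warning $_ } } else { 'No LightPerlGirl indicators found.' }
```

A Defender exclusion on C:\Windows\Temp is a finding on its own regardless of this campaign, since nothing legitimate normally requires it; treat any hit here as a reason to pull PowerShell script-block logs for the host.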