You definitely don’t want to CopyPaste this: FakeCaptcha ecosystem — Dmitrij Lenz & Roberto DaSilva

Описание: You definitely don't want to CopyPaste this: FakeCaptcha ecosystem

Presented at the VB2025 conference in Berlin, 24 - 26 September 2025.
↓ Slides: N/A
↓ Paper: https://www.virusbulletin.com/uploads...
→ Details: https://www.virusbulletin.com/confere...

✪ PRESENTED BY ✪

• Dmitrij Lenz (Google)
• Roberto Dasilva (Google)

✪ ABSTRACT ✪

Social engineering has historically been an integral part of many infection chains. Different techniques emerge within the field of social engineering, with some achieving widespread usage. This was observed with the "FakeCaptcha/FixIt" TTP during the latter half of 2024. "FakeCaptcha/FixIt" attacks involve tricking victims into copying commands from malicious websites or emails and then executing them in their command-line interface.

The TTP was so effective that multiple threat actors began to sell builders for these landing pages, with services tailored to different delivery mechanisms (e.g. email spam, malvertising). Simultaneously, several distinct internal implementations were discovered, each connected to a specific threat cluster. Finally, some actors utilize a drive-by distribution method and adopt only the narrative, while others combine the technique with other methods, such as FakeUpdate.

Although attacks might appear identical from the user's point of view, the exact implementations are different. This presentation details each implementation including their infrastructure, observed stages, final payloads, and a service component if such exists. Additionally, given that most kits underwent continuous development throughout 2024 and 2025, we will illustrate how some implementations have evolved over time. Our pipelines enable reliable collection of malware that is distributed by FakeCaptcha, providing a statistical overview of the ecosystem and its players. We will also see how more espionage-oriented actors are embracing the same technique. Espionage kits are often built from readily available components found in crime FakeCaptcha kits, with the addition of more advanced cloaking mechanisms.

Finally, we will examine the factors that make this technique effective, such as diminished value of PS-Execution policy and resonating comments like "I am not a robot - reCAPTCHA Verification ID" after the command. Some shared attributes among various implementations will be highlighted to help with monitoring and prevention.