CyberWire Daily - Browser attacks without downloads. [Research Saturday]
Episode Date: September 20, 2025
Today we are joined by Nati Tal, Head of Guardio Labs, discussing their work “CAPTCHAgeddon” or unmasking the viral evolution of the ClickFix browser-based threat. CAPTCHAgeddon, Shaked Chen’s deep dive into the ClickFix fake-captcha wave, reveals how a red-team trick morphed into a dominant, download-free browser threat that tricks users into pasting clipboard PowerShell/shell commands and leverages trusted infrastructure, including Google Scripts. Guardio’s DBSCAN-based payload clustering exposes distinct attacker toolkits and distribution paths, from malvertising and compromised WordPress to social posts and Git repos, and argues defenders need behavioral, intelligence-driven protections, not just signatures. The research can be found here: “CAPTCHAgeddon” Unmasking the Viral Evolution of the ClickFix Browser-Based Threat
Transcript
You're listening to the Cyberwire Network, powered by N2K.
And now a word from our sponsor.
The Johns Hopkins University Information Security Institute is seeking qualified applicants
for its innovative Master of Science in Security Informatics degree program.
Study alongside world-class interdisciplinary experts
and gain unparalleled educational research and professional experience in information security and assurance.
Interested U.S. citizens should consider the Department of Defense's Cyber Service Academy program,
which covers tuition, textbooks, and a laptop, as well as providing a $34,000 additional annual stipend.
Apply for the fall 2026 semester and for this scholarship by February 28th.
Learn more at cs.jhu.edu slash MSSI.
Hello everyone and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and
vulnerabilities, solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
This type of attack is trying to fool the visitors of the website into doing something that we are used to doing,
like updating their browser in the early phases with ClearFake, or in this case, solving a CAPTCHA.
We are so used to doing that, so we are doing it once again.
But in this case, we are being fooled into doing something quite malicious.
In this case, running the attackers' code on our system.
That's Nati Tal, head of Guardio Labs.
The research we're discussing today is about CAPTCHAgeddon,
unmasking the viral evolution of the ClickFix browser-based threat.
Can you walk us through how the attack actually works?
Yes, so as you all know, CAPTCHAs are suddenly popping up on your screen
and asking you to solve a puzzle or select where you see the traffic lights or buses and stuff like that.
And this one is actually quite the same.
You get this CAPTCHA screen out of the blue.
It can be when you enter a new site or just as a pop-up,
which was the case in the early ages of this attack,
a pop-up from some kind of advertisement.
And you see this CAPTCHA and you'll say, okay, I need to solve it.
In this case, when you click on the Verify You're Human,
you're asked to do something a bit different than usual,
which is a bunch of keyboard shortcuts you need to click,
and then you are proving you are a human.
But in this case you are actually lured into running this type of code that was copied to your clipboard in the background without you even knowing.
And when you click on those buttons, you actually open up the Run window in your Windows system,
you paste that malicious code into it and press Enter to execute.
So you think that everything is okay,
but actually you just executed some malicious code
that is now going and downloading probably an infostealer that is now being installed on your system,
gathering all the information about you,
about your browser, your credentials, your bank accounts, everything,
sending it out to the attackers.
And that's it.
It's all done in a matter of milliseconds, actually.
And you move on and everything is okay.
You didn't even know that this was happening in the meanwhile.
Help me understand here, when the CAPTCHA initially pops up,
am I visiting a legitimate website that has been compromised?
Interesting question, because the propagation method of this type of attack
evolved during the past year and a half.
It started off mostly in what we call malvertising.
You enter those websites, content websites, mostly on the gray side, the gray area of streaming websites or download websites.
And you are kind of used to getting those annoying new tabs and pop-ups with different types of advertisements.
And this type of propagation was used by the attackers to pop up a new CAPTCHA tab on your system.
Instead of some kind of creative about a new product,
you suddenly see this CAPTCHA.
And because you're already visiting a website
and you just click on something and you get a CAPTCHA,
it looks legit in a way
because you're used to getting a CAPTCHA in this kind of flow.
And this is where it all started.
And because getting those types of clicks,
or paying for them with malvertising,
is the quick win for the attackers.
They pay the bucks
and they get visitors clicking on those CAPTCHAs
that are suddenly popping out on their screens.
This is the easy way in,
and they kind of used this method
to kick it off and to see how effective it is.
And because it was so effective,
the narrative of a CAPTCHA window,
they decided in the next evolution of this attack
to get out of those more low-level malvertising websites,
because usually the visitors of those websites
are not the most, you know, the best types of victims they want.
They want people with money, people with, you know,
with special social accounts they can steal.
They want more money eventually.
So they moved on to a more robust type of propagation that involves using some more advanced techniques.
It's a bit more, I would say, expensive for them to use those kinds of propagations,
but at the end they get much more valuable customers for their CAPTCHAs.
And what we saw in the past half a year is their switch from that malvertising to more malicious ways of compromising websites,
legit websites with many visitors, with great search engine ratings.
So they usually get to those websites from your search results, and many new visitors.
And they compromise those websites, mostly WordPress websites.
We know about the history of WordPress and compromised websites,
unfortunately, and they use these compromised websites to inject their own scripts into the website,
so you visit these websites,
and a few seconds after you start to read their content, a CAPTCHA is popping up on your screen,
which is, again, quite usual to see, and you are used to that,
and you also trust the website because you know this website. It's legit,
it's well known, but you don't know it was compromised.
So this is where the CAPTCHA was brought to a new level of,
first of all, you trust them, a new level of trust,
a better narrative here, because those are real websites,
and you can even brand this kind of fake CAPTCHA
with the logo of this website and everything,
so it looks totally legit.
But eventually, to actually read the website,
you need to solve this CAPTCHA, which means you need to infect your system with malware in this case.
Yeah, it strikes me that the brilliance of this from just a social engineering point of view
is that the CAPTCHAs are kind of a known and trusted nuisance.
You know, we hardly notice them when they pop up and we sort of reflexively click where we need to click
and try to move on.
So it seems to me like it really is effective in lowering our defenses because we're conditioned to complete them.
Exactly.
And this is where most of the attackers these days are focusing their efforts, on stuff,
on flows that are common for us, that make it easy to get us distracted with those flows.
And the CAPTCHA is, unfortunately, a brilliant decision by them because CAPTCHAs are all around, everywhere,
and so easy to replicate, to fake them.
So this is quite a good narrative to use. And by the way, it's even worse than that,
because I believe, again, it's not exactly where it all started,
but it kind of took more traction once the genuine white hat security community
actually presented this kind of attack to the public as a red team simulation, okay?
And unfortunately, I love John Hammond.
He's a good friend, but for the history, I guess,
he will be known as the one that presented this fake CAPTCHA to the world,
although he kind of just enhanced it
because he already saw this kind of attack in the wild.
But since then, most of the attacks were like forks of his GitHub repo.
And following that, you know, it became CAPTCHAgeddon.
We'll be right back.
At Thales, they know cybersecurity can be tough and you can't protect everything.
But with Thales, you can secure what matters most.
With Thales' industry-leading platforms, you can protect critical applications, data, and identities, anywhere and at scale, with the highest ROI.
That's why the most trusted brands and largest banks, retailers, and healthcare companies in the world rely on Thales to protect what matters most: applications, data, and identity.
That's Thales. T-H-A-L-E-S. Learn more at thalesgroup.com slash cyber.
Think your certificate security is covered?
By March 26, TLS certificate lifespans will be cut in half, meaning double today's renewals.
And in 2029, certificates will expire every 47 days, demanding between 8 and 12 times the renewal volume.
That's exponential complexity, operational workload, and risk, unless you modernize your strategy.
CyberArk, proven in identity security, is your partner in certificate security.
CyberArk simplifies life cycle management with visibility, automation, and control at scale.
Master the 47-day shift with CyberArk.
Scan for vulnerabilities, streamline operations, scale security.
Visit cyberark.com slash 47-day.
That's cyberark.com slash the numbers 4-7-D-A-Y.
Yeah, I have no doubt that John's intentions were in good faith,
but at the same time, he does take a lot of heat
for having set that free on the world.
I'm curious, how widespread is this campaign?
Are there particular regions or industries
that seem to be targeted?
It's quite, it varies, because it started off, as I said,
mostly in malvertising.
In this case, it's like spray and pray.
You take it all around the world
because the conversion rate in this case is not high.
So you just spray it all over and you get whatever you get.
But in the last few months, instead of seeing it with more hits and more scale,
you see it at a bit lower scale but more focused and more in high quality.
Instead of just spray and pray with advertisements, or malvertising in this case,
this concept is being used in more targeted, I guess also targeted victims, but more targeted ecosystems.
Just for an example, you see all those WordPress sites being compromised.
So those are one way to do that. Other ways are, I would say, poisoning social media with links that eventually take you to this CAPTCHA.
We even saw some sponsored posts on Facebook about some recipes for cookies or something like that.
But the link there goes to a CAPTCHA.
So if you want the recipe, you need to solve the CAPTCHA.
And this allows, by the way, the attackers to also use the advanced ad network of Facebook to target specific people.
In this case, I don't know, cookie lovers, but you can use it, of course, for any kind of other audience, and a more high-valued audience in this case.
Right.
And we also see this, for example, one of the most targeted audiences, I guess, in the past year, are users of booking.com.
And by users, I mean hotel owners or, you know, apartment owners that use this service to share their hotels.
And those are being targeted with targeted phishing attempts to get their credentials to booking.com and later on use this to target their visitors.
So we saw tons and tons of attempts to get those booking.com clients by presenting them some kind of phishing email.
But instead of the classic, you know, click here to solve the issue,
and you have the phishing login page of booking.com,
instead, you're going to a site that looks again like booking.com,
but you get this CAPTCHA instead.
So it's even more legit than just trying to log in with your credentials on a fake page.
You don't need the credentials.
You will just steal everything, with the credentials inside.
So they are using this more cleverly in the past few months,
less scale a bit, but much more powerful in this case.
What about evasion and persistence here?
I mean, what sort of tricks are these attackers using to bypass detection?
Well, it started quite simply at the beginning of days.
It was a plain HTML page with shell code, PowerShell code, that it copies to your clipboard in plain sight, and everything is like so easy to detect.
But quite quickly, when it got more traction, they started to use those known tricks of obfuscating the code a bit, or changing like PowerShell with caps and lower letters and everything like that.
Really simple, but it worked at the beginning of times.
Today, they are much more persistent with what they are doing, because they are actually generating those kinds of scams on the fly, and there are tons of ways to create a malicious PowerShell code, for example, so they are just generating a new one for every hit to the same CAPTCHA page.
They are also trying to mitigate detection by security companies by redirecting to different kinds of pages along the way and not presenting specifically the code you are looking for, the PowerShell code, in this specific page.
And again, all those tricks are eventually easy to understand for security researchers and to add to their YARA rules or the detection mechanism.
But because it's so powerful, they don't give up and always try to be more creative.
So it's a race, like almost on every other type of attack. It's a race. It will continue forever as long as they are able to get value from this kind of attack.
And as we can see, it's here for more than almost two years now, I think, from the very first time we saw that.
And it's here to stay. So we really need to be more careful.
Well, what are your recommendations then? I mean, for both users and organizations,
What are the best ways for them to protect themselves?
Well, first of all, being familiar with this kind of attack is the most important part of it.
Because, again, for us as more techy users that are used to CAPTCHAs and know exactly what they're doing, how they're doing that,
it would be very, I don't know, it's strange for us to solve a CAPTCHA by running code on our system,
so we won't do that.
But people that are not so aware of this type of CAPTCHA,
they just think it's a new type of puzzle we need to solve, so let's try it.
But if they were aware that this type of attack is here, because again the flow is the same,
you need to open a command line in some way and paste code into it, so it will be there on all types of fake CAPTCHAs.
If you are familiar with it, it's by far the most important part of mitigating it.
But there are more, I don't know, more enterprise ways to deal with it, of course.
One of the suggestions we made a few months ago
was for organizations mostly
to just disable PowerShell on their users' computers,
because most users today don't use PowerShell,
and of course those that are not coding on their computer.
So just disable it.
It's possible, it's one registry key just to change it.
Organizations can do that with policy.
And at least for that, you're safe.
For home users, by the way, it's also a possibility
because, again, most home users don't use PowerShell.
So it's one way to do that, but it's a bit patchy, of course.
And again, the most important part of everything here
is to get the right security level for you.
It's not enough to use the default security layers we have with our browser or our system.
We really need something more powerful in between that will know to catch those types of attacks before they hit us.
Our thanks to Nati Tal from Guardio Labs for joining us. We've been discussing their work on CAPTCHAgeddon, unmasking the viral evolution of the ClickFix browser-based threat.
We'll have a link to their research in the show notes.
And that's Research Saturday, brought to you by N2K CyberWire.
We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
This episode was produced by Liz Stokes.
We're mixed by Elliot Peltzman and Trey Hester.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next time.
Thank you.