Fake CAPTCHA Attacks Deploy Infostealers and RATs in a Multistage Payload Chain

Security practices against fake CAPTCHA attacks

These fake CAPTCHA campaigns continue to grow in sophistication, with threat actors employing advanced techniques such as multistage obfuscation, in-memory script execution, and, in some cases, hiding obfuscated JavaScript within seemingly benign MP3 files. Primary delivery methods include phishing emails — with embedded malicious links or attachments — and malvertising on untrusted websites.

Regardless of the entry point, the attack chain typically relies on obfuscated JavaScript or PowerShell scripts to retrieve and execute a variety of payloads. These are often delivered with the help of loaders like Emmental to download information stealers such as Lumma Stealer and Rhadamanthys, or RATs like AsyncRAT and XWorm.

We expect future fake CAPTCHA attacks to embed payloads in other uncommon formats beyond MP3 and HTA files. While malvertising and phishing emails remain the main distribution methods, attackers might begin experimenting with social media platforms or messaging apps to deliver shortened or disguised links.

The continued use of mshta.exe and PowerShell is likely due to their accessibility in most environments. However, we might also see increased use of other living-off-the-land binaries (LOLBins) to evade detection, such as rundll32 and regsvr32.

Here are some security best practices for defending against these attacks:

Disable access to the Run dialog (Win + R). This is advisable in environments where restricting user access to administrative tools and script execution is a priority. This reduces the risk of executing malicious PowerShell or MSHTA commands and limits the misuse of native Windows utilities.

Apply the principle of least privilege. Apart from restricting the Run dialog, ensure that users are granted only the permissions required for their tasks. This includes restricting write or execute access to sensitive directories, disabling script execution where not needed, and preventing elevation to admin privileges without approval workflows. Reducing privilege levels limits the ability of users (and malware) to execute system-altering commands.

Restrict access to unapproved tools and file-sharing platforms. Maintain a baseline of approved software and block access to public file-sharing services if not required for business use. Controlling access helps reduce the risk of unauthorized downloads and limits the attacker’s ability to deliver or load additional components.

Monitor for unusual clipboard and process behavior. As these attacks demonstrated, users can be socially engineered into pasting and executing malicious commands from the clipboard. Monitoring abnormal clipboard activity — such as encoded commands or suspicious script fragments — can provide early warning signs. It’s also important to track process behavior, particularly in environments where users interact with web content, PDFs, or messaging apps. Watch for abuse patterns, such as media players or browsers spawning unexpected executables or script interpreters, which could indicate payload delivery.

Harden browser configurations. Configure browsers to reduce exposure to SEO poisoning, malvertising, and script-based threats. This includes restricting JavaScript execution on untrusted or unknown domains, enabling filters to block malicious ad networks, disabling autoplay and mixed content to reduce risk from embedded scripts, and removing unnecessary browser plugins or extensions — especially those with elevated permissions or outdated components.

Enable memory protection features. There are built-in OS-level controls in Windows environments that can be enabled to detect in-memory execution, reflective DLL injection, and other evasive techniques. These protections help defend against multistage, fileless payloads that bypass traditional file-based detection.

Invest in user education. Training users to recognize suspicious links or phishing emails significantly reduces the risk of compromise. Awareness around safe browsing — even on production networks — is critical, as threats like the fake CAPTCHA attacks exploit user trust and social engineering tactics.

MDR is crucial in defending against fake CAPTCHA campaigns. MDR services provide continuous monitoring, proactive threat hunting, and rapid response, helping to quickly detect and contain suspicious behaviors or threats before significant damage occurs. In campaigns like these, where attackers rely on evasive, fileless techniques and socially engineered execution, MDR enables real-time telemetry correlation across endpoints, network traffic, and user behavior. This visibility is essential for identifying unusual patterns, such as script-based execution chains or anomalous process launches, and initiating timely containment actions.

Trend Micro solutions for endpoints and networks include behavior monitoring, predictive machine learning (PML), and  web reputation service (WRS) that detect behavioral anomalies, preemptively block unknown threats, and prevent access to malicious URLs. Behavior monitoring helps detect suspicious activities in real time, such as clipboard manipulation, execution via mshta.exe or powershell.exe, and other living-off-the-land techniques, by analyzing how processes behave rather than relying solely on signatures. PML provides proactive protection against new and unknown threats by analyzing file characteristics before execution, blocking obfuscated loaders and malicious scripts even without prior knowledge of the specific malware. WRS blocks access to malicious or compromised URLs, preventing users from being redirected to fake CAPTCHA pages.

Proactive security with Trend Vision One™

Trend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection. This comprehensive approach helps you predict and prevent threats, accelerating proactive security outcomes across your entire digital estate. Backed by decades of cybersecurity leadership and Trend Cybertron, the industry’s first proactive cybersecurity AI, it delivers proven results: a 92% reduction in ransomware risk and a 99% reduction in detection time. Security leaders can benchmark their posture and showcase continuous improvement to stakeholders. With Trend Vision One, you’re enabled to eliminate security blind spots, focus on what matters most, and elevate security into a strategic partner for innovation.

Trend Micro™ Threat Intelligence

To stay ahead of evolving threats, Trend customers can access Trend Vision One™ Threat Insights, which provides the latest insights from Trend Research on emerging threats and threat actors.  

Trend Vision One Threat Insights

Trend Vision One Intelligence Reports App (IOC Sweeping) 

• Fake CAPTCHA Attacks Deploy Infostealers and RATs in a Multistage Payload Chain

Hunting Queries 

Trend Vision One Search App 

Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.    

       Fake CAPTCHA_Stealer

malName:(EMMENHTAL OR RHADAMANTHYS OR XWORM OR LUMMASTEALER) AND eventName:MALWARE_DETECTION AND LogType: detection

More hunting queries are available for Trend Vision One customers with Threat Insights Entitlement enabled. 

Indicators of Compromise

The indicators of compromise for this entry can be found here.

Read More HERE