
Fake CAPTCHA Scam Deploys StealC Malware to Steal Passwords, Crypto, and Windows Data

Fake CAPTCHA Scam Tricks Windows Users Into Installing StealC Malware

A new social engineering campaign is targeting Windows users with fake CAPTCHA verification pages to trick them into running PowerShell commands that install the StealC information-stealing malware. This malware can exfiltrate passwords, cryptocurrency wallets, Steam accounts, Outlook credentials, system information, and screenshots.


How the Scam Works

The attack begins when a user visits a legitimate website that has been compromised by attackers. Malicious JavaScript embedded in the site displays a CAPTCHA page that closely mimics Cloudflare’s verification interface. Instead of a real challenge, the page instructs users to press Windows Key + R, then Ctrl + V, and Enter, claiming this is required to verify their identity.

This technique, known as ClickFix, exploits users' trust in familiar security checks. The page's script has already copied a malicious PowerShell command to the clipboard, so pasting it into the Run dialog executes it immediately, bypassing browser download prompts and security warnings.

Once executed, the PowerShell script connects to a remote server to retrieve position-independent shellcode created using the Donut framework, which is reflectively loaded into memory. This launches a custom 64-bit PE downloader compiled with Microsoft Visual C++, which retrieves the final StealC payload and injects it into svchost.exe, a legitimate Windows process.

StealC then communicates with its command-and-control (C2) servers over HTTP, using RC4 encryption and Base64 encoding to obscure traffic. Dual-layer string obfuscation hides C2 addresses, targeted file paths, and database queries.


Risks and Targets

StealC actively harvests:

  • Browser credentials
  • Email logins (Outlook)
  • Cryptocurrency wallet information
  • Steam authentication data
  • System screenshots and other sensitive data

The malware’s largely in-memory, multi-stage infection chain makes it difficult to detect and analyze. Attackers can use stolen credentials for account takeover, financial fraud, or lateral movement across networks.


How Organizations Can Reduce Risk

Because the attack exploits built-in Windows tools and relies on user interaction, mitigation requires behavioral monitoring and stricter access control. Recommended defenses include:

  1. Monitor for fileless attack behaviors such as encoded PowerShell commands, shellcode injections (VirtualAlloc/CreateThread), and suspicious process injections into svchost.exe.
  2. Alert on anomalous access to browser credential stores, crypto wallets, and unexpected clipboard-to-execution activity.
  3. Restrict interactive script execution by hardening PowerShell, limiting abuse-prone utilities, and enforcing enhanced logging with AMSI visibility.
  4. Implement application control policies (WDAC, AppLocker) to block unsigned binaries, reflective loaders, and unauthorized scripts.
  5. Monitor outbound network traffic for unusual User-Agent strings, suspicious domains, and C2 communication patterns.
  6. Reduce endpoint credential exposure by limiting browser-stored passwords, isolating privileged accounts, and separating sensitive wallets or admin access from daily browsing.
  7. Test incident response plans with tabletop exercises for fileless malware attacks.

Collectively, these measures strengthen defenses against socially engineered, fileless attacks like StealC.
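As an added defensive example (not code from the article or from any vendor it mentions), the following Python triage rule applies points 1 and 2 above to Sysmon-style process-creation records: it flags PowerShell launched from the Run dialog, encoded or hidden-window invocations, download cradles, and injection API names. The field names, regexes and sample records are assumptions constructed for illustration.

```python
import re
# Field names assume Sysmon Event ID 1 records: Image, ParentImage, CommandLine.
RUN_DIALOG_PARENT = "explorer.exe"  # Win+R starts PowerShell as a child of explorer.exe
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")
HIDDEN_WINDOW = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
DOWNLOAD_CRADLE = re.compile(r"(?i)\b(?:Invoke-WebRequest|iwr|DownloadString|Invoke-Expression|iex)\b")
INJECTION_APIS = re.compile(r"(?i)\b(?:VirtualAlloc|CreateThread|WriteProcessMemory)\b")

def score_event(evt):
    """Return the indicators that make one process-creation record look like a ClickFix stage."""
    name = lambda p: p.lower().rsplit("\\", 1)[-1]  # file name of a Windows path
    reasons = []
    if name(evt.get("Image", "")) not in ("powershell.exe", "pwsh.exe"):
        return reasons
    cmd = evt.get("CommandLine", "")
    if name(evt.get("ParentImage", "")) == RUN_DIALOG_PARENT:
        reasons.append("powershell spawned from explorer.exe (Win+R Run dialog)")
    if ENCODED_FLAG.search(cmd):
        reasons.append("encoded command")
    if HIDDEN_WINDOW.search(cmd):
        reasons.append("hidden window")
    if DOWNLOAD_CRADLE.search(cmd):
        reasons.append("download cradle")
    if INJECTION_APIS.search(cmd):
        reasons.append("shellcode/injection API names")
    return reasons

def triage(events, min_hits=2):
    """Map event index -> reasons for records carrying at least min_hits indicators."""
    flagged = {}
    for i, evt in enumerate(events):
        reasons = score_event(evt)
        if len(reasons) >= min_hits:
            flagged[i] = reasons
    return flagged

# Constructed sample records, not telemetry from a real incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for idx, why in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(why)}")
```

Requiring two indicators keeps routine scripted PowerShell (second sample) out of the alert queue while the Run-dialog launch with an encoded, hidden command (first sample) is flagged.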


1 Comment

  • This fake CAPTCHA scam is a perfect example of how social engineering can bypass traditional security measures. Users should be extremely cautious about following on-screen instructions from unfamiliar websites, even if they look legitimate. Organizations need to monitor for fileless attacks, restrict PowerShell misuse, and educate employees about these types of scams to prevent credential theft and financial losses.
