CAPTCHA Archives

Winsage

March 6, 2026

Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer

Microsoft revealed a social engineering campaign named ClickFix that exploits the Windows Terminal application to deploy Lumma Stealer malware. Detected in February 2026, this campaign instructs users to access Windows Terminal using the Windows + X → I shortcut, enhancing its perceived legitimacy. Attackers evade detection by manipulating users into executing harmful commands through deceptive prompts. The attack chain involves pasting a hex-encoded command into Windows Terminal, which opens additional Terminal and PowerShell instances, leading to a PowerShell process that decodes a script. This process downloads a ZIP payload containing a renamed 7-Zip binary, which extracts files and initiates a multi-stage attack, including retrieving payloads, establishing persistence, configuring Microsoft Defender exclusions, exfiltrating data, and deploying Lumma Stealer by injecting it into "chrome.exe" and "msedge.exe." Lumma Stealer targets browser artifacts to harvest credentials. A secondary attack pathway involves downloading a batch script that writes a Visual Basic Script to the Temp folder and connects to Crypto Blockchain RPC endpoints, also using QueueUserAPC() for code injection into browsers to extract data.

AppWizard

February 18, 2026

What Happens When You Make Signal Your Main Messaging App?

Signal is an open-source, encrypted messaging app known for its commitment to privacy, favored by developers, journalists, and security experts. The app prioritizes user privacy by default, encrypting all messages, calls, group chats, and files, and limiting metadata collection through features like sealed sender, disappearing messages, and view-once media. Users may face challenges such as difficulty in registering (e.g., requiring a VPN for access) and a sparse contact list, which can lead to feelings of isolation. Signal operates as a nonprofit, prioritizing user privacy over monetization and advertising. The app is designed for those who need stringent encryption, though some users may find services like WhatsApp sufficient for their needs. The experience of using Signal can create barriers to engagement and connection, despite its privacy benefits.

Winsage

February 18, 2026

Attackers steal Windows users’ data using fake CAPTCHA checks

Fraudsters are using counterfeit CAPTCHA confirmation pages to deploy StealC, an information-stealing malware targeting Windows systems. Users are tricked into visiting compromised websites where a fake CAPTCHA prompts them to execute a sequence of keystrokes that runs a malicious PowerShell command. This command connects to a remote server, downloads shellcode, and injects the StealC payload into svchost.exe. Once installed, StealC collects sensitive information such as browser credentials, email data, and cryptocurrency wallet details, facilitating fraud and account hijacking. The malware operates primarily in the system's RAM, making detection difficult.

Tech Optimizer

February 16, 2026

How to Uninstall McAfee on Windows 11 (3 Methods Including winget)

To uninstall McAfee on Windows 11, go to Settings → Apps → Installed apps, find McAfee, and select Uninstall. Alternatively, use the command winget uninstall --id "McAfee.TotalProtection" in an elevated terminal. After uninstalling, run McAfee’s MCPR removal tool to remove any leftover files and registry entries. Windows Security (Defender) will automatically activate after McAfee is removed. McAfee is often preinstalled on Windows 11 laptops by manufacturers like Dell, HP, Lenovo, and ASUS. It is recommended to create a system restore point before uninstalling and ensure you have administrative rights. After uninstalling, check for any remaining McAfee entries in installed apps, running services, Task Manager processes, leftover folders, and scheduled tasks. If issues arise during uninstallation, booting into Safe Mode or using the MCPR tool can help. Windows Security is a built-in antivirus that activates automatically after McAfee removal, providing protection.

Winsage

January 7, 2026

Hackers Use Fake Windows BSOD To Spread Malware

Security researchers have identified a social engineering campaign that mimics the Windows Blue Screen of Death (BSOD) to deceive users into installing a remote access Trojan (RAT). The campaign, named PHALT#BLYX, begins with phishing emails that appear to be legitimate cancellation notices from travel websites, leading victims to a fake login page and an interactive CAPTCHA. This culminates in a full-screen imitation of the BSOD, prompting users to follow instructions that ultimately allow attackers to gain control of their computers. The attackers use a “ClickFix” process that involves executing commands through native Windows tools like PowerShell and MSBuild, making detection more challenging. The malware delivered is an obfuscated version of DCRat, which provides attackers with remote control capabilities, keylogging, and the ability to download additional malware. The campaign primarily targets hotels and hospitality businesses in Europe, exploiting the urgency of front-desk staff to respond to apparent technical issues. Indicators of a fake BSOD include the ability to interact with the screen, requests to execute commands via Windows tools, and the presence of CAPTCHA prompts. Organizations are advised to train employees, implement application control, enhance email and web defenses, and prepare for incident response to mitigate risks associated with such attacks.

Winsage

January 6, 2026

ClickFix attack uses fake Windows BSOD screens to push malware

A new social engineering attack campaign called ClickFix is targeting the hospitality sector in Europe, using fake Windows Blue Screen of Death (BSOD) screens to trick users into executing malware. Initially identified in December by Securonix as "PHALT#BLYX," the campaign involves phishing emails that appear to be notifications from Booking.com, often mentioning significant refunds to create urgency. Victims are directed to a counterfeit Booking.com site that mimics the legitimate one and displays a fake error message prompting them to execute a malicious command. This command launches a PowerShell script that downloads and compiles malware known as DCRAT, a remote access Trojan that allows attackers to control infected devices, exfiltrate data, and spread within networks.

Winsage

December 4, 2025

This Windows Update Pop-Up Is a Scam

Hackers have exploited Windows update screens to deliver malware disguised as a "critical security update," a tactic known as the ClickFix attack. This attack uses social engineering techniques, including fake error messages and CAPTCHA forms, to trick users into executing harmful commands. The scam appears as a pop-up mimicking the standard Windows blue screen but originates from a malicious domain. Users are prompted to paste and execute harmful commands, leading to malware installation. Researchers from Huntress have detailed this attack, noting that malicious code can be embedded within PNG images. Although recent law enforcement actions have reduced the presence of malware payloads on these domains, the threat remains. Users should be cautious of any update screens that do not show a progress indicator or require manual command input, as these are signs of a ClickFix attack. Microsoft releases security updates on the second Tuesday of each month, and users are advised to enable automatic updates and consider disabling the Windows Run box for added security.

AppWizard

November 27, 2025

Epic Games Store Down Right Now? Why The PC Launcher Is Having Issues

The Epic Games Store is experiencing significant disruptions, with many PC players unable to log in, access their game libraries, or launch titles due to issues with Epic Online Services (EOS) login systems. An active incident titled “EOS Login Issues” has been logged for November 26, 2025, affecting not only the Epic Games Store but also popular games like Fortnite, Rocket League, and Fall Guys. Epic has acknowledged the problems and is investigating, but no timeline for resolution has been provided. Reports indicate that thousands of players are facing launcher errors and login loops. The root cause appears to be a malfunction within EOS, which is responsible for user authentication. Players are advised to check Epic’s status page and avoid local troubleshooting measures. The outage disrupts free game claims, store sales, and access to online titles, but players should not lose their games or purchases as they are linked to their Epic accounts.

TrendTechie

November 26, 2025

Официальный сайт Xubuntu был взломан — вместо торрента распространялся вредоносный файл для Windows

Recent advancements in user verification technology have introduced innovative methods to confirm user identity, enhancing security and user experience. One notable implementation is a visually engaging captcha system that combines graphical elements and interactive features, prompting users to confirm their humanity through simple actions. This system may include captivating SVG graphics requiring user interaction, such as checking a box, accompanied by messages like "Please verify you are a human." Additionally, developers are exploring machine learning algorithms to analyze user behavior patterns for better differentiation between human users and bots, reducing false positives and improving security without hindering legitimate users.

Winsage

November 25, 2025

JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers

Cybersecurity experts have identified a new campaign that combines ClickFix tactics with counterfeit adult websites to trick users into executing harmful commands under the guise of a "critical" Windows security update. This campaign uses fake adult sites, including clones of popular platforms, as phishing mechanisms, increasing psychological pressure on victims. ClickFix-style attacks have risen significantly, accounting for 47% of all attacks, according to Microsoft data. The campaign features convincing fake Windows update screens that take over the user's screen and instruct them to execute commands that initiate malware infections. The attack begins when users are redirected to a fake adult site, where they encounter an "urgent security update." The counterfeit Windows Update screen is created using HTML and JavaScript, and it attempts to prevent users from escaping the alert. The initial command executed is an MSHTA payload that retrieves a PowerShell script from a remote server, which is designed to deliver multiple payloads, including various types of malware. The downloaded PowerShell script employs obfuscation techniques and seeks to elevate privileges, potentially allowing attackers to deploy remote access trojans (RATs) that connect to command-and-control servers. The campaign has been linked to other malware execution chains that also utilize ClickFix lures. Security researchers recommend enhancing defenses through employee training and disabling the Windows Run box to mitigate risks associated with these attacks.