CAPTCHA Archives

Tech Optimizer

June 5, 2025

Fake DocuSign and Gitcode sites are tricking victims into downloading malware – here’s what you need to know

Researchers at DomainTools Investigations (DTI) have identified counterfeit websites mimicking platforms like DocuSign and Gitcode, designed to lure users into downloading malware, specifically a remote access trojan (RAT). These fraudulent sites use tactics such as fake CAPTCHA prompts to enhance credibility and prompt users to download malicious software disguised as necessary updates. The operation employs a multi-stage downloader PowerShell script, reminiscent of older scams that alarmed users with popups about virus infections. Users are advised to be cautious with unfamiliar websites and verify the authenticity of download prompts.

Winsage

May 25, 2025

Windows Passwords Are Under Attack — Do These 7 Things Now

Microsoft Windows is a target for cybercriminals, particularly regarding password theft. Trend Micro has reported an increase in fraudulent Captcha attacks that trick users into executing malicious commands through the Windows Run dialog, leading to data theft and malware infections. These attacks utilize PowerShell and can deploy various malware types, including Lumma Stealer and AsyncRAT. Despite efforts to disrupt the Lumma Stealer network, threats persist, exploiting legitimate platforms. Microsoft recommends users adopt safer online practices and outlines seven mitigations for organizations: disable access to the Run dialog, apply least privilege, restrict access to unapproved tools, monitor unusual behavior, harden browser configurations, enable memory protection, and invest in user education.

Tech Optimizer

May 21, 2025

Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer

Microsoft has monitored Lumma Stealer, an infostealer malware used by financially motivated threat actors. Lumma Stealer, also known as LummaC2, functions as a malware-as-a-service (MaaS) solution that extracts data from browsers and applications, including cryptocurrency wallets. The entity behind Lumma is identified as Storm-2477, which maintains the malware and its command-and-control (C2) infrastructure. Affiliates can create malware binaries and manage C2 communications through a panel provided by Storm-2477. Ransomware groups have integrated Lumma Stealer into their operations. Lumma Stealer employs various delivery techniques, including phishing emails, malvertising, drive-by downloads, Trojanized applications, and abuse of legitimate services. Specific campaigns have been identified, such as one in April 2025 that used EtherHiding and ClickFix techniques to deliver Lumma Stealer via compromised websites. Another campaign on April 7, 2025, targeted Canadian organizations with emails containing invoice lures that led to malicious downloads. The malware is developed using C++ and ASM, employing advanced obfuscation techniques to evade detection. It can extract a wide range of user data, including browser credentials, cryptocurrency wallet information, and user documents. Lumma Stealer maintains a robust C2 infrastructure with multiple hardcoded and fallback C2 servers, utilizing encryption methods to secure communications. Microsoft's Digital Crimes Unit has disrupted Lumma Stealer's infrastructure by blocking approximately 2,300 malicious domains. Recommendations to mitigate the impact of Lumma Stealer include strengthening Microsoft Defender configurations, implementing multifactor authentication, and utilizing phishing-resistant authentication methods. Microsoft Defender products can detect and block activities associated with Lumma Stealer, providing alerts and insights for incident response.

Tech Optimizer

May 5, 2025

How to Easily Uninstall McAfee Antivirus Completely

McAfee can appear on computers without user consent, often pre-installed on new laptops or bundled with other software. To uninstall McAfee on Windows 10 or 11, users can access the Settings app or Control Panel to remove it. For Mac users, the McAfee Total Protection Uninstaller can be used, but some residual files may need to be deleted manually. If standard uninstallation methods fail, the MCPR removal tool can be used to thoroughly clean up remnants of the software. Uninstalling McAfee is generally not detrimental, as many users prefer alternative antivirus solutions or rely on built-in protections provided by their operating systems.

BetaBeacon

April 27, 2025

What is Steam: The popular gaming platform explained

Steam is a platform and app for distributing video games online that also has social media features and community message boards.

Winsage

March 17, 2025

Invisible Windows Rootkit Hides Dangerous Files Using This Prefix

Obscure#Bat is a malware campaign targeting Windows users that uses obfuscated batch scripts to deploy a user-mode rootkit, which can hide its activities from standard security measures. It stores hidden scripts in the Windows Registry and can conceal files, registry entries, and running processes through application programming interface hooking. The malware can embed itself within legitimate Windows processes, making it undetectable by conventional security methods, and is capable of deleting evidence of its activity. Attackers use social engineering tactics, such as fake CAPTCHA tests and legitimate software tools, to lure victims into executing the malicious batch file. The rootkit obscures files, processes, or registry keys that begin with the “$nya-” prefix and is identified as an open-source ring-3 rootkit known as r77. It avoids kernel modifications and relies on registry and scheduled tasks for persistence, allowing it to evade detection by traditional kernel-based security tools. Windows users are advised to be cautious of social engineering tactics and to inspect batch files in a text editor before execution.

Tech Optimizer

December 24, 2024

‘Fix It’ social-engineering scheme impersonates several brands

Malicious actors are increasingly exploiting web browsers to deliver malware, often bypassing conventional antivirus defenses through sophisticated social engineering. A notable tactic involves copying harmful commands into the clipboard, allowing victims to execute them unknowingly. Recent investigations revealed a campaign using malicious advertisements and counterfeit pages that mimic reputable software brands, leading victims to a fake Cloudflare notification that prompts them to execute specific key combinations. This process triggers PowerShell code that retrieves and installs malware. The investigation began with a suspicious advertisement for a 'notepad' application, which redirected users to a Cloudflare-like page asking them to verify they are human. Instead of a standard CAPTCHA, users encountered a prompt instructing them to follow steps that would inadvertently execute a malicious command. By clicking a 'Fix It' button, the harmful command is copied to the clipboard, and users are led to paste and run it, initiating a download from a remote domain. The campaign targeted several brands, including Microsoft Teams, FileZilla, UltraViewer, CutePDF, and Advanced IP Scanner. The same domain linked to the malicious PowerShell command for Notepad++ also appeared in another campaign. Indicators of compromise include various malicious domains and URLs associated with the malware and its command and control server. Malwarebytes provides protection against these threats.

Winsage

November 28, 2024

RomCom exploits Firefox and Windows zero days in the wild

ESET researchers discovered a critical vulnerability, CVE-2024-9680, in Mozilla products exploited by the Russia-aligned group RomCom. This vulnerability, with a CVSS score of 9.8, affects various versions of Firefox, Thunderbird, and the Tor Browser, allowing code execution within the browser's restricted context. When combined with another Windows vulnerability, CVE-2024-49039, attackers can execute arbitrary code in the context of the logged-in user. The exploit can be triggered simply by visiting a malicious web page, enabling the installation of RomCom's backdoor without user interaction. RomCom has been linked to the exploitation of significant zero-day vulnerabilities, including the earlier use of CVE-2023-36884 via Microsoft Word in June 2023. The newly identified vulnerability was reported to Mozilla on October 8th, 2024, and patched the following day. The vulnerability is a use-after-free bug in Firefox's animation timeline. Further investigation revealed CVE-2024-49039, a privilege escalation bug in Windows, which Microsoft patched on November 12th, 2024. RomCom has targeted various sectors in 2024, including governmental entities in Ukraine, the pharmaceutical sector in the US, and the legal sector in Germany, among others. The compromise chain begins with a fake website that redirects victims to a server hosting the exploit. ESET identified multiple command-and-control servers used by RomCom, employing deceptive naming schemes to obscure their intentions. The exploit utilizes shellcode that executes arbitrary code by manipulating animation objects in Firefox. The vulnerability was patched by Mozilla within a day of its discovery. The RomCom backdoor is capable of executing commands and downloading additional modules onto the victim's machine. Indicators of compromise include specific JavaScript files and DLLs associated with the exploit.

Tech Optimizer

October 23, 2024

New Trojan.AutoIt.1443 Hits 28,000 Users via Game Cheats, Office Tool

Cybersecurity experts from Dr.Web have discovered a cyber attack involving Trojan.AutoIt.1443, targeting approximately 28,000 users primarily in Russia and neighboring countries. The malware disguises itself as legitimate applications and is spread through deceptive links on platforms like GitHub and YouTube, leading to password-protected downloads that evade antivirus detection. Key components of the malware include UnRar.exe and scripts named Iun.bat and Uun.bat, which facilitate its installation while erasing traces of activity. The malware scans for debugging tools, establishes network access via Ncat, and manipulates the system registry to maintain persistence. Its operations include cryptomining using SilentCryptoMiner and cryptostealing through a clipper tool that swaps cryptocurrency wallet addresses. The campaign has affected users drawn to pirated software, highlighting the risks of downloading from unverified sources.

Tech Optimizer

October 14, 2024

Windows users are being tricked by sneaky malware scheme

A new strain of malware called Lumma Stealer has been identified, which is being spread through deceptive human verification pages that mimic legitimate Google CAPTCHA interfaces. When users interact with these fraudulent pages, they are misled into executing a PowerShell script that installs the malware. The malware is downloaded in a file named "dengo.zip," which, when unzipped and run, activates Lumma Stealer and connects to attacker-controlled domains. To protect against such threats, users should keep their Windows systems and software updated, use robust antivirus software, scrutinize CAPTCHA pages, avoid running unfamiliar commands, and implement two-factor authentication.