![[The AI Show Episode 151]: Anthropic CEO: AI Will Destroy 50% of Entry-Level Jobs, Veo 3’s Scary Lifelike Videos, Meta Aims to Fully Automate Ads & Perplexity’s Burning Cash](https://www.marketingaiinstitute.com/hubfs/ep%20151%20cover.png)
![Z buffer problem in a 2.5D engine similar to monument valley [closed]](https://i.sstatic.net/OlHwug81.jpg)
.png?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#)
_Kjetil_Kolbjornsrud_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
![Samsung teases Galaxy Z Fold 7 with an absolutely bizarre ‘Ultra experience’ [Video]](https://i0.wp.com/9to5google.com/wp-content/uploads/sites/4/2025/06/galaxy-z-fold-7-teaser-1.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1)
![iPhone 18 Pro, iPhone Fold to Feature New A20 Chip With Advanced WMCM Packaging [Report]](https://www.iclarified.com/images/news/97494/97494/97494-1280.jpg)
HuluCaptcha – A FakeCaptcha Kit That Trick Users to Run Code via The Windows Run Command
A new and sophisticated malware distribution framework dubbed “HuluCaptcha” has emerged, leveraging fake CAPTCHA verification pages to trick users into executing malicious PowerShell commands through Windows Run dialogs. This advanced threat represents a significant evolution in social engineering attacks, combining legitimate-looking security verification interfaces with complex multi-stage infection chains that have successfully compromised high-value targets […] The post HuluCaptcha – A FakeCaptcha Kit That Trick Users to Run Code via The Windows Run Command appeared first on Cyber Security News.
A new and sophisticated malware distribution framework dubbed “HuluCaptcha” has emerged, leveraging fake CAPTCHA verification pages to trick users into executing malicious PowerShell commands through Windows Run dialogs.
This advanced threat represents a significant evolution in social engineering attacks, combining legitimate-looking security verification interfaces with complex multi-stage infection chains that have successfully compromised high-value targets including educational institutions and government-associated websites.
The HuluCaptcha framework operates through a carefully orchestrated attack sequence that begins with compromised WordPress websites injecting malicious JavaScript into legitimate pages.
When unsuspecting users visit these infected sites, they are automatically redirected to convincing replicas of Cloudflare security verification pages.
These fake interfaces present users with familiar CAPTCHA-style challenges, instructing them to complete verification steps that involve pressing Windows+R keys and pasting what appears to be legitimate verification code.
An independent security researcher, Gi7w0rm, first identified this sophisticated campaign after a colleague fell victim to the attack while visiting the website of the German Association for International Law.
The researcher’s comprehensive analysis revealed that this framework extends far beyond simple social engineering tactics, incorporating advanced victim tracking capabilities, automated payload generation systems, and even affiliate tracking mechanisms that suggest potential commercialization efforts.
The malware’s impact has been substantial, with confirmed infections spanning multiple continents and affecting diverse organizational sectors.
Victims include the Los Angeles Caregiver Resource Center, various educational institutions, and healthcare organizations.
The framework has been observed deploying multiple malware families including Lumma Stealer, Aurotun Stealer, and Donut Injector variants, demonstrating its versatility as a malware-as-a-service platform.
.webp)
What distinguishes HuluCaptcha from typical fake CAPTCHA attacks is its sophisticated infrastructure and technical implementation.
The framework incorporates real-time victim behavior tracking, environmental reconnaissance to ensure compatibility with specific browser versions, and complex evasion mechanisms designed to bypass security solutions.
The attack chain involves multiple domains and staging servers, creating redundancy that enhances the campaign‘s resilience against takedown efforts.
Advanced Infection Mechanism and Persistence Tactics
The HuluCaptcha infection mechanism demonstrates remarkable technical sophistication in its multi-layered approach to compromise and persistence.
The initial infection vector involves injecting carefully crafted JavaScript code into compromised WordPress websites, specifically targeting theme files such as main.min.js.
This malicious script performs comprehensive environmental reconnaissance before executing, checking for Windows operating systems and validating specific browser version ranges for Microsoft Edge, Google Chrome, and Mozilla Firefox.
The injected code establishes communication with command-and-control infrastructure through multiple fallback mechanisms.
Primary communication occurs via analytiwave.com/api/getUrl, with secondary fallback to hardcoded domains like goclouder.com.
The script dynamically constructs tracking parameters including the infected hostname and base64-encoded domain information, enabling attackers to monitor campaign effectiveness across their compromised website portfolio.
Once environmental checks are satisfied, victims are redirected to sophisticated fake Cloudflare verification pages hosted on domains designed to mimic legitimate security services.
These pages employ advanced JavaScript tracking mechanisms that monitor user interactions including checkbox clicks, Windows key combinations, and browser focus events.
The framework logs each interaction stage, from initial “Verify Clicked” events to detecting Windows+R key combinations through browser blur events, providing attackers with detailed intelligence about victim compliance rates.
The persistence mechanism involves deploying multiple WordPress backdoors simultaneously, including sophisticated plugin-based backdoors that create hidden administrator accounts.
These backdoors implement comprehensive stealth features, modifying WordPress SQL queries to hide the malicious accounts from administrative interfaces, falsifying user count statistics, and automatically reactivating if discovered and removed.
The framework’s redundant persistence ensures continued access even if individual components are detected and remediated.
Celebrate 9 years of ANY.RUN! Unlock the full power of TI Lookup plan (100/300/600/1,000+ search requests), and your request quota will double.
The post HuluCaptcha – A FakeCaptcha Kit That Trick Users to Run Code via The Windows Run Command appeared first on Cyber Security News.
