
A complex and evasive infrastructure dubbed HelloTDS is silently steering millions of internet users into the clutches of malware—particularly FakeCaptcha, a social engineering attack masquerading as CAPTCHA verification. According to a new threat report from Gen Threat Labs, HelloTDS is not just a network of shady redirects, but a meticulously engineered Traffic Direction System (TDS) that filters victims and delivers targeted malicious payloads based on detailed browser and network fingerprinting.
“We have discovered an elaborate infrastructure actively used to deliver multiple variants of FakeCaptcha and other malicious content to select users,” Gen Threat Labs stated in their analysis.
Unlike indiscriminate malware campaigns, HelloTDS doesn’t throw bait to everyone. The system first assesses victims through multiple layers:
- Geolocation and IP scrutiny
- Browser behavior analysis
- Detection of VPNs or headless browsers
Those who pass the vetting are redirected to payloads including FakeCaptcha pages, tech support scams, fake software-update prompts, and malicious downloads.
“The server will respond with a large JavaScript that performs heavy client-side fingerprinting,” the report explains. “A JSON object… is Base64-encoded and sent in the md parameter to the rotated URL.”
This multi-stage fingerprinting lets the operators keep researchers and automated analysis away from the real payloads and home in on unprotected targets.
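The report describes the beacon format only as "JSON, Base64-encoded, in the md parameter". The following is an added example, not code from the report or from the actor, that reconstructs that format from the description so a captured request URL (for instance from proxy logs) can be decoded and beacon-shaped URLs can be picked out of a log batch. The field names in the constructed sample fingerprint are assumptions; the real schema is not on the page.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse


def decode_md_param(url: str) -> dict:
    """Return the JSON object carried in the URL's ``md`` query parameter.

    Accepts both the standard and the URL-safe Base64 alphabet and restores
    padding that senders or log pipelines often strip, so a value lifted from
    a proxy log decodes even when it is not canonical.
    """
    params = parse_qs(urlparse(url).query)
    raw = params.get("md", [None])[0]
    if raw is None:
        raise ValueError("URL carries no md parameter")
    # parse_qs decodes '+' as a space; a standard-alphabet '+' that was not
    # percent-encoded therefore arrives here as ' '. Put it back, then fold
    # the URL-safe alphabet onto the standard one and re-pad.
    raw = raw.replace(" ", "+").replace("-", "+").replace("_", "/")
    raw += "=" * (-len(raw) % 4)
    decoded = base64.b64decode(raw, validate=True)
    obj = json.loads(decoded)
    if not isinstance(obj, dict):
        raise ValueError("md payload is not a JSON object")
    return obj


def encode_md_param(fingerprint: dict, rotated_url: str) -> str:
    """Build a beacon URL the way the report describes the client script doing
    it (JSON -> Base64 -> ``md`` parameter). Reconstruction for testing only."""
    blob = base64.b64encode(
        json.dumps(fingerprint, separators=(",", ":")).encode()
    ).decode()
    return f"{rotated_url}?{urlencode({'md': blob})}"


def find_md_beacons(urls):
    """Return (url, fingerprint) for every URL whose md parameter decodes to a
    JSON object; anything that fails to decode is simply not a beacon."""
    found = []
    for url in urls:
        try:
            found.append((url, decode_md_param(url)))
        except ValueError:  # covers binascii.Error and JSONDecodeError too
            continue
    return found


# Constructed sample fingerprint: key names are illustrative assumptions,
# chosen to resemble what client-side fingerprinting scripts typically collect.
SAMPLE_FINGERPRINT = {
    "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "lang": "en-US",
    "tz": "America/New_York",
    "screen": [1920, 1080],
    "webdriver": False,
    "plugins": 3,
}

# Constructed log excerpt: one beacon among two unrelated requests.
SAMPLE_LOG_URLS = [
    encode_md_param(SAMPLE_FINGERPRINT, "https://rotated.example.invalid/r"),
    "https://cdn.example.invalid/app.js?md=5",
    "https://example.invalid/?x=1",
]

if __name__ == "__main__":
    for url, fp in find_md_beacons(SAMPLE_LOG_URLS):
        print(url)
        print(json.dumps(fp, indent=2))
```

Run it over a list of URLs pulled from proxy or DNS-over-HTTPS logs; the decoder is deliberately tolerant of stripped padding and alphabet differences because that is how the values usually arrive once they have passed through logging.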

In just April and May 2025, Gen Threat Labs reported blocking over 4.3 million infections across the globe. The most affected regions in sheer volume were the United States, Brazil, India, and Western Europe. However, when adjusted for population size and user base, Balkan nations and parts of East Africa—including Rwanda, Kenya, Egypt, and Tanzania—were shown to be at highest relative risk.
The primary entry points include seemingly legitimate streaming sites, torrent mirrors, and file-sharing platforms—many of which are controlled by the attackers. In particular, domains like dailyuploads[.]net and streamtape[.]com serve malicious scripts embedded directly into downloadable content pages.
“These websites are cloned from some existing file sharing service and controlled by the same threat actor,” the report alleges. “Security or data privacy is clearly not a priority.”
This direct embedding bypasses traditional ad-based malware delivery methods, giving attackers full control.
FakeCaptcha pages are cleverly disguised to resemble legitimate CAPTCHA dialogs. Users are tricked into entering a malicious PowerShell command into the Windows Run dialog, unwittingly infecting their devices with LummaC2, remote access trojans, and information stealers.
To evade detection, recent variants render the command with Unicode math-font characters (letters from the Mathematical Alphanumeric Symbols block), so the text still reads as a familiar command to the victim while no longer matching byte-for-byte signatures written for ASCII.
“A new variant of FakeCaptcha… avoids detection by employing Unicode math fonts,” the researchers observed.
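The math-font trick works because the lookalike letters are different code points from ASCII, so a plain substring rule for "powershell" never fires. The example below is added here and is not code from the report; it generates a constructed lure string in Mathematical Sans-Serif Bold letters (an assumption about which math font the actor used; the report does not name one), then shows that NFKC normalization folds those characters back to ASCII before signature matching. The signature list is illustrative.

```python
import unicodedata

# Code point of MATHEMATICAL SANS-SERIF BOLD SMALL A; b..z follow contiguously.
MATH_SANS_BOLD_SMALL_A = 0x1D5EE


def obfuscate_with_math_font(text: str) -> str:
    """Render a-z as Mathematical Sans-Serif Bold letters.

    Constructed sample generator that mimics the look of the reported lure;
    it is not the actor's code and other math fonts would work the same way.
    """
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr(MATH_SANS_BOLD_SMALL_A + ord(ch) - ord("a")))
        else:
            out.append(ch)
    return "".join(out)


def fold_lookalikes(text: str) -> str:
    """NFKC applies compatibility decompositions, which map Mathematical
    Alphanumeric Symbols (tagged <font> in Unicode) back to plain ASCII
    letters and digits. Fullwidth forms and similar variants fold as well."""
    return unicodedata.normalize("NFKC", text)


# Illustrative signatures a detection rule might carry.
SIGNATURES = ("powershell", "-windowstyle hidden", "iex", "invoke-expression")


def match_signatures(text: str) -> list:
    """Fold first, then match case-insensitively; returns the signatures hit."""
    folded = fold_lookalikes(text).casefold()
    return [sig for sig in SIGNATURES if sig in folded]


# Constructed lure text; the command is a placeholder, not a real payload.
PLAIN_LURE = "powershell -w hidden -c iex(...)"
OBFUSCATED_LURE = obfuscate_with_math_font(PLAIN_LURE)

if __name__ == "__main__":
    print(OBFUSCATED_LURE)
    print("raw substring match:", "powershell" in OBFUSCATED_LURE)
    print("after NFKC:", match_signatures(OBFUSCATED_LURE))
```

Normalize with NFKC (or a platform's equivalent) before any string rule that looks for command names, and do it on clipboard and Run-dialog telemetry as well as on page content. One caveat: NFKC only folds compatibility variants of the same letters. Homoglyphs from other scripts, such as a Cyrillic letter standing in for a Latin one, keep their own code points and need a separate confusables table.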
Other decoys used include fake antivirus alerts, health scams, and crypto investment pages, depending on the victim’s profile.
The HelloTDS network is built on a large set of rotating domains, typically registered with Pananames in Panama, using Let’s Encrypt TLS certificates. These domains often end in .top, .shop, or .com, and use randomized subdomains to thwart pattern matching.
One telling sign of a HelloTDS server is the presence of a bizarre HTTP header: Access-Control-Allow-Headers: megageocheckolololo.
Additionally, HelloTDS domains consistently answer the /hi endpoint with the plain text “Hello!”, the odd but reliable signature that gave the infrastructure its name.
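Both server-side tells are cheap to check in captured traffic. The following is an added example (not code from the report) that turns the two signatures into a rule applied to HTTP responses, groups hits per host across a batch of constructed observations, and includes a live /hi probe for the case where you want to confirm a host yourself. The hostnames in the sample data are made up.

```python
from dataclasses import dataclass
import urllib.error
import urllib.request

ODD_CORS_HEADER = "access-control-allow-headers"
ODD_CORS_VALUE = "megageocheckolololo"


@dataclass
class Observation:
    """One HTTP response as recorded by a proxy, sensor or live probe."""
    host: str
    path: str
    status: int
    headers: dict
    body: str


def hellotds_indicators(obs: Observation) -> list:
    """Return the HelloTDS signatures present in a single response."""
    hits = []
    headers = {k.lower(): v for k, v in obs.headers.items()}
    # The header is a comma-separated list of names; match on the whole token
    # so a legitimate header that merely contains the string does not fire.
    allowed = [v.strip().lower() for v in headers.get(ODD_CORS_HEADER, "").split(",")]
    if ODD_CORS_VALUE in allowed:
        hits.append("acah:megageocheckolololo")
    if obs.path == "/hi" and obs.body.strip() == "Hello!":
        hits.append("/hi:Hello!")
    return hits


def triage(observations) -> dict:
    """Collect the distinct indicators seen per host over a batch."""
    per_host = {}
    for obs in observations:
        for hit in hellotds_indicators(obs):
            per_host.setdefault(obs.host, set()).add(hit)
    return {host: sorted(hits) for host, hits in per_host.items()}


def probe_hi(host: str, timeout: float = 5.0) -> Observation:
    """Fetch https://<host>/hi and wrap it as an Observation (network access;
    not exercised in the offline sample below)."""
    req = urllib.request.Request(f"https://{host}/hi",
                                 headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(4096).decode("utf-8", "replace")
            return Observation(host, "/hi", resp.status, dict(resp.headers), body)
    except urllib.error.HTTPError as err:
        return Observation(host, "/hi", err.code, dict(err.headers), "")


# Constructed sample traffic: one TDS host showing both tells, one clean host
# whose CORS header legitimately lists real header names.
SAMPLE_OBSERVATIONS = [
    Observation("abc123.hellotds.invalid", "/", 200,
                {"Access-Control-Allow-Headers": "megageocheckolololo",
                 "Content-Type": "text/html"},
                "<html><script>/* fingerprinting */</script></html>"),
    Observation("abc123.hellotds.invalid", "/hi", 200,
                {"Content-Type": "text/plain"}, "Hello!"),
    Observation("cdn.clean.invalid", "/hi", 404,
                {"Access-Control-Allow-Headers": "Content-Type, Authorization"},
                "<html>404 Not Found</html>"),
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_OBSERVATIONS).items():
        print(host, hits)
```

Treat a hit on either indicator as strong; treat the absence of both as weak, because (as the report notes) the same servers hand clean content to addresses they associate with VPNs or analysis environments. A live probe from a lab egress can therefore come back empty for a host that is flagged in passive traffic, which is exactly why the passive rule over recorded responses is the one to rely on.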
In controlled environments—like security labs or known VPNs—the same HelloTDS redirects often return clean, harmless pages. This behavior, researchers suggest, is a built-in defense against analysis:
“We suspect that if the IP address originates from a known VPN or anonymizing service… HelloTDS delivers benign content to obscure its actual behavior.”
The constant domain rotation makes static blocklisting a losing game and means automated detection has to key on server behaviour and signatures rather than on domain names alone.
By combining infrastructure control, behavioral fingerprinting, and evasive payload delivery, the threat actors behind HelloTDS have raised the bar for stealth and scale.
As Gen Threat Labs warns:
“The FakeCaptcha campaign is increasing its stealth by mimicking legitimate software websites.”
Users are urged to avoid sketchy streaming or file-sharing services and refrain from interacting with suspicious CAPTCHA dialogs—especially those that prompt unusual keyboard actions.