New malware campaign masks itself as “I’m Not a Robot” checks

A new malware scam disguises itself as a fake “I’m not a robot” CAPTCHA, tricking users into running malicious commands that can steal personal data and compromise their systems.

 

What happened 

A deceptive malware scheme has emerged, using fake “I’m not a robot” browser verification pages to trick users into executing malicious PowerShell commands. The malware was discovered in February 2025.

When victims land on compromised or malicious sites, they’re shown a CAPTCHA-style prompt that instructs them to press Win + R, paste the clipboard contents, and hit Enter. Doing so runs a hidden PowerShell payload that the page has silently copied to their clipboard.

 

Going deeper

The approach combines social engineering with technical stealth:

  • How the trick works: The fake CAPTCHA page secretly copies a hidden command to your clipboard. When you follow the instructions to press Win + R, paste, and press Enter, you unknowingly run a malicious script.
  • What the script does: It uses PowerShell, a built-in Windows tool, to download more malware designed to steal passwords, browser data, crypto wallets, and other personal info.
  • Why it’s sneaky: The malware hides itself well. It runs without leaving files on your computer, avoids antivirus detection, and even checks if it's being watched by security software before doing anything suspicious.

 

In the know

A CAPTCHA, short for Completely Automated Public Turing test to tell Computers and Humans Apart, is a security tool used on websites to make sure you’re a real person and not a bot.

They work by requiring you to:

  • Check a box that says “I’m not a robot”
  • Select traffic lights or crosswalks in a set of images
  • Type in wavy or distorted letters and numbers

These tests help protect websites from spam, fake accounts, and automated attacks by making it hard for software (bots) to pass.

 

Protecting yourself

  • Never execute clipboard commands via the Run dialog: Legitimate CAPTCHA systems won’t ask you to open PowerShell or paste content.
  • Treat “I’m not a robot” prompts with caution: Especially on shady or pirated sites, a fake CAPTCHA could be weaponized.
  • Enable endpoint detection and response (EDR): Track atypical PowerShell commands and hidden behaviors.
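
One way to check whether a machine has already run such a command, as an added example that is not part of the original article: Windows keeps what is typed into the Run dialog under the current user's RunMRU registry key, and this Python sketch flags entries that start a script host and also hide the window or reference a URL. The patterns, function names and sample data are assumptions made for illustration.

```python
import re

# Heuristic signals taken from the article's description: the pasted text
# starts a script host, hides its window, and fetches more code from the web.
SIGNALS = {
    "script_host": re.compile(r"\b(powershell|pwsh|mshta|cmd)(\.exe)?\b", re.I),
    "hidden_window": re.compile(r"\s-w[a-z]*\s+h", re.I),
    "remote_url": re.compile(r"https?://", re.I),
}

# Constructed sample of RunMRU values (not from a real host). Each entry
# stores the typed command followed by a literal "\1"; MRUList gives the order.
SAMPLE = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "cmd\\1",
    "c": 'powershell -w hidden -c "<elided> https://example.invalid/verify"\\1',
}

def parse_runmru(values):
    """Return Run-dialog commands, most recent first, without the '\\1' suffix."""
    cmds = [values[k] for k in values.get("MRUList", "") if k in values]
    return [c[:-2] if c.endswith("\\1") else c for c in cmds]

def triage(command):
    """Names of the signals present in one command line."""
    return [name for name, rx in SIGNALS.items() if rx.search(command)]

def suspicious_entries(values):
    """Entries that start a script host and also hide or reach out to a URL."""
    hits = []
    for cmd in parse_runmru(values):
        found = triage(cmd)
        if "script_host" in found and len(found) >= 2:
            hits.append((cmd, found))
    return hits

def read_runmru():
    """Read the current user's Run-dialog history (Windows only)."""
    import winreg
    path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        count = winreg.QueryInfoKey(key)[1]
        return dict(winreg.EnumValue(key, i)[:2] for i in range(count))

if __name__ == "__main__":
    import sys
    values = read_runmru() if sys.platform == "win32" else SAMPLE
    for cmd, found in suspicious_entries(values):
        print("SUSPICIOUS:", ", ".join(found), "->", cmd)
```

The Run history can be cleared, so an empty result does not rule out compromise; treat a hit as a reason to isolate the machine and investigate.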

 

Why it matters

This cyberattack combines social engineering with technical trickery to bypass traditional security measures. By mimicking a familiar CAPTCHA prompt, the attackers take advantage of users’ trust in everyday web interactions, making people unknowingly run harmful commands on their own devices. Since the malware is delivered through legitimate tools like PowerShell and runs without leaving obvious traces, it can easily slip past antivirus programs. 

As cybercriminals develop smarter and more convincing methods, the line between what’s safe and what’s malicious becomes harder to spot.

 

FAQs

What is malware?

Malware is malicious software designed to harm, exploit, or steal data from a computer system without the user's consent.

 

What is PowerShell?

PowerShell is a powerful scripting tool built into Windows.

 

Can antivirus software detect these kinds of threats?

Not always. Some malware runs in memory or uses hidden techniques to hide from traditional antivirus programs.

 

What should I do if I think I fell for a scam like this?

Disconnect from the internet, run a full antivirus scan, and consider seeking help from a cybersecurity professional to clean your system and secure your accounts.