Fri 17 Jul 2026 / 10:59 ET
Kernel
Internet 3 min read

Ukraine says Sandworm is using fake CAPTCHAs to plant malware

CERT-UA says Russia’s GRU-linked Sandworm unit used Clickfix lures on compromised sites to infect Ukrainian targets with custom malware.

Dana Voss

By Dana Voss / Security Correspondent

Ukraine says Sandworm is using fake CAPTCHAs to plant malware
img: Ars Technica

Ukraine’s computer emergency response team says Sandworm, the Russian military intelligence hacking unit tied to the GRU, has adopted Clickfix, a social-engineering trick that turns a fake CAPTCHA into a malware installer.

CERT-UA said this week that the campaign targeted sensitive Ukrainian organizations and has run from spring into summer. The agency said at least one organization’s network was compromised after a connected device was found infected with FreakyPoll, one of Sandworm’s custom malware tools.

Clickfix is low-tech in the way too many effective attacks are low-tech: it asks the victim to do the dangerous part. Instead of exploiting a browser bug, the attacker-controlled page shows a CAPTCHA-like prompt and tells the visitor to copy a block of text into a terminal. That text is a command. Once the user runs it, the script can fetch malware, write files, or steal data.

What CERT-UA says Sandworm changed

CERT-UA said it found more than 10 compromised websites that displayed a PowerShell command inside a bogus human-verification prompt. The prompt claimed the check was needed to prove a real person was using the device. The useful translation is: please run this attacker-supplied script with your own hands.

According to CERT-UA, one version of the command could download and place a Visual Basic Script file in the Windows Startup folder, which gives the malware a way to run again after reboot. The agency identified one such component as GhettoVibe.

After that first step, CERT-UA said Sandworm could load ScoutCurl, a PowerShell reconnaissance tool. ScoutCurl collects basic system details, installed programs, files, and browser data, then sends the information out to an attacker-controlled system. CERT-UA said the operators used that information to decide whether a compromised machine was worth more attention.

Machines judged valuable could receive additional tools. CERT-UA named FreakyPoll, a Python backdoor, along with FluidLeech, which masquerades as antivirus software, and LoadLoop.

Compromised sites, cloaking, and a blockchain lookup

CERT-UA said the attackers used the Cloaking.House service to filter visitors and decide what content they should see. Cloaking systems are common in malware delivery and phishing because they help show one page to targets while hiding the malicious page from researchers or automated scanners.

The agency also said Sandworm used code it tracks as SmartAxe. CERT-UA said SmartAxe can alter what a visitor sees on a web page, including displaying the fake CAPTCHA. The code dynamically obtains a remote domain name through an Ethereum smart-contract call, using an eth_call request with a contract address and function selector embedded in the code. That is a lot of machinery to produce a fake “prove you are human” box, which is roughly the point.

CERT-UA also described other Sandworm activity. One Android backdoor campaign, tracked as CowardDuck, uses lures to persuade targets to install malicious apps. The tool gathers potentially sensitive files and sends them to a server controlled by the attacker, according to the agency.

The advisory said Sandworm previously relied heavily on booby-trapped pirated software distributed through torrent trackers. CERT-UA also said the group has used long conversations on Signal to build trust before pushing malware disguised as security software.

CERT-UA urged website administrators and hosting providers to check for web shells, unauthorized extensions, and other signs that attackers have modified sites. That advice is boring, which is why it is useful: Clickfix works only after somebody gets a malicious prompt in front of the right user.

This story draws on original reporting from Ars Technica.

More Internet/

view all ↗