Ukraine’s computer emergency response team says Sandworm, the Russian military intelligence hacking group, has been using fake CAPTCHA pages on compromised websites to coax Ukrainian targets into infecting their own Windows machines.
In a report published Wednesday, CERT-UA said it saw the group change parts of its initial-access playbook during the spring and summer. The newer technique, known as ClickFix, abuses a familiar security ritual: a website asks a visitor to prove they are human. In these cases, according to CERT-UA, the page instead tells the person to copy and run a PowerShell command.
That is the whole trick. The victim supplies the execution step that browser defenses and endpoint tools are supposed to make harder. The command pulls down malware, giving the operators a way to keep access to the computer and add more tools later, CERT-UA said.
How the fake CAPTCHA chain works
CERT-UA said the first-stage malware in this campaign is called GhettoVibe. After that, Sandworm operators can deploy ScoutCurl, a reconnaissance tool that gathers details about the infected machine. The agency said ScoutCurl can collect system information, a list of installed programs, files and browser data, giving the attackers a basis for deciding whether the machine is useful enough to keep working.
The Ukrainian agency also reported two loader tools in the activity: FluidLeech, which is presented to victims as software for removing antivirus products, and LoadLoop.
CERT-UA said it found the ClickFix technique on more than 10 compromised websites in June and July. The agency did not say how many devices were infected.
Old lures are still in use
The CAPTCHA ruse does not replace Sandworm’s older social-engineering habits, according to CERT-UA. The agency warned that the group is also targeting Android devices with malware masquerading as security apps and distributed through messaging services. Once installed, the Android malware can quietly collect contacts, files, device information and live location data, CERT-UA said.
CERT-UA also pointed to a long-running Sandworm tactic: seeding torrent sites with infected copies of Microsoft Windows and Office installers. Victims looking for pirated software receive a backdoored installer instead. In at least one case, CERT-UA said, that route gave the hackers a foothold inside a Ukrainian government network before a destructive cyberattack against a central executive authority.
The agency said Sandworm has also used Signal to approach targets, including military personnel, and persuade them to install fake antivirus tools. According to CERT-UA, the operators sometimes spent weeks building trust before asking targets to run malicious files, and in some cases offered money for following instructions.
A familiar operator with a new wrapper
Western governments and cybersecurity researchers have linked Sandworm to Russia’s GRU military intelligence agency. The group has been active since at least 2013 and has been blamed for some of Russia’s most prominent destructive cyber operations, including attacks on Ukraine’s power grid.
The mechanics here are low glamour, which is part of the point. A fake CAPTCHA, a copied command and a Windows shell are enough if the operator can make the request look routine. CERT-UA’s warning is aimed at that human gap: a security prompt that asks users to paste code into PowerShell is not a security prompt.
This story draws on original reporting from The Record.