Fake CAPTCHAs: the new Trojan horse that hackers use to infect your computer
Cybersecurity experts point out that the number of fake CAPTCHAs has been increasing in recent months
Who would have thought that a simple "I'm not a robot" checkbox could be so dangerous? Cybercriminals have found fake captchas to be an effective way to distribute malware, fooling even digitally savvy users. A recent analysis by cybersecurity firm ESET reveals how these fake verification mechanisms are on the rise and have become tools for mass infection.
The deception behind fake captchas: this is how they operate
The technique, dubbed ClickFix, is based on the manipulation of human behavior. A page appears with a convincing CAPTCHA, and clicking on the supposed verification triggers a browser feature that automatically copies malicious code to the user's clipboard.
The site then displays a message that looks like a legitimate technical instruction: it asks the user to open the "Run" command (Windows + R), paste the contents of the clipboard (Ctrl + V), and press Enter. What seems like a harmless step actually triggers the execution of a malicious script, initiating the download of malware without any additional intervention.
What's most disturbing is that this method doesn't require any system vulnerabilities or outdated software - everything happens at the user's initiative, manipulated into a false sense of legitimacy.
What types of malware are being spread with this method?
ESET warns that fake captchas are not tied to a single type of threat. Attackers use them as a gateway for a variety of malware families, including:
The level of sophistication of these campaigns is remarkable. Malicious portals often mimic trusted sites, use valid HTTPS certificates, and present polished interfaces to enhance their credibility. In many cases, attackers rely on poisoned SEO techniques, malvertising campaigns, and even file-sharing platforms to redirect victims to decoy pages.
How to avoid falling into these traps disguised as security
ESET recommends paying attention to certain patterns and behaviors that may alert you to a possible scam:
In addition, it is recommended to configure browsers and systems to prevent access to the clipboard without explicit permission. Most modern browsers already include measures to mitigate this type of abuse, but human intervention remains the weak point.
What was once just a mechanism to avoid bots has now transformed into a direct route to spreading sophisticated threats. Fake captchas are gaining ground thanks to their effectiveness, and the only real defense remains user awareness. If a site asks you to execute commands, even if it looks professional, be suspicious by default. In digital security, family isn't always safe.

