HP Inc. has issued its latest HP Threat Insights Report, warning that cybercriminals are increasingly using fake CAPTCHA verification tests to trick users into infecting themselves with malware. The findings, announced during the company’s annual Amplify Conference, highlight how attackers are exploiting users’ growing “click tolerance” resulting from frequent multi-step authentication processes.
The report, based on data from millions of endpoints running HP Wolf Security, details real-world cyberattacks observed between October and December 2024. According to HP, the “CAPTCHA Me If You Can” campaigns directed users to attacker-controlled websites, prompting them to complete fraudulent authentication challenges. Victims unknowingly ran malicious PowerShell commands that installed the Lumma Stealer remote access trojan (RAT) on their devices.
HP Wolf Security researchers also identified additional threats, including attackers spreading an open source RAT known as XenoRAT. This malware features surveillance capabilities such as microphone and webcam capture. Using social engineering techniques, attackers convinced users to enable macros in Word and Excel documents, allowing them to exfiltrate data, log keystrokes, and control devices.
Another campaign outlined in the report involved attackers delivering malicious JavaScript code hidden inside Scalable Vector Graphic (SVG) images. When opened in web browsers, these images deployed seven different malware payloads, including RATs and infostealers. Attackers further utilized obfuscated Python scripts to install the malware, capitalizing on Python’s growing popularity among developers, particularly in the AI and data science fields.
“A common thread across these campaigns is the use of obfuscation and anti-analysis techniques to slow down investigations,” said Patrick Schläpfer, Principal Threat Researcher in the HP Security Lab. “Even simple but effective defence evasion techniques can delay the detection and response of security operations teams, making it harder to contain an intrusion. By using methods like direct system calls, attackers make it tougher for security tools to catch malicious activity, giving them more time to operate undetected – and compromise victims endpoints.”
HP Wolf Security’s approach of isolating threats inside secure containers provided insights into the latest cybercriminal techniques. The company reports that HP Wolf Security customers have interacted with over 65 billion email attachments, web pages, and downloaded files without any reported breaches.
The report found that at least 11% of email threats identified by HP Sure Click bypassed one or more email gateway scanners. Executables were the most common malware delivery method at 43%, followed by archive files at 32%.
“Multi-step authentication is now the norm, which is increasing our ‘click tolerance.’ The research shows users will take multiple steps along an infection chain, really underscoring the shortcomings of cyber awareness training,” said Dr. Ian Pratt, Global Head of Security for Personal Systems at HP Inc. “Organizations are in an arms race with attackers—one that AI will only accelerate. To combat increasingly unpredictable threats, organizations should focus on shrinking their attack surface by isolating risky actions – such as clicking on things that could harm them. That way, they don’t need to predict the next attack; they’re already protected.”
Image: Envato
This article, “HP Warns Fake CAPTCHAs Are Spreading Malware in Latest Threat Report” was first published on Small Business Trends