Fake Telegram CAPTCHA forces users to run malicious PowerShell scripts

📟 News

Date: 23/01/2025

Hackers used the news of Ross Ulbricht pardoning to lure users to a rogue Telegram channel where they are tricked into running malicious PowerShell code.

This attack was first spotted by VX-underground specialists; this is a new variant of the ClickFix (ClearFake or OneDrive Pastejacking) attack vector. Various ClickFix modifications are pretty common nowadays. Typically, victims are tricked into visiting fraudulent websites and running malicious PowerShell commands, thus, manually infecting their systems with malware. For instance, malefactors require users to pass a fake CAPTCHA test or a verification procedure – allegedly, to solve display problems or join the channel.

Currently, the attackers are exploiting the recent news that US President Donald Trump has pardoned Ross Ulbricht, founder of the darknet marketplace Silk Road shut down in 2013.

Scammers use fake X (formerly Twitter) accounts to impersonate the Free Ross movement and direct users to supposedly official Ulbricht Telegram channels.

After clicking on such a link, victims are prompted to pass a verification test called Safeguard Captcha.

This Telegram app automatically copies a PowerShell command to the victim’s clipboard, and the user is prompted to open the Windows Run dialog and execute it to pass authentication.

According to Bleeping Computer, the code from the clipboard downloads and executes a PowerShell script that, in turn, downloads a ZIP archive from the openline[.]cyou website. This archive contains multiple files, including identity-helper.exe, which, according to VirusTotal, is nothing else but the Cobalt Strike downloader.

Security experts remind that under no circumstances should you run commands copied from the Internet in the Windows Run dialog box or in the PowerShell terminal (especially if you have no idea of what’s going on); while any obfuscation should ring the alarm bell.

Related posts:
2025.02.18 — Chrome Enhanced Protection mode is now powered by AI

The Enhanced Protection mode in Google Chrome has been updated. Now it uses AI to protect users from dangerous sites, downloads, and extensions in real time.…

Full article →
2025.01.23 — Fake Telegram CAPTCHA forces users to run malicious PowerShell scripts

Hackers used the news of Ross Ulbricht pardoning to lure users to a rogue Telegram channel where they are tricked into running malicious PowerShell code. This…

Full article →
2025.03.24 — Alexa to stop processing data locally. All voice requests will be sent to Amazon Cloud

Amazon announced that the privacy option allowing users of Echo speakers to avoid sending their voice recordings to the company's cloud will no longer be supported. Effective March…

Full article →
2025.02.14 — 12,000 Kerio Control firewalls remain vulnerable to RCE

Security experts report that more than 12,000 GFI Kerio Control firewall instances remain vulnerable to the critical RCE vulnerability CVE-2024-52875, which was fixed…

Full article →
2025.02.17 — Dutch police seize 127 servers belonging to Zservers hosting provider

Following the introduction of international sanctions against Zservers, Russian 'bulletproof' hosting services provider, the Dutch National Police (Politie) shut down and seized 127 servers belonging to Zservers/XHost.…

Full article →
2025.04.30 — Coinbase fixes 2FA bug that made customers panic

Cryptocurrency exchange Coinbase has fixed a bug in its Account Activity logs that caused customers to think their credentials were compromised. Earlier this month, BleepingComputer…

Full article →
2025.04.22 — Scammers pose as FBI IC3 specialists, offer 'assistance' to fraud victims

According to the FBI, scammers impersonating employees of the FBI Internet Fraud Complaint Center (IC3) contact fraud victims offering them 'assistance' in getting their money…

Full article →
2025.01.26 — Cisco patched a critical vulnerability in Meeting Management

Cisco released updates to fix a critical (CVSS score: 9.9) vulnerability in Meeting Management. The bug enables an unprivileged remote authenticated attacker to gain administrative privileges. The vulnerability…

Full article →
2025.04.08 — Website of Everest ransomware group hacked and defaced

Last weekend, the darknet website of the Everest ransomware group was hacked and went offline. The attackers replaced its content with a sarcastic message: "Don't do crime…

Full article →
2025.04.01 — Hackers abuse MU plugins to inject malicious payloads to WordPress

According to Sucuri, hackers store malicious code in the MU-plugins (Must-Use Plugins) directory in WordPress and execute it while remaining undetected. The technique was first discovered…

Full article →