Fake Telegram CAPTCHA forces users to run malicious PowerShell scripts

📟 News

Date: 23/01/2025

Hackers used the news of Ross Ulbricht pardoning to lure users to a rogue Telegram channel where they are tricked into running malicious PowerShell code.

This attack was first spotted by VX-underground specialists; it is a new variant of the ClickFix (ClearFake or OneDrive Pastejacking) attack vector. Various ClickFix modifications are pretty common nowadays. Typically, victims are tricked into visiting fraudulent websites and running malicious PowerShell commands, thereby infecting their own systems with malware by hand. For instance, the attackers require users to pass a fake CAPTCHA test or a verification procedure, allegedly to solve display problems or to join the channel.

Currently, the attackers are exploiting the recent news that US President Donald Trump has pardoned Ross Ulbricht, founder of the darknet marketplace Silk Road shut down in 2013.

Scammers use fake X (formerly Twitter) accounts to impersonate the Free Ross movement and direct users to supposedly official Ulbricht Telegram channels.

After clicking on such a link, victims are prompted to pass a verification test called Safeguard Captcha.

This Telegram app automatically copies a PowerShell command to the victim’s clipboard, and the user is prompted to open the Windows Run dialog and execute the pasted command there to pass the "verification".

According to Bleeping Computer, the code from the clipboard downloads and executes a PowerShell script that, in turn, downloads a ZIP archive from the openline[.]cyou website. This archive contains multiple files, including identity-helper.exe, which, according to VirusTotal, is nothing else but the Cobalt Strike downloader.

Security experts remind users that under no circumstances should commands copied from the Internet be run in the Windows Run dialog box or in the PowerShell terminal (especially when you have no idea what they do), and that any obfuscation in such a command should ring the alarm bell.
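A host-side triage check that fits this attack chain, added here as an example rather than taken from the article or from the researchers' publications: it scans the two places where a ClickFix command pasted by the user usually leaves a trace, the Run-dialog MRU list in the registry and the PSReadLine console history, for download-and-execute markers. The marker patterns and the two-marker threshold are assumptions to tune for your environment.

```powershell
# Added example (not from the original article): look for a PowerShell
# one-liner that was pasted into the Run dialog or an interactive console.
# Run-dialog entries persist in HKCU ...\Explorer\RunMRU; interactive
# PowerShell input persists in the PSReadLine history file.
# Assumed markers: typical download-and-execute cradle fragments.
$Patterns = @(
    '\b(powershell|pwsh|mshta)\b',
    '(^|\s)-(e|enc|encodedcommand)\b',
    '-w(indowstyle)?\s+hidden',
    '\b(iex|invoke-expression)\b',
    '\b(irm|iwr|invoke-restmethod|invoke-webrequest)\b',
    '\b(downloadstring|downloadfile|frombase64string)\b'
)

function Test-SuspiciousCommand {
    param([string]$Command)
    # -match is case-insensitive; require two markers so a bare
    # "powershell" entry in the Run history does not alert on its own.
    $hits = @($Patterns | Where-Object { $Command -match $_ })
    return ($hits.Count -ge 2)
}

function Get-RunMruEntries {
    # Value names are single letters; each value is "<command>\1".
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -match '^[a-z]$') {
            [pscustomobject]@{ Source = 'RunMRU'; Command = ($p.Value -replace '\\1$', '') }
        }
    }
}

function Get-ConsoleHistoryEntries {
    $hist = Join-Path $env:APPDATA 'Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
    if (-not (Test-Path $hist)) { return }
    Get-Content -Path $hist | ForEach-Object {
        [pscustomobject]@{ Source = 'PSReadLine'; Command = $_ }
    }
}

$findings = @(Get-RunMruEntries) + @(Get-ConsoleHistoryEntries) |
    Where-Object { Test-SuspiciousCommand $_.Command }

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'No ClickFix-style command history found for the current user.'
}
```

Run it under the account that was sitting at the console; both artifacts are per-user, so an admin running it from another profile will see nothing.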
