Sandworm Leverages Fake CAPTCHAs in Evolving ClickFix Attacks Against Ukraine
Russian military intelligence hackers, attributed to the notorious **Sandworm** group, are deploying a sophisticated new social engineering tactic. They are using fake CAPTCHA prompts on compromised websites to trick Ukrainian targets into executing malicious PowerShell commands, leading to system infection and potential further compromise.
The **Computer Emergency Response Team of Ukraine (CERT-UA)** has issued a warning regarding a significant shift in the initial access methods employed by the Kremlin-backed hacking group, **Sandworm**. Researchers observed this spring and summer that the group is increasingly adopting a variation of the social engineering technique known as **ClickFix**.
### The Deceptive CAPTCHA Scheme
Instead of traditional CAPTCHA verification, victims are directed to compromised websites displaying a fabricated security check. Users are instructed to copy and paste a **PowerShell** command directly into their **Windows** computers. This command then downloads initial malware, granting attackers persistent access and the ability to deploy additional malicious tools.
### Malware Arsenal: GhettoVibe, ScoutCurl, and More
**CERT-UA** identified **GhettoVibe** as the initial malware payload. This can be followed by **ScoutCurl**, a reconnaissance tool designed to collect extensive system details, installed software, files, and browser data. This information helps **Sandworm** assess the target's value for further exploitation. Researchers also noted the use of two malware loaders: **FluidLeech**, disguised as antivirus removal software, and **LoadLoop**.
During June and July, **CERT-UA** observed this **ClickFix** technique on over 10 compromised websites. While the number of compromised devices was not disclosed, the pattern indicates a concerted effort.
### Enduring Tactics and Broader Threat Landscape
Despite the adoption of **ClickFix**, **Sandworm** continues to rely on established social engineering methods. The group targets **Android** devices with malware disguised as security applications, often distributed through messaging apps. Once installed, this malware can illicitly collect contacts, files, device information, and real-time location data.
Historically, **Sandworm** has distributed backdoored copies of **Microsoft Windows** and **Office** installers via torrent sites, a tactic that has allowed them to establish footholds within Ukrainian government networks, leading to destructive cyberattacks.
Another persistent tactic involves targeting victims through the **Signal** messaging app, convincing them to install bogus antivirus software. **CERT-UA** notes that hackers often spend weeks building trust with military personnel and other targets before prompting them to execute malicious files, sometimes even offering monetary incentives.
### The Persistent Threat of Sandworm
**Sandworm**, linked by Western governments and cybersecurity researchers to Russia's military intelligence agency, the **GRU**, has been active since at least 2013. The group is responsible for some of Russia's most impactful destructive cyberattacks, including devastating assaults on Ukraine's power grid.