Copy and Paste buttons
Image: Planet Volumes via Unsplash

Sandworm hackers have a CAPTCHA trick for Ukrainians

Russian military intelligence hackers have begun using fake CAPTCHA prompts on compromised websites to trick Ukrainian targets into infecting their own computers, researchers have found.

In a report published Wednesday, Ukraine's computer emergency response team (CERT-UA) said it observed a shift this spring and summer in how the Kremlin-backed hacking group Sandworm gains initial access to the systems of Ukrainian targets.

The agency said the group has increasingly adopted a social engineering technique known as ClickFix, in which victims are directed to compromised websites displaying a fake CAPTCHA security check designed to distinguish humans from computers.

Rather than verifying they are human, users are instructed to copy and paste a PowerShell command into their Windows computers. The command downloads malware that allows hackers to maintain access to the computer and deploy additional malicious tools later.

The initial malware, dubbed GhettoVibe, can be followed by a reconnaissance tool called ScoutCurl, which collects information about the infected computer, including system details, installed software, files and browser data, to help attackers determine whether the target is worth further compromising. Researchers also observed two malware loaders: FluidLeech, disguised as antivirus removal software, and LoadLoop.

CERT-UA said it observed the ClickFix technique on more than 10 compromised websites during June and July. The agency did not report the number of compromised devices.

Despite its shift toward ClickFix attacks, Sandworm continues to rely on familiar social engineering methods as well.The agency warned that the group targets Android devices with malware disguised as security applications and distributed through messaging apps. Once installed, the malware can secretly collect contacts, files, device information and real-time location data.

For years, one of Sandworm's primary tactics involved distributing backdoored copies of Microsoft Windows and Office installers through torrent sites, allowing the group to quietly compromise victims who downloaded pirated software.

CERT-UA said that in at least one case, such an infection enabled the hackers to establish a foothold inside a Ukrainian government network before launching a destructive cyberattack against a central executive authority.

Another tactic Sandworm has relied on throughout Russia's war in Ukraine is targeting victims through the Signal messaging app by convincing them to install bogus antivirus software. According to CERT-UA, the hackers often spent weeks building trust with military personnel and other targets before asking them to run malicious files, sometimes even offering cash payments in exchange for following their instructions.

Sandworm, which Western governments and cybersecurity researchers link to Russia's military intelligence agency, the GRU, has been active since at least 2013 and is responsible for some of Russia's most high-profile destructive cyberattacks, including attacks on Ukraine's power grid.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
Recorded Future
No previous article
No new articles
Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.