News
This CAPTCHA scam tricks you into downloading malware
A new scam is making the rounds on the internet, where a CAPTCHA popup asks users to prove they’re not a robot by performing three simple steps, which actually downloads malware to the user’s PC.
Just a heads up, if you buy something through our links, we may get a small share of the sale. It’s one of the ways we keep the lights on here. Click here for more.
Look, we’ve all done dumb things on the internet. But there’s a new scam making the rounds that’s so stupidly brilliant that it’ll make you want to disconnect your PC and go live in the woods.
Imagine yourself mindlessly browsing the web when suddenly – a CAPTCHA popup appears. You know the drill: prove you’re not a robot, click the box, and maybe identify some crosswalks. Except this time, it’s different. Instead, it gives you three simple steps:
- Press Windows key + R
- Press Ctrl + V
- Hit Enter
If your scam radar isn’t blaring right now, it should be.
According to Malwarebytes‘ latest research, this seemingly innocent CAPTCHA is actually a devious little trojan horse that’s been spreading faster than a Reddit meme. And the worst part? People are actually falling for it.
Here’s where it gets clever (in an evil genius sort of way): When you click that innocent-looking “I’m not a robot” box, the site secretly copies some text to your clipboard.
The text starts with something like “I am not a robot – reCAPTCHA Verification ID: XXXX” – but that’s just the tip of the iceberg.
Hidden beyond what you can see in the Windows Run command window is a sneaky command that downloads whatever flavor of malware the attackers are serving that day.
According to recent reports from Forbes and Qualys, this scam has been delivering everything from the notorious Lumma Stealer to the Amadey Trojan.
These nasties are designed to hunt down your personal info and beam it back to some sketchy server.
This attack works because it plays on multiple levels of human psychology:
- Our Pavlovian response to CAPTCHAs (we’ve all been trained like dogs to prove we’re human)
- The fact that most people under 30 have no idea what the Windows Run command even is
- Our collective trust in familiar security measures like CAPTCHA
- The ancient Windows UI that hasn’t changed since Bill Gates had a full head of hair
Sure, Windows Defender and most modern browsers should catch this nonsense before it causes too much damage.
But according to security researchers, these attacks are still successful enough that cybercriminals keep rolling them out with new variations.
It’s like the Nigerian prince scam of 2025, except instead of promising you millions, it’s stealing your passwords and probably your dignity too.
How to Not Get Owned
- First off, if any CAPTCHA asks you to open the Run command (Win + R), it’s about as legitimate as a $3 bill
- Keep your Windows security up to date (yes, those annoying updates actually do something)
- Use an antivirus that doesn’t suck (Malwarebytes caught this one early, just saying)
- Maybe don’t click on those “Hot Singles in Your Area” ads? Just a thought.
The bottom line: If a website asks you to jump through hoops to prove you’re human, maybe take a second to wonder why it’s working so hard to convince you it’s legitimate.
Because in 2025, the robots aren’t the ones we need to worry about – it’s the humans behind them.
What do you think about this sneaky CAPTCHA scam? Have you or someone you know ever encountered something similar? We’d love to hear your thoughts and experiences! Share your insights in the comments below.
Follow us on Flipboard, Google News, or Apple News
