Fake reCAPTCHA pages are tricking people into running PowerShell malware
A nasty Windows malware trick is doing the rounds again, and it looks believable enough to catch careful people.
You land on a website and get what appears to be a normal "I am not a robot" or reCAPTCHA-style check. Instead of asking you to click traffic lights or buses, the page tells you to do something odd: press Windows + R, paste a command, then press Enter to finish verification.
That is the red flag.
Real CAPTCHA checks do not ask you to open the Windows Run box. They do not ask you to paste commands. They do not need PowerShell, Windows Terminal, Command Prompt, or anything similar.
If a website asks you to press Windows + R as part of a verification check, close the page.
What is actually happening?
This attack is commonly called ClickFix. The page pretends there is a browser, CAPTCHA, or verification problem that only you can "fix".
In the background, the page copies a command to your clipboard. When it tells you to press Windows + R and paste, you are not pasting a harmless verification code. You may be pasting a PowerShell or Windows Terminal command that downloads and runs malware.
Security researchers have seen this technique used to install information stealers and remote access tools. Microsoft has also reported newer ClickFix campaigns using Windows Terminal and PowerShell as part of the infection chain, including campaigns linked to Lumma Stealer.
Once run, the malware may try to steal browser passwords, saved cookies, cryptocurrency wallet data, session tokens, files, or anything else useful to the attacker. Some variants also set up persistence so they can survive a reboot.
What the fake page may say
The wording changes, but the pattern is usually similar:
- "Verify you are human"
- "Complete this verification step"
- "Press Windows + R"
- "Press Ctrl + V"
- "Press Enter"
- "Run this command to continue"
- "Fix browser verification"
- "Open PowerShell" or "Open Terminal"
Some pages copy the command automatically when you click a fake checkbox. Others show a fake error and tell you to copy the "fix" manually.
The important part is not the exact wording. It is the request to run something on your computer.
Why this works
This attack does not need a clever software exploit. It relies on habit.
People are used to annoying verification checks. They are used to clicking through cookie banners, login prompts, and browser pop-ups. If the page looks polished enough, the extra instruction can feel like one more irritating step rather than a serious warning.
That is why this trick is effective. The attacker gets the victim to do the dangerous part themselves.
What to do if you see one
If a website asks you to open the Run box, PowerShell, Command Prompt, or Windows Terminal to prove you are human:
- Do not follow the instructions.
- Close the tab.
- If the site was sent by email, text, Discord, Facebook, or another message, do not reopen the link.
- Warn the person who sent it, especially if it came from someone you know. Their account may be compromised.
You can also clear your clipboard by copying a harmless bit of text, such as a word from Notepad, before doing anything else.
What to do if you already ran it
If you pasted the command and pressed Enter, treat it as a possible malware infection.
Work through these steps, using a different device for the password changes and sign-outs if possible:
- Disconnect the affected PC from the internet. Turn off Wi-Fi or unplug the network cable.
- Change important passwords, starting with email, banking, Microsoft, Google, Apple, social media, and password manager accounts.
- Sign out of other sessions where the service allows it.
- Run a full scan with Microsoft Defender or your usual security product.
- Check for unknown startup items, scheduled tasks, browser extensions, and recently installed programs.
- If sensitive accounts were logged in on that PC, consider the session cookies exposed even if the password was not saved.
For business devices, report it to IT straight away. Do not try to quietly clean it up yourself. The command line history, downloaded files, and process logs may help work out what ran.
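For whoever investigates the PC: commands launched from the Windows + R box are recorded per user in the RunMRU registry key, so that key is one place to look for what was pasted. The PowerShell below is an added example, not part of the original article; it only reads the key, and its keyword list is an illustrative assumption rather than a complete signature set.

```powershell
# Added example: list Run-box (Windows + R) history for the current user and
# flag entries that resemble a pasted download-and-run command.
# Read-only: nothing is modified or deleted.

$runMruPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

# Assumed, illustrative indicators; tune these for your environment.
$suspiciousPatterns = @(
    'powershell', 'pwsh', 'cmd(\.exe)?\s+/c', 'mshta', 'wt(\.exe)?\s',
    'curl', 'bitsadmin', 'certutil', 'iwr', 'irm', 'iex',
    'invoke-webrequest', 'invoke-expression', 'https?://',
    '-enc', '-w(indowstyle)?\s+h'
)
$regex = $suspiciousPatterns -join '|'

function Get-RunBoxHistory {
    param([string]$Path = $runMruPath)

    if (-not (Test-Path -Path $Path)) {
        return @()   # The key is absent if the Run box was never used
    }

    $key = Get-Item -Path $Path
    # MRUList gives the entry order, most recent first (for example "cba").
    $order = [string]$key.GetValue('MRUList')

    $rank = 0
    foreach ($letter in $order.ToCharArray()) {
        $raw = $key.GetValue([string]$letter)
        if ($null -eq $raw) { continue }
        $rank++
        # Run-box entries are stored with a trailing "\1" marker; strip it.
        $command = ([string]$raw) -replace '\\1$', ''
        [pscustomobject]@{
            Rank       = $rank
            Suspicious = [bool]($command -match $regex)   # case-insensitive
            Command    = $command
        }
    }
}

Get-RunBoxHistory | Format-Table -AutoSize -Wrap
```

An empty or clean-looking result does not rule out infection: the key is writable by the logged-in user, and commands pasted directly into Windows Terminal are not recorded there.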
Simple rule to remember
CAPTCHA checks happen inside the browser.
If a website tells you to leave the browser and run a Windows command, it is not a CAPTCHA. It is a trap.