
HP warns cybercriminals exploit ‘I Am Not a Robot’ CAPTCHAs to spread malware

By Guardian Nigeria
25 March 2025 | 3:14 am
HP Wolf Security research has uncovered multiple cyberattack campaigns in which attackers exploit the growing ‘click tolerance’ among users by deploying multi-step infection chains.

In its latest HP Threat Insights Report, HP Inc. highlights the increasing use of fake CAPTCHA verification tests, which allow cybercriminals to deceive users into unknowingly infecting their own systems.

The report emphasizes how attackers are capitalising on users’ familiarity with completing multiple authentication steps online—a trend HP refers to as ‘click tolerance.’

By analysing real-world cyberattacks, the HP Threat Insights Report helps organisations stay informed about the latest techniques cybercriminals use to bypass security measures and compromise PCs.

Based on data from millions of endpoints running HP Wolf Security, HP threat researchers have identified several notable campaigns.

One such campaign, dubbed CAPTCHA Me If You Can, reveals how attackers have crafted malicious CAPTCHAs.

Users are directed to attacker-controlled sites and prompted to complete fake authentication challenges.

Ultimately, victims are tricked into executing a malicious PowerShell command on their PCs, which installs the Lumma Stealer remote access trojan (RAT).

Another campaign demonstrates how attackers use an open-source RAT, XenoRAT, which has advanced surveillance capabilities, including access to webcams and microphones.

Through social engineering, attackers persuade users to enable macros in Word and Excel documents, allowing them to control devices, exfiltrate data, and log keystrokes, underscoring the persistent risk posed by Microsoft Office documents for malware deployment.

The report also details an attack method it calls ‘Python Scripts Used for SVG Smuggling’.

In this campaign, attackers embed malicious JavaScript code inside Scalable Vector Graphics (SVG) images to evade detection.

Since browsers open these images by default, the embedded code executes automatically, deploying multiple payloads, including RATs and infostealers.

The attackers also use obfuscated Python scripts to install malware, leveraging Python’s widespread adoption, especially with the growing interest in AI and data science, to ensure broader compatibility across systems.
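As an added defender-side example, not code from the HP report or this article: a small Python check that flags the kinds of active content an SVG can carry when a browser renders it (script and foreignObject elements, on* event-handler attributes, javascript: or data:text/html links). The two sample SVGs are constructed; the script element holds only a placeholder comment, not a payload.

```python
import re
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"

# Element types that let an SVG carry active content when a browser opens it.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# Attributes that carry a URL; a javascript: scheme in any of them runs code.
URL_ATTRS = {"href", "src", "data"}


def local_name(tag):
    """Strip the namespace prefix from an ElementTree tag such as '{ns}script'."""
    return tag.rsplit("}", 1)[-1]


def scan_svg(text):
    """Return a sorted list of findings for one SVG document (empty list = nothing active)."""
    findings = set()
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return ["unparseable-xml"]  # malformed files deserve a look of their own
    for elem in root.iter():  # iter() walks the root and every descendant
        name = local_name(elem.tag)
        if name in ACTIVE_TAGS:
            findings.add(f"element:{name}")
        for attr, value in elem.attrib.items():
            aname = local_name(attr)  # handles both href and xlink:href
            if aname.lower().startswith("on"):
                findings.add(f"event-handler:{aname}")
            if aname in URL_ATTRS:
                if re.match(r"\s*javascript:", value, re.I):
                    findings.add(f"javascript-uri:{aname}")
                elif re.match(r"\s*data:text/html", value, re.I):
                    findings.add(f"data-html-uri:{aname}")
    return sorted(findings)


# Constructed samples: a plain image and one carrying three kinds of active content.
BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              '<circle cx="5" cy="5" r="4" fill="red"/></svg>')
SUSPECT_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="{XLINK_NS}">
  <rect width="1" height="1" onload="void 0"/>
  <a xlink:href="javascript:void 0"><text>open</text></a>
  <script>/* constructed placeholder, no real payload */</script>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspect", SUSPECT_SVG)):
        print(label, scan_svg(doc))
```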

The Principal Threat Researcher at HP Security Lab, Patrick Schläpfer, noted that a common thread among these campaigns is the use of obfuscation and anti-analysis techniques to slow down investigations.

He explained that even simple but effective defense evasion tactics can hinder security operations teams, delaying detection and response efforts.

“By using methods like direct system calls, attackers make it tougher for security tools to detect malicious activity, giving them more time to operate undetected and compromise victims’ endpoints,” Schläpfer said.

HP Wolf Security provides unique insight into emerging cyber threats by isolating malware that evades detection tools on PCs.

This approach allows threats to be safely detonated within secure containers while preventing system compromise.

To date, HP Wolf Security customers have interacted with over 65 billion email attachments, web pages, and downloaded files without reported breaches.

The report, which examines data from the fourth quarter of 2024, highlights how cybercriminals continue to diversify their attack methods to bypass security tools that rely on detection.

Key findings include that at least 11 per cent of email threats identified by HP Sure Click successfully bypassed one or more email gateway scanners.

Executables were the most common malware delivery method (43%), followed by archive files (32%).

The Global Head of Security for Personal Systems at HP Inc., Dr. Ian Pratt, emphasised the impact of increasing ‘click tolerance’ due to the normalization of multi-step authentication.

“The research shows that users are willing to take multiple steps along an infection chain, highlighting the shortcomings of traditional cyber awareness training,” Pratt said.

He warned that organisations are in an ongoing arms race with cybercriminals—one that AI will only accelerate.

“To combat increasingly unpredictable threats, organizations should focus on shrinking their attack surface by isolating risky actions, such as clicking on potentially harmful links. This way, they don’t need to predict the next attack—they are already protected,” Pratt added.