Russian hackers use fake CAPTCHA tests to spread dangerous malware

Russian state-backed hackers have stepped up their game with new malware families that hide behind fake CAPTCHA tests. The group known as Star Blizzard or ColdRiver uses ClickFix attacks to trick people into launching dangerous malware that now masquerades as a simple “I’m not a robot” check.

These attacks represent a new wave of cyber deception targeting governments, journalists and NGOs with malware that changes faster than researchers can analyze it.

ClickFix trap: A new kind of social engineering

Google’s Threat Intelligence Group (GTIG) has observed for the first time that hackers are using the LostKeys malware in espionage operations. Once the researchers uncovered this, the attackers moved quickly, abandoning LostKeys within a week and using new tools: NoRobot, YesRobot, and MaybeRobot.

The ClickFix attack works like this: The victim arrives at a fake CAPTCHA page that looks identical to the real one. When they click to prove they are human, the system silently launches NoRobot, infecting the computer and establishing persistence through registry changes and scheduled tasks.

A fake “I’m not a robot” CAPTCHA can launch stealth malware in seconds. (picture alliance via Jens Büttner/Getty Images)

Russian ‘robot’ inside malware chain

Russian hackers built their latest attack around a chain of interconnected malware families that are revealed step by step when the victim clicks on the fake CAPTCHA.

NoRobot: Entry point

NoRobot serves as the first stage of infection. It prepares the environment by downloading files, changing registry keys, and creating tasks to ensure it remains active even after a reboot.
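As an added example (not code from the article or from GTIG), here is a read-only PowerShell audit that lists the two persistence footholds described above, scheduled tasks and autorun registry keys, whose command lines match patterns typical of script-based loaders. The pattern list is an assumption for illustration and will also flag legitimate admin tasks, so treat the output as a triage list, not a verdict.

```powershell
# Added example: audit the persistence mechanisms the article names.
# Run in an elevated PowerShell session on the host being checked.
# The pattern below is an assumption for illustration; tune it to your environment.
$suspiciousPattern = 'powershell|pwsh|cmd\.exe|mshta|wscript|cscript|-enc|-w(indowstyle)? hidden|bypass|\\Temp\\|\\AppData\\'

# 1) Scheduled tasks whose action launches a script host or a hidden command line
$taskFindings = foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $cmdLine = "$($action.Execute) $($action.Arguments)"
        if ($cmdLine -match $suspiciousPattern) {
            [pscustomobject]@{
                Source  = 'ScheduledTask'
                Name    = "$($task.TaskPath)$($task.TaskName)"
                Author  = $task.Author
                Command = $cmdLine.Trim()
            }
        }
    }
}

# 2) Autorun values under Run/RunOnce for the current user and the machine
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$regFindings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
        if ("$($p.Value)" -match $suspiciousPattern) {
            [pscustomobject]@{
                Source  = 'Registry'
                Name    = "$key\$($p.Name)"
                Author  = ''
                Command = "$($p.Value)"
            }
        }
    }
}

# Print everything that matched; an empty table means nothing matched the pattern
@($taskFindings) + @($regFindings) | Format-Table -AutoSize -Wrap
```

Compare each hit against a known-good baseline of the host; a task or Run value that appeared right after an unexpected CAPTCHA page is the item to investigate first.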

YesRobot: Short experiment

Hackers briefly tested YesRobot, a Python-based backdoor, but quickly abandoned it after realizing that installing a full Python runtime attracted unwanted attention from defenders.

MaybeRobot: New weapon

MaybeRobot replaced YesRobot as a stealthier PowerShell-based tool. It can download and run payloads, execute commands, and send stolen data back to the attackers. Researchers say MaybeRobot’s development has now stabilized, allowing the hackers to focus on making NoRobot harder to detect.

How do these attacks continue to evolve?

Security analysts noticed that the malware’s distribution chain changed several times. At one point it was “greatly simplified,” but it then became complex again as the attackers began splitting the cryptographic keys across multiple files. This strategy makes it difficult for researchers to reconstruct how an infection works: without every piece of the puzzle, the final malware payload cannot be decrypted.

Who are the targets of Russian malware?

ColdRiver’s operations have been linked to Russia’s Federal Security Service (FSB) and have focused on espionage and data theft for years. The group has consistently targeted Western governments, think tanks, media organizations, and NGOs to steal sensitive information and gain strategic insight.

Despite sanctions, infrastructure shutdowns, and public exposure, the hackers continue to thrive. Their rapid transition from LostKeys to NoRobot and MaybeRobot shows a highly organized and well-funded operation that can retool in a matter of days.

A Russian flag flies above the Russian Embassy in Berlin, Germany.

Russian hackers are now using realistic CAPTCHA traps to spread new strains of “Robot” malware, researchers warn. (Kristian Tuxen Ladegaard Berg/NurPhoto via Getty Images)

Even if you’re not a government or corporate target, these evolving attacks are a reminder that everyone who connects to the internet is at some level of risk. Compromised personal accounts, reused passwords or infected email attachments can make ordinary users an easy entry point for larger campaigns.

Although these threats aim high, their impact extends far and wide. Awareness and careful online behavior are important for everyone.

How to protect yourself from Russian malware disguised as fake CAPTCHAs

These practical steps can help you protect your data and devices from the growing wave of Russian malware using fake CAPTCHA pages.

1) Beware of unexpected CAPTCHA challenges

Fake “I’m not a robot” pages are the main lure of this Russian malware campaign. If you are directed to a CAPTCHA on an unfamiliar site or after clicking a suspicious link, stop immediately. Real CAPTCHAs generally only appear on trusted websites and not on random pop-ups or login pages. When in doubt, close the page and verify the URL before taking any action.

2) Use strong antivirus software

Choose reputable antivirus protection that not only scans for known malware but also monitors suspicious behavior. Because “robot” malware evolves quickly, behavior-based detection helps stop new variants before signature updates become available. Enable automatic updates and schedule daily scans to catch infections early. The best way to protect yourself from malicious links that install malware and potentially access your private information is to have strong antivirus software installed on all your devices. This protection also keeps your personal information and digital assets safe by alerting you to phishing emails and ransomware scams.

Get my picks for the 2025 best antivirus protection winners for your Windows, Mac, Android, and iOS devices at: cyberguy.com

3) Consider a data removal service to reduce exposure

Many cyber attacks start with publicly available data. Using a data removal or privacy protection service helps remove your personal information from data broker sites. By reducing what hackers can find online, you make it harder for them to adapt phishing emails or social engineering traps that lead to malware infections.

While no service can guarantee complete removal of your data from the internet, a data removal service is a smart choice. They’re not cheap, but neither is your privacy. These services do the work for you by actively monitoring and systematically deleting your personal information from hundreds of websites. This is what gives me peace of mind and has proven to be the most effective way to delete your personal data from the internet. By limiting the information available, you reduce the risk of fraudsters cross-referencing data obtained from breaches with information they can find on the dark web, making it harder for them to target you.

Check out my top picks for data removal services and run a free scan to see if your personal information is already on the internet by visiting: cyberguy.com

4) Keep all software and operating systems updated

The malware used in these attacks exploits known vulnerabilities in unpatched systems. Always apply updates as soon as they are released. Turn on automatic updates for your browser, antivirus, and operating system. Outdated software is one of the easiest entry points for Russian hackers and other sophisticated groups.

A man in a hoodie is typing suspiciously on a laptop that displays a dark screen.

Cyber experts say awareness is the best defense as these evolving attacks target both organizations and everyday users. (Kurt “CyberGuy” Knutsson)

5) Use multi-factor authentication (MFA) wherever possible

Even if a hacker steals credentials through malware or phishing, MFA adds another layer of protection. Require it for email, VPNs, and cloud services. This simple step can block most unauthorized access attempts.

6) Back up data regularly

A ransomware payload could be the next evolution of this malware family. Back up critical data to both an external drive and cloud storage.

Kurt’s important takeaways

The rise of these malware campaigns from Russia is a reminder that cybercriminals are always one step ahead. The seemingly harmless “I’m not a robot” test may actually hide a serious threat. Protecting yourself isn’t just about having antivirus software; it’s about staying alert to the little online details that can make a big difference. Keep your devices updated, investigate unexpected pop-ups, and use reliable tools to protect your personal information. With a little care and consistency, you can defeat even the most deceptive attacks.

What concerns you most about today’s online security risks? Let us know by writing to us at cyberguy.com

Copyright 2025 CyberGuy.com. All rights reserved.
