Full Report
Rather than verifying they are human, the CAPTCHA users are instructed to copy and paste a PowerShell command into their Windows computers.
Analysis Summary
# Threat Actor: Sandworm
## Attribution & Identity
* **Identification:** Unit 74455 of the Russian Main Intelligence Directorate (GRU).
* **Aliases:** Voodoo Bear, BlackEnergy, TeleBots, Iron Viking.
* **Known Associations:** Russian Military Intelligence (GRU).
## Activity Summary
In mid-2026, Sandworm shifted its initial access tactics toward a social engineering technique known as **"ClickFix."** Operating primarily in June and July, the group compromised over 10 websites to deliver fake CAPTCHA prompts. Instead of a standard verification, these prompts tricked Ukrainian users into executing malicious PowerShell commands. This campaign is part of a broader, long-term effort by Sandworm to maintain persistence within Ukrainian infrastructure for espionage and destructive purposes.
## Tactics, Techniques & Procedures
* **Social Engineering (ClickFix):** Presenting fake CAPTCHA security checks on compromised websites to trick users into manual code execution.
* **Command and Scripting Interpreter:** Instructing users to copy and paste malicious PowerShell commands into the Windows Terminal (T1059.001).
* **Trust Building:** Engaging in multi-week social engineering via messaging apps (Signal), sometimes offering cash payments to build rapport before delivery of malware.
* **Software Supply Chain/Torrent Distribution:** Distributing backdoored installers of pirated Microsoft Windows and Office software via torrent sites.
* **Masquerading:** Disguising malware as legitimate security applications or antivirus removal tools (T1036).
* **Mobile Targeting:** Distributing Android-specific malware via messaging apps to collect location and contact data.
## Targeting
* **Sectors:** Ukrainian Government (Central Executive Authorities), Military Personnel, and Critical Infrastructure (Power Grid).
* **Geography:** Ukraine.
* **Victims:** Ukrainian government networks and military personnel.
## Tools & Infrastructure
* **GhettoVibe:** The primary malware downloader used in the ClickFix campaigns to establish initial access.
* **ScoutCurl:** A reconnaissance tool used to collect system details, installed software, and browser data.
* **FluidLeech:** A malware loader disguised as antivirus removal software.
* **LoadLoop:** A secondary malware loader.
* **Android Malware:** Custom tools for intercepting contacts, files, and real-time GPS location.
* **Infrastructure:** Defanged compromised websites (Specific domains not listed in the text, but noted as >10 instances).
## Implications
Sandworm remains one of the most sophisticated and dangerous state-sponsored threats due to its ability to blend high-end technical exploits with simple but highly effective social engineering. The shift to "ClickFix" demonstrates an adaptability to bypass browser-based security prompts by moving the execution burden to the user. Their success in breaching government networks via pirated software highlights a persistent vulnerability in environments where cost or availability leads to the use of unofficial software channels.
## Mitigations
* **User Training:** Educate employees to never copy and paste commands from websites into PowerShell or CMD, specifically emphasizing that no legitimate CAPTCHA requires code execution.
* **Host-Based Protections:** Implement Constrained Language Mode for PowerShell and monitor for unusual PowerShell execution patterns.
* **Software Policy:** Strictly prohibit the use of pirated software and torrenting on corporate/government networks.
* **Endpoint Detection (EDR):** Deploy EDR solutions to flag and block the execution of suspicious scripts (like GhettoVibe/ScoutCurl) and monitor for unauthorized exfiltration of browser data.
* **Mobile Security:** Implement Mobile Device Management (MDM) to prevent the installation of unsigned or third-party APKs on devices used by military or government personnel.