Fake CAPTCHA Campaign: Inside a Multi-Stage Stealer Assault LevelBlue documents a multi-stage, fileless ClickFix campaign that compromises legitimate websites to present fake CAPTCHA prompts which coerce users into executing clipboard-pasted PowerShell commands, enabling in-memory payload delivery via Donut shellcode. The infrastructure is payload-agnostic and rotates multiple commodity stealers and a cryptocurrency clipboard hijacker across numerous C2 servers and fake crypto-exchange sites. #ClickFix #LummaStealer

A multi-stage stealer attack uses compromised legitimate sites to show fake CAPTCHA prompts, tricking users into running clipboard-pasted PowerShell commands delivering in-memory payloads via Donut shellcode. #ClickFix #CryptoHijack #LummaStealer