DNSFilter Research Finds Bad Actors Using Fake CAPTCHAs for Malware Attempts

Protective DNS helps companies stay safe from fileless malware

WASHINGTON, D.C. – Aug. 14, 2025 – DNSFilter released new research today that showcases how bad actors are taking advantage of fake CAPTCHA pages to attempt to scam unsuspecting individuals. 

One of DNSFilter’s managed service provider (MSP) customers discovered what first appeared to be an ordinary CAPTCHA prompt, but it turned out to be an attempt to deliver fileless malware known as Lumma Stealer. DNSFilter’s content filtering was able to stop it in its tracks, but researchers took a deeper look at the attempt to glean more detail. 

Researchers discovered that: 

• This particular fake CAPTCHA was interacted with 23 times on the DNSFilter network over a three-day period.

• 17% of people who encountered the fake CAPTCHA completed the steps on the screen to copy and paste it, resulting in an attempted malware payload delivery. 

• The fake CAPTCHA was first observed on a Greek banking site. Two other domains were associated with the malicious CAPTCHA: a brand-new Cloudflare Pages site (Human-verify-7u.pages.dev) that loads with an error message after clicking “I’m not a robot,” and Recaptcha-manual.shop, which loads outside of the browser after following the prompted commands.

When users encountered the fake CAPTCHAs, this is the prompt that popped up.

As bad actors continue to evolve their tactics, users need to remember that if something seems fishy, they shouldn’t click it. However, not all threats are obvious. Organizations need to ensure they’re providing solid cyber hygiene training for employees regularly, but they also need to have a strong strategy in place for blocking suspicious domains and using content filtering to help avoid potential malware and phishing attempts. 

Read more about how DNSFilter helped an MSP stop fake CAPTCHAs from luring their customers into inadvertent security scams in this case study. 

Will Strafach, Senior Director, Security Intelligence & Solutions, DNSFilter, said: “It’s important for users to think and look carefully before they click on anything or take an action on an untrusted site, but human error is inevitable. That’s why modern enterprises need protective DNS. DNSFilter identifies emergent and newly malicious sites, providing cybersecurity teams with detailed visibility and tighter control of their network, no matter where their end users happen to be.”

About the company:

DNSFilter is a cybersecurity company that protects every click, leveraging AI-driven content filtering and threat protection to block threats 10 days earlier than competitors. DNSFilter’s solution secures workers anywhere they are, helping to boost productivity, minimize compliance risk, and protect corporate brands on public Wi-Fi networks. Unlike traditional filtering solutions, DNSFilter deploys in minutes instead of days and is trusted by more than 43,000 organizations worldwide. Learn more about how DNSFilter is the first and last line of defense for corporate and hybrid networks at dnsfilter.com.

Media Contact

Shannon Van Every

Force4 Technology Communications

Shannon@force4.co