Fake CAPTCHA Targets Users Seeking Pirated Games and GitHub Repositories

Penka Hristovska, Senior Editor

A fake CAPTCHA test is targeting gamers looking to download pirated PC games, according to research from McAfee.

McAfee researchers say the fake CAPTCHA pop-ups appear on dubious websites that falsely claim to provide access to cracked or pirated PC games, such as Hogwarts Legacy. The second target group is GitHub contributors, who are being sent phishing emails pretending to come from GitHub that prompt them to resolve a fake “security vulnerability.” These emails include links directing them to the same fake CAPTCHA pages.

“When users search the internet for free or cracked versions of popular video games, they may encounter online forums, community posts, or public repositories that redirect them to malicious links,” McAfee said.

Once on the site, users are asked to complete what looks like a CAPTCHA test meant to verify their identity as human visitors. In reality, this fake CAPTCHA is a tactic to trick users into installing the Lumma Stealer malware.

The fake CAPTCHA asks users to click on a “Verify you are a human” or “I am not a robot” button, which copies a malicious script to the clipboard. It then prompts them to press “Windows + R” to open the Run dialog box, and finally instructs them to press “CTRL + V” and hit Enter, which pastes a PowerShell script into the Run dialog and executes it.
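Commands entered in the Windows Run dialog are recorded per user in the RunMRU registry key, so the paste step described above leaves a trace that can be checked on an endpoint. The following is an added example, not code from McAfee or this article; the heuristics, the 80-character threshold and the sample values are assumptions constructed for illustration.

```python
import re
import sys

RUNMRU_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
# Heuristics (assumptions, tune per environment): script hosts a user rarely
# types into Win+R, plus traits typical of a pasted one-liner.
SCRIPT_HOSTS = re.compile(r"\b(powershell|pwsh|mshta|cmd|wscript|cscript)(\.exe)?\b", re.I)
PASTE_TRAITS = re.compile(
    r"-e(nc(odedcommand)?)?\s|-w(indowstyle)?\s+h|\biex\b|invoke-expression|"
    r"downloadstring|invoke-webrequest|\biwr\b|https?://|frombase64string", re.I)
MAX_TYPED_LEN = 80  # hand-typed Run commands are short; pasted scripts are not

def read_runmru():
    """Return {value_name: command} for the current user (Windows only)."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUNMRU_KEY) as key:
            count = winreg.QueryInfoKey(key)[1]  # number of values under the key
            values = [winreg.EnumValue(key, i) for i in range(count)]
    except FileNotFoundError:  # the Run dialog was never used by this user
        return {}
    return {name: data for name, data, _ in values if name != "MRUList"}

def flag_run_entries(entries):
    """Return [(name, command, reasons)] for entries that look pasted."""
    findings = []
    for name, raw in sorted(entries.items()):
        command = raw[:-2] if raw.endswith("\\1") else raw  # strip MRU suffix
        reasons = []
        if SCRIPT_HOSTS.search(command):
            reasons.append("script host")
        if PASTE_TRAITS.search(command):
            reasons.append("download/encoded/hidden-window trait")
        if len(command) > MAX_TYPED_LEN:
            reasons.append("unusually long")
        # A bare "cmd" or "powershell" is normal; flag only with a second signal.
        if "script host" in reasons and len(reasons) > 1:
            findings.append((name, command, reasons))
    return findings

# Constructed sample values (not taken from the article or a real incident).
SAMPLE = {
    "a": "notepad\\1", "b": "cmd\\1",
    "c": "powershell -w hidden -enc PLACEHOLDER_BASE64\\1",
}

if __name__ == "__main__":
    data = read_runmru() if sys.platform == "win32" else SAMPLE
    for name, command, reasons in flag_run_entries(data):
        print(f"[!] RunMRU value {name}: {command}  ({', '.join(reasons)})")
```

On Windows the script reads the live key for the logged-in user; elsewhere it runs against the constructed sample.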

Once installed, the infostealing malware targets victims’ account credentials, passwords, and even crypto wallets.

If you’re thinking this doesn’t resemble a typical CAPTCHA, you’re correct. That said, these tests are evolving, so it’s getting harder to tell the real ones from the fake ones.

“The ClickFix infection chain demonstrates how cybercriminals exploit common user behaviors—such as downloading cracked software and responding to phishing emails—to distribute malware like Lumma Stealer,” McAfee says. “By leveraging fake CAPTCHA pages, attackers deceive users into executing malicious scripts that bypass detection, ultimately leading to malware installation.”

About the Author

Penka Hristovska is an editor at SafetyDetectives. She was an editor at several review sites that covered all things technology — including VPNs and password managers — and had previously written on various topics, from online security and gaming to computer hardware. She’s highly interested in the latest developments in the cybersecurity space and enjoys learning about new trends in the tech sector. When she’s not in “research mode,” she’s probably re-watching Lord of The Rings or playing DOTA 2 with her friends.
