Alerta de Segurança: Hackers Atacam Carteiras Cripto com Campanha Falsa de reCAPTCHA

Nova campanha de phishing disfarçada de verificações reCAPTCHA está roubando dados de navegadores e drenando carteiras de criptomoedas.

Método de Ataque Sofisticado

Os criminosos criaram pop-ups falsos que imitam perfeitamente os sistemas de verificação do Google, enganando usuários para entregar credenciais e chaves privadas. A técnica bypassa medidas tradicionais de segurança com uma simplicidade assustadora.

Impacto no Mercado Cripto

Enquanto investidores perdem fundos, os preços das principais criptomoedas mostram resiliência - porque no mundo das finanças descentralizadas, cada desastre é só uma oportunidade de compra disfarçada, certo?

Proteja Seus Ativos

Use hardware wallets, verifique URLs manualmente e nunca clique em pop-ups de verificação inesperados. A segurança cripto requer vigilância constante - ou então você acaba pagando o 'imposto dos imprevistos' mais caro do mercado.

ClickFix campaign uses reCAPTCHA to sneak malware in

Per eSentire’s research published last Thursday, hackers are luring victims using fake websites and pop-ups that look like “security checks,” including fraudulent reCAPTCHA verification boxes and counterfeit Cloudflare Turnstile pages. 

The deceptive interfaces prompt users to “fix” a supposed issue, with the instructions causing them to execute harmful commands without seeing the risks. Once the initial command is run, Amatera Stealer is delivered first, followed by the installation of NetSupport Manager, which allows hackers to monitor and control the compromised machine as though they were physically present.

Amatera Stealer is not an entirely new threat but the latest evolution of ACR Stealer, also known as AcridRain. The earlier version first appeared as a malware-as-a-service product on hacker forums in 2024, which several users deployed through subscription packages.

Sales of ACR were paused in mid-2024 when its developer, known online as SheldIO, sold the malware’s source code. Despite the sale announcement, the group said it was “not the end” of its development. Researchers now believe Amatera is the direct successor to ACR, rebuilt with more capabilities and new evasion techniques.

Amatera, spotted by security auditing firm Proofpoint in June, is available on a subscription basis from $199 per month to $1,499 annually.

“Amatera provides threat actors with extensive data exfiltration capabilities targeting crypto-wallets, browsers, messaging applications, FTP clients, and email services. It employs advanced evasion strategies like WoW64 SysCalls to circumvent user-mode hooking mechanisms used by sandboxes, Anti-Virus solutions, and EDR products,” eSentire said.

The malware is written in C++ and is capable of harvesting saved passwords, card details, browsing histories, and files from browsers like Chrome, Brave, Edge, Opera, Firefox, and specialized platforms such as Tor Browser and Thunderbird. 

Multi-stage Windows PowerShell loaders hiding malware

According to eSentire’s threat analysis, the Amatera’s infection process is built on several layers of obfuscated PowerShell commands. 

TRU researchers saw one phase decrypting subsequent payloads using an XOR process on the string “AMSI_RESULT_NOT_DETECTED,” a term associated with Microsoft’s Anti-Malware Scan Interface. The loader’s developer could have selected the phrase intentionally to confuse researchers conducting dynamic analysis.

While Amatera is the most common payload delivered in these campaigns, eSentire also documented cases where the same loader was used to deploy other infostealers, including Lumma and Vidar. Some samples lacked configuration parameters needed to run multi-stage loaders, in which hackers chose to deploy NetSupport Manager directly instead.

eSentire and other security firms have documented email campaigns distributing Visual Basic Script files disguised as invoices. When opened, the files executed batch scripts that initiated PowerShell loaders delivering XWorm.

Other campaigns involved compromised websites that redirected visitors to fake Cloudflare verification pages, which mimic ClickFix prompts. This activity has been tied to an operation known by names including SmartApeSG, HANEYMANEY, and ZPHP, all coming with NetSupport RAT as their final payload.

Hackers had built fraudulent Booking.com websites that hosted counterfeit CAPTCHA checks, instructing users to open the Windows Run dialog and execute a command, and directly installing a credential-stealing script onto infected systems.

Some of the phishing campaigns connected to these malware deliveries are using a new phishing kit known as Cephas. Cephas, according to cybersecurity solutions firm Barracuda, uses an advanced obfuscation method that inserts invisible characters into the source code of phishing pages, difficult for automated scanners to detect.

“The kit obscures its code by creating random invisible characters within the source code that help it evade anti-phishing scanners and obstruct signature-based YARA rules from matching the exact phishing methods,” Barracuda wrote in its analysis last week.

Want your project in front of crypto’s top minds? Feature it in our next industry report, where data meets impact.