20 Mar / 2025
Cyber Security
Since the start of 2025, Cythera has observed a sharp increase in the volume of InfoStealer malware campaigns, deployed via client-side attacks.
Attackers are leveraging the low-friction approach of directing users to paste malicious commands into the Windows “Run” dialog, using social engineering via a fake CAPTCHA prompt. The prompt first directs the user to press the Windows Key + R simultaneously, opening the “Run” dialog. The user is then instructed to paste the malicious commands in using CTRL+V and execute them with Enter.
The aim of this campaign is to establish code execution on the victim’s device, enumerating credentials and stored sessions, before exfiltrating them back to the threat actor. Due to the simplicity and minimal user interaction required, this attack method has proven to be highly effective. As a result, we are seeing a significant increase in the frequency of this approach.
An example of the attack is the following:
Once the user is prompted to solve the fake CAPTCHA, they are asked to paste a payload into the “Run” window. Oftentimes, the payload is sized in a specific way that the only visible component is a string appearing to align with solving the CAPTCHA.
In reality, the full command being executed will contact an attacker-controlled server to retrieve and execute further stages of commands.
Disable the Win + R Hotkey:
The simplest mitigation for this type of campaign involves disabling the Windows + R key hotkeys, through either a Group Policy Object or registry key. This has been found to be effective, as the friction involved in having the user click the “Run” command, as opposed to just pressing two keys, raises more user concern, as it is clear they are being asked to run something.
An example registry key mitigation set per-user is the following:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"DisabledHotkeys"="R"
Cythera provides automatic deployment of this mitigation via our EndpointPatch solution powered by Automox. For managed customers, our team will reach out with further details.
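The following PowerShell is an added example, not Cythera's EndpointPatch content, showing how an administrator can apply the per-user DisabledHotkeys mitigation above without clobbering any letters already present, and how to review the Run dialog's own history (the RunMRU key, which stores each typed command with a trailing "\1") for interpreter invocations of the kind this campaign relies on. The interpreter list in the pattern is an assumption chosen for this example.

```powershell
# Added example: apply the Win+R mitigation and review Run-dialog history.
$AdvancedKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$RunMruKey   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

function Disable-WinRHotkey {
    # DisabledHotkeys is a REG_SZ listing the letters whose Win+<letter>
    # shortcut is disabled. Merge "R" into whatever is already there so an
    # existing setting (for example "E") survives.
    $existing = (Get-ItemProperty -Path $AdvancedKey -Name 'DisabledHotkeys' `
                 -ErrorAction SilentlyContinue).DisabledHotkeys
    if (-not $existing) { $existing = '' }
    if ($existing.ToUpper().Contains('R')) { return $existing }

    $new = $existing + 'R'
    if (-not (Test-Path $AdvancedKey)) { New-Item -Path $AdvancedKey -Force | Out-Null }
    New-ItemProperty -Path $AdvancedKey -Name 'DisabledHotkeys' `
        -PropertyType String -Value $new -Force | Out-Null
    # Explorer reads this value at start-up: the user must sign out and back in
    # (or Explorer must be restarted) before Win+R stops working.
    return $new
}

function Get-SuspiciousRunHistory {
    # RunMRU values are named a, b, c ... (plus an MRUList index); each holds
    # the typed command followed by "\1". Flag entries that start a scripting
    # interpreter, the pattern used by pasted fake-CAPTCHA payloads.
    $pattern = '(?i)\b(powershell|pwsh|mshta|wscript|cscript|cmd)(\.exe)?\b'
    $props = Get-ItemProperty -Path $RunMruKey -ErrorAction SilentlyContinue
    if (-not $props) { return @() }
    $props.PSObject.Properties |
        Where-Object { $_.Name -match '^[a-z]$' } |
        ForEach-Object { $_.Value -replace '\\1$', '' } |
        Where-Object { $_ -match $pattern }
}

$letters = Disable-WinRHotkey
Write-Output "DisabledHotkeys is now '$letters' (sign out to apply)"

$hits = @(Get-SuspiciousRunHistory)
if ($hits.Count -gt 0) {
    Write-Warning "Run dialog history contains interpreter invocations:"
    $hits | ForEach-Object { Write-Warning "  $_" }
}
```

Run it in the context of the user being protected (HKCU); for fleet-wide rollout the same value belongs in a Group Policy preference or your patching tool, as the advisory notes.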
Deploy an effective EDR solution:
This type of malware falls under the broader category of “client-side attacks”, relying on the abuse of Windows Scripting interpreters, such as PowerShell or MSHTA. Our managed EndpointProtect solution, powered by CrowdStrike Falcon, is effective at detecting and blocking instances where a user is attempting to comply with the threat actor’s instructions.
For further information on how Cythera can protect your organisation from these types of attacks, please contact your account manager or sales@cythera.com.au.
Cythera is committed to protecting our customers from cyber-threats and ensuring business continuity. If you have any questions or concerns about the above attacks, recent exposures or potential impact to your IT systems please reach out.