The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

Malware Leverages CAPTCHA to Bypass Browser Warning

Nov 23, 2022 1:00:33 PM / by PolySwarm Tech Team

captcha malware_BlogRelated Families: Gozi (Ursnif)
Verticals Targeted: Financial

Executive Summary

Bleeping Computer recently reported on a malware campaign that uses CAPTCHA to bypass browser warnings and deliver Gozi. This technique appears to be a novel TTP for threat actors.

Key Takeaways

  • A new malware campaign was observed leveraging CAPTCHA to trick victims into bypassing browser warnings.
  • The campaign uses a decoy video to download a malicious file and uses a victim’s interaction with a fake reCAPTCHA to bypass browser warnings, accepting the file download. 
  • The file downloaded is an executable that leads to the delivery of the Gozi payload.

The Campaign

Bleeping Computer recently reported on a malware campaign leveraging CAPTCHA to trick victims into bypassing browser warnings. The campaign uses this technique to deliver a Gozi payload. This technique appears to be a novel TTP for threat actors.

The suspicious URL used in the campaign downloads a file when a victim attempts to watch an embedded YouTube video. While the video will appear legitimate to the victim, when the victim presses the play button, a file named console-play.exe is downloaded in the background.

Chrome browsers will warn the victim that the file is potentially malicious due to it being an executable. To bypass this warning, the threat actors use a reCAPTCHA to trick the victim into pressing B, S, Tab, A, F and Enter. While the letter keys do nothing, pressing the Tab key Tab targets the Keep option on the browser warning, and Enter causes the browser to download the file to the victim’s computer. The video on the page will then play, convincing victims of the completed CAPTCHA-initiated playback.

The goal of this campaign is to deliver a Gozi (Ursnif) payload. If the victim runs the executable, a folder is created, and numerous files are installed. All of the installed files are decoys, with the exception of BouncyDotNet.exe. BouncyDotNet.exe is launched and reads strings from Windows Registry to launch PowerShell commands. The commands compile a .NET application that launches the Gozi DLL.

What is Gozi?

Gozi, also known as Ursnif, is an info stealer and was once the most widely spread banking trojan. It has been active in the wild since at least 2015 and was made publicly available on GitHub after the source code was leaked. Gozi is capable of stealing information, including computer data, computer name, OS version, and user credentials. It communicates with a C2 to download additional components or payloads and allows remote execution of threat actor commands. Newer Gozi variants have been observed operating as a backdoor to distribute other malware, such as ransomware.


PolySwarm has a Gozi sample associated with this campaign.


You can use the following CLI command to search for all Gozi samples in our portal:

$ polyswarm link list -f Gozi

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at | Check out our blog | Subscribe to our reports

Topics: Threat Bulletin, Malware, CAPTCHA, TTPs, Gozi, Ursnif

PolySwarm Tech Team

Written by PolySwarm Tech Team

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts