{ "id": "e07cbfd2-82f1-4675-8297-94c48935d135", "created_at": "2026-04-06T00:12:44.830963Z", "updated_at": "2026-04-10T03:36:36.879647Z", "deleted_at": null, "sha1_hash": "0f2ceaf3241fcf65fdcc382930415c3b50e59d66", "title": "To evade detection, hackers are requiring targets to complete CAPTCHAs", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 82229, "plain_text": "To evade detection, hackers are requiring targets to complete\r\nCAPTCHAs\r\nBy Dan Goodin\r\nPublished: 2020-06-18 · Archived: 2026-04-05 20:36:07 UTC\r\n“CHIMBORAZO, the group behind Dudear campaigns that deploy the info-stealing Trojan GraceWire, evolved\r\ntheir methods once again in constant pursuit of detection evasion,” Microsoft’s Security Intelligence group wrote\r\nin a Tweet on Wednesday. “The group is now using websites with CAPTCHA to avoid automated analysis.”\r\nThe attack flow looks like this:\r\nCredit: Microsoft Security Intelligence\r\nCredit: Microsoft Security Intelligence\r\nIn a campaign the Security Intelligence group covered in January, Chimborazo used an IP traceback service to\r\ntrack the IP addresses of machines that download the malicious Excel file, presumably to also evade automated\r\ndetection. Back then, it was the first time Microsoft had seen Chimborazo use redirector sites.\r\nJérôme Segura, head of threat intelligence at security provider Malwarebytes, said using CAPTCHAs in malware\r\nattacks is rare but not unprecedented. He pointed to this tweet from late December that was doing the same thing.\r\nIn that case attackers required targets to complete a CAPTCHA that was a knock off of Google’s reCAPTCHA\r\nservice. While fake, it served the same purpose as a real one—to thwart automated analysis by requiring a real\r\nperson to download the file.\r\nThe CAPTCHA spotted by Microsoft may also be a fake reCAPTCHA. The evidence: as seen in the image at the\r\ntop of this post, it says reCAPTCHA and below that claims to provide “DDoS protection by Cloudflare.” Those\r\nhttps://arstechnica.com/information-technology/2020/06/to-evade-detection-hackers-are-requiring-targets-to-complete-captchas/\r\nPage 1 of 2\n\nare two separate services. (Then again, as one commenter points out, it’s possible the attackers used both services\r\nseparately.) Google representatives didn’t immediately respond to an email seeking comment for this post.\r\nPeriodically changing up attack routines is one way attackers stay ahead of defenders, creating a never-ending\r\nback-and-forth process that requires constant vigilance for defenders to stay on top of. It’s likely the attack group\r\nwill change course again in the coming months.\r\nPost updated to add comments in the second-to-last paragraph.\r\nSource: https://arstechnica.com/information-technology/2020/06/to-evade-detection-hackers-are-requiring-targets-to-complete-captchas/\r\nhttps://arstechnica.com/information-technology/2020/06/to-evade-detection-hackers-are-requiring-targets-to-complete-captchas/\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://arstechnica.com/information-technology/2020/06/to-evade-detection-hackers-are-requiring-targets-to-complete-captchas/" ], "report_names": [ "to-evade-detection-hackers-are-requiring-targets-to-complete-captchas" ], "threat_actors": [ { "id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4", "created_at": "2022-10-25T15:50:23.5188Z", "updated_at": "2026-04-10T02:00:05.26565Z", "deleted_at": null, "main_name": "TA505", "aliases": [ "TA505", "Hive0065", "Spandex Tempest", "CHIMBORAZO" ], "source_name": "MITRE:TA505", "tools": [ "AdFind", "Azorult", "FlawedAmmyy", "Mimikatz", "Dridex", "TrickBot", "Get2", "FlawedGrace", "Cobalt Strike", "ServHelper", "Amadey", "SDBbot", "PowerSploit" ], "source_id": "MITRE", "reports": null }, { "id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3", "created_at": "2023-01-06T13:46:38.860754Z", "updated_at": "2026-04-10T02:00:03.125179Z", "deleted_at": null, "main_name": "TA505", "aliases": [ "SectorJ04", "SectorJ04 Group", "ATK103", "GRACEFUL SPIDER", "GOLD TAHOE", "Dudear", "G0092", "Hive0065", "CHIMBORAZO", "Spandex Tempest" ], "source_name": "MISPGALAXY:TA505", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e447d393-c259-46e2-9932-19be2ba67149", "created_at": "2022-10-25T16:07:24.28282Z", "updated_at": "2026-04-10T02:00:04.921616Z", "deleted_at": null, "main_name": "TA505", "aliases": [ "ATK 103", "Chimborazo", "G0092", "Gold Evergreen", "Gold Tahoe", "Graceful Spider", "Hive0065", "Operation Tovar", "Operation Trident Breach", "SectorJ04", "Spandex Tempest", "TA505", "TEMP.Warlock" ], "source_name": "ETDA:TA505", "tools": [ "Amadey", "AmmyyRAT", "AndroMut", "Azer", "Bart", "Bugat v5", "CryptFile2", "CryptoLocker", "CryptoMix", "CryptoShield", "Dridex", "Dudear", "EmailStealer", "FRIENDSPEAK", "Fake Globe", "Fareit", "FlawedAmmyy", "FlawedGrace", "FlowerPippi", "GOZ", "GameOver Zeus", "GazGolder", "Gelup", "Get2", "GetandGo", "GlobeImposter", "Gorhax", "GraceWire", "Gussdoor", "Jaff", "Kasidet", "Kegotip", "Kneber", "LOLBAS", "LOLBins", "Living off the Land", "Locky", "MINEBRIDGE", "MINEBRIDGE RAT", "MirrorBlast", "Neutrino Bot", "Neutrino Exploit Kit", "P2P Zeus", "Peer-to-Peer Zeus", "Philadelphia", "Philadephia Ransom", "Pony Loader", "Rakhni", "ReflectiveGnome", "Remote Manipulator System", "RockLoader", "RuRAT", "SDBbot", "ServHelper", "Shifu", "Siplog", "TeslaGun", "TiniMet", "TinyMet", "Trojan.Zbot", "Wsnpoem", "Zbot", "Zeta", "ZeuS", "Zeus" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434364, "ts_updated_at": 1775792196, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/0f2ceaf3241fcf65fdcc382930415c3b50e59d66.pdf", "text": "https://archive.orkl.eu/0f2ceaf3241fcf65fdcc382930415c3b50e59d66.txt", "img": "https://archive.orkl.eu/0f2ceaf3241fcf65fdcc382930415c3b50e59d66.jpg" } }