Hackers are now using a fake Cloudflare verification screen to trick users into installing malware. The attack looks convincing and uses clever social engineering tactics to fool people who are just trying to access a website.
Since Cloudflare is used by millions of websites, most people are familiar with its verification page. That makes it easier for attackers to trick users into believing the fake page is real.
This malware campaign was discovered and analyzed by Shaquib Izhar, who also shared details on LinkedIn.
How the Attack Works
The fake page looks just like a real Cloudflare “verification” screen and asks users to prove that they are human before entering a website. But instead of checking if you are human, this fake page runs a hidden attack. When someone clicks the “Verify” button, it silently copies malicious PowerShell code to your clipboard.
Then it asks the user to complete another fake verification step. At the same time, it captures the user’s IP address and starts logging keystrokes. The other step involves opening the Windows Run prompt. The page detects if the user opens the Windows Run prompt. It then asks users to page the copied code into the Run prompt and hits enter, it triggers another PowerShell command. This command fetches a Base64-encoded payload from pastesio[.]com.
That payload downloads and runs a .BAT file from axiomsniper[.]info. This file includes a check to detect if it’s being run inside a virtual machine. If it is, the malware exits to avoid detection. Otherwise, it proceeds to install more harmful software on the system.
This .BAT file currently has zero detection on VirusTotal, which makes the threat even more dangerous.
While researching for this, I also found a few months-old Reddit post discussing the same issue. It seems Sucuri published a detailed post on this. It explains how attackers are targeting WordPress websites to show this fake verification page to their visitors.fa
Why This Is a Big Deal
The fake page looks trustworthy because it mimics a widely used security service (Cloudflare) and uses advanced evasion techniques to avoid getting caught by antivirus tools. It only activates when users interact. This makes it hard to detect security software. Security researchers say this is one of the more sophisticated campaigns seen in recent times because of how cleverly it fools people.
This attack uses social engineering and a fake but trusted interface to fool users. Most people would never suspect that a Cloudflare verification screen could be fake. That is what makes this attack so risky. The malware is also smart enough to a
What You Should Do
If you see a CAPTCHA-style screen asking you to verify you are human, do not rush to click. Always check the domain name and make sure the site is legitimate. If something feels off, close the page.
Avoid pasting or running unknown commands from your clipboard. Use security software that detects suspicious behavior, not just known viruses. And never download files or enter sensitive information on suspicious-looking websites.
