A new scam is turning a basic security check into a malware trap, using fake CAPTCHA prompts to trick people into opening a hidden Run window on their PC, pasting a malicious script from the clipboard and pressing Enter. The warning comes from the Identity Theft Resource Center, which says the setup can install malware without the user realizing it.
Who Gets Targeted
The scam begins on a website that looks normal, where a CAPTCHA box appears asking the user to verify that they are human. Instead of the usual image-clicking routine, the page instructs people to press Windows + R, then Ctrl + V, and then Enter. That sequence opens the door for the malicious script to run, with the user doing the work for the attacker while thinking they are passing a routine check.
Security researchers say the scam often delivers StealC malware, which works quietly in the background and looks for saved passwords, browser login sessions, autofill data and cryptocurrency wallet details. The article says many people encounter these scams during everyday browsing, often while distracted or multitasking on their devices. That is the opening the scam depends on: ordinary people moving through the internet’s daily grind while a hidden trap waits behind a familiar prompt.
How the Trap Works
The article says the scam works because people trust CAPTCHA prompts, which they see on banking sites, shopping pages and login screens, and that this trust lowers their guard. A tool that is supposed to separate humans from bots gets repurposed into a delivery system for malware. The fake prompt looks legitimate at first, then shifts into something far more dangerous once it asks users to press keyboard shortcuts.
The article says a legitimate CAPTCHA will never ask users to open a command window, use keyboard shortcuts like Windows + R, or instruct them to paste or run commands. That distinction is the line between a normal verification step and a hostile script designed to exploit trust. The scam’s power comes from mimicking the routines people already accept without question.
What People Are Told to Do
The article advises people to close the page immediately if they see that behavior, never follow keyboard instructions from a website, use strong antivirus software, consider using a data removal service, keep systems updated, change passwords if they think they were exposed, watch for unusual activity across accounts, disconnect the computer from the internet if they ran the commands, run a full antivirus scan, change passwords from another device and enable two-factor authentication on key accounts.
Those instructions are the only defense offered in the article, a long list of individual precautions aimed at surviving a threat that moves through ordinary browsing and exploits routine trust. The burden lands on the user to notice the trap, shut it down, clean up the damage and secure accounts after the fact.
The article is by Kurt Knutsson, CyberGuy Report, and was published May 24, 2026 at 8:22am EDT.