


CAPTCHAs are widely used as a security measure to distinguish humans from bots. However, threat actors have been exploiting this tool in a technique known as ClickFix. By presenting fake "Verify You Are a Human" CAPTCHA pages, attackers aim to trick users into executing malicious PowerShell commands that establish a connection to an attacker's network, delivering malware and compromising the system.
This talk will examine how CAPTCHA has gone from a protective measure to a tool exploited by threat actors as a social engineering technique. It will explore real-world cases of ClickFix techniques, break down the technical structure behind these attacks, discuss post-compromise tactics, and outline a company's defensive strategies to mitigate this threat.
This talk is from ENUSEC's Le Tour Du Hack 2025, a student-run cyber-security conference (and CTF) based at Edinburgh Napier University. A massive thank you to this year's sponsors: Quorum Cyber, Verkada, Bugcrowd, Zerodays CTF, and of course ENU's School of Computing, Engineering and the Built Environment.