June 18, 2025
Severity
High
Analysis Summary
Cybersecurity researchers have identified a sophisticated malware campaign named LightPerlGirl, which relies on deceptive social engineering: fake CAPTCHA verification pop-ups trick users into manually executing obfuscated PowerShell commands.
The attack, first reported by analysts, begins on compromised WordPress websites where users encounter a fake verification dialog mimicking legitimate services such as Cloudflare. This convincing “ClickFix” popup instructs users to copy and paste a PowerShell command into the Windows Run dialog, bypassing traditional security mechanisms by weaponizing user trust and interaction rather than exploiting software vulnerabilities.
Upon execution, the obfuscated PowerShell command connects to a remote command-and-control (C2) server (cmbkz8kz1000108k2carjewzf.info) to fetch and run additional malicious scripts. The command initiates a multi-stage infection chain by downloading a secondary PowerShell payload containing three main functions: HelpIO, Urex, and ExWpL. The HelpIO function attempts to elevate privileges through a UAC prompt and creates a Windows Defender exclusion for the C:\Windows\Temp directory, effectively carving out a safe zone for malicious operations. This evasion tactic allows the malware to operate undetected by most endpoint security tools.
Following successful privilege escalation, the Urex function establishes persistence by downloading a batch file (LixPay.bat) from the C2 server and placing it in the excluded directory. It then creates a startup shortcut so that the malware runs automatically after every reboot, maintaining long-term access. The most advanced functionality lies in the ExWpL function, which uses .NET reflection to execute a fileless payload, loading a base64-encoded .NET assembly directly into memory without writing anything to disk. This fileless execution significantly hinders traditional antivirus and endpoint detection systems.
The LightPerlGirl campaign illustrates a growing shift in attacker strategy, prioritizing human manipulation and legitimate system tools over technical exploits. By combining realistic social engineering lures, multi-layered evasion techniques, and fileless execution, this malware bypasses modern security defenses and highlights the importance of behavioral detection, user awareness training, and active endpoint monitoring. Its reliance on user action and abuse of built-in Windows features make it particularly dangerous and difficult to detect in enterprise environments that lack proper threat visibility or layered protection.
Impact
- Security Bypass
- Gain Access
- Privilege Escalation
Indicators of Compromise
Domain Name
- cmbkz8kz1000108k2carjewzf.info
IP
- 91.92.46.0
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Implement strict web content filtering to block access to compromised or suspicious WordPress websites.
- Enable PowerShell logging (Script Block Logging and Module Logging) on endpoints and forward the events to your SIEM to detect and analyze suspicious activity.
- Deploy and maintain robust endpoint detection and response (EDR) solutions that monitor fileless and memory-based attacks.
- Configure User Account Control (UAC) settings to always notify and prevent unauthorized elevation attempts.
- Regularly update and patch all CMS platforms (like WordPress) and associated plugins to reduce exploitation risk.
- Educate users to avoid copying and pasting commands from unknown pop-ups or web pages into system dialogs.
- Revoke unnecessary admin privileges from standard user accounts to limit the impact of privilege escalation attempts.
- Set Group Policy restrictions to block PowerShell execution for non-admin users or restrict it to signed scripts only.
- Monitor network traffic for suspicious outbound connections, especially to uncommon domains or IPs.
- Conduct phishing and social engineering awareness training to help users identify fake security prompts or CAPTCHAs.
- Periodically audit startup items and exclusion paths in Windows Defender to detect unauthorized persistence mechanisms.
- Use web application firewalls (WAFs) and malware scanners to regularly check and clean WordPress sites under your control.
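The following host-audit script is an added example, not part of the original advisory or any tooling from the researchers who reported the campaign. It checks a Windows host for the three traces described in the analysis above: a Windows Defender exclusion for C:\Windows\Temp (HelpIO), a Startup-folder shortcut pointing into that directory or at LixPay.bat (Urex), and recent Script Block Logging events (Event ID 4104) that add a Defender exclusion or load a base64-encoded assembly via reflection (ExWpL). The parameter names, the lookback window and the regular expressions are assumptions chosen for this example; it assumes an elevated Windows PowerShell 5.1+ session on a host running Microsoft Defender with Script Block Logging enabled.

```powershell
# Added host-audit example (not from the original advisory).
# Assumptions (not from the advisory): the exclusion path, startup file name and
# lookback window are parameters; run elevated, with Microsoft Defender present
# and PowerShell Script Block Logging (Event ID 4104) enabled.
param(
    [string]$SuspectExclusion   = 'C:\Windows\Temp',
    [string]$SuspectStartupName = 'LixPay.bat',
    [int]   $LookbackHours      = 24
)

$findings = @()

# 1. Defender exclusion paths: the HelpIO stage adds C:\Windows\Temp.
$exclusions = (Get-MpPreference).ExclusionPath
foreach ($path in $exclusions) {
    if ($path -and ($path.TrimEnd('\') -ieq $SuspectExclusion.TrimEnd('\'))) {
        $findings += [pscustomobject]@{ Check = 'DefenderExclusion'; Detail = $path }
    }
}

# 2. Startup shortcuts (per-user and all-users) whose target sits inside the
#    excluded directory or is the batch file named in the advisory (Urex stage).
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        if ($target -like "$SuspectExclusion*" -or $target -like "*$SuspectStartupName") {
            $findings += [pscustomobject]@{ Check = 'StartupShortcut'; Detail = "$($_.FullName) -> $target" }
        }
    }
}

# 3. Script Block Logging: 4104 events whose script text adds a Defender
#    exclusion or loads an assembly from a base64 blob (HelpIO / ExWpL behaviour).
#    The patterns are example heuristics, not signatures published with the advisory.
$patterns = @(
    'Add-MpPreference\s+-ExclusionPath',
    '\[System\.Reflection\.Assembly\]::Load\(',
    'FromBase64String'
)
$filter = @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # In a 4104 event the properties are MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path.
    $text = [string]$_.Properties[2].Value
    foreach ($p in $patterns) {
        if ($text -match $p) {
            $findings += [pscustomobject]@{ Check = 'ScriptBlock4104'; Detail = "$($_.TimeCreated) matched '$p'" }
            break
        }
    }
}

if ($findings.Count -eq 0) {
    'No LightPerlGirl-style traces found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt (for example `.\Audit-LightPerlGirl.ps1 -LookbackHours 72`) on hosts where users reported a CAPTCHA or "verification" prompt. A hit in the first check is the strongest signal, since a Defender exclusion on C:\Windows\Temp has no legitimate reason to exist on a workstation; 4104 matches should be reviewed in context, as administrative scripts can legitimately call Add-MpPreference or decode base64 data.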