Hackers found a way to weaponize CAPTCHA pages, and it's incredibly effective

Cybercriminals have developed ClickFix, a sophisticated phishing method that weaponizes fake CAPTCHA pages to trick users into infecting their own devices. Victims receive legitimate-looking messages from compromised hotel or booking accounts, then visit counterfeit verification pages that instruct them to copy a text string into their computer's terminal. This simple action silently downloads and installs malware like credential stealers and remote-access trojans, bypassing most security defenses by using the system's built-in tools.