
Living Off the Web: How Trust Infrastructure Became a Malware Delivery Interface

ID: 8b8d7372-d574-5b55-9b15-cec879d3e990

STIX ID: report--8b8d7372-d574-5b55-9b15-cec879d3e990

Feed Name: Censys Blog

Threat Score
75/100

Date Published: 2026-01-22

Date Updated: 2026-04-27

Author: Andrew Northern; Principal Security Researcher

...
...

This report analyzes the Fake Captcha ecosystem at scale, showing that visually uniform Cloudflare-style verification lures act as a shared interface layer for delivering malware through diverse, independent delivery pipelines: clipboard-driven VBScript/PowerShell, MSI installers, and server-driven Matrix Push C2. Using perceptual-hash clustering of screenshots from ~9,494 assets, the research finds a dominant visual cluster that fronts multiple incompatible execution models and infrastructure pools. This demonstrates that visual similarity is a weak signal for attribution, and that defenders must detect workflow abuse (notification opt-ins, service-worker/push activity, and context anomalies) rather than relying on payload-centric heuristics.
