Healthcare Sector Targeted by Fake CAPTCHA Attack on HEP2go to Deliver Infostealer Malware

Arctic Wolf has recently observed a campaign targeting the healthcare sector, where victims visiting the widely used physical therapy video site HEP2go are redirected to a fake CAPTCHA webpage when they attempt to visit multiple parts of the website. This CAPTCHA provides instructions that trigger PowerShell code execution and the eventual loading of infostealer malware.

Fake CAPTCHA screen

HEP2go is an online platform that allows physical therapists, trainers, and healthcare professionals to create and share Home Exercise Programs (HEPs) with their clients. In late February, several users on public forums began reporting that the HEP2go website was compromised. At this time, Arctic Wolf is not aware of when the HEP2go website will be fixed and strongly recommends avoiding it until the issue is resolved.

Arctic Wolf currently has detections in place that identify malicious PowerShell substrings observed in this campaign, and we will continue to notify customers when we identify new instances of this activity through current agent and Sysmon detections.

Recommendations

Avoid HEP2go Indefinitely

At this time, Arctic Wolf strongly recommends avoiding HEP2go, as the website is currently compromised and not safe to visit.

Install Arctic Wolf Agent & Sysmon

Arctic Wolf has implemented MDR detections for post-compromise threat activity associated with this campaign on endpoint devices.

Arctic Wolf Agent and Sysmon give Arctic Wolf visibility into network and endpoint events needed to identify Tools, Techniques, and Tactics involved in this campaign.

For instructions on how to install Arctic Wolf Agent, see the below install guides:
If you have a supported EDR solution deployed in your environment, please configure it for monitoring with Arctic Wolf.
- Endpoint Detection and Response Integrations

Note: Arctic Wolf recommends following change management best practices for deploying Agent and Sysmon, including testing changes in a testing environment before deploying to production.

Implement Comprehensive Security Awareness Training

Arctic Wolf strongly recommends implementing comprehensive security awareness training campaigns. These initiatives are designed to equip users with the skills needed to quickly identify and report suspicious activities.

Resources

Understand the threat landscape, and how to better defend your organization, with the 2025 Arctic Wolf Threat Report

See how Arctic Wolf utilizes threat intelligence to harden your attack surface and stop threats earlier and faster

© 2025 Arctic Wolf Networks Inc. All Rights Reserved.
Privacy Notice	Terms of Use	Cookie Policy	Customer Portal Policy	Accessibility Statement	Sustainability Statement	Information Security	Cookies Settings

Platform

Concierge

Journey

Reduce Attack Frequency

Reduce Attack Severity

Transfer Risk

Get Started

Why Arctic Wolf

Expertise by Topic

Expertise by Industry

Resource Centre

Trending Resources

NIS2 aims to make the EU as a whole more resilient to cyber threats and strengthen cooperation between Member States on cybersecurity.

The 2024 Gartner® Market Guide for MDR Services provides a comprehensive overview of the evolving MDR landscape.

The Arctic Wolf Threat Report draws upon the first-hand experience of our security experts, augmented by research from our threat intelligence team.

Security Bulletins

Follow-Up: SonicWall Updates Advisories for Actively Exploited Vulnerabilities

CVE-2025-31324: Maximum-Severity File Upload Vulnerability in SAP NetWeaver Exploited in the Wild

CVE-2025-34028: PoC Released for Critical RCE Vulnerability in Commvault Command Center

Company

Careers

Press

Healthcare Sector Targeted by Fake CAPTCHA Attack on HEP2go to Deliver Infostealer Malware

Recommendations

Avoid HEP2go Indefinitely

Install Arctic Wolf Agent & Sysmon

Implement Comprehensive Security Awareness Training

Popular Topics

Share this post:

What to read next

Earl Grey House
77 Grey St. 3rd Floor
Newcastle upon Tyne
NE1 6EF
UK

© 2025 Arctic Wolf Networks Inc. All Rights Reserved.

Privacy Notice

Terms of Use

Cookie Policy

Customer Portal Policy

Accessibility Statement

Sustainability Statement

Information Security

Cookies Settings

Platform

Concierge

Journey

Reduce Attack Frequency

Reduce Attack Severity

Transfer Risk

Get Started

Why Arctic Wolf

Expertise by Topic

Expertise by Industry

Resource Centre

Trending Resources

NIS2 aims to make the EU as a whole more resilient to cyber threats and strengthen cooperation between Member States on cybersecurity.

The 2024 Gartner® Market Guide for MDR Services provides a comprehensive overview of the evolving MDR landscape.

The Arctic Wolf Threat Report draws upon the first-hand experience of our security experts, augmented by research from our threat intelligence team.

Security Bulletins

Follow-Up: SonicWall Updates Advisories for Actively Exploited Vulnerabilities

CVE-2025-31324: Maximum-Severity File Upload Vulnerability in SAP NetWeaver Exploited in the Wild

CVE-2025-34028: PoC Released for Critical RCE Vulnerability in Commvault Command Center

Company

Careers

Press

Healthcare Sector Targeted by Fake CAPTCHA Attack on HEP2go to Deliver Infostealer Malware

Recommendations

Avoid HEP2go Indefinitely

Install Arctic Wolf Agent & Sysmon

Implement Comprehensive Security Awareness Training

Popular Topics

Share this post:

What to read next

8 min read

Uptick in Ransomware Threat Activity Targeting Retailers in the UK

6 min read

Follow-Up: SonicWall Updates Advisories for Actively Exploited Vulnerabilities

4 min read

CVE-2025-34028: PoC Released for Critical RCE Vulnerability in Commvault Command Center

8 min read

Credential Access Campaign Targeting SonicWall SMA Devices Potentially Linked to Exploitation of CVE-2021-20035

Earl Grey House 77 Grey St. 3rd Floor Newcastle upon TyneNE1 6EF UK

© 2025 Arctic Wolf Networks Inc. All Rights Reserved.

Earl Grey House
77 Grey St. 3rd Floor
Newcastle upon Tyne
NE1 6EF
UK