{
	"id": "9d2e3c88-e4ae-41e6-9f1e-528d65bff58d",
	"created_at": "2026-04-06T00:08:55.846346Z",
	"updated_at": "2026-04-10T03:21:11.646881Z",
	"deleted_at": null,
	"sha1_hash": "da9b43669897043932ad37600a48355ddffbbd9c",
	"title": "Warning Against Phishing Emails Prompting Execution of Commands via Paste (CTRL+V)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2288843,
	"plain_text": "Warning Against Phishing Emails Prompting Execution of Commands via Paste (CTRL+V)\r\nBy ATCP\r\nPublished: 2024-05-22 · Archived: 2026-04-06 00:05:16 UTC\r\nAhnLab SEcurity intelligence Center (ASEC) recently discovered that phishing files are being distributed via emails. The phishing files (HTML) attached to the emails prompt users to directly paste (CTRL+V) and run the commands.\r\nThe threat actor sent emails about fee processing, operation instruction reviews, etc. to prompt recipients to open the attachments. When a user opens the HTML file, a background and a message disguised as MS Word appear. The message tells the user to click the “How to fix” button to view the Word document offline.\r\nUpon clicking “How to fix”, the file prompts the user to enter [Win+R] → [CTRL+V] → [Enter], or open the PowerShell terminal and manually input the command. Simultaneously, the malicious PowerShell command (see Figure 4) that is Base64-encoded by the JavaScript (see Figure 3) is decoded and saved into the user’s clipboard. After going through the process explained above, the malicious PowerShell script is executed (see Figure 5).\r\nThe PowerShell command downloads an HTA file from C2 and executes it. Additionally, it blanks out the clipboard, seemingly to obscure the PowerShell command that has been executed. HTA executes the PowerShell command in C2, and Autoit3.exe inside the ZIP file uses the compiled malicious Autoit script (script.a3x) as an argument to be executed. The overall operation flow from the reception of the email to the infection is shown in Figure 6.\r\nUltimately, the DarkGate malware that starts with Autoit infects the system. 
Users must take extra caution when handling files from unknown sources, especially the URLs and attachments of emails.\r\nFile Detection\r\nPhishing/HTML.ClipBoard.SC199655 (2024.05.21.03)\r\nDownloader/VBS.Generic.SC199642 (2024.05.21.00)\r\nDownloader/VBS.Generic.SC199656 (2024.05.21.03)\r\nDownloader/HTA.DarkGate.SC199621 (2024.05.16.02)\r\nDownloader/PowerShell.Generic (2024.05.21.00)\r\nDownloader/PowerShell.Generic (2024.05.21.02)\r\nDownloader/PowerShell.Generic (2024.05.21.03)\r\nTrojan/AU3.Agent (2024.05.21.00)\r\nTrojan/AU3.Agent (2024.05.21.03)\r\nTrojan/AU3.Agent (2024.05.22.00)\r\nBehavior Detection\r\nExecution/MDP.Powershell.M2514\r\nMD5\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/73952/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://asec.ahnlab.com/en/73952/"
	],
	"report_names": [
		"73952"
	],
	"threat_actors": [],
	"ts_created_at": 1775434135,
	"ts_updated_at": 1775791271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/da9b43669897043932ad37600a48355ddffbbd9c.pdf",
		"text": "https://archive.orkl.eu/da9b43669897043932ad37600a48355ddffbbd9c.txt",
		"img": "https://archive.orkl.eu/da9b43669897043932ad37600a48355ddffbbd9c.jpg"
	}
}