ProBackend

Pastejacking: How Social Engineering Became the Default Malware Delivery Method

Once a rare exploit, pastejacking via ClickFix now drives nearly half of all initial-access attacks, leveraging API-driven payloads, macOS bypasses, and fileless execution to turn user trust into a weaponized vector.

The clipboard doesn’t lie—until it does

You’ve been here before. You’re on a site you trust. Maybe it’s your bank portal, maybe it’s a news feed, maybe it’s a streaming page you swore you’d never use again. Then—boom—a pop-up. "Error: Document failed to load. Click to fix." Or worse: "Verify you’re not a robot." You click. And then, without you noticing, your clipboard fills with a string of gibberish—something like powershell -EncodedCommand SQBFAFgAIABbAHMAdAByAGkAbgBnAF0AIAAoAEcAQQBBAFQAIABbAHMAaABlAGwAbABdACkA.

The page doesn’t say that. It says: "Open Run (Win+R), paste, hit Enter. Your document will load in seconds."

You do it.

And that’s it. You just ran malware.

No exploit. No download. No suspicious file. Just a command you trusted, pasted by hand, executed with your own permissions. That’s Pastejacking. That’s ClickFix. And it’s no longer the exception.

It’s the rule.


How a simple trick became the most common attack vector

Microsoft’s Defender Experts team says nearly half of all initial-access attacks in 2025 were ClickFix-based. ESET saw a 517% surge in the first half of last year. That’s not a spike. That’s a landslide.

This isn’t some clever hack from a white-hat researcher. It’s a weaponized pattern, refined over 18 months by criminal networks, ransomware affiliates, and even state-backed actors. The mechanics are stupidly simple:

  1. Lure: A fake error, CAPTCHA, or system alert—designed to trigger your instinct to fix something broken.
  2. Injection: JavaScript silently copies a PowerShell or CMD command into your clipboard. The text looks harmless—maybe it says ipconfig /flushdns—but it’s a decoy.
  3. Instruction: The page tells you to press Win+R, paste, hit Enter. You’re not being tricked into clicking a link—you’re being asked to help.
  4. Execution: The command runs, downloads a second-stage script, and calls home. The real payload—Lumma Stealer, NetSupport RAT, DarkGate—doesn’t even touch disk. It lives in memory, using LOLBins like msbuild.exe or regasm.exe to evade detection.

The brilliance? It doesn’t bypass your firewall. It bypasses you.


The evolution: from Win+R to Terminal, from Windows to macOS

Early campaigns were sloppy. They told you to use Win+R. That left a trail in the RunMRU registry key. Now? They tell you to press Win+X and open Windows Terminal. Why? Because Terminal doesn’t log commands. It looks normal. It feels like something you’d do.

And it’s not just Windows anymore.

In early 2026, researchers found macOS campaigns using applescript:// deep links to silently launch Script Editor. No Terminal window. No warning. Just a fake "System Update Required" prompt that tells you to paste a command into Script Editor. The payload? AMOS Stealer. Same playbook. Different OS.

The API-driven infrastructure behind this is what makes it terrifying. Security researcher Bert-Jan Pals analyzed 3,000 live ClickFix payloads and found each one was unique—wrapped in Base64, AES, or Deflate, tailored to your OS, your language, even your timezone. The same server, same URL, same lure—yet every victim got a different command. No two payloads matched. That’s not obfuscation. That’s automation.

And it’s being sold.

On dark web forums, ClickFix builders are now listed like SaaS tools: choose your lure, pick your payload, rotate domains, and deploy. It’s why you’re seeing the same tactic from ransomware gangs, credential thieves, and even North Korean espionage groups like Kimsuky.


The payloads: who’s behind the clipboard?

The malware delivered via ClickFix isn’t exotic. It’s the usual suspects—because they work.

  • Lumma Stealer: The most common. Harvests passwords, cookies, banking tokens, and even two-factor codes from browsers. It’s cheap, fast, and reliable.
  • DarkGate: A loader that drops everything else. Ransomware, RATs, cryptominers. It’s the Swiss Army knife of initial access.
  • AsyncRAT, NetSupport, SectopRAT: Remote access trojans that give attackers full control. They don’t just steal data—they sit in your network for months.
  • Vidar, RedLine, SnakeStealer: All stealers. All designed to be deployed in bulk.
  • Latrodectus, MintsLoader: Loaders that deliver the above. They’re the delivery trucks.

And then there’s the state actors:

  • APT28 (Russia): Used ClickFix to target Ukrainian government networks.
  • MuddyWater (Iran): Deployed it in espionage campaigns against energy infrastructure.
  • Kimsuky (North Korea): Ran a fake "ClickFake Interview" campaign targeting crypto workers—using LinkedIn messages to lure victims to fake job portals.

This isn’t a criminal tool anymore. It’s infrastructure.


The bypass: how it slips past every defense

You’re probably thinking: "But my EDR should catch this."

It doesn’t.

Because it’s not malware. It’s you.

EDR tools watch for suspicious files. ClickFix doesn’t drop files—at least, not right away. The initial payload is a one-liner that downloads the real malware to your Downloads folder, then moves it into the temp directory. The clipboard command? It’s just a script that says:

Move-Item "$HOME\Downloads\tmp.zip" "$env:TMP\7947.zip"; tar -xf "$env:TMP\7947.zip" -C "$env:TMP"; conhost --headless powershell -ExecutionPolicy Bypass -File "$env:TMP\tmp.ps1"

That’s it. No obfuscation. No encoding. Just a file move and a run command. It looks like a user doing their job. And it bypasses AMSI—the Windows feature designed to scan PowerShell scripts—because the script isn’t in the clipboard. It’s in the file.

The real payload is never scanned. It’s just executed.

And the launchers? PowerShell (39%), cmd.exe (39%), msiexec.exe (34%). All legitimate. All trusted. All flagged as low-risk.

That’s why behavioral detection is the only thing that works. Look for explorer.exe or WindowsTerminal.exe spawning PowerShell with no user interaction. Look for conhost.exe launching a hidden PowerShell. Look for a ZIP file appearing in Downloads right after a CAPTCHA interaction.
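As an added example (not code from the article), here is a small Python triage routine that applies the parent/child and command-line checks just described to constructed Sysmon-style process-creation events; the event shape, file paths and sample command lines are assumptions for illustration.

```python
import re

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Constructed sample process-creation events (Sysmon Event ID 1 trimmed to
# parent image, image and command line); not real telemetry.
SAMPLE_EVENTS = [
    # 0: Win+R / Win+X lure: explorer spawns PowerShell with an encoded command
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -EncodedCommand SQBFAFgAIABbAHMAdAByAGkAbgBnAF0A"},
    # 1: second stage: PowerShell under conhost running a script dropped in %TMP%
    {"parent": r"C:\Windows\System32\conhost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -ExecutionPolicy Bypass -File "C:\Users\u\AppData\Local\Temp\tmp.ps1"'},
    # 2: benign developer activity: an editor running a build script
    {"parent": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -NoProfile -File .\build.ps1"},
]

def _name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """List the ClickFix-style behaviours one event matches (empty if none)."""
    parent, child = _name(ev["parent"]), _name(ev["image"])
    cmd = ev["cmdline"].lower()
    hits = []
    # Win+R and Win+X both end up with explorer or Windows Terminal as parent
    if parent in {"explorer.exe", "windowsterminal.exe"} and child in SHELLS:
        hits.append("shell spawned directly from explorer/WindowsTerminal")
    # conhost --headless leaves conhost.exe as the shell's parent
    if parent == "conhost.exe" and child in SHELLS:
        hits.append("shell launched under conhost (headless launcher)")
    # -EncodedCommand and its short forms -e, -ec, -enc
    if re.search(r"-e(c|nc|ncodedcommand)?\b", cmd):
        hits.append("encoded command line")
    # policy bypass plus a script sitting in the user's temp directory
    if "-executionpolicy bypass" in cmd and re.search(r'\\temp\\[^"]+\.ps1', cmd):
        hits.append("policy bypass running a script from the temp directory")
    return hits

def triage_events(events):
    """Event index -> matched behaviours, for events matching at least one."""
    return {i: classify(ev) for i, ev in enumerate(events) if classify(ev)}
```

Pair this with a file-creation rule for archives appearing in Downloads shortly before such an event; process telemetry alone does not see the CAPTCHA interaction.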


What you can actually do

Here’s the truth: you can’t stop ClickFix. Not entirely. But you can make it expensive.

For IT teams:

  • Disable Win+R for standard users via GPO. That kills 80% of the lures.
  • Enforce AppLocker or WDAC to block non-approved scripts from running, even if they’re PowerShell.
  • Enable script block logging and ship it to your SIEM. Look for IEX, Invoke-Expression, EncodedCommand.
  • Block LOLBins like mshta.exe, bitsadmin, regsvr32 on non-admin endpoints.
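An added example, not the article's own code, of the script block log triage the list above calls for: it decodes a -EncodedCommand argument (base64 of UTF-16LE text) before scanning, so IEX hidden inside the encoding is still caught, and it flags the staging pattern from the clipboard command quoted earlier. The entry shape is an assumption; the two payload strings are the ones quoted in this post.

```python
import base64
import re

# Constructed sample entries shaped like PowerShell script block log text
# (Event ID 4104) and one process command line; not real telemetry. The
# first two are the payload strings quoted in the article above.
SAMPLE_ENTRIES = [
    r'Move-Item "$HOME\Downloads\tmp.zip" "$env:TMP\7947.zip"; '
    r'tar -xf "$env:TMP\7947.zip" -C "$env:TMP"; '
    r'conhost --headless powershell -ExecutionPolicy Bypass -File "$env:TMP\tmp.ps1"',
    "powershell -EncodedCommand SQBFAFgAIABbAHMAdAByAGkAbgBnAF0AIAAoAEcAQQBBAFQAIABbAHMAaABlAGwAbABdACkA",
    r"Get-ChildItem $HOME\Documents | Measure-Object",
]

# Indicator name -> case-insensitive pattern over the (decoded) script text.
INDICATORS = {
    "Invoke-Expression/IEX": r"\b(iex|invoke-expression)\b",
    "ExecutionPolicy Bypass": r"-executionpolicy\s+bypass",
    "Move-Item out of Downloads": r"move-item\s+\S*downloads",
    "tar extract into TMP": r"tar\s+-xf\s+\S*\$env:tmp",
    "headless conhost launcher": r"conhost\s+--headless",
}
# -EncodedCommand and its short forms (-e, -ec, -enc) followed by base64.
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_encoded_command(text):
    """Plaintext of a -EncodedCommand argument (UTF-16LE), or None."""
    m = ENC_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def indicators(text):
    """Indicator names present in one entry, decoding any encoded command first."""
    found = []
    decoded = decode_encoded_command(text)
    if decoded is not None:
        found.append("EncodedCommand")
        text = text + "\n" + decoded  # scan the decoded script as well
    for name, pattern in INDICATORS.items():
        if re.search(pattern, text, re.IGNORECASE):
            found.append(name)
    return found

def triage_script_blocks(entries):
    """Entry index -> indicator names, for entries matching at least one."""
    return {i: indicators(e) for i, e in enumerate(entries) if indicators(e)}
```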

For everyone else:

One rule. One sentence. One habit.

No legitimate company, no IT department, and no website will ever ask you to paste a command into Run, Terminal, or Script Editor. Ever.

Say it out loud. Print it. Put it on your monitor.

If you’re ever asked to do it, stop. Walk away. Call IT. Don’t paste. Don’t click. Don’t even look.

Because the attackers aren’t trying to hack your system.

They’re trying to trick you into doing it for them.

And you’re the only one who can stop it.

The human firewall

I used to think the best defense against social engineering was training. Now I know it’s habit.

We’ve trained people to recognize phishing emails. We’ve taught them to hover over links. We’ve made them suspicious of attachments. But ClickFix doesn’t come in an email. It doesn’t need a malicious file. It doesn’t even need a bad URL.

It comes in the form of a problem you want to fix.

And that’s why it works.

It’s not about being smarter. It’s about being slower.

When you see a fake error message, don’t rush to fix it. Pause. Breathe. Ask yourself: "Would my IT team ever ask me to paste a command?"

The answer is always no.

And if you’re not sure? Don’t paste.

Just call someone.

Because the next time you’re asked to fix something with a clipboard command…

You’ll know it’s not a fix.

It’s a trap.
