Skip to content

T1204.004 Malicious Copy and Paste

An adversary may rely upon a user copying and pasting code in order to gain execution. Users may be subjected to social engineering to get them to copy and paste code directly into a Command and Scripting Interpreter. One such strategy is “ClickFix,” in which adversaries present users with seemingly helpful solutions—such as prompts to fix errors or complete CAPTCHAs—that instead instruct the user to copy and paste malicious code.

Malicious websites, such as those used in Drive-by Compromise, may present fake error messages or CAPTCHA prompts that instruct users to open a terminal or the Windows Run Dialog box and execute an arbitrary command. These commands may be obfuscated using encoding or other techniques to conceal malicious intent. Once executed, the adversary will typically be able to establish a foothold on the victim’s machine.5432

Adversaries may also leverage phishing emails for this purpose. When a user attempts to open an attachment, they may be presented with a fake error and offered a malicious command to paste as a solution, consistent with the “ClickFix” strategy.61

Tricking a user into executing a command themselves may help to bypass email filtering, browser sandboxing, or other mitigations designed to protect users against malicious downloaded files.

Item Value
ID T1204.004
Sub-techniques T1204.001, T1204.002, T1204.003, T1204.004, T1204.005
Tactics TA0002
Platforms Linux, Windows, macOS
Version 1.1
Created 18 March 2025
Last Modified 05 October 2025

Procedure Examples

ID Name Description
G1052 Contagious Interview Contagious Interview has leveraged ClickFix type tactics enticing victims to copy and paste malicious code.9410
S1229 Havoc The Havoc infection chain has been initiated via ClickFix lures in phishing emails.8

Mitigations

ID Mitigation Description
M1038 Execution Prevention Use application control where appropriate. PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g., Add-Type).7
M1031 Network Intrusion Prevention If a link is being requested by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity.
M1021 Restrict Web-Based Content If a link is being requested by a user, block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc.

References

  1. AhnLab SEcurity intelligence Center. (2024, May 23). Warning Against Phishing Emails Prompting Execution of Commands via Paste (CTRL+V). Retrieved April 23, 2025. 

  2. AhnLab SEcurity intelligence Center. (2025, January 8). Infostealer LummaC2 Spreading Through Fake CAPTCHA Verification Page. Retrieved April 23, 2025. 

  3. Alex Capraro. (2024, December 17). Using CAPTCHA for Compromise: Hackers Flip the Script. Retrieved March 18, 2025. 

  4. Amaury G., Coline Chavane, Felix Aimé and Sekoia TDR. (2025, March 31). From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic. Retrieved April 1, 2025. 

  5. CloudSEK TRIAD. (2024, September 19). Unmasking the Danger: Lumma Stealer Malware Exploits Fake CAPTCHA Pages. Retrieved March 18, 2025. 

  6. Tommy Madjar, Selena Larson and The Proofpoint Threat Research Team. (2024, November 18). Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape. Retrieved March 18, 2025. 

  7. PowerShell Team. (2017, November 2). PowerShell Constrained Language Mode. Retrieved March 27, 2023. 

  8. Wan, Y. (2025, March 3). Havoc: SharePoint with Microsoft Graph API turns into FUD C2. Retrieved August 4, 2025. 

  9. Aleksandar Milenkoski, Sreekar Madabushi, Kenneth Kinion. (2025, September 4). Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms. Retrieved October 20, 2025. 

  10. Efstratios Lontzetidis. (2025, January 16). Lazarus APT: Techniques for Hunting Contagious Interview. Retrieved October 20, 2025.