{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/cmd.exe/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows","PowerShell","cmd.exe","mshta.exe"],"_cs_severities":["high"],"_cs_tags":["phishing","social-engineering","malware","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat involves attackers compromising websites and injecting malicious code to deliver fake CAPTCHA or page error messages to unsuspecting users. The goal is to trick victims into copying malicious commands from the compromised website and pasting them into the Windows Run dialog box. This technique leverages social engineering and user interaction to bypass traditional security measures. The malicious commands often involve PowerShell, cmd.exe, or mshta.exe, enabling the execution of arbitrary code on the victim's machine. The use of common system binaries makes detection challenging, as these are typically trusted processes. This activity has been observed since 2025/08/19.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eWebsite Compromise:\u003c/strong\u003e Attackers compromise a legitimate website using various techniques, such as exploiting vulnerabilities or using stolen credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Code Injection:\u003c/strong\u003e The compromised website is injected with malicious JavaScript code that displays a fake CAPTCHA or error message to visitors.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSocial Engineering:\u003c/strong\u003e The fake CAPTCHA or error message instructs the user to copy a provided command to resolve the issue. The message often creates a sense of urgency or importance to compel the user to act.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand Execution:\u003c/strong\u003e The user copies the malicious command, which typically includes PowerShell, cmd.exe, or mshta.exe with obfuscated or encoded arguments.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Download:\u003c/strong\u003e The executed command downloads and executes a secondary payload from a remote server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The payload establishes persistence mechanisms, such as creating scheduled tasks or modifying registry keys, to ensure continued access to the compromised system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e Depending on the attacker's objectives, they may attempt to move laterally within the network to compromise additional systems.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eObjective Completion:\u003c/strong\u003e The ultimate objective may involve data theft, ransomware deployment, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack can result in the compromise of user systems, leading to potential data theft, malware installation, and further network intrusion. The widespread use of this technique highlights the need for increased user awareness and robust security measures to detect and prevent malicious copy-paste activity. While specific numbers are not available, similar phishing campaigns have affected numerous users across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Fake CAPTCHA PowerShell Command\u003c/code\u003e to your SIEM to detect the execution of PowerShell commands containing CAPTCHA-related keywords.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Fake CAPTCHA CMD Command\u003c/code\u003e to your SIEM to detect the execution of CMD commands containing CAPTCHA-related keywords.\u003c/li\u003e\n\u003cli\u003eImplement user awareness training to educate users about the risks of copying and pasting commands from untrusted sources (reference: Attack Chain step 3).\u003c/li\u003e\n\u003cli\u003eMonitor process execution logs for suspicious command-line arguments involving PowerShell, cmd.exe, and mshta.exe (reference: Attack Chain step 4).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-01T00:00:00Z","date_published":"2024-01-01T00:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-fake-captcha-phishing/","summary":"Attackers compromise websites, inject malicious code posing as fake CAPTCHAs, and trick users into copying and pasting malicious commands into the Windows Run dialog box, leading to the execution of PowerShell, Cmd, or MSHTA.","title":"Potential Fake CAPTCHA Phishing Attack via Malicious Copy/Paste","url":"https://feed.craftedsignal.io/briefs/2024-01-fake-captcha-phishing/"}],"language":"en","title":"CraftedSignal Threat Feed - Cmd.exe","version":"https://jsonfeed.org/version/1.1"}