Cybercriminals use new social engineering tactic for running PowerShell and installing malware

A threat actor known as TA571 and the ClearFake activity cluster have been observed employing an innovative social engineering technique designed to manipulate users into executing malicious PowerShell scripts and infecting victim devices with malware.

The technique, detailed by Proofpoint researchers, involves directing users to copy and paste malicious PowerShell scripts that lead to the deployment of various malicious tools, including DarkGate, Matanbuchus, NetSupport, and several information stealers.

Regardless of whether the initial campaign starts via malicious spam (malspam) or web browser injects, the technique follows a similar pattern. Users are presented with a pop-up message displaying an error while trying to open a document or webpage. Instructions are then provided to copy and paste a script into either the PowerShell terminal or the Windows Run dialog box, triggering the execution of the malicious script.

Proofpoint first observed TA571 employing this technique in March 2024, and the ClearFake cluster began using it in early April. ClearFake campaigns involve compromising legitimate websites with malicious HTML and JavaScript, presenting users with fake browser update prompts.

When users visit a compromised site, an injection loads a malicious script hosted on the blockchain via Binance’s Smart Chain contracts—a method known as “EtherHiding.” This script loads a second script from a domain using Keitaro TDS for filtering. If the victim continues to browse the site, they see a fake warning overlay instructing them to install a “root certificate.” Following the instructions leads to executing a PowerShell script.
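A host-triage check a responder could run on a machine where a user may have followed such a prompt, added here as an illustration and not code from the Proofpoint report or this article: it reads the two places where a pasted command leaves a trace on Windows, the Run dialog's RunMRU history in the registry and PSReadLine's console history file, and flags entries that look like a pasted PowerShell one-liner. The pattern list is an assumption to tune locally, and the script only inspects the currently logged-on user's hive and profile.

```powershell
# Hypothetical triage script: surfaces commands that were typed or pasted into the
# Run dialog or a PowerShell console, the two execution paths the lure described above uses.

# Indicators that a pasted command deserves a closer look (assumed list; tune locally).
$Suspicious = @(
    'powershell', 'pwsh', 'mshta', 'cmd(\.exe)?\s+/c',
    '\biex\b', 'invoke-expression', '\birm\b', 'invoke-webrequest', 'downloadstring',
    '-e(nc|ncodedcommand)?\b', 'frombase64string', '-w(indowstyle)?\s+hidden'
)
$Regex = $Suspicious -join '|'

function Get-RunMruEntries {
    # Explorer stores Run-dialog history under RunMRU. MRUList orders the slots
    # most-recent-first, and each stored command carries a trailing "\1".
    $Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $Key)) { return }
    $Props = Get-ItemProperty -Path $Key
    foreach ($Slot in ([string]$Props.MRUList).ToCharArray()) {
        $Name = [string]$Slot
        [PSCustomObject]@{
            Source  = 'RunMRU'
            Command = ([string]$Props.$Name) -replace '\\1$', ''
        }
    }
}

function Get-ConsoleHistoryEntries {
    # PSReadLine appends every interactive command line to ConsoleHost_history.txt,
    # so a one-liner pasted into a PowerShell window is recorded here.
    $Path = Join-Path $env:APPDATA 'Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
    if (-not (Test-Path $Path)) { return }
    Get-Content -Path $Path | ForEach-Object {
        [PSCustomObject]@{ Source = 'PSReadLine'; Command = $_ }
    }
}

# Collect both sources and keep only entries matching the indicator list (-match is case-insensitive).
$Findings = @(Get-RunMruEntries) + @(Get-ConsoleHistoryEntries) |
    Where-Object { $_.Command -match $Regex }

if ($Findings) {
    $Findings | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No suspicious Run-dialog or console history entries found.'
}
```

A hit is a starting point for review, not proof of compromise; confirm it against process-creation telemetry (for example PowerShell launched from explorer.exe) and script block logs before acting.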
