Browser Threat Brief: Fake Trading Platform Turns Browser Clipboard Paste Into Remote Access Trojan Delivery

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community Blogs
7 min read
Community Team Member

This blog was written by: Almas Raza, Tuan Vu

 

As enterprise work increasingly moves into the browser, adversaries are turning trusted browser interactions into new paths for malware delivery.  

 

Palo Alto Networks researchers identified a ClickFix campaign that shows how a routine browser action can start a malware infection. Instead of exploiting a software vulnerability, the attack tricks users into pasting what appears to be an SSL certificate path, while the clipboard contains a hidden command that downloads a multi-stage payload and installs a remote access trojan disguised as image files. This campaign reflects a broader rise in ClickFix activity, with researchers observing more than 84,000 sites serving these attacks with a variety of tactics over the past three months. This example shows how attackers are adapting ClickFix to the browser, using trusted web interactions to deliver malware without a traditional exploit.

 

This blog explains how the attack worked, why browser-based ClickFix threats are difficult to detect with traditional controls, and why visibility into live browser activity and user interaction is important for stopping these threats. 



Note: This finding was originally shared through Palo Alto Networks Unit 42 Timely Threat Intelligence, which provides additional research context.

 

Threat at a Glance

 

Area

Details

Threat Type

ClickFix clipboard injection delivering a multi-stage RAT

Delivery Method

Fake Lirunex-themed trading/API site using domain impersonation and server-side cloaking

User Action

User is tricked into pasting what appears to be an SSL certificate path

Attack Goal

Install a persistent RAT for credential theft, remote shell, screen streaming, keylogging, file management, and SSH tunneling 

Key Risk

A trusted browser paste action can lead to malware execution without a traditional software exploit 

Notable Indicator

RAT payloads disguised as image files: mev.png, USO.ico, USO.png

Detection Opportunity

Runtime browser behavior during user interaction, clipboard/paste behavior, malicious payload detection, URL detection, DNS detection 

 

How the Attack Works

 

Step 1: User Encounters the Threat

 

The attack begins when a user visits a fake Lirunex-themed trading/API site. The lookalike domain is designed to resemble the legitimate Lirunex platform and appear connected to a real fintech or API workflow.

The site also uses server-side cloaking. Non-targeted visitors see a harmless-looking page, while targeted users are shown the ClickFix lure page that initiates the attack.

 

Step 2: The Threat Gains Trust

 

The lure page asks the user to select an SSL certificate path through a file dialog box, making the request appear like part of a normal setup or authentication process.

 

Behind the scenes, the site has already placed a malicious command in the clipboard. To hide it, the attacker adds blank space followed by the decoy certificate name lirunex_Api_EU3.pem.  As a result, the visible portion looks like a certificate path, while the malicious command stays hidden out of view.

 

Step 3: The Browser Becomes the Attack Surface

 

When the user pastes what they believe is the certificate path, the hidden clipboard command is pasted instead. The command runs silently using conhost.exe --headless, turning a routine browser interaction into the first stage of a remote access compromise. 

 

Step 4: Malicious Behavior Is Triggered

 

The silently executed command reaches out to attacker-controlled infrastructure and begins downloading malware in stages. To avoid detection, the malware files are disguised with image file names and extensions, making them appear to be ordinary photos or icons rather than malicious programs.

 

Step 5: Impact on the User or Organization

 

Once installed, the attacker gains broad access to the victim’s machine. This includes the ability to steal saved browser credentials, watch the screen in real time, log keystrokes, browse and manage files remotely, and maintain persistent access even after reboot. The malware is also designed to evade common security tools, making it harder to detect and remove after installation.

For organizations, the risk is broader than one deceptive web page. Enterprise work now happens across browsers, SaaS applications, web portals, and cloud services. A ClickFix lure can abuse that trusted browser workflow to move from a web interaction to credential theft, remote access, screen monitoring, and persistent attacker control.

 

What the Infrastructure and Payload Chain Revealed

 

This attack revealed several layers of deception behind the ClickFix lure.

 

First, the lure domain was designed to look like a legitimate business or API workflow. The attacker used a lookalike Lirunex-themed domain, lirunex[.]tech, along with an API-style subdomain to make the page appear connected to a fintech or trading platform.

 

Second, the clipboard content was crafted to look harmless. The malicious command was hidden with blank space, followed by the decoy certificate name lirunex_Api_EU3.pem, so the visible portion looked like a normal SSL certificate path.

 

Third, the payload chain continued the disguise. Python executables were named after common image formats, including mev.png, USO.ico, and USO.png, making the files appear less suspicious even though they were part of a remote access trojan delivery chain.

 

Palo Alto Networks researchers also observed the same clipboard injection technique on additional financially themed sites, including aromi-fr[.]shop, aromi-fr[.]com, and api-eu3.convmasters[.]com.

 

Why This Is Hard to Detect

 

ClickFix attacks can be difficult to detect because the malicious behavior depends on the user taking an action inside the browser. At first glance, the activity may look routine: a user visits a business-looking API page, follows setup instructions, and pastes what appears to be an SSL certificate path.

 

The challenge is that the visible browser interaction does not show the full risk. In this campaign, the paste content looked like a certificate file name, while the clipboard actually contained a hidden command designed to run silently in the background. The site also used server-side cloaking, showing harmless-looking content to some visitors while showing the ClickFix lure to targeted users.

 

This makes the attack harder for static scanners and network-layer controls alone to detect. The page may not reveal the malicious behavior until after it loads, the user interacts with it, and the clipboard/paste flow is triggered. By then, what looks like a normal user action can become command execution and malware delivery.

 

This is why live browser visibility matters. Correlating page behavior, clipboard activity, user interaction, URL intelligence, and payload delivery can help identify ClickFix attacks earlier, before a trusted browser workflow becomes a compromise.

 

How Palo Alto Networks Helps Protect Customers

 

Palo Alto Networks helps protect customers from this ClickFix campaign through Prisma Browser Advanced Web Protection. Because the attack starts in the browser and depends on live user interaction, protection needs visibility into the page behavior, clipboard activity, and browser flow that trigger the threat. 

 

Prisma Browser uses real-time live page scanning and browser-layer visibility to help detect deceptive page flows, clipboard/paste abuse, and runtime behavior associated with ClickFix-style attacks. This helps stop threats that may be difficult to identify with network-layer controls alone, especially when the malicious behavior only appears after the page loads and the user interacts with it.

 

This protection is also strengthened by Palo Alto Networks cloud-delivered security services and threat intelligence, which identified the lure domain, related clipboard-injection sites, payload delivery infrastructure, command-and-control infrastructure, and disguised RAT files used in this campaign.

 

Conclusion

 

This campaign shows how ClickFix attacks have evolved beyond simple fake CAPTCHA pages. By combining domain impersonation, server-side cloaking, clipboard padding, and payload disguise, attackers can make a malicious workflow look like a routine browser interaction.

 

The key risk is that the attack does not rely on a traditional software exploit. It relies on user trust, live page behavior, and a paste action that appears legitimate. Prisma Browser Advanced Web Protection uses real-time live page scanning to help detect malicious lures, suspicious browser-driven behavior, and payload infrastructure before a routine web interaction becomes a full compromise.

 

Appendix: IOCs

 

Domains and URLs

 

Indicator

Type

lirunex[.]tech

Lure domain (typosquat of lirunex.com)

aromi-fr[.]shop

Related site with same clipboard injection

aromi-fr[.]com

Related site with same clipboard injection

convmasters[.]com

Related site with same clipboard injection (api-eu3 subdomain)

hxxps[:]//colafunfacts[.]net/log

First-stage payload URL

hxxps[:]//colafunfacts[.]net/firefox.zip

Second-stage payload URL

hxxp[:]//104.207.131[.]216[:]16443

Command-and-control server

hxxp[:]//188.166.20[.]222[:]8000

Additional infrastructure

hxxp[:]//95.179.240[.]32[:]9999/build

Additional infrastructure

 

Additional Information

 

To see Advanced Web Protection in action, schedule a Prisma Browser demo with your Palo Alto Networks team.

 

 

 

 

 

 

 

  • 16 Views
  • 0 comments
  • 0 Likes
Labels
Contributors