Malicious Code Passed to PowerShell via the Clipboard, (Sat, Jun 25th)

PowerShell Core 6.0 icon
File:PowerShell Core 6.0 icon.png

Another day, another malicious script was found! Today, the script is a Windows bat file that executes malicious PowerShell code but the way it works is interesting. The script has a VT score of 16/54 ( )[1]. The script uses the Windows command-line tool “clip.exe” which is often unknown to people:

This tool helps to save the STDIN content in the clipboard. I checked the LOLBAS[2] project page and did not find “clip.exe”.

How does it work?

cmd / c echo "[Redacted_malicious_payload]" | clip.exe && powershell.exe ""

The malicious code is saved into the clipboard and PowerShell fetches it by executing . It contains:


The code is executed and the clipboard is cleared:


It's a nice technique to implement fileless malware!

Note: The malware family is Boxter[3].


Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Alex Post