We’ve been seeing these types attacks for a couple of months, mostly not from telegram links. The way they work is pretty ingenious, in that is leverages the fact that everyone has gotten used to the various “do this thing to prove you’re human”. In this case the attack works like:

• User is directed to a link controlled by the attacker. The link will claim to be something the user wants.
  • In my experience, this has been movie or software downloads.
• This site presents a page which basically says “prove you are human to get the thing”.
• In the background, the attack site uses javascript to pre-load the user’s clipboard with a malicious PowerShell command.
• The site’s instructions to “prove you are human” looks like:
  1. Press the key combination Win+R
  2. Press the key combination Ctrl+V
  3. Press Enter
• The user being trained to “prove they are human” follows these instructions, resulting in a PowerShell command being run which downloads the malicious payload and executes it.

The payloads we’ve seen have been info stealers (RedLine, Lumma Stealer, etc.). They also drop some type of Remote Access Tool (e.g. AnyDesk) which the attacker could come back to later, move laterally and try to deploy ransomware.

The website (Telegram in this case, but can be any website) adds a specifically crafted text to the clipboard and then tricks the user into pasting that text into the Windows Run dialog, which can be used to execute any command(s), basically like a command prompt.

The text the attacker places in the clipboard is actually a command to download and execute an executable file from the internet, giving the attacker remote access to the system or whatever the payload happens to be.

It’s a pretty clever trick. Perhaps MS should consider adding a warning before allowing pasting into the Run dialog or cmd for the first time. They already have this in the Edge browser console.