Avoid This Email PowerShell Malware Scam
Let’s talk about an email malware scam: one that targets users who are not technically proficient and tricks them into running malicious PowerShell code on their Windows computers, which will typically lead to a malware infection.
Step 1. The email.
Like many malware scams out there, this begins with an email – in this case, the email below, which appears to be from Evri and asks us to organise the delivery of a parcel.

Delivery courier email scams are quite common, but usually they’re in the guise of phishing scams that are trying to trick us into visiting a spoof website and giving out our payment data. But that’s not the case here as we’re about to find out.
When we click the link in the email, we’re taken to Step 2.
Step 2. The fake CAPTCHA
Many of us are used to completing these little CAPTCHA tests to prove we’re really human. So we might not think much of it when presented with the little test in the below webpage.

But this is no ordinary CAPTCHA. In fact it’s completely fake. Using some behind-the-scenes HTML/JavaScript magic, the scammers have created a page that automatically copies some PowerShell code to your computer’s clipboard as soon as you interact with the CAPTCHA test.
Now, to be clear, the webpage has just made your computer copy the code (as in, the first half of the “copy and paste” functions that most of us are no doubt familiar with). At this point, the device hasn’t been infected or compromised. The code is just sitting in the “clipboard” of your computer, where copied data goes before it is “pasted” somewhere else. If the code gets pasted and executed in the wrong place, however, then things can take a turn for the worse… and that is what the scammers are about to get to next…
…because when we “complete” the CAPTCHA (which, as we stated, is fake) we’re taken to the next – final – step. The end game…
Step 3. The End Game
The next webpage that is loaded up after the CAPTCHA is below, and asks us to complete some simple steps to continue to organise our Evri delivery. But these simple steps, if carried out, can result in a malware infection.

The first line asks us to hit the Windows key and the letter R. This brings up the Run dialog box on a Windows computer. The Run dialog box, which we only recommend using if you know what you’re doing, lets you run scripts or open advanced programs on a device. It can be a dangerous tool if used by someone who doesn’t know what they’re doing.
The second line asks the person to hit the Ctrl key and letter V. This is the paste function. This will paste whatever data was copied in Step 2, which was the malicious PowerShell code.
The third line says to press Enter, which will then get the person’s computer to execute whatever is in the Run dialog box, which will be the pasted PowerShell code.
So, essentially, the person has, unknown to them, copied PowerShell code, and is then tricked into opening their Run dialog box, pasting the code into it and executing the code on their computer. This is extremely dangerous.
In the email example above, the PowerShell code would download a file (what we call a Payload file) from an IP address that was located in Russia and execute it on the person’s computer. This will, no doubt, lead to a malware infection.
Don’t fall victim to these scams.
Firstly, you should be sceptical when clicking on emails like this. Look for the same warning signs you’d look for in any suspicious email: a lack of personal details, poor spelling, odd-looking From: addresses, common social engineering tricks (“organise a courier delivery” certainly being a common trick) and links leading to fake and unofficial web domains.
Secondly, NEVER EVER follow instructions from untrusted sources that involve you opening your Run dialog box (opened using Win+R or typing ‘Run’ in the Start Menu). Code entered into this can damage your computer.
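For anyone checking a Windows computer after one of these emails, the Run dialog keeps a per-user history in the registry, and the short PowerShell script below flags history entries that look like pasted commands rather than program names. It is an added example, not part of the original article; the matching patterns, the function names and the sample entries are assumptions made for illustration.

```powershell
# Added example: flag Run dialog history entries that look like pasted commands.
$RunMruPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

# Heuristic patterns (assumptions chosen for this example; tune as needed).
$SuspiciousPatterns = @(
    '\b(powershell|pwsh)(\.exe)?\b',        # PowerShell started from the Run box
    '\b(mshta|wscript|cscript)(\.exe)?\b',  # other script hosts
    '\bcmd(\.exe)?\s+/c\b',                 # command interpreter one-liner
    'https?://',                            # URL inside the command
    '\b\d{1,3}(\.\d{1,3}){3}\b'             # bare IPv4 address
)

function Test-RunEntry {
    param([Parameter(Mandatory)][string]$Command, [string]$Source = 'live')
    # Each stored entry ends with a "\1" marker; strip it before matching.
    $clean = $Command -replace '\\1$', ''
    # -match is case-insensitive by default in PowerShell.
    $hits = @($SuspiciousPatterns | Where-Object { $clean -match $_ })
    [pscustomobject]@{
        Source      = $Source
        Suspicious  = $hits.Count -gt 0
        PatternHits = $hits.Count
        Command     = $clean
    }
}

function Get-RunHistory {
    # Returns the current user's stored Run dialog commands, if the key exists.
    if (-not (Test-Path $RunMruPath)) { return }
    (Get-ItemProperty -Path $RunMruPath).PSObject.Properties |
        Where-Object { $_.Name -match '^[a-z]$' } |  # entries are named a, b, c ...
        ForEach-Object { [string]$_.Value }
}

# Constructed sample entries (not taken from the article) so the check can be
# tried offline; 203.0.113.10 is a documentation-only address.
$samples = @(
    'notepad\1',
    'powershell <placeholder for pasted command> http://203.0.113.10/\1'
)

$results  = @($samples | ForEach-Object { Test-RunEntry -Command $_ -Source 'sample' })
$results += @(Get-RunHistory | ForEach-Object { Test-RunEntry -Command $_ })
$results | Sort-Object Suspicious -Descending | Format-List
```

A flagged entry is a lead to investigate, not proof of infection, and a missing or empty history does not show that nothing was run, since the history can be cleared.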