FWIW, 100% of #ClickFix attacks I've seen have added some kind of inline comment at the end of the command string like I am not a robot to sell the ruse. Definitely worth a threat hunt on command line history.
#ThreatHunting #ThreatIntel #ThreatIntelligence
Taggart :donor: /
npub1yg…tccz0
2025-04-28 16:37:16
Author Public Key
npub1yg8lnapwc8yyd0m32jcfdp7k28hwmsvtsqc59rsj6d6d0m3mynqs7tccz0Published at
2025-04-28 16:37:16Event JSON
{
"id": "2e2b49dd0abc1787b2900930d9ed59eae6e46b1b7c8aa7d864ef87da1a3bc944",
"pubkey": "220ff9f42ec1c846bf7154b09687d651eeedc18b8031428e12d374d7ee3b24c1",
"created_at": 1745858236,
"kind": 1,
"tags": [
[
"t",
"threatintel"
],
[
"t",
"clickfix"
],
[
"t",
"threatintelligence"
],
[
"proxy",
"https://infosec.exchange/@mttaggart/114416565384838202",
"web"
],
[
"t",
"threathunting"
],
[
"proxy",
"https://infosec.exchange/users/mttaggart/statuses/114416565384838202",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://infosec.exchange/users/mttaggart/statuses/114416565384838202",
"pink.momostr"
],
[
"-"
]
],
"content": "FWIW, 100% of #ClickFix attacks I've seen have added some kind of inline comment at the end of the command string like I am not a robot to sell the ruse. Definitely worth a threat hunt on command line history.\n\n#ThreatHunting #ThreatIntel #ThreatIntelligence",
"sig": "b4637dff1e951090cb4c2174aa37c79abf7c7ab70ce11666eaed3eb8acbcebc6135eb4fc3195743c44433f54eb0d9ed433be170a4bb7c1d1025735b03b21351d"
}