https://karmine05.github.io/dirtyfrag-blog/tags/clickfix/ Recent content in Clickfix on karmine's notes Hugo -- gohugo.io en dhruv@fleetdm.com (Dhruv Majumdar) dhruv@fleetdm.com (Dhruv Majumdar) © 2026 karmine's notes Tue, 26 May 2026 13:00:00 -0400 https://karmine05.github.io/dirtyfrag-blog/posts/clickfix-copypaste-fleet-detections/ Tue, 26 May 2026 13:00:00 -0400 dhruv@fleetdm.com (Dhruv Majumdar) https://karmine05.github.io/dirtyfrag-blog/posts/clickfix-copypaste-fleet-detections/ ClickFix is the most active cross-platform initial-access technique of 2026 — fake CAPTCHAs and support prompts that silently copy a malicious command to the clipboard, instruct the user to paste it into the Windows Run dialog or macOS Terminal, and deliver infostealers (Lumma, AMOS), remote-access tools (NetSupport RAT), and AppleScript keychain stealers. No code-execution vulnerability is exploited — the victim is the delivery mechanism. This brief walks the five-stage attack flow, lists atomic indicators, and ships a Fleet/osquery detection pack with every query validated against the current Fleet table schema.