https://karmine05.github.io/dirtyfrag-blog/tags/windows/ Recent content in Windows on karmine's notes Hugo -- gohugo.io en dhruv@fleetdm.com (Dhruv Majumdar) dhruv@fleetdm.com (Dhruv Majumdar) © 2026 karmine's notes Tue, 26 May 2026 13:00:00 -0400 https://karmine05.github.io/dirtyfrag-blog/posts/clickfix-copypaste-fleet-detections/ Tue, 26 May 2026 13:00:00 -0400 dhruv@fleetdm.com (Dhruv Majumdar) https://karmine05.github.io/dirtyfrag-blog/posts/clickfix-copypaste-fleet-detections/ ClickFix is the most active cross-platform initial-access technique of 2026 — fake CAPTCHAs and support prompts that silently copy a malicious command to the clipboard, instruct the user to paste it into the Windows Run dialog or macOS Terminal, and deliver infostealers (Lumma, AMOS), remote-access tools (NetSupport RAT), and AppleScript keychain stealers. No code-execution vulnerability is exploited — the victim is the delivery mechanism. This brief walks the five-stage attack flow, lists atomic indicators, and ships a Fleet/osquery detection pack with every query validated against the current Fleet table schema. https://karmine05.github.io/dirtyfrag-blog/posts/shadow-earth-053-fleet-detections/ Tue, 26 May 2026 11:00:00 -0400 dhruv@fleetdm.com (Dhruv Majumdar) https://karmine05.github.io/dirtyfrag-blog/posts/shadow-earth-053-fleet-detections/ Trend Micro disclosed SHADOW-EARTH-053 on 30 April 2026 — a China-aligned cyberespionage campaign exploiting ProxyLogon against unpatched Microsoft Exchange and IIS to deploy GODZILLA web shells and ShadowPad across South, East, and Southeast Asia plus one NATO target. This brief documents the campaign through Lockheed’s seven kill-chain stages with a Diamond Model rendered for each stage, consolidates the atomic indicators, and ships a vetted Fleet/osquery detection pack. Every query in the pack has been audited against fleetdm.com/tables before publication — schema bugs in the publicly circulating versions are called out and corrected inline.