ClickFix Now Uses Script Editor Instead of Terminal
Thijs Xhaflaire (via Andrew Orr):
Unlike traditional ClickFix campaigns that instruct users to paste commands directly into Terminal, the discovered variant uses a browser-triggered workflow to launch Script Editor.
[…]
- The page leverages an applescript:// URL scheme
- Clicking the “Execute” button invokes this URL scheme from the browser
- The browser prompts the user to allow Script Editor to open
- Once opened, a pre-filled script is presented for execution
[…]
This payload uses base64 encoding combined with gzip compression to obscure its contents before execution.
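A defender-side triage sketch for the workflow quoted above, added here as an example and not part of the quoted report: it finds applescript:// links in a saved page, recovers the script the link would pre-fill in Script Editor, and unwraps any base64+gzip layer for reading without executing anything. The link layout (`com.apple.scripteditor?action=new&script=…`), the function names, and all sample values are constructed assumptions, not taken from the report.

```python
import base64
import binascii
import gzip
import html
import re
import zlib
from urllib.parse import parse_qs, quote, urlsplit

MAX_OUT = 64 * 1024  # cap decompressed size so a hostile blob cannot exhaust memory
URL_RE = re.compile(r"applescript://[^\s\"'<>]+", re.I)
GZ_B64_RE = re.compile(r"H4sI[A-Za-z0-9+/]{8,}={0,2}")  # base64 of gzip magic 1f 8b 08

def unwrap_gzip_b64(text):
    """Return the decoded contents of base64+gzip blobs in text (never runs them)."""
    layers = []
    for blob in GZ_B64_RE.findall(text):
        try:
            raw = base64.b64decode(blob, validate=True)
            data = zlib.decompressobj(wbits=31).decompress(raw, MAX_OUT)
        except (binascii.Error, zlib.error):
            continue  # looked like a blob but was not valid base64/gzip
        if data:
            layers.append(data.decode("utf-8", "replace"))
    return layers

def triage_page(page_html):
    """Find applescript:// links in HTML and report the script each would pre-fill."""
    findings = []
    for url in URL_RE.findall(html.unescape(page_html)):
        # parse_qs percent-decodes the value; take the first script parameter
        script = parse_qs(urlsplit(url).query).get("script", [""])[0]
        findings.append({"url": url, "script": script,
                         "hidden_layers": unwrap_gzip_b64(script)})
    return findings

# Constructed, harmless sample: a script whose string literal hides a second layer.
_INNER = 'display dialog "constructed inner layer"'
_BLOB = base64.b64encode(gzip.compress(_INNER.encode())).decode()
SAMPLE_SCRIPT = f'set payload to "{_BLOB}"'
SAMPLE_HTML = ('<a href="applescript://com.apple.scripteditor?action=new&amp;script='
               + quote(SAMPLE_SCRIPT, safe="") + '">Execute</a>')

if __name__ == "__main__":
    for finding in triage_page(SAMPLE_HTML):
        print(finding["script"], "->", finding["hidden_layers"])
```

The same two functions can be run over proxy-captured HTML or browser cache files; any hit on the URL scheme in web content is worth a look on its own, since ordinary sites rarely link to Script Editor.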