A ClickFix campaign is abusing compromised WordPress sites and a fake Cloudflare verification prompt to trick macOS users into pasting a malicious Terminal command that deploys a three-stage infostealer. The operation uses Polygon-based EtherHiding for resilient C2 delivery and exfiltrates stolen Keychain, browser, and SSH data to genomicsforge[.]com from macOS victims. #ClickFix #EtherHiding #WordPress #Polygon #genomicsforge
Keypoints
- Hundreds of compromised WordPress sites were found serving the same malicious injection across multiple regions and industries.
- The attack uses a fake Cloudflare âVerify you are humanâ prompt to convince victims to paste a Terminal command on macOS.
- The malicious page resolves its C2 URL from a Polygon smart contract, making takedowns harder through the use of EtherHiding.
- A full-screen iframe overlay is used to fingerprint the victimâs OS and deliver platform-specific content, with macOS receiving a full infostealer payload.
- The pasted command downloads a script from genomicsforge[.]com and pipes it directly to zsh, avoiding disk-based detection.
- The final payload steals macOS Keychain data, browser data, SSH keys, screenshots, and saved passwords via osascript.
- Stolen data is staged in /tmp/osalogging.zip and exfiltrated in chunks to genomicsforge[.]com/gate before the archive is deleted.
MITRE Techniques
- [T1189 ] Drive-by Compromise â Victims are lured through compromised websites that inject the malicious overlay and script (âcompromising any accessible WordPress site at scale, using each one as a delivery platform against its own visitorsâ).
- [T1059.004 ] Command and Scripting Interpreter: Unix Shell â The pasted command runs a curl download piped into zsh on macOS (âdownloads and immediately pipes a shell script to zshâ).
- [T1105 ] Ingress Tool Transfer â The script retrieves additional payloads from attacker infrastructure (âa curl request to genomicsforge[.]com that downloadsâ).
- [T1027 ] Obfuscated Files or Information â The dropper is encoded and compressed to hinder detection (âgzip-compressed and Base64-encoded payloadâ).
- [T1027.001 ] Obfuscated Files or Information: Binary Padding â The payload is compressed and encoded before execution (âgzip-compressed and Base64-encoded payloadâ).
- [T1055 ] Process Injection â The article describes in-memory execution and self-evaluation that avoids writing files (âdecompresses and evals itself entirely in memoryâ).
- [T1113 ] Screen Capture â The infostealer can capture screenshots from the macOS system (âcapture screenshotsâ).
- [T1056.001 ] Input Capture: Keylogging â The malware silences I/O and steals entered sensitive data during user interaction (âsilences all input/output (I/O)â).
- [T1555.001 ] Credentials from Password Stores: Keychain â The payload accesses the macOS Keychain (âaccess the macOS Keychainâ).
- [T1053.005 ] Scheduled Task/Job: Launch Agent â Defenders are told to inspect LaunchAgents for persistence (âcheck ~/Library/LaunchAgents/ for unknown persistenceâ).
- [T1091 ] Replication Through Removable Media â Not mentioned.
- [T1021.004 ] Remote Services: SSH â The campaign targets SSH keys stored on the Mac (âplundering your Macâs Keychain, browser data, and SSH keysâ).
- [T1132.001 ] Data Encoding: Standard Encoding â The payload uses Base64 encoding as part of its staging (âBase64-encoded payloadâ).
- [T1090 ] Proxy â The attacker infrastructure is routed through multiple RPC endpoints for C2 resolution (âacross six redundant public remote procedure call (RPC) endpointsâ).
- [T1106 ] Native API â The script uses browser and OS features through platform-native components such as osascript (âexecuted via osascriptâ).
- [T1566.002 ] Phishing: Spearphishing Link â The fake verification page socially engineers the victim into performing the malicious action (âVerify you are humanâ ⌠âopen Terminal, paste a codeâ).
- [T1041 ] Exfiltration Over C2 Channel â Data is uploaded to attacker infrastructure in chunks (âexfiltrated to genomicsforge[.]com/gate in 10 MB chunksâ).
- [T1005 ] Data from Local System â The malware collects files, passwords, and browser artifacts from the local machine (âread files, access the macOS Keychainâ).
Indicators of Compromise
- [Domains] ClickFix overlay and payload infrastructure â superstarlog[.]click, superboomer[.]world, and 3 more overlay domains
- [Domain] Payload delivery and exfiltration C2 â genomicsforge[.]com
- [RPC endpoints] Blockchain C2 resolution via Polygon â polygon.drpc.org, polygon-bor-rpc.publicnode.com, and 4 more Polygon RPC endpoints
- [Smart contract address] C2 URL stored on Polygon â 0x08207B087F61d7e95E441E15fd6d40BEfd6eD308
- [File path] Data staging file on macOS â /tmp/osalogging.zip
- [URL path] Exfiltration endpoint â /gate