CISO and faculty by day, adversary emulation/tools by night, bad jokes and memes all the time.

Joined June 2021
Pinned Tweet
For those who answered "What is ClickFix" here is a short video including a demo and walk-through. And, for those who answered indicating they are thinking about doing ClickFix penetration tests, this video provides a demo of BeaconatorC2 payloads that will give you a jump-start (see links/repo). Also, looping in some people I respect a lot to weigh in, not because I think we have it figured out, but so we can all ring a very loud bell around ClickFix/Fake CAPTCHA to start a broader conversation. @UK_Daniel_Card, @0xTib3rius, @techspence, @Cl0uddStrife, @AccidentalCISO, @NotNordgaren, @BushidoToken, @corewarrior, @NathanMcNulty, @ZackKorman, @kuzushi, @whereduck @_JohnHammond has done 100x better videos on this, but the problem persists, so throwing my own crood take into the mix to see if it helps. Special thanks to @Shammahwoods and @christian_tail for amazing work/collaboration on this research. My hope is that people start testing for this, talking about this, and working toward resolution. Disclaimer: For those new to my videos, they are uncut, no edits, and usually single take/yolo. Buyer beware. youtu.be/1SyoQ2qJ2Ok
Mike Manrod retweeted
Bloody hell 🤣🤣🤣
Mike Manrod retweeted
How Stormtroopers say “I love you.” 🥰
Mike Manrod retweeted
Any time I see @techspence present, I think, holy shit, he’s such a professional. I’ve taken many courses but this guy is on another level. This is his attacking AD course on @_ContinuumCon_ (live now).
Mike Manrod retweeted
Matthew Nguyen starting the party for ContinuumCon Day 3, walking us through using Malcat (😻), FakeNet, and more for some sweet malware analysis! continuumcon.com
🚨 Workshop Spotlight #8 👉 "How to Analyze Malware" by Matthew Nguyen

📝 Description: A practical introduction to malware analysis for beginners, focused on building a foundational workflow rather than diving straight into reverse engineering. You'll cover the key principles of a safe lab setup, basic static analysis, and dynamic analysis using sandbox environments and tools you can run in your own lab (like FlareVM). The session includes a guided walkthrough of a real malware sample pulled from a malware database, with attention to the techniques you'll encounter most often: persistence mechanisms and command-and-control communication. By the end, you'll have a clear framework for analyzing malware, an understanding of the common techniques malicious software uses, and the confidence to begin your own analysis safely.

🎟️ Only at ContinuumCon 2026: June 12-14. Work through it live, or revisit the lab on your own time. Own it forever. The workshop doesn't end when the conference does. Got your ticket yet? 👉 continuumcon.com/

Hosted by @_JohnHammond, @JustHackingHQ, @AnthonyBendas, and @Level_Effect!
Mike Manrod retweeted
Someone showed me this on Telegram. It is very silly. It is clearly masquerading as "Free GPT and Claude". Anyone with half a brain knows this is malicious, but people will still fall for it. People asked what it is. I have some free time. I poked it with a stick. People discussing it said it is XMRig. That is not entirely accurate. This is not XMRig. This is flagged as XMRig from Triage and VirusTotal because it does indeed drop XMRig, but it is much more than that. This is a (maybe new) information stealer packaged with XMRig as a double whammy.

This malware is interesting because of a few things:

1. It is position independent; they care enough to be evasive and strip out a majority of dependencies. This is usually indicative of more serious malware.
2. The .zip it delivers from the "Free GPT and Claude" is intentionally bloated (payload inflation). It is 97MB, which may evade a majority of anti-malware products (initially) due to its large size. It packages itself with FFmpeg and various other audio codecs.
3. It accesses Microsoft Outlook e-mails, accesses Chrome stuff using the COM IElevationService, and looks for any SFTP credentials.

It (currently) does not have any matching YARA rules from AV vendors. The closest approximation is LummaStealer. My knowledge base on the Information Stealer scene is out-of-date (it changes a lot). However, on first initial glance this appears like a new information stealer. Again, this should be taken with a grain of salt. It's also worth noting the domain it exfiltrates to does not appear in any malware reports. The domain is unique, and the payload does not match any existing YARA rules (its behavioral characteristics do, but not a specific malware family), so this is actually a pretty interesting sample. A lookup though shows this is an emerging malware campaign. It first appeared around the end of May. This is (probably) a known Threat Actor who has switched it up a bit (or it's MaaS, whatever though).

The malware appears online masquerading as various products:
- ecore-sourceproject
- LogiDA
- GPT_Claude_Free
- CortexSystems.v3.4.2.Stable
- TikTokBot-v2.2
- CortexLauncher

Funny enough, this malware would have been much, much, much, MUCH more evasive if they didn't package it with XMRig. VirusTotal and Triage immediately flagged it because after it establishes persistence, and steals any credentials on the machine, it pulls XMRig to turn into a cryptocurrency miner. If they did not pull the XMRig binary this stealer would be much more quiet. I have no idea why they decided to burn their OPSEC with XMRig.

C2: dfwioeiofwr-dot-info

Payload (and associated families from the C2):
027d576c6b5512d661081aaeeeb8e611f95a469ccf5ba35e0a390e8814334d05
5dcc599cf48227e65ea49d2708d08704fd1cb7e3b89736718d0d8e557857c49c
5e8b40b0b7512e1a1355374fb0cf34bfdf1260ebdb80a353c8f9da2490beeed3
6a0c332296b017220fc2b522da653fce36a8a3c5c79de0200d61c5fc31eb89ce
a2f8ebf65d54a4d9c8b720d01da77ad796683f1a5b8bd3d08738d7df4365f8a
9d4aaa9842c947756b7c128c432292732098fb71d247ef0bce60368563572da3
c4caca93e2291c018e701c217b7d232c534e4dd142042a59aa4d32754ef3022a
Mike Manrod retweeted
You can just do things.
As a person who enjoys doing stupid projects, AI is a godsend: I have done more stupid projects in 2026 than in my whole life previously
Hash is extra good today.
Mike Manrod retweeted
Replying to @CroodSolutions
Exactly. There will always be something “new” looming around the corner. It’s impossible to account for it all. But you can be better prepared to handle it by doing what we know works well, now. Great talk!
To paraphrase one of my favorite highlights, we solve these agent problems with good security fundamentals, not with complex abstract philosophies none of us really understand. Or as @techspence just added in Q&A, doing the basics right is the answer. That said, when we consider the basics, we need to layer in the newer knowledge of how agents behave, what trust boundaries exist, and how it works when these trust boundaries are abused for escape and takeover. If you missed this one, be sure to go back and watch it / explore the workshop.
AI breakout wizard @ZackKorman walking through his process for Escaping AI Sandboxes for @_ContinuumCon_ Day 2! 🔥 continuumcon.com
Mike Manrod retweeted
The legend @ZackKorman is live!! Go check out AI sandbox escaping shenanigans!! ContinuumCon 2026 - Day 2 youtube.com/live/eaksNdtMpBE… via @YouTube
Mike Manrod retweeted
Come listen to me talk about AI agent sandbox escapes. Live an hour from now. For those of you too young to remember, AI was a technology we used to have before the government made it illegal.
Mike Manrod retweeted
Hello friends. I published my first article on Medium. medium.com/p/your-ir-plan-is… My plan is to turn this into a mini series and hopefully help someone looking for guidance on incident response management. Not just from the framework perspective but from practitioners. This is also for me to practice writing so thanks in advance for any feedback.

Mike Manrod retweeted
Quick reminder that I have a ContinuumCon workshop tomorrow (1:15pm ET) on escaping AI agent sandboxes. Workshop so dangerous that my own product keeps alerting on my "research".
Mike Manrod retweeted
If you want some no BS, down to earth, seriously awesome guidance on security engineering, then this is the workshop for you. If you do any coding whatsoever this will be beneficial to watch and learn. Also solst is low-key funny too, always fun to watch him do his thing.
This Saturday at 3:45 ET I’ll be presenting a live intro to my security engineering course there (practical guide to SAST, DAST, etc)
Mike Manrod retweeted
The US government, citing national security authorities, has issued an export control directive to suspend all access to Fable 5 and Mythos 5 by any foreign national, whether inside or outside the United States, including foreign national Anthropic employees. The net effect of this order is that we must abruptly disable Fable 5 and Mythos 5 for all our customers to ensure compliance. Access to all other Claude models is not affected. We apologize for this disruption to our customers. We believe this is a misunderstanding and are working to restore access as soon as possible. Read our full statement: anthropic.com/news/fable-myt…
Mike Manrod retweeted
I don't understand. Anthropic have access to Mythos level AI models internally and not even those models could tell them how to implement a nationality level block on their user base. 😭😭😭 So much for AGI.
Mike Manrod retweeted
Play stupid games you win stupid prizes.