Featured · 2026-05-22

ClickFix Edition 2: Ten Seconds of Forensic Evidence.

Post-execution forensics of an AMOS-like credential stealer on macOS 13: the unified log timeline, the TCC bypass, the kernel's unsigned module warnings, and the one thing the logs can't directly prove.

14 min read
Recent posts