  • Attackers disguise emails as audits to trick macOS users into running malicious AppleScript attachments.
  • Scripts steal passwords, bypass macOS privacy controls, and give attackers full remote access.
  • Even trusted-seeming emails can be dangerous—disconnect, reset permissions, and scan your Mac if exposed.

A sophisticated phishing campaign has emerged targeting macOS users in the cryptocurrency and tech sectors. SlowMist, a cybersecurity firm, analyzed the attack after Chainbase Lab detected malicious emails disguised as “audit/compliance confirmation.” 

As per the report, attackers used social engineering to lure victims by asking them to confirm their company’s legal English name. Subsequently, emails titled “FY2025 External Audit” or “Token Vesting Confirmation – deadline” delivered malicious Word and PDF attachments. 

The campaign is especially dangerous because it uses multi-stage, fileless malware: attackers gain complete control of a compromised system simply by tricking the victim into opening the attachment and running the script themselves.

How the Attack Works

The email attachments, such as “Confirmation_Token_Vesting.docx.scpt,” appear as regular documents but are actually AppleScript files. Once opened, the scripts display fake macOS system update or repair windows to lower suspicion. 

Besides visual deception, the scripts collect system information like CPU architecture, macOS version, and language, sending it to remote servers to decide which payload to deliver. Attackers then download additional scripts from domains like sevrrhst[.]com, executing malicious AppleScript that facilitates password theft, remote command execution, and dynamic payload delivery.
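As an added illustration of the lure described above (this is not code from SlowMist, Chainbase Lab or the attackers), the following mail-gateway triage check flags attachments whose name ends in a script extension hidden behind a document-looking one, such as the “.docx.scpt” sample. The attachment names and subject lines are constructed, and the extension lists and subject keywords are assumptions chosen to match this campaign:

```python
"""Triage constructed email attachments for script files disguised as documents.

Added example for this article; not code from the report or the campaign.
macOS Finder hides known extensions by default, so "X.docx.scpt" can be shown
to the user as "X.docx" while still opening in Script Editor / osascript.
"""
from __future__ import annotations

import os

# Extensions macOS hands to an interpreter or installer rather than a document viewer.
EXECUTABLE_EXTS = {".scpt", ".scptd", ".applescript", ".command", ".sh", ".tool", ".app", ".pkg", ".js"}
# Extensions a user expects to open as a document.
DOCUMENT_EXTS = {".docx", ".doc", ".pdf", ".xlsx", ".pptx", ".txt", ".rtf"}
# Subject words seen in this campaign's lures ("FY2025 External Audit", "Token Vesting Confirmation - deadline").
LURE_SUBJECT_TERMS = ("audit", "compliance", "vesting", "deadline", "confirmation")


def classify_attachment(name: str) -> str:
    """Classify by the REAL (last) extension, then check whether a document
    extension was placed just before it to disguise a script."""
    parts = os.path.basename(name).lower().split(".")
    if len(parts) < 2:
        return "other"
    last = "." + parts[-1]
    if last in EXECUTABLE_EXTS:
        if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS:
            return "script-disguised-as-document"
        return "executable"
    if last in DOCUMENT_EXTS:
        return "document"
    return "other"


def triage_message(subject: str, attachments: list[str]) -> dict:
    """Return a verdict plus the evidence behind it.

    quarantine: any executable or disguised-script attachment
    review:     lure-style subject but only document attachments
    pass:       nothing suspicious
    """
    classes = {a: classify_attachment(a) for a in attachments}
    risky = [a for a, c in classes.items() if c in ("script-disguised-as-document", "executable")]
    lure_terms = [t for t in LURE_SUBJECT_TERMS if t in subject.lower()]
    if risky:
        verdict = "quarantine"
    elif lure_terms:
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict, "risky_attachments": risky, "lure_terms": lure_terms, "classes": classes}


# Constructed sample messages modelled on the lures the article describes.
SAMPLE_MESSAGES = [
    ("Token Vesting Confirmation - deadline", ["Confirmation_Token_Vesting.docx.scpt"]),
    ("FY2025 External Audit", ["Audit_Scope_FY2025.pdf"]),
    ("Lunch menu", ["menu.pdf"]),
]

if __name__ == "__main__":
    for subject, files in SAMPLE_MESSAGES:
        result = triage_message(subject, files)
        print(f"{result['verdict']:<10} {subject!r} -> {result['risky_attachments'] or result['lure_terms']}")
```

The check deliberately keys on the last extension only: a secure mail gateway should treat "what will actually open this file" as the only question that matters, and anything a document reader will not handle is quarantined regardless of how convincing the subject line is.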

Advanced Evasion Techniques

The attack goes beyond information theft: it attempts to bypass the Transparency, Consent, and Control (TCC) safeguards of macOS. To silently grant themselves access to protected resources, the scripts modify system folders and insert entries directly into the TCC database with SQL queries. The resources covered include the Documents, Downloads and Desktop folders, the camera, screen capture, and keyboard monitoring.
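The defensive counterpart to the TCC tampering described above is to audit the TCC database for grants that no legitimate app would hold. The following script is an added example for this article, not code from SlowMist or the campaign. It builds a constructed, simplified copy of the `access` table in memory so it runs anywhere; on a real Mac the same query would be pointed at the system database under `/Library/Application Support/com.apple.TCC/TCC.db` or the per-user one under `~/Library/Application Support/com.apple.TCC/`, which themselves require Full Disk Access to read. The interpreter list, the trusted path prefixes and the sample rows are assumptions; the service names, the meaning of `client_type` (0 = bundle identifier, 1 = absolute path) and `auth_value` (2 = allowed) follow the real TCC schema:

```python
"""Audit a (constructed) TCC access table for grants a script should not hold.

Added example for this article; not the report's or the attackers' code.
Heuristics: (1) an allowed grant whose client is a shell/AppleScript/Node
interpreter, (2) a path-type client outside /Applications or /System, and
(3) an allowed row with no code-signing requirement (csreq), which is what a
row planted by a raw SQL INSERT typically looks like.
"""
from __future__ import annotations

import sqlite3

SENSITIVE_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceSystemPolicyDocumentsFolder": "Documents folder",
    "kTCCServiceSystemPolicyDownloadsFolder": "Downloads folder",
    "kTCCServiceSystemPolicyDesktopFolder": "Desktop folder",
    "kTCCServiceCamera": "Camera",
    "kTCCServiceScreenCapture": "Screen recording",
    "kTCCServiceListenEvent": "Keyboard / input monitoring",
    "kTCCServiceAccessibility": "Accessibility",
}
# Assumed list: interpreters that, as TCC clients, mean a script rather than an app was granted access.
SCRIPT_INTERPRETERS = {
    "/usr/bin/osascript", "/bin/bash", "/bin/sh", "/bin/zsh",
    "/usr/bin/python3", "/usr/local/bin/node", "/opt/homebrew/bin/node",
}
TRUSTED_PATH_PREFIXES = ("/Applications/", "/System/")
AUTH_ALLOWED = 2        # auth_value: 2 == allowed
CLIENT_TYPE_PATH = 1    # client_type: 0 == bundle identifier, 1 == absolute path


def build_sample_db() -> sqlite3.Connection:
    """Constructed, simplified `access` table: three GUI-style grants and three planted rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
        "auth_value INTEGER, csreq BLOB, last_modified INTEGER)"
    )
    csreq = b"\xfa\xde\x0c\x00"  # constructed stand-in for a real requirement blob
    rows = [
        # bundle-id clients with a stored requirement: what a consent-dialog grant looks like
        ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2, csreq, 1_700_000_000),
        ("kTCCServiceScreenCapture", "us.zoom.xos", 0, 2, csreq, 1_700_000_100),
        ("kTCCServiceCamera", "com.apple.FaceTime", 0, 0, csreq, 1_700_000_200),  # denied
        # planted rows: path clients, no csreq, all allowed
        ("kTCCServiceSystemPolicyAllFiles", "/usr/bin/osascript", 1, 2, None, 1_700_050_000),
        ("kTCCServiceListenEvent", "/bin/bash", 1, 2, None, 1_700_050_001),
        ("kTCCServiceCamera", "/Users/alice/Library/Caches/.helper", 1, 2, None, 1_700_050_002),
    ]
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def audit_tcc(conn: sqlite3.Connection) -> list[dict]:
    """Return one finding per allowed, sensitive grant that trips a heuristic."""
    findings = []
    cur = conn.execute(
        "SELECT service, client, client_type, csreq, last_modified "
        "FROM access WHERE auth_value = ?",
        (AUTH_ALLOWED,),
    )
    for service, client, client_type, csreq, last_modified in cur:
        if service not in SENSITIVE_SERVICES:
            continue
        reasons = []
        if client in SCRIPT_INTERPRETERS:
            reasons.append("client is a script interpreter")
        elif client_type == CLIENT_TYPE_PATH and not client.startswith(TRUSTED_PATH_PREFIXES):
            reasons.append("path client outside /Applications or /System")
        if csreq is None:
            reasons.append("no code-signing requirement (csreq) stored")
        if reasons:
            findings.append({
                "service": SENSITIVE_SERVICES[service],
                "client": client,
                "last_modified": last_modified,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit_tcc(build_sample_db()):
        print(f"{f['service']:<28} {f['client']:<40} {'; '.join(f['reasons'])}")
```

On a live system, `last_modified` is the field to correlate with mail-delivery and process-start timestamps during incident response: a cluster of grants created within seconds of an `osascript` launch is far more telling than any single row, and the remediation the article recommends (resetting permissions, for example with `tccutil reset All`) clears exactly these rows.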

Additionally, the attackers deploy a Node.js backdoor that enables dynamic malware execution and remote control. When the victim enters credentials, the scripts verify them locally before exfiltrating them in Base64-encoded transfers. The pop-up dialogs closely resemble genuine system password prompts.


© 2026 Cryptofrontnews. All rights reserved.