Beware: Sophisticated Phishing Campaign Targets macOS Users with Fake Compliance Emails
A new and sophisticated phishing campaign has been identified, specifically targeting macOS users through deceptive compliance-related emails. This campaign employs advanced social engineering tactics combined with multi-stage, fileless malware to steal sensitive credentials and establish persistent remote access on compromised systems.
Initial Contact and Social Engineering Tactics
The attack begins with an email requesting the recipient to confirm their company’s legal name. This seemingly innocuous request is designed to establish trust and legitimacy. Once the victim responds, the attackers follow up with emails that appear to be from financial auditors or token vesting administrators. These messages often carry subject lines such as FY2025 External Audit or Token Vesting Confirmation, creating a sense of urgency and importance.
Malicious Attachments and Execution
The follow-up emails contain attachments disguised as Word or PDF documents. However, these files are actually AppleScript files with double extensions (e.g., Confirmation_Token_Vesting.docx.scpt), designed to conceal their true nature. When opened, these scripts initiate the malware infection process.
Multi-Stage Infection Process
Upon execution, the initial AppleScript displays a fake system settings window with a software update progress bar. This visual distraction allows the malware to run malicious code in the background without raising suspicion. The script collects system information, including CPU architecture and macOS version, and then downloads additional payloads from a remote server hosted at sevrrhst[.]com.
Credential Theft and Persistence Mechanisms
The malware displays fake system permission dialogs that mimic legitimate macOS security alerts, sometimes incorporating familiar elements such as Google avatars to appear authentic. These prompts trick users into entering their administrator password. Once captured, the credentials are Base64-encoded (obfuscated, not encrypted) and immediately sent to the attacker’s server.
Beyond credential theft, the malware attempts to bypass macOS’s Transparency, Consent, and Control (TCC) protections by writing entries directly into the TCC privacy database with SQL statements rather than going through the normal consent prompts. This silently grants the malware camera, screen-recording, and keyboard-monitoring access, giving the attackers long-term persistence and control over the compromised system.
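A defender-side check for the TCC tampering described above, added here as an example and not taken from the campaign report: it audits the `access` table of TCC.db for camera, screen-recording and input-monitoring grants that lack a stored code-signing requirement, name a filesystem path as the client, or belong to a client outside an allowlist. The in-memory sample database, the reduced column set and the three heuristics are assumptions constructed for illustration; on a real Mac reading TCC.db requires Full Disk Access.

```python
"""Audit TCC grants for the services the campaign targets (camera, screen
recording, input monitoring). build_sample_db() is a constructed, simplified
replica of the `access` table in TCC.db so this runs offline; on a real Mac
open the real file read-only instead, e.g. sqlite3.connect(
"file:/Library/Application Support/com.apple.TCC/TCC.db?mode=ro", uri=True)."""
import sqlite3

# Services the page says the malware grants itself; auth_value 2 == allowed.
SENSITIVE = {"kTCCServiceCamera": "camera",
             "kTCCServiceScreenCapture": "screen recording",
             "kTCCServiceListenEvent": "input (keyboard) monitoring"}
ALLOWED = 2

def build_sample_db():
    """Constructed rows: two grants tccd would write for signed apps (csreq
    present) and two rows inserted directly, as the page describes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, client_type "
                 "INTEGER, auth_value INTEGER, csreq BLOB, last_modified INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?,?)", [
        ("kTCCServiceCamera", "us.zoom.xos", 0, 2, b"\xfa\xde\x0c\x00", 1738000000),
        ("kTCCServiceScreenCapture", "com.apple.Terminal", 0, 2, b"\xfa\xde\x0c\x00", 1738000100),
        ("kTCCServiceScreenCapture", "/tmp/.update/helper", 1, 2, None, 1738100000),
        ("kTCCServiceListenEvent", "/tmp/.update/helper", 1, 2, None, 1738100001)])
    return conn

def audit_tcc(conn, allowlist):
    """Return allowed grants for sensitive services that look injected.
    Heuristics (assumptions, not guarantees): tccd stores a code-signing
    requirement (csreq) for grants it writes itself, a path-based client
    (client_type 1) is unusual for these services, and the client should be
    on the organisation's allowlist of bundle identifiers."""
    marks = ",".join("?" * len(SENSITIVE))
    rows = conn.execute("SELECT service, client, client_type, csreq, last_modified "
                        f"FROM access WHERE auth_value = ? AND service IN ({marks})",
                        (ALLOWED, *SENSITIVE))
    findings = []
    for service, client, ctype, csreq, ts in rows:
        why = []
        if csreq is None:
            why.append("no csreq stored")
        if ctype == 1:
            why.append("path-based client")
        if client not in allowlist:
            why.append("client not on allowlist")
        if why:
            findings.append({"service": SENSITIVE[service], "client": client,
                             "why": why, "last_modified": ts})
    return findings
```

Run `audit_tcc(build_sample_db(), {"us.zoom.xos", "com.apple.Terminal"})` to see the two injected rows flagged while the signed-app grants pass.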
Infrastructure and Indicators of Compromise
The attackers utilize disposable domains registered in late January 2026 to support this campaign. The command-and-control server at sevrrhst[.]com resolves to IP address 88.119.171.59, which hosts multiple similar malicious domains, indicating a pattern of infrastructure reuse.
Recommendations for Users
To protect against such sophisticated phishing campaigns, users are advised to:
– Exercise Caution with Unsolicited Emails: Be wary of unexpected emails requesting company information or containing urgent compliance-related messages.
– Verify Sender Authenticity: Confirm the legitimacy of the sender by contacting them through official channels before responding or opening attachments.
– Inspect File Extensions Carefully: Be cautious of files with double extensions or unfamiliar formats, as they may be disguised malicious scripts.
– Keep Systems Updated: Regularly update macOS and installed applications to patch known vulnerabilities.
– Use Security Software: Employ reputable antivirus and anti-malware solutions to detect and prevent malicious activities.
By remaining vigilant and adopting these best practices, users can significantly reduce the risk of falling victim to such advanced phishing attacks.