Sophisticated macOS Phishing Campaign Targets Users with Fake Compliance Emails
A new phishing campaign is targeting macOS users with a multi-stage malware attack disguised as compliance and audit notifications. Discovered by Chainbase Lab, the operation leverages social engineering to trick victims into executing malicious AppleScript files, leading to credential theft and persistent remote access.
The attack begins with seemingly innocuous emails requesting basic company details, such as legal names, to establish trust. Victims who respond receive follow-up messages with subject lines like "FY2025 External Audit" or "Token Vesting Confirmation", containing attachments masquerading as Word or PDF files. In reality, these are AppleScript files with double extensions (e.g., Confirmation_Token_Vesting.docx.scpt), designed to evade detection.
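The double-extension lure described above is cheap to screen for at the mail gateway or in an attachment-triage script: only the last suffix decides what macOS does on double-click, so a "document" suffix followed by a script suffix is a reliable flag. The following is an added defender-side example, not code from the article or from the researchers it cites; the extension lists are an assumption for this illustration and should be tuned to the environment, and the sample filenames are constructed apart from the lure name quoted in the article.

```python
"""Flag e-mail attachments whose name hides a script type behind a document extension.

Added defender-side example; it is not code from the article or from the
researchers it cites. The extension lists are an assumption chosen for this
illustration and should be tuned to the environment. Sample filenames are
constructed, apart from the lure name quoted in the article.
"""
from pathlib import PurePosixPath

# Extensions a recipient expects to open as a document.
DOCUMENT_EXTS = {".docx", ".doc", ".pdf", ".xlsx", ".pptx", ".txt"}
# Extensions that macOS hands to Script Editor, Terminal or a launcher on double-click.
EXECUTABLE_EXTS = {".scpt", ".applescript", ".app", ".command", ".sh", ".terminal"}


def classify_attachment(name: str):
    """Return None if the filename looks benign, otherwise a short reason string."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
        return None  # the real (last) extension is not one that executes
    real_ext = suffixes[-1]
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
        # Classic double extension: the visible "document" suffix is a decoy.
        return f"document extension {suffixes[-2]} masks executable type {real_ext}"
    return f"executable attachment type {real_ext}"


# Constructed sample batch; the first entry is the lure name from the article.
SAMPLE_ATTACHMENTS = [
    "Confirmation_Token_Vesting.docx.scpt",
    "FY2025_External_Audit.pdf",
    "Report.v2.pdf",
    "setup.command",
    "notes.txt",
]


def triage(names):
    """Map each flagged filename to its reason; benign names are dropped."""
    findings = {}
    for n in names:
        reason = classify_attachment(n)
        if reason:
            findings[n] = reason
    return findings


if __name__ == "__main__":
    for name, reason in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {reason}")
```

Note that a bare script attachment (`setup.command`) is reported as well, with a weaker reason; a name such as `Report.v2.pdf` is left alone because its final suffix is a document type.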
Researchers at SlowMist identified the malware’s infection chain, which starts with the AppleScript displaying fake macOS system prompts, including software update progress bars, to distract users while the malicious code executes. The script collects system details (CPU architecture, macOS version) and downloads additional payloads from the domain sevrrhst[.]com.
To bypass security, the malware presents counterfeit permission dialogs featuring Google avatar elements, tricking users into entering administrator passwords. Once obtained, credentials are Base64-encoded and exfiltrated to the attacker’s server. The malware further evades macOS Transparency, Consent, and Control (TCC) protections by injecting SQL commands into the privacy database, granting itself camera access, screen recording, and keylogging capabilities.
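Because the TCC grants described above are written straight into the privacy database rather than approved through a system prompt, the durable artefact is a row in TCC.db that the user never consented to. Periodically auditing a copy of that database for non-Apple clients holding camera, screen-recording or input-monitoring grants catches this regardless of how the row got there. The following is an added defender-side example, not code from the article or from the researchers it cites. It assumes the column subset (service, client, client_type, auth_value) of the `access` table in the TCC.db of recent macOS releases, with auth_value 2 meaning "allowed"; the rows are constructed and loaded into an in-memory SQLite database so the check runs offline.

```python
"""Audit a TCC database copy for non-Apple clients holding camera, screen or input grants.

Added defender-side example; it is not code from the article or from the
researchers it cites. It assumes the column subset (service, client,
client_type, auth_value) of the `access` table in the TCC.db of recent macOS
releases, with auth_value 2 meaning "allowed". The rows below are constructed
and loaded into an in-memory SQLite database so the check runs offline; on a
real host the same query is run against a copy of the system or user TCC.db.
"""
import sqlite3

# Services that map to the capabilities the article says the malware grants itself.
SENSITIVE_SERVICES = (
    "kTCCServiceCamera",          # camera
    "kTCCServiceScreenCapture",   # screen recording
    "kTCCServiceListenEvent",     # input monitoring (keystroke capture)
    "kTCCServiceAccessibility",   # synthetic input / broad UI access
)
AUTH_ALLOWED = 2  # assumed TCC encoding of an allowed decision

# Constructed sample rows: (service, client, client_type, auth_value).
# client_type 0 = bundle identifier, 1 = absolute path (assumed encoding).
SAMPLE_ROWS = [
    ("kTCCServiceCamera", "us.zoom.xos", 0, 2),                      # ordinary user grant
    ("kTCCServiceScreenCapture", "com.apple.screencaptureui", 0, 2), # Apple client
    ("kTCCServiceCamera", "/usr/local/bin/node", 1, 2),              # interpreter with camera
    ("kTCCServiceScreenCapture", "/usr/local/bin/node", 1, 2),
    ("kTCCServiceListenEvent", "/usr/local/bin/node", 1, 2),
    ("kTCCServiceAccessibility", "com.example.tool", 0, 0),          # denied, not a grant
]


def build_sample_db():
    """Create an in-memory table shaped like TCC.db's access table and load the samples."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, auth_value INTEGER)"
    )
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_suspicious_grants(conn, allowlist=()):
    """Return {client: sorted services} for allowed sensitive grants to non-Apple clients."""
    placeholders = ",".join("?" * len(SENSITIVE_SERVICES))
    rows = conn.execute(
        f"SELECT client, service FROM access WHERE auth_value = ? AND service IN ({placeholders})",
        (AUTH_ALLOWED, *SENSITIVE_SERVICES),
    ).fetchall()
    grants = {}
    for client, service in rows:
        if client.startswith("com.apple.") or client in allowlist:
            continue
        grants.setdefault(client, []).append(service)
    return {c: sorted(s) for c, s in grants.items()}


if __name__ == "__main__":
    for client, services in find_suspicious_grants(build_sample_db()).items():
        print(f"{client}: {', '.join(services)}")
```

On a live machine the system database lives at `/Library/Application Support/com.apple.TCC/TCC.db` and reading it requires Full Disk Access, so work from a copy taken by a management agent. The `allowlist` parameter is where known-good bundle identifiers go; a general-purpose interpreter path holding camera and input-monitoring grants, as in the constructed `node` rows, is the kind of entry that should never appear without an explicit change record.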
Persistence is maintained via a Node.js runtime environment, allowing attackers to execute arbitrary commands. The campaign’s infrastructure relies on throwaway domains registered in January 2026, with the command server at sevrrhst[.]com (IP: 88.119.171.59) hosting multiple malicious domains for reuse.
Source: https://cybersecuritynews.com/beware-of-new-compliance-emails/
Moonlock cybersecurity rating report: https://www.rankiteo.com/company/moonlock
{
  "id": "MOO1770130358",
  "linkid": "moonlock",
  "type": "Cyber Attack",
  "date": "1/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [{"type": "Individual Users, Organizations"}],
  "attack_vector": "Email (Phishing), Malicious AppleScript Files",
  "data_breach": {
    "data_exfiltration": "Base64-encoded credentials exfiltrated to attacker's server",
    "personally_identifiable_information": "Yes",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": ["Credentials", "System Details", "Camera Access", "Screen Recording", "Keylogging Data"]
  },
  "description": "A new phishing campaign is targeting macOS users with a multi-stage malware attack disguised as compliance and audit notifications. The operation leverages social engineering to trick victims into executing malicious AppleScript files, leading to credential theft and persistent remote access.",
  "impact": {
    "data_compromised": "Credentials, System Details, Camera Access, Screen Recording, Keylogging Data",
    "identity_theft_risk": "High",
    "systems_affected": "macOS Systems"
  },
  "initial_access_broker": {
    "backdoors_established": "Node.js Runtime Environment for Persistence",
    "entry_point": "Phishing Emails"
  },
  "investigation_status": "Ongoing",
  "motivation": "Credential Theft, Remote Access, Data Exfiltration",
  "post_incident_analysis": {
    "root_causes": "Social Engineering, macOS TCC Bypass, Fake Permission Dialogs"
  },
  "references": [{"source": "Chainbase Lab"}, {"source": "SlowMist"}],
  "response": {"third_party_assistance": "Chainbase Lab, SlowMist"},
  "title": "Sophisticated macOS Phishing Campaign Targets Users with Fake Compliance Emails",
  "type": "Phishing, Malware",
  "vulnerability_exploited": "Social Engineering, macOS TCC Bypass (SQL Injection into Privacy Database)"
}