New "Matryoshka" Variant of ClickFix Campaign Targets macOS Users with Advanced Evasion Tactics
A recently uncovered evolution of the ClickFix social engineering campaign dubbed Matryoshka is employing sophisticated nested obfuscation techniques to compromise macOS systems. The attack leverages typosquatting, fileless execution, and API-gated communication to evade detection while stealing sensitive data, including passwords and cryptocurrency wallet credentials.
Infection Chain & Attack Flow
The campaign begins with typosquatting, where attackers register domains mimicking legitimate sites (e.g., comparisions[.]org instead of comparisons.org). Victims redirected to these fake sites encounter a prompt instructing them to copy and paste a malicious Terminal command, bypassing traditional malware delivery methods.
Once executed, the attack unfolds in three stages:
- Clipboard Injection (Stage 0): The pasted command fetches a rogue shell script (rogue.sh) from an external server, which decodes and decompresses a base64-encoded payload in memory, avoiding disk-based detection.
- In-Memory Decode & Decompression (Stage 1): The payload is executed without writing to disk, further reducing visibility to security tools.
- API-Gated Loader (Stage 2): The malware loader communicates with a command-and-control (C2) server (barbermoo[.]xyz) using a custom header (api-key: 5190ef17…) to mask its activity. It suppresses output to evade monitoring.
Payload Objectives
The final payload deploys an AppleScript designed to:
- Steal passwords via a fake "System Preferences" phishing dialog if automated credential capture fails.
- Target cryptocurrency wallets (e.g., Trezor Suite, Ledger Live) by either replacing the application or tampering with its files to bypass integrity checks.
Stolen data is staged in /tmp/osalogging.zip before exfiltration to the attacker’s server.
Detection & Artifacts
While Matryoshka’s fileless execution complicates detection, security teams can monitor for:
- Suspicious network activity (e.g., connections to barbermoo[.]xyz or macfilesendstream[.]com).
- Unexpected AppleScript executions (osascript).
- Unauthorized modifications to crypto wallet applications or staging files in /tmp/.
Key Indicators
- C2 Domain: barbermoo[.]xyz
- Typosquatting Domain: comparisions[.]org
- SHA-256 Hashes:
  - 62ca9538889b767b1c3b93e76a32fb4469a2486cb3ccb5fb5fa8beb2dd0c2b90 (sample)
  - d675bff1b895b1a231c86ace9d7a39d5704e84c4bc015525b2a9c80c39158338 (rogue.sh)
  - 48770b6493f2b9b9e1d9bdbf482ed981e709bd03e53885ff992121af16f76a09 (inner loader)
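As an added example (not code from the original report or its cited source), the monitoring points listed under Detection & Artifacts and the indicators above can be turned into a small triage script: it walks constructed macOS telemetry lines and flags osascript executions, connections to barbermoo[.]xyz or macfilesendstream[.]com, creation of the /tmp/osalogging.zip staging file, and writes into wallet app bundles. The event line format and the /Applications/… wallet bundle paths are assumptions made for the example.

```python
import re

# Indicators named in the report above (defanged domains restored for matching).
C2_DOMAINS = {"barbermoo.xyz", "macfilesendstream.com"}
STAGING_PATH = "/tmp/osalogging.zip"
# Assumed install locations of the wallet apps the report says are targeted.
WALLET_APPS = ("/Applications/Trezor Suite.app", "/Applications/Ledger Live.app")

# Constructed sample telemetry (not real logs): one event per line, "kind|field=value|...".
SAMPLE_EVENTS = """\
exec|pid=412|user=alice|cmd=/usr/bin/osascript -e 'display dialog "System Preferences"'
net|pid=412|dst=barbermoo.xyz:443
file|pid=412|op=create|path=/tmp/osalogging.zip
file|pid=980|op=write|path=/Applications/Ledger Live.app/Contents/Resources/app.asar
exec|pid=77|user=alice|cmd=/bin/ls -la
net|pid=77|dst=example.com:443
"""

def parse_event(line):
    """Split 'kind|k=v|k=v' into a dict; values may contain '=' so split each field once."""
    kind, *fields = line.rstrip("\n").split("|")
    return {"kind": kind, **dict(f.split("=", 1) for f in fields)}

def check_event(ev):
    """Return a finding string if the event matches a Matryoshka indicator, else None."""
    if ev["kind"] == "exec" and re.search(r"(^|/)osascript\b", ev.get("cmd", "")):
        return f"pid {ev['pid']}: osascript execution ({ev['cmd'][:40]})"
    if ev["kind"] == "net":
        host = ev.get("dst", "").rsplit(":", 1)[0].lower()   # strip the port
        if host in C2_DOMAINS:
            return f"pid {ev['pid']}: connection to known C2 {host}"
    if ev["kind"] == "file":
        path = ev.get("path", "")
        if path == STAGING_PATH:
            return f"pid {ev['pid']}: staging archive {path} ({ev.get('op')})"
        if path.startswith(WALLET_APPS):
            return f"pid {ev['pid']}: modification of wallet app bundle ({path})"
    return None

def scan(text):
    """Run every non-empty telemetry line through check_event and collect findings."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            finding = check_event(parse_event(line))
            if finding:
                findings.append(finding)
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Correlating the hits by pid (412 runs osascript, contacts the C2 and writes the staging archive) is what separates this chain from a benign osascript use.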
The Matryoshka variant underscores the growing sophistication of macOS-targeted attacks, combining social engineering with advanced evasion techniques to bypass traditional defenses.
Source: https://cyberpress.org/matryoshka-steals-data-from-macos/
Trezor TPRM report: https://www.rankiteo.com/company/trezor
Incident record:
- id: tre1771316775
- linkid: trezor
- type: Cyber Attack
- date: 2/2026
- severity: 85
- impact: 4
- explanation: Attack with significant impact with customers data leaks