A new malware distribution trend is emerging across the macOS threat landscape, according to fresh research from Pepe Berba, Threat Detection & Hunting specialist at Canva. Attackers are now increasingly abusing AppleScript (.scpt) files to disguise malware as realistic-looking documents and installers — a technique historically associated with advanced persistent threat (APT) activity but now spreading into mass-distributed macOS stealers like MacSync and Odyssey.
Berba’s analysis highlights a sharp rise in malicious .scpt files masquerading as fake Office documents, Zoom updates, and Teams SDK installers, leveraging macOS’s trust in AppleScript and the Script Editor application.
Apple’s tightening of Gatekeeper in August 2024 — specifically the removal of the once-popular “right-click and open” bypass — has forced threat actors to evolve.
Berba outlines two well-known fallback methods, copy-paste-to-terminal delivery and drag-to-terminal DMGs, but warns that .scpt abuse is the next, and more convincing, evolution.
While AppleScript-based malware isn’t new, its growing popularity in the cybercriminal underground is alarming.
Threat actors now embed malicious payloads inside compiled or plaintext AppleScript files that appear legitimate:
- Fake Word or PowerPoint proposals
- Fake Chrome or Zoom update scripts
- Malicious installers hidden inside DMGs
- Fake Homebrew installer prompts
- Stealer malware delivered via deceptive landing pages
One notable example involved fake documents such as:
- Apeiron_Token_Transfer_Proposal.docx.scpt
- Stable1 Investment Proposal.pptx.scpt
Berba confirms, “Threat actors also used custom icons to make these fake documents even more convincing.”
By design, macOS opens .scpt files in Script Editor.app, not a text viewer. This helps attackers hide malicious content under dozens of blank lines — pushing the harmful code out of view while placing deceptive instructions at the top.
“Comments in the script encourage the user to run it, while hiding the real code behind a large number of blank lines.”
Once opened, pressing ⌘+R immediately executes the embedded malware — even when the file is quarantined by Gatekeeper.
This makes the technique extremely dangerous for unsuspecting users.
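As an added triage example (not Berba's code or tooling, and not from the original article), the Python below scores a plaintext .scpt file for the three lure traits the report describes: a document-style double extension such as .docx.scpt, a header comment urging the reader to press ⌘+R, and executable statements pushed below a long run of blank lines. The extension list, the 40-line gap threshold and the sample script are assumptions constructed here; the resource-fork custom-icon check is left out because it only works on macOS.

```python
import re
from pathlib import Path

# Document/installer extensions a lure may place in front of ".scpt" (assumed list)
LURE_INNER_EXTS = {".docx", ".pptx", ".xlsx", ".pdf", ".pkg", ".dmg"}
# A run of at least this many blank lines is treated as a "scroll-past" gap (assumed threshold)
BLANK_GAP_THRESHOLD = 40
# Header comments that nudge the reader to execute the script (Cmd+R / "run")
RUN_PROMPT = re.compile(r"(cmd|command|⌘)\s*\+?\s*r\b|\brun\b", re.I)

def is_double_extension_lure(name: str) -> bool:
    """True for names like 'Proposal.docx.scpt' that imitate a document."""
    suffixes = [s.lower() for s in Path(name).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] == ".scpt" and suffixes[-2] in LURE_INNER_EXTS

def find_hidden_code(lines):
    """Return (longest blank run seen, statements after the first gap >= threshold)."""
    run, longest = 0, 0
    for i, line in enumerate(lines):
        if not line.strip():
            run += 1
            longest = max(longest, run)
            continue
        if run >= BLANK_GAP_THRESHOLD:
            # Everything below the gap that is neither blank nor a comment is hidden code
            hidden = [l for l in lines[i:] if l.strip() and not l.strip().startswith("--")]
            return longest, hidden
        run = 0
    return longest, []

def triage_script(name: str, text: str) -> dict:
    """Score a plaintext AppleScript for the lure traits described in the report."""
    lines = text.splitlines()
    # Only the first screen of the file is visible when Script Editor opens it
    header = [l.strip() for l in lines[:20] if l.strip().startswith(("--", "#"))]
    gap, hidden = find_hidden_code(lines)
    signals = {
        "double_extension_lure": is_double_extension_lure(name),
        "prompts_user_to_run": any(RUN_PROMPT.search(l) for l in header),
        "code_after_blank_gap": gap >= BLANK_GAP_THRESHOLD and bool(hidden),
    }
    score = sum(signals.values())
    return {**signals, "blank_gap": gap, "hidden_statements": len(hidden),
            "verdict": "suspicious" if score >= 2 else "benign"}

# Constructed sample mimicking the lure layout: prompt on top, long blank gap, inert code below
SAMPLE_NAME = "Apeiron_Token_Transfer_Proposal.docx.scpt"   # file name cited in the report
SAMPLE_TEXT = ("-- Proposal document: press Cmd+R to open the full document\n"
               + "\n" * 60
               + 'do shell script "echo placeholder-for-hidden-payload"\n')
```

On a Mac, `xattr -l <file>` listing a `com.apple.ResourceFork` attribute on a script is the custom-icon signal the article describes below; that check is not part of the block because it needs macOS.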
Berba reports that techniques once tied to high-grade espionage actors like BlueNoroff are now appearing in low-grade commercial stealers.
“We’ve found some instances of this technique being used by commodity malware, like Odyssey Stealer and MacSync Stealer. Increasing commodity usage suggests trickle-down of APT techniques.”
This democratization of advanced macOS tradecraft signals a worsening threat environment for everyday users and enterprises alike.
Attackers have been distributing convincing fake installers, including:
- MSTeamsUpdate.scpt
- Zoom SDK Update.scpt
- InstallSoftZone.scpt
- Microsoft.TeamsSDK.scpt
Alarmingly, Berba notes that several of these scripts still have zero detections on VirusTotal, giving attackers a significant advantage.
One of the most concerning trends Berba highlights is the abuse of macOS resource forks to equip malicious files with highly convincing custom icons. This functionality applies to any file type — .command, .txt, .js, or extensionless files — dramatically increasing the potential for deception.