Mac users, often confident in the “walled garden” security of their devices, are facing a new threat that doesn’t rely on cracking code, but on cracking human trust. A new investigation by Darktrace security researchers has uncovered a sophisticated multi-stage malware campaign that uses a fake “Compatibility Wizard” to trick victims into handing over the keys to their privacy settings.
The campaign highlights a growing trend in the Apple ecosystem: as macOS hardens its defenses with tools like Gatekeeper and System Integrity Protection (SIP), attackers are pivoting away from complex exploits and toward social engineering.
The attack begins with a phishing email that appears strictly business. The lure is a file named Confirmation_Token_Vesting.docx.scpt, masquerading as a legitimate Microsoft Word document. However, the .scpt extension reveals its true nature: it is an AppleScript file, a powerful automation tool built into macOS.
When the victim opens the file, they don’t get a document. Instead, they are greeted with a fake error message claiming the file “couldn’t be opened due to a compatibility issue.” The prompt offers a helpful solution: “Launching the ‘Compatibility Wizard’ with (or +R) will resolve the issue”.

This instruction is the trap. By following the prompt, the user is unknowingly authorizing the malware to execute malicious commands.
The core goal of this campaign is to bypass macOS’s Transparency, Consent, and Control (TCC) framework—the system that asks you if an app can access your camera, microphone, or files.
Instead of finding a technical vulnerability to bypass TCC, the attackers simply ask the user to bypass it for them.
“As a result, macOS threats rely more heavily on social engineering instead of vulnerability exploitation to deliver payloads,” the Darktrace report notes.
By creating a sense of urgency and offering a “fix” for a technical glitch, the attackers manipulate the user into granting permissions that allow the malware to establish persistence via LaunchAgents, ensuring it survives system reboots.
Once the user has been tricked, the malware drops its payload: a modular loader built on Node.js. This choice of technology allows for flexibility and stealth.
“The malware establishes persistence via LaunchAgents and deploys a modular Node.js loader capable of executing binaries delivered from a remote command-and-control (C2) server,” the researchers explain.
This loader functions as a command loop, constantly checking in with the attacker’s server (identified as sevrrhst[.]com) for new instructions. It downloads a Base64-encoded JavaScript file named addon.js, which then retrieves and executes a binary payload called node_addon silently in the background.
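The persistence the report describes (a LaunchAgent that keeps a Node.js loader running across reboots) leaves a plist on disk that a defender can inspect. The following is an added example, not code from the Darktrace report: it parses LaunchAgent plists with the standard `plistlib` and flags the traits a loader of this kind would exhibit (an interpreter such as `node` as the program, a script payload in a scratch directory, RunAtLoad plus KeepAlive). The two sample plists are constructed for the example; only the `addon.js` filename comes from the article.

```python
import plistlib
from pathlib import Path

# Constructed sample LaunchAgent plists (not from the report). The first mimics a
# benign agent; the second mimics the Node.js-loader persistence described above.
SAMPLE_PLISTS = {
    "com.example.benign.plist": {
        "Label": "com.example.benign",
        "ProgramArguments": ["/usr/bin/defaults", "read", "com.example.benign"],
    },
    "com.example.compatwizard.plist": {
        "Label": "com.example.compatwizard",
        "ProgramArguments": ["/usr/local/bin/node",
                             "/Users/victim/Library/Caches/addon.js"],
        "RunAtLoad": True,
        "KeepAlive": True,
    },
}

# Interpreters that a dropped loader commonly launches directly (assumption-based list).
INTERPRETERS = ("node", "osascript", "bash", "sh", "zsh", "python", "python3", "curl")
SCRATCH_DIRS = ("/Library/Caches/", "/tmp/", "/var/folders/", "/private/tmp/")


def assess_launch_agent(plist: dict) -> list[str]:
    """Return human-readable reasons a LaunchAgent looks like loader persistence."""
    reasons = []
    args = plist.get("ProgramArguments") or []
    if not args:
        return reasons
    prog = Path(args[0]).name
    if prog in INTERPRETERS:
        reasons.append(f"program is an interpreter: {prog}")
    for arg in args[1:]:
        if arg.endswith((".js", ".scpt", ".sh", ".py")):
            reasons.append(f"script payload passed as argument: {arg}")
        if any(d in arg for d in SCRATCH_DIRS):
            reasons.append(f"payload lives in a scratch directory: {arg}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad and KeepAlive set: relaunched at login and on exit")
    return reasons


def scan_plist_bytes(data: bytes) -> list[str]:
    """Parse raw plist bytes (XML or binary) and assess them."""
    return assess_launch_agent(plistlib.loads(data))


def scan_samples() -> dict[str, list[str]]:
    """Serialise the constructed samples and run them through the real parser path."""
    return {name: scan_plist_bytes(plistlib.dumps(p)) for name, p in SAMPLE_PLISTS.items()}


def scan_directory(directory: str = "~/Library/LaunchAgents") -> dict[str, list[str]]:
    """Assess every .plist in a LaunchAgents directory (for use on a real Mac)."""
    results = {}
    for path in Path(directory).expanduser().glob("*.plist"):
        results[path.name] = scan_plist_bytes(path.read_bytes())
    return results
```

Running `scan_directory()` on a Mac reports, per agent, only the traits that matched, so an empty list means nothing in this heuristic fired, not that the agent is safe.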
While this specific campaign’s final payload was not fully active at the time of analysis, the implications are clear. If the initial social engineering succeeds, the malware could access sensitive resources like the camera or screen capture without ever triggering another warning prompt.
“This campaign shows how a malicious threat actor can use an AppleScript loader to exploit user trust and manipulate TCC authorization mechanisms,” Darktrace concludes.