A new, sophisticated phishing campaign targeting macOS users has been identified, employing fake compliance emails to deliver advanced malware designed to steal sensitive data. Researchers at Chainbase Lab and SlowMist have detailed the attack, which impersonates legitimate audit and compliance notifications to trick victims into compromising their systems. This threat highlights the evolving tactics of cybercriminals and the critical need for enhanced cybersecurity awareness, particularly concerning weaponized Word and PDF files.
The campaign begins with initial contact where attackers solicit basic company information, building a veneer of legitimacy before escalating their efforts. Subsequently, victims receive follow-up emails referencing urgent deadlines such as “FY2025 External Audit” or “Token Vesting Confirmation.” These emails contain seemingly innocuous attachments, masquerading as common document types like Word or PDF files, but are in fact malicious AppleScript files. These scripts, often using double extensions to obscure their true nature, serve as the entry point for a multi-stage malware infection, according to SlowMist analysts.
Deception and Evasion Through Fake System Prompts
The malware’s operational methodology relies heavily on social engineering and sophisticated evasion techniques. The initial AppleScript, identified as “Confirmation_Token_Vesting.docx.scpt” by researchers, executes in the background. To divert attention, it presents users with fake system update progress bars, creating a sense of normal system activity while malicious code operates unseen. This script meticulously gathers system information, including the CPU architecture and the specific macOS version, which is then transmitted to a command and control server located at the suspicious domain sevrrhst[.]com.
A key element of the attack chain involves deceptive system prompts designed to bypass macOS security measures. These fake dialog boxes are crafted to mimic legitimate macOS security alerts and even incorporate visual elements like Google avatars to enhance their perceived authenticity. The primary objective is to trick users into entering their administrator passwords. Once a password is provided, the malware validates it against the system and immediately exfiltrates the credentials, Base64 encoded, to the remote attacker-controlled server. This credential theft is a critical step in achieving deeper access to the compromised system and its data.
Beyond immediate credential harvesting, the malware employs advanced techniques to gain persistent access and control. It attempts to circumvent macOS’s privacy controls, known as Transparency, Consent, and Control (TCC), by directly injecting SQL statements into the system’s privacy database. This allows the malware to silently acquire sensitive permissions, including access to the camera, screen recording capabilities, and keyboard monitoring functions. Furthermore, the attackers establish a persistent Node.js runtime environment on the victim machine, enabling them to execute arbitrary commands remotely and maintain a long-term foothold.
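Two defender-side checks drawn from the behaviour described above (the double-extension AppleScript attachments and the sensitive TCC grants written straight into the privacy database), as an added example that is not part of the original report or the researchers' tooling. It assumes the macOS 11+ column names of the TCC `access` table (`service`, `client`, `auth_value`, with 2 meaning allowed), uses a constructed in-memory stand-in for TCC.db, and the client path `/usr/local/bin/node` and bundle id `com.example.videochat` are made-up sample values.

```python
import sqlite3
from pathlib import PurePosixPath

# Attachment pattern from the report: a script suffix hidden behind a
# document suffix, e.g. "Confirmation_Token_Vesting.docx.scpt".
DOC_SUFFIXES = {".docx", ".doc", ".pdf", ".xlsx"}
SCRIPT_SUFFIXES = {".scpt", ".applescript", ".command", ".sh"}

# TCC services the report says the malware grants itself via SQL writes.
SENSITIVE_SERVICES = {"kTCCServiceCamera", "kTCCServiceScreenCapture",
                      "kTCCServiceListenEvent"}
TCC_ALLOWED = 2  # auth_value meaning "allowed" in the access table (macOS 11+)


def is_disguised_script(filename: str) -> bool:
    """True when a script suffix directly follows a document suffix."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    return (len(suffixes) >= 2 and suffixes[-1] in SCRIPT_SUFFIXES
            and suffixes[-2] in DOC_SUFFIXES)


def audit_tcc(con: sqlite3.Connection, expected_clients=frozenset()) -> list:
    """Return sorted (service, client) pairs holding a sensitive grant whose
    client is not on the expected list. Pass a connection to a copy of
    TCC.db; only columns present in the real 'access' table are read."""
    rows = con.execute(
        "SELECT service, client FROM access WHERE auth_value = ?", (TCC_ALLOWED,)
    ).fetchall()
    return sorted((s, c) for s, c in rows
                  if s in SENSITIVE_SERVICES and c not in expected_clients)


def build_sample_tcc() -> sqlite3.Connection:
    """Constructed in-memory stand-in for TCC.db with a reduced schema."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE access (service TEXT, client TEXT, "
                "client_type INTEGER, auth_value INTEGER)")
    con.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        ("kTCCServiceCamera", "com.example.videochat", 0, TCC_ALLOWED),
        ("kTCCServiceScreenCapture", "/usr/local/bin/node", 1, TCC_ALLOWED),
        ("kTCCServiceListenEvent", "/usr/local/bin/node", 1, TCC_ALLOWED),
        ("kTCCServiceMicrophone", "com.example.videochat", 0, 0),  # denied
    ])
    con.commit()
    return con


if __name__ == "__main__":
    print(is_disguised_script("Confirmation_Token_Vesting.docx.scpt"))  # True
    for hit in audit_tcc(build_sample_tcc(), {"com.example.videochat"}):
        print("unexpected TCC grant:", hit)
```

Against a real system, run the audit on a copy of `/Library/Application Support/com.apple.TCC/TCC.db` (and the per-user copy under `~/Library/Application Support/com.apple.TCC/`) with the organisation's approved clients as `expected_clients`.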
The infrastructure supporting this ongoing phishing campaign is notable for its use of disposable domains, with many registered recently in late January 2026. The central command server, sevrrhst[.]com, is linked to the IP address 88.119.171.59. This IP address also hosts over ten other similar malicious domains, indicating a strategy of infrastructure reuse to maintain operational resilience and potentially distribute the attack across various vectors. The combination of social engineering, advanced evasion, and robust infrastructure suggests a well-resourced and determined threat actor.
Victims of this campaign are at significant risk of extensive data breaches and unauthorized system access. The ability of the malware to bypass security features and establish persistent remote access means that sensitive personal and corporate information could be compromised. Moving forward, cybersecurity authorities will likely continue to monitor the infrastructure associated with this campaign, aiming to disrupt its operations and warn potential targets. Users, particularly those on macOS, are strongly advised to exercise extreme caution with unsolicited emails, verify sender identities, and meticulously inspect all attachments before opening them, especially those related to compliance or financial matters.