A sophisticated phishing campaign targeting macOS users is distributing advanced malware through phony compliance emails that carry malicious attachments. The campaign, which poses as authentic audit and compliance notifications to trick users, was recently discovered by Chainbase Lab.

The attack chain combines social engineering with multi-stage fileless payloads to harvest credentials and establish long-term remote access on target machines. Attackers begin by asking users to verify the legal name of their company. They then follow up with messages purporting to come from token vesting administrators or financial auditors, with malicious attachments included.

Users are tricked into opening weaponized documents by a series of well-planned steps.

The initial emails ask recipients for basic company information to build trust before the second wave arrives. Once victims reply, attackers send follow-up messages with subject lines referencing "FY2025 External Audit" or "Token Vesting Confirmation" deadlines. These emails carry attachments that masquerade as Word or PDF documents but are actually AppleScript files, relying on double extensions to conceal their true nature.

According to SlowMist analysts, the malware uses a multi-stage infection process in which the first AppleScript file acts as the gateway for downloading and running further malicious code. The main infection vector is the file "Confirmation_Token_Vesting.docx.scpt": the name reads like a Word document, but the final .scpt extension is what macOS acts on, so the file opens and executes as an AppleScript rather than as a document.
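The double-extension trick above is easy to catch mechanically once you compare the extension a user sees with the one the OS acts on. The following script is an added example, not code from the campaign analysis or from SlowMist: it flags attachment names whose last extension is executable on macOS while an earlier extension promises a document, and it goes beyond the article's .scpt case by also covering other script and launcher extensions. The extension lists and the sample attachment names are constructed for illustration.

```python
"""Flag e-mail attachment names that hide an executable macOS script behind
a document-looking extension, as with Confirmation_Token_Vesting.docx.scpt.

Added example; not code from the campaign analysis. The extension lists and
the sample attachment names are constructed for illustration.
"""
from __future__ import annotations

# Extensions that Mail and Finder present as ordinary documents (constructed list).
DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx", "txt", "rtf", "csv"}

# Final extensions that macOS hands to an interpreter or launcher instead of a
# viewer. .scpt/.scptd/.applescript are the AppleScript forms used here; the rest
# are other common disguises and go beyond the case in the article.
EXECUTABLE_EXTS = {"scpt", "scptd", "applescript", "app", "command", "sh", "zsh",
                   "pkg", "dmg", "js", "py", "pl", "rb"}


def classify_attachment(filename: str) -> dict:
    """Return a verdict dict for one attachment name.

    A name is suspicious when its last extension is executable and any earlier
    extension is a document type: the part the user reads promises a document,
    the part the OS acts on is a script. Whitespace padding between the two
    extensions ("Report.pdf      .scpt") is tolerated so it cannot be used to
    push the real extension off-screen.
    """
    parts = [p.strip() for p in filename.strip().lower().split(".")]
    # Fewer than three dot-separated parts means at most one extension.
    if len(parts) < 3:
        return {"filename": filename, "suspicious": False,
                "reason": "single or no extension"}
    final_ext, inner_exts = parts[-1], parts[1:-1]
    if final_ext in EXECUTABLE_EXTS and any(e in DOCUMENT_EXTS for e in inner_exts):
        displayed = ".".join(parts[:-1])
        return {"filename": filename, "suspicious": True,
                "reason": f"shows as '{displayed}' but executes as .{final_ext}"}
    return {"filename": filename, "suspicious": False,
            "reason": "no document/executable mismatch"}


def scan_attachments(filenames: list[str]) -> list[dict]:
    """Return only the suspicious verdicts for a batch of attachment names."""
    return [v for v in map(classify_attachment, filenames) if v["suspicious"]]


if __name__ == "__main__":
    # Constructed sample batch: two disguised scripts, three benign names.
    SAMPLE = [
        "Confirmation_Token_Vesting.docx.scpt",    # the lure named in the article
        "FY2025_External_Audit.pdf        .command",
        "FY2025_External_Audit.pdf",
        "vendor-list.tar.gz",
        "notes.txt",
    ]
    for hit in scan_attachments(SAMPLE):
        print(f"SUSPICIOUS {hit['filename']!r}: {hit['reason']}")
```

Run it over attachment names pulled from a mail gateway log or a quarantine export; a multi-part archive name such as vendor-list.tar.gz is not flagged because its final extension is not executable, which keeps the check from drowning in false positives.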

To divert users' attention while malicious code executes in the background, the first-stage AppleScript opens fictitious System Settings windows showing software update progress bars.

File in AppleScript (Source: Medium)

After gathering system data, such as CPU architecture and macOS version, the script downloads further payloads from the dubious domain sevrrhst[.]com.

Detection Evasion Using Fake System Prompts

A key component of the malware's detection evasion strategy is displaying convincing permission dialogs that mimic macOS security alerts.

index.js (Source: Medium)

These phony prompts, dressed up with Google avatar elements to look authentic, trick users into entering their administrator passwords. The script verifies the password against the system and then immediately exfiltrates the credentials to the remote server, Base64-encoded. Base64 is an encoding, not encryption, so anyone inspecting the captured traffic can recover the password directly.

Analysis of the domain sevrrhst[.]com (Source: Medium)

Beyond stealing credentials, the malware also tries to bypass macOS TCC (Transparency, Consent, and Control) protections by inserting SQL statements directly into the privacy database. If that succeeds, the malware covertly grants itself camera access, screen recording rights, and keyboard monitoring capabilities. On current macOS releases the TCC databases are guarded by System Integrity Protection and Full Disk Access requirements, so direct writes only succeed where those protections have been bypassed or disabled; an unexpected allow entry for a script interpreter in TCC.db is therefore a strong indicator of compromise.
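A grant planted by a raw SQL insert tends to look different from one the user consented to: the client is a path to an interpreter rather than a signed app's bundle identifier, and the code-signing requirement TCC normally records alongside a consent is missing. The auditor below is an added example, not part of the campaign write-up or SlowMist's tooling; it runs against a constructed, reduced copy of TCC's `access` table built in memory, since the real databases (the per-user copy under ~/Library/Application Support/com.apple.TCC/TCC.db and the system copy under /Library/Application Support/com.apple.TCC/TCC.db) are readable only from a process that itself holds Full Disk Access. The service identifiers and column names are the real TCC ones; the client paths, the csreq placeholder and the sample rows are constructed.

```python
"""Audit a TCC (Transparency, Consent, and Control) database for privacy
grants that look planted rather than consented to.

Added example; not part of the campaign write-up. It runs against a
constructed, reduced copy of TCC's `access` table built in memory, because the
real databases
    ~/Library/Application Support/com.apple.TCC/TCC.db   (per-user grants)
    /Library/Application Support/com.apple.TCC/TCC.db    (system-wide grants)
are readable only from a process that itself holds Full Disk Access.
"""
from __future__ import annotations
import sqlite3

# The capabilities the article says the malware grants itself, plus the other
# services an info-stealer typically wants. These are the real kTCCService names.
SENSITIVE_SERVICES = {
    "kTCCServiceCamera": "camera",
    "kTCCServiceMicrophone": "microphone",
    "kTCCServiceScreenCapture": "screen recording",
    "kTCCServiceListenEvent": "input monitoring (keyboard)",
    "kTCCServiceAccessibility": "accessibility (synthetic input)",
    "kTCCServiceSystemPolicyAllFiles": "full disk access",
}
# Path-identified clients that should essentially never hold such grants: shells,
# interpreters, and a dropped Node.js runtime of the kind the article describes.
INTERPRETER_SUFFIXES = ("/node", "/osascript", "/bash", "/zsh", "/sh", "/python",
                        "/python3", "/perl", "/curl")
AUTH_ALLOWED = 2          # auth_value on macOS 11+: 0 denied, 1 unknown, 2 allowed, 3 limited
CLIENT_TYPE_PATH = 1      # client_type: 0 bundle identifier, 1 absolute path


def build_constructed_tcc_db() -> sqlite3.Connection:
    """In-memory stand-in carrying only the columns the audit needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE access (
            service     TEXT    NOT NULL,
            client      TEXT    NOT NULL,
            client_type INTEGER NOT NULL,
            auth_value  INTEGER NOT NULL,
            csreq       BLOB            -- code-signing requirement TCC records on consent
        )""")
    # Constructed placeholder for a real csreq blob (a signed app's designated requirement).
    csreq = b"\xfa\xde\x0c\x00constructed-requirement"
    rows = [
        # Grants a user would recognise: bundle-identified apps with a csreq.
        ("kTCCServiceCamera",        "us.zoom.xos",                        0, 2, csreq),
        ("kTCCServiceScreenCapture", "com.apple.screencaptureui",          0, 2, csreq),
        # Rows of the kind a direct INSERT by malware leaves behind (constructed):
        # interpreter paths, allowed, with no code-signing requirement attached.
        ("kTCCServiceCamera",        "/Users/victim/.local/node/bin/node", 1, 2, None),
        ("kTCCServiceScreenCapture", "/Users/victim/.local/node/bin/node", 1, 2, None),
        ("kTCCServiceListenEvent",   "/usr/bin/osascript",                 1, 2, None),
        # A denied row is not a live grant and must not be reported.
        ("kTCCServiceMicrophone",    "/usr/bin/osascript",                 1, 0, None),
    ]
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def audit_tcc(conn: sqlite3.Connection) -> list[dict]:
    """Return live sensitive grants whose client or provenance looks planted."""
    findings = []
    cur = conn.execute(
        "SELECT service, client, client_type, csreq FROM access WHERE auth_value = ?",
        (AUTH_ALLOWED,))
    for service, client, client_type, csreq in cur:
        if service not in SENSITIVE_SERVICES:
            continue
        reasons = []
        if client_type == CLIENT_TYPE_PATH and client.endswith(INTERPRETER_SUFFIXES):
            reasons.append("grant to a script interpreter by absolute path")
        if csreq is None:
            reasons.append("no code-signing requirement recorded")
        if reasons:
            findings.append({"service": service, "capability": SENSITIVE_SERVICES[service],
                             "client": client, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_tcc(build_constructed_tcc_db()):
        print(f"{f['capability']:<30} {f['client']:<40} {'; '.join(f['reasons'])}")
```

On a live host, copy the two databases from a terminal that has been granted Full Disk Access and point `sqlite3.connect()` at the copies. Camera and microphone grants live in the per-user database; screen recording, input monitoring, accessibility and full disk access are recorded in the system-wide one, so both need to be checked to cover the capabilities the article lists.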

Persistence comes from a Node.js runtime environment installed on the compromised machine, which lets the attacker retain long-term access and execute arbitrary commands. The campaign's infrastructure relies on disposable domains registered in late January 2026; the command-and-control server sevrrhst[.]com resolves to 88.119.171.59, an IP address that also hosts more than ten similar malicious domains, indicating infrastructure reuse across campaigns.