The Daily CyberSecurity reports a new macOS campaign that uses a fake “Compatibility Wizard” to trick users into bypassing macOS’s Transparency, Consent, and Control (TCC) framework, enabling the malware to access sensitive resources. The infection starts with a phishing email offering a file named Confirmation_Token_Vesting.docx[.]scpt, which is actually an AppleScript that prompts the user to run the script with a message about a compatibility issue.
By following the prompt, the victim unwittingly authorises the malware to execute commands and establish persistence via LaunchAgents. The payload is a modular loader built on Node[.]js that can execute binaries delivered from a remote command-and-control server, downloading a Base64-encoded JavaScript file named addon[.]js to retrieve and run a binary payload called node_addon in the background.
The researchers note that the final payload was not fully active at analysis time, but if successful, the campaign could enable access to devices’ camera or screen capture without further prompts, illustrating how social engineering is used to exploit trust rather than technical flaws, according to Darktrace. The attackers’ server is identified in the report as sevrrhst[.]com.
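As an added defender-side example (not code from the Daily CyberSecurity or Darktrace report), the Python below scans LaunchAgent plists for the persistence pattern described above: a Node.js or AppleScript interpreter launched against a script in a user-writable path, cross-checked against the file and domain names the report gives. The plist contents, label and paths are constructed for the example; the real agent's plist is not published on this page.

```python
import plistlib
import re

# Constructed sample LaunchAgent plists (hypothetical content; the report does not
# publish the real plist). The first mimics the Node.js loader persistence the report
# describes; the second is a benign vendor updater used as a control.
SAMPLE_PLISTS = {
    "com.compat.wizard.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.compat.wizard</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/node</string>
<string>/Users/victim/Library/Caches/addon.js</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>""",
    "com.example.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>""",
}

# Indicators named in the report (defanged there, written plainly here for matching).
REPORT_INDICATORS = ("addon.js", "node_addon", "Confirmation_Token_Vesting.docx.scpt", "sevrrhst.com")
# Interpreters the chain relies on: AppleScript for the lure, Node.js for the loader.
INTERPRETER = re.compile(r"(^|/)(osascript|node)$")
# Scripts under a user's home are writable without elevation, a typical drop location (heuristic).
USER_WRITABLE = re.compile(r"^/Users/[^/]+/")

def assess_launch_agent(data):
    """Return the reasons a single LaunchAgent plist resembles this campaign ([] if clean)."""
    plist = plistlib.loads(data)
    args = list(plist.get("ProgramArguments") or [])
    if isinstance(plist.get("Program"), str):
        args.insert(0, plist["Program"])
    reasons = []
    if args and INTERPRETER.search(args[0]):
        reasons.append(f"runs interpreter {args[0]}")
    if len(args) > 1 and USER_WRITABLE.match(args[1]):
        reasons.append(f"script in user-writable path {args[1]}")
    joined = " ".join(args)
    reasons += [f"reported indicator {ioc}" for ioc in REPORT_INDICATORS if ioc in joined]
    if reasons and plist.get("RunAtLoad"):
        reasons.append("RunAtLoad set")
    return reasons

def scan(plists):
    """Map each flagged plist name to its reasons; clean plists are omitted."""
    return {n: r for n, r in ((n, assess_launch_agent(d)) for n, d in plists.items()) if r}
```

On a real host, feed `scan` the bytes of each file in `~/Library/LaunchAgents` and `/Library/LaunchAgents`; the interpreter-plus-user-writable-script combination is the durable signal, while the report's file names will change between campaigns.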