www.darktrace.com 2/5/2026, 9:21:13 PM

AppleScript Abuse: Unpacking a macOS Phishing Campaign

Darktrace researchers describe a macOS phishing campaign that combines social engineering, AppleScript loaders and an attempted abuse of macOS Transparency, Consent and Control (TCC) to gain privileged access. The infection chain starts with a phishing email that asks the user to download an AppleScript file masquerading as a Word document; the malicious segment is buried deep in the script so that a user who skims it is unlikely to notice it before running it.

The payload calls home to sevrrhst[.]com to fetch a second stage, saves a hidden file at ~/.ex.scpt and harvests credentials through a fake dialog box that prompts for a username and password, which are then exfiltrated. The attackers next attempt to forge TCC authorisations by manipulating code-signing requirements and bypassing integrity checks, which allows persistence through LaunchAgents and lets them act through trusted binaries such as Terminal and osascript.
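A host-side hunt for the persistence pattern described above, added here as an example and not code from Darktrace's write-up or from the campaign: it parses LaunchAgent property lists and flags agents that run a trusted interpreter such as osascript against a hidden script file like ~/.ex.scpt. The sample plists are constructed inline (their labels, the /Users/alice paths and the inclusion of node as a watched interpreter are assumptions), so the check runs offline; the last function applies the same check to a live user's ~/Library/LaunchAgents.

```python
"""Hunt LaunchAgent plists for interpreter-based persistence (added example)."""
from __future__ import annotations

import os
import plistlib
from pathlib import Path

# Trusted binaries the write-up says the campaign drives; "node" is an
# assumption based on the later Node.js loader stage.
WATCHED_INTERPRETERS = {"osascript", "Terminal", "node"}
SCRIPT_SUFFIXES = (".scpt", ".applescript", ".js")


def is_hidden_path(path: str) -> bool:
    """True if any component of the path is a dot-file or dot-directory."""
    return any(part.startswith(".") and part not in (".", "..")
               for part in Path(path).parts)


def suspicious_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return the reasons an agent looks like script persistence; [] if clean."""
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception as exc:  # a truncated or non-plist file is itself worth a look
        return [f"unparseable plist: {exc.__class__.__name__}"]
    reasons: list[str] = []
    args = [str(a) for a in plist.get("ProgramArguments") or []]
    program = plist.get("Program")
    binary_path = program if isinstance(program, str) else (args[0] if args else None)
    if binary_path is None:
        return reasons
    binary = os.path.basename(binary_path)
    if binary in WATCHED_INTERPRETERS:
        reasons.append(f"runs trusted interpreter {binary!r}")
    # argv[1:] is where an interpreter receives the script it should run
    for arg in args[1:]:
        if arg.endswith(SCRIPT_SUFFIXES) and is_hidden_path(arg):
            reasons.append(f"executes hidden script {arg!r}")
    if reasons and plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad and KeepAlive keep it resident across logins")
    return reasons


def hunt_launch_agents(plists: dict[str, bytes]) -> dict[str, list[str]]:
    """Apply the check to {label: plist_bytes} and return only the hits."""
    return {label: r for label, data in plists.items()
            if (r := suspicious_launch_agent(data))}


def hunt_live_user_agents(home: Path | None = None) -> dict[str, list[str]]:
    """Read every plist in the user's ~/Library/LaunchAgents and return the hits."""
    agents_dir = (home or Path.home()) / "Library" / "LaunchAgents"
    if not agents_dir.is_dir():
        return {}
    return hunt_launch_agents({p.name: p.read_bytes() for p in agents_dir.glob("*.plist")})


# Constructed samples (not real artefacts): one agent mimicking the described
# persistence, one ordinary user agent that should not fire.
SAMPLE_AGENTS = {
    "com.constructed.updater.plist": plistlib.dumps({
        "Label": "com.constructed.updater",
        "ProgramArguments": ["/usr/bin/osascript", "/Users/alice/.ex.scpt"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
    "com.constructed.backup.plist": plistlib.dumps({
        "Label": "com.constructed.backup",
        "ProgramArguments": ["/usr/bin/python3", "/Users/alice/Library/Scripts/backup.py"],
        "StartInterval": 3600,
    }),
}

if __name__ == "__main__":
    for label, reasons in hunt_launch_agents(SAMPLE_AGENTS).items():
        print(label)
        for reason in reasons:
            print("  -", reason)
```

The check deliberately keys on the combination of a trusted interpreter and a hidden script path rather than on the specific ~/.ex.scpt name, since the dropped filename is the easiest part of the chain for an operator to change; on a live host, also compare the flagged agent's timestamps with the phishing email's delivery time.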

A subsequent C2 stage delivers a modular Node.js loader and a JavaScript payload, with the final objective of long-term access and data collection, including system information and continuous status reports back to the C2. The campaign illustrates how threat actors rely on trusted system components and social engineering to extend dwell time without exploiting any macOS vulnerability.


Article by CyberSIXT