A newly observed phishing campaign is abusing fake “audit/compliance confirmation” emails to target macOS users and steal highly sensitive data.
The campaign uses convincing business-themed lures and malicious attachments that masquerade as Word or PDF files to trick employees into executing an AppleScript-based payload.
Attackers begin by sending emails asking recipients to “confirm the company’s legal English name,” then follow up with subjects such as “FY2025 External Audit” or “Token Vesting Confirmation submission deadline.”
Chainbase Lab first detected suspicious messages posing as routine corporate compliance checks and shared sanitized samples with the SlowMist security team for joint analysis.
These messages include files like “Confirmation_Token_Vesting.docx.scpt,” which appear to be standard DOCX documents but are actually AppleScript (.scpt) files hidden behind a double extension.
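As an added triage helper (not code from the article, SlowMist or Chainbase Lab), the POSIX shell script below flags attachments that hide a .scpt behind a document-looking double extension and checks file SHA-256 digests against the hashes in the article's IOC table. Only the .docx.scpt pairing is attested by the article; the other extension pairs it treats as suspicious are an assumption covering the same trick with other Office and PDF extensions.

```shell
#!/bin/sh
# Added triage helper; not code from the article, SlowMist or Chainbase Lab.
# 1) flags attachments that hide an AppleScript behind a document-looking
#    double extension, e.g. Confirmation_Token_Vesting.docx.scpt
# 2) matches the SHA-256 of files against the IOC hashes from the article's table

# SHA-256 values copied from the article's IOC table.
IOC_HASHES='3e4d35903c51db3da8d4bd77491b5c181b7361aaf152609d03a1e2bb86faee43
f9e0376114c57d659025ceb46f1ef48aa80b8af5909b2de0cf80e88040fef345
0f1e457488fe799dee7ace7e1bc2df4c1793245f334a4298035652ebeb249414'

# is_double_ext_script NAME: exit 0 when NAME ends in <document ext>.<script ext>.
# Only .docx.scpt is attested by the article; the other pairs are an assumption.
is_double_ext_script() {
    lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$lower" in
        *.doc.scpt|*.docx.scpt|*.pdf.scpt|*.xls.scpt|*.xlsx.scpt|*.ppt.scpt|*.pptx.scpt|\
        *.doc.applescript|*.docx.applescript|*.pdf.applescript)
            return 0 ;;
    esac
    return 1
}

# sha256_of FILE: hex digest using whichever tool the host has (macOS ships shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# is_ioc_hash HEX: exit 0 when HEX is one of the known-bad hashes above.
is_ioc_hash() {
    printf '%s\n' "$IOC_HASHES" | grep -qix "$1"
}

# scan_dir DIR: print one tab-separated line per finding (REASON, [hash,] path).
scan_dir() {
    find "$1" -type f | while IFS= read -r path; do
        base=$(basename "$path")
        if is_double_ext_script "$base"; then
            printf 'DOUBLE_EXT\t%s\n' "$path"
        fi
        digest=$(sha256_of "$path")
        if is_ioc_hash "$digest"; then
            printf 'IOC_HASH\t%s\t%s\n' "$digest" "$path"
        fi
    done
}

# Typical use on a workstation (not run automatically):
#   scan_dir "$HOME/Downloads"
#   scan_dir "$HOME/Library/Mail"
```

The extension check is deliberately case-insensitive, since Finder hides known extensions by default and a mixed-case `.PDF.scpt` would otherwise slip past a literal match; the hash match catches copies that were renamed to something innocuous.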
Fake Compliance Notices on the Rise
Once executed, the script launches a multi-stage, largely fileless infection chain that is tailored specifically for macOS.
The initial AppleScript stage is responsible for staging the rest of the attack. It opens macOS System Settings and navigates to Software Update to create the illusion of a legitimate system update or repair process, lowering the victim’s suspicion.
At the same time, it collects system details such as CPU architecture (Intel vs Apple Silicon), macOS version, and system language, then sends this profiling data to a remote server so the attacker can deliver the most appropriate payload.
It also downloads and executes additional malicious code from the domain sevrrhst[.]com and cleans up traces to hinder forensic analysis.
The downloaded second-stage AppleScript adds powerful data theft and remote control capabilities. It first displays a fake progress bar claiming to “fix system update issues” or “resolve document viewer problems.”
While this fake task runs, the malware displays highly realistic macOS-style permission and password prompts, even incorporating Google avatar elements to appear trustworthy.
When users enter their password, the script validates it using the dscl command and, if correct, Base64-encodes the username and password and exfiltrates them via curl to sevrrhst[.]com.
To deepen its foothold, the script attempts to bypass macOS’s Transparency, Consent, and Control (TCC) protections by tampering with the TCC privacy database.
Real-World Impact
It tries to rename TCC-related directories such as com.apple.TCC to evade monitoring and directly injects SQL statements to silently grant itself, Bash, Terminal, and script editors broad permissions.
These permissions include access to Downloads, Documents, Desktop, external disks, as well as sensitive controls like camera, screen recording, keyboard event monitoring, and Accessibility, effectively turning the system into a fully surveilled environment.
The malware then establishes persistence and a backdoor channel. It downloads encrypted data named “origin,” decodes and executes it, and sets up communication with its command-and-control (C2) infrastructure.
After preparing a Node.js runtime, it requests and runs a core script, index.js, which inventories system version, CPU, disk, network, and process information before sending it back to the C2 server.
Based on this telemetry, the server can deliver further JavaScript code, which is executed dynamically via eval, enabling continuous feature expansion and long-term remote command execution.
Threat intelligence shows that sevrrhst[.]com was registered on January 23, 2026, uses a free TLS certificate, and exhibits fast-flux or throwaway infrastructure behavior.
It currently resolves to 88.119.171.59, which is linked to more than 10 related malicious domains, including tattomc[.]com and stomcs[.]com, indicating shared attacker infrastructure and ongoing operations.
This campaign is more than a basic info-stealer; it represents a multi-stage intrusion chain that abuses legitimate system tools, relies on dynamic code delivery, and uses fileless techniques to evade static signature-based detection.
Organizations should train staff to be skeptical of unexpected “compliance” or “audit” emails requesting document review or password entry, especially when attachments use double extensions or trigger unusual system prompts.
Suspected victims should immediately disconnect affected macOS systems from the network, reset the TCC database to revoke unauthorized permissions, and terminate any suspicious Node.js or script-driven processes running from hidden directories, followed by a full incident response investigation.
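As added responder helpers (not code from the article, SlowMist or Chainbase Lab), the script below implements the hunting and containment steps just described: it filters `ps` output for node or osascript processes launched from hidden directories, looks for renamed copies of the com.apple.TCC directory, lists TCC grants to Terminal, bash, osascript or Script Editor, and resets the TCC database. The process filter works on any `ps` text, so it is exercised here on a constructed sample; the TCC checks only run on macOS and assume the TCC.db `access` table with `service`, `client` and `auth_value` columns (macOS 11 and later, where `auth_value` 2 means allowed) and a shell that has Full Disk Access.

```shell
#!/bin/sh
# Added responder helpers; not code from the article, SlowMist or Chainbase Lab.
# - flag_hidden_script_procs: filter ps output for node/osascript run from a hidden dir
# - check_tcc_dir_rename / list_suspicious_tcc_grants / reset_tcc: macOS-only TCC checks;
#   they assume the TCC.db "access" table with service/client/auth_value columns
#   (macOS 11+, auth_value 2 = allowed) and need Full Disk Access for this shell.

# Constructed sample of "ps -axo pid,command" output; used only for the demo/test.
PS_SAMPLE='PID COMMAND
  412 /usr/libexec/trustd
  913 /Users/alice/.local/share/env/node /Users/alice/.local/share/index.js
  921 osascript /private/tmp/.cache/update.scpt
  940 /usr/local/bin/node /Users/alice/projects/app/server.js'

# flag_hidden_script_procs: read ps lines on stdin; print PID<TAB>COMMAND for node or
# osascript processes whose command line contains a hidden directory component
# such as /.local/ or /.cache/.
flag_hidden_script_procs() {
    awk '
        NR == 1 && $1 == "PID" { next }          # drop a header line if present
        {
            cmd = $2
            for (i = 3; i <= NF; i++) cmd = cmd " " $i
            if (cmd ~ "(^|[ /])(node|osascript)( |$)" && cmd ~ "/\\.[^/ ]+/")
                print $1 "\t" cmd
        }'
}

TCC_DIR="$HOME/Library/Application Support/com.apple.TCC"

# check_tcc_dir_rename: the article reports the script renaming com.apple.TCC
# directories; report anything alongside the real one that looks like a renamed copy.
check_tcc_dir_rename() {
    [ "$(uname)" = "Darwin" ] || return 0
    for d in "$HOME/Library/Application Support"/com.apple.TCC*; do
        [ -d "$d" ] || continue
        [ "$d" = "$TCC_DIR" ] || printf 'RENAMED_TCC_DIR\t%s\n' "$d"
    done
}

# list_suspicious_tcc_grants: allowed entries for Terminal, bash, osascript or
# Script Editor, the clients the article says the script adds by writing SQL into TCC.db.
list_suspicious_tcc_grants() {
    [ "$(uname)" = "Darwin" ] || return 0
    [ -r "$TCC_DIR/TCC.db" ] || { echo "TCC.db not readable (grant Full Disk Access)" >&2; return 0; }
    sqlite3 "$TCC_DIR/TCC.db" "SELECT service, client, auth_value FROM access
        WHERE auth_value = 2 AND (client LIKE '%Terminal%' OR client LIKE '%bash%'
           OR client LIKE '%osascript%' OR client LIKE '%ScriptEditor%');"
}

# reset_tcc: revoke every TCC grant for the current user; legitimate apps re-prompt.
reset_tcc() {
    [ "$(uname)" = "Darwin" ] || return 0
    tccutil reset All
}

# "sh this.sh --hunt" lists findings on the affected Mac without changing anything;
# call reset_tcc separately once the findings have been recorded.
if [ "${1:-}" = "--hunt" ]; then
    ps -axo pid=,command= | flag_hidden_script_procs
    check_tcc_dir_rename
    list_suspicious_tcc_grants
fi
```

Run the hunt first and keep its output: resetting TCC before recording which clients were granted camera, screen recording or Accessibility destroys the evidence the incident response investigation will want.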
IOCs
| Filename | SHA256 | URL | C2 / Domain | IP Address |
|---|---|---|---|---|
| Confirmation_Token_Vesting.docx.scpt | 3e4d35903c51db3da8d4bd77491b5c181b7361aaf152609d03a1e2bb86faee43 | https://sevrrhst[.]com/css/controller.php | sevrrhst[.]com | 88.119.171.59 |
| env_arm.zip | f9e0376114c57d659025ceb46f1ef48aa80b8af5909b2de0cf80e88040fef345 | https://sevrrhst[.]com/inc/register.php | sevrrhst[.]com | 88.119.171.59 |
| index.js | 0f1e457488fe799dee7ace7e1bc2df4c1793245f334a4298035652ebeb249414 | — | sevrrhst[.]com | 88.119.171.59 |