Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Matryoshka Malware Targets macOS with New Stealer Variant

Matryoshka Malware Targets macOS with New Stealer Variant

Posted on February 16, 2026 By CWS

A newly identified social engineering campaign is taking aim at macOS users, deploying a sophisticated stealer malware through an advanced form of the ClickFix attack. This strain, dubbed ‘Matryoshka’ after the Russian nesting dolls, employs layered obfuscation techniques to evade detection by security systems.

Innovative Attack Techniques

Matryoshka deceives users into running Terminal commands that mimic legitimate software repairs, effectively bypassing conventional security measures. By exploiting typosquatting domains, the attack ensnares users who mistype URLs, particularly those seeking software reviews. Victims redirected to these fraudulent sites are prompted to input a ‘fix’ command in their macOS Terminal.

Security analysts at Intego have tracked this malicious activity, noting the use of domains like comparisions[.]org, which closely resembles the legitimate comparisons.org through minor typographical changes.

Advanced Evasion Strategies

Unlike past ClickFix variants, Matryoshka utilizes sophisticated evasion techniques designed to thwart detection efforts. The malware’s payload remains encoded and compressed until execution, operating solely in memory. This strategy complicates file-based scans and static analysis, reducing the ability of researchers to identify the threat.

Upon execution, the loader accesses an AppleScript payload crafted to extract browser credentials and target cryptocurrency wallets such as Trezor Suite and Ledger Live. If direct credential theft is unsuccessful, the malware resorts to fake system prompts that persistently solicit passwords.

Infection Process and Mitigations

The infection chain of Matryoshka progresses through several phases, each engineered to avoid detection while ensuring the malware’s operational success. Victims executing the malicious Terminal command initiate a sequence that decodes and decompresses a hidden shell script, avoiding the creation of detectable file artifacts.

The malware employs various evasion tactics, such as detaching its main process to rapidly conclude, deceiving users into believing the operation is complete. It suppresses terminal output and redirects streams to minimize visible clues. Additionally, its command-and-control infrastructure demands specific request headers, misleading unauthorized scanners with generic errors.

Users are advised against pasting commands from unverified sources into Terminal, as legitimate updates should not require such actions. Organizations should focus on blocking typosquatting domains, monitoring Terminal execution patterns, and scrutinizing any suspicious behavior related to cryptocurrency applications.

Stay informed by following us on Google News, LinkedIn, and X for more updates. Consider setting CSN as a preferred source in Google for real-time notifications.

Cyber Security News Tags:AppleScript, browser credentials, ClickFix, cryptocurrency theft, cyber attack, Cybersecurity, Intego, Ledger Live, macOS, Malware, Matryoshka, security evasion, social engineering, Terminal commands, Trezor Suite, typosquatting

Post navigation

Previous Post: Luxury Brands Fined $25 Million in South Korea for Data Breaches
Next Post: Lithuania Strengthens Cybersecurity Against AI Fraud

Related Posts

Hackers Replace ‘m’ with ‘rn’ in Microsoft(.)com to Steal Users’ Login Credentials Hackers Replace ‘m’ with ‘rn’ in Microsoft(.)com to Steal Users’ Login Credentials Cyber Security News
Lighthouse Studio RCE Vulnerability Let Attackers Gain Access to Hosting Servers Lighthouse Studio RCE Vulnerability Let Attackers Gain Access to Hosting Servers Cyber Security News
15 Best Incident Response Tools 2025 15 Best Incident Response Tools 2025 Cyber Security News
Ubiquiti Releases Critical Updates for UniFi OS Vulnerabilities Ubiquiti Releases Critical Updates for UniFi OS Vulnerabilities Cyber Security News
CISA Warns Of Oracle E-Business Suite SSRF Vulnerability Actively Exploited In Attacks CISA Warns Of Oracle E-Business Suite SSRF Vulnerability Actively Exploited In Attacks Cyber Security News
Beware of North Korean Fake Job Platform Targeting U.S. Based AI-Developers Beware of North Korean Fake Job Platform Targeting U.S. Based AI-Developers Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Avalon Malware Framework Unveils CrownX Ransomware
  • Alibaba Considers Ban on AI Tool Over Security Concerns
  • India Cracks Down on Apps Disabling E-Rickshaws
  • Hackers Exploit SEO to Mislead AI with Malicious Codes
  • North Korea-Linked npm Packages Pose Threat to Developers

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Avalon Malware Framework Unveils CrownX Ransomware
  • Alibaba Considers Ban on AI Tool Over Security Concerns
  • India Cracks Down on Apps Disabling E-Rickshaws
  • Hackers Exploit SEO to Mislead AI with Malicious Codes
  • North Korea-Linked npm Packages Pose Threat to Developers

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark