Cyber Web Spider Blog – News

MacOS Users Targeted by New Phishing Email Scam

Posted on February 3, 2026 By CWS

Key Points

  • A phishing campaign using fake compliance emails targets macOS users.
  • Attackers use social engineering and multi-stage payloads to steal data.
  • Malware disguises itself as legitimate system prompts to avoid detection.

Emerging Threat to macOS Users

A new phishing scam has been identified, targeting macOS users through deceptive compliance emails. Detected by Chainbase Lab, this sophisticated attack impersonates legitimate audit notifications to lure victims into a trap.

The campaign combines social engineering with multi-stage fileless malware to extract credentials and maintain remote access on affected systems. Attackers initiate contact by requesting verification of company details, and later send emails purporting to be from financial auditors.

Deceptive Tactics and Infection Process

The attack progresses through a series of strategic steps designed to deceive users into interacting with malicious documents. Initial communications seek to build trust, which is then exploited in follow-up emails referencing audit or token vesting deadlines.

These subsequent emails contain attachments that are disguised as Word or PDF files but are in fact AppleScript files, using double extensions to mask their true type. Once opened, these files execute scripts that download further malicious payloads.
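
A mail-gateway style check for the double-extension lure described above, added here as an illustration and not taken from the Chainbase Lab report. The extension sets, addresses and attachment names are constructed for the example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

DECOY_EXTS = {"doc", "docx", "pdf"}             # what the lure pretends to be
SCRIPT_EXTS = {"scpt", "scptd", "applescript"}  # AppleScript file types

def classify(filename):
    """Return (decoy_ext, real_ext) when the final extension is AppleScript
    and an earlier extension imitates a Word or PDF document, else None."""
    # Collapse whitespace runs so padding such as 'a.pdf     .scpt' is seen through.
    collapsed = " ".join(filename.split()).lower()
    parts = [p.strip() for p in collapsed.split(".")]
    if len(parts) < 3 or parts[-1] not in SCRIPT_EXTS:
        return None
    decoys = [p for p in parts[1:-1] if p in DECOY_EXTS]
    return (decoys[-1], parts[-1]) if decoys else None

def suspicious_attachments(raw):
    """Parse a raw RFC 5322 message and list attachments that match the lure."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        verdict = classify(name)
        if verdict:
            hits.append((name, *verdict))
    return hits

def build_sample():
    """Constructed message: two lure-style names and two benign ones."""
    msg = EmailMessage()
    msg["From"] = "auditor@example.test"
    msg["To"] = "finance@example.test"
    msg["Subject"] = "Audit confirmation deadline"
    msg.set_content("Please review the attached documents.")
    for name in ("Audit_Confirmation.pdf.scpt",
                 "Vesting Schedule.docx .applescript",
                 "FY2025_summary.pdf",
                 "notes.v2.docx"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, decoy, real in suspicious_attachments(build_sample()):
        print(f"QUARANTINE {name!r}: presented as .{decoy}, actually .{real}")
```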

Malware Evasion and Persistence

To evade detection, the malware presents fake system dialogs that resemble macOS security alerts. These prompts trick users into providing admin passwords, which are then immediately exfiltrated to a remote server.

The malware also attempts to bypass macOS privacy protections by injecting SQL statements that grant it extensive permissions, such as camera and keyboard access, ensuring long-term control over the infected machine.
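
macOS records these privacy grants in a SQLite database (TCC.db), so a tampered grant shows up as a row that no user approved. The audit below is an added example, not part of the original report: it runs against a constructed in-memory table holding a simplified subset of the macOS 11+ `access` schema, and the client names and approved list are assumptions.

```python
import sqlite3

# TCC service identifiers for the permissions the article names, plus
# Accessibility, which also allows input control.
SENSITIVE = {
    "kTCCServiceCamera": "camera",
    "kTCCServiceListenEvent": "keyboard input monitoring",
    "kTCCServiceAccessibility": "accessibility / input control",
}
AUTH_ALLOWED = 2  # auth_value for "allowed" in the access table

def unexpected_grants(conn, approved):
    """Return (permission, client, client_kind) for every allowed grant on a
    sensitive service whose client is not on the approved list."""
    marks = ",".join("?" * len(SENSITIVE))
    rows = conn.execute(
        "SELECT service, client, client_type FROM access "
        f"WHERE auth_value = ? AND service IN ({marks}) "
        "ORDER BY last_modified",
        (AUTH_ALLOWED, *SENSITIVE),
    )
    # client_type 1 means the client is an absolute path, not a bundle id.
    return [(SENSITIVE[svc], client, "path" if ctype == 1 else "bundle id")
            for svc, client, ctype in rows if client not in approved]

def build_sample():
    """Constructed rows: one approved app, one unexplained helper binary."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, "
                 "client_type INTEGER, auth_value INTEGER, last_modified INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?)", [
        ("kTCCServiceCamera", "com.example.videocalls", 0, 2, 1767225600),
        ("kTCCServiceCamera", "/private/tmp/constructed-helper", 1, 2, 1770076800),
        ("kTCCServiceListenEvent", "/private/tmp/constructed-helper", 1, 2, 1770076801),
        ("kTCCServiceAccessibility", "com.example.denied", 0, 0, 1770076802),
        ("kTCCServiceMicrophone", "com.example.videocalls", 0, 2, 1767225601),
    ])
    return conn

if __name__ == "__main__":
    approved = {"com.example.videocalls"}  # assumption: the fleet's known-good apps
    for perm, client, kind in unexpected_grants(build_sample(), approved):
        print(f"REVIEW {perm}: granted to {client} ({kind})")
```

On a real host the same query would be pointed at a read-only copy of the user and system TCC.db files, which requires Full Disk Access for the auditing tool.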

The infrastructure of this phishing campaign relies on disposable domains registered in early 2026, with command servers hosted on IP addresses associated with multiple malicious domains.

Conclusion

This emerging threat highlights the need for increased vigilance among macOS users. Awareness and caution when dealing with unsolicited emails can help mitigate the risk of falling victim to such sophisticated phishing scams.

Category: Cyber Security News

Tags: AppleScript, Compliance, credential theft, Cybersecurity, data theft, IT security, macOS, Malware, Phishing, security alerts
