← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
AppleScript Abuse: Unpacking a macOS Phishing Campaign
WHITE PetrP.73 2026-02-07 Modified: 2026-03-09
25
IOCs
MEDIUM VOLUME
A recent malware campaign targeting macOS users has been identified, leveraging social engineering and the abuse of the macOS Transparency, Consent, and Control (TCC) feature. The primary attack vector begins with a phishing email that entices users to download an AppleScript file disguised as a genuine Microsoft document, titled "Confirmation_Token_Vesting.docx.scpt". This technique is designed to exploit the victim's trust, prompting them to execute the file. The core of the attack utilizes AppleScript as a loader, effectively bypassing traditional security measures by manipulating the TCC authorizations. By doing so, the threat actor is able to achieve persistent access to the compromised network without the need to exploit any inherent software vulnerabilities. This method highlights the risks associated with social engineering and the potential for unauthorized access through trusted user interfaces.
snappybeevirtualprotectvirtualallocdllmainfollowdeed ratsalt typhoontrendmicronovembercobalt strikepythonmalwareloaderjavascriptdarktracedarktrace identifieswindowsphishingtara gould
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
JavaScript Darktrace Darktrace Identifies Cobalt Strike Windows Phishing Tara Gould SnappyBee
Indicators of Compromise (25)
All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain
TYPEINDICATORDESCRIPTIONCREATED
FileHash-MD5 319d905b83bf9856b84340493c828a0c 2026-02-07
FileHash-MD5 43f3f328248da7bda95407968604ff0b MD5 of b2b617e62353a672626c13cc7ad81b27f23f91282aad7a3a0db471d84852a9ac 2026-02-07
FileHash-MD5 505b55c2b68e32acb5ad13588e1491a5 MD5 of 25b9fdef3061c7dfea744830774ca0e289dba7c14be85f0d4695d382763b409b 2026-02-07
FileHash-MD5 94b7392133935d2034b8169b9ce50764 2026-02-07
FileHash-MD5 b706f4806dc88611873cadeb3ad1ff97 MD5 of 1a38303fb392ccc5a88d236b4f97ed404a89c1617f34b96ed826e7bb7257e296 2026-02-07
FileHash-MD5 d3539d71a12fe640f3af8d6fb4c680fd 2026-02-07
FileHash-SHA1 153219368080efd938df03ebd119cf1dedf341f9 SHA1 of 319d905b83bf9856b84340493c828a0c 2026-02-07
FileHash-SHA1 5e6f0888e6e4ec4145c29a31c46c9c1a33c8a4cf SHA1 of d3539d71a12fe640f3af8d6fb4c680fd 2026-02-07
FileHash-SHA1 7d9ea7c8934d293429103fd0f8f58b370bd1249b SHA1 of b2b617e62353a672626c13cc7ad81b27f23f91282aad7a3a0db471d84852a9ac 2026-02-07
FileHash-SHA1 9218e2c37c339527736cdc9d9aad88de728931a3 SHA1 of 25b9fdef3061c7dfea744830774ca0e289dba7c14be85f0d4695d382763b409b 2026-02-07
FileHash-SHA1 dfe752f103e8e0cdb6ee419a5e753a451488420c SHA1 of 1a38303fb392ccc5a88d236b4f97ed404a89c1617f34b96ed826e7bb7257e296 2026-02-07
FileHash-SHA256 1a38303fb392ccc5a88d236b4f97ed404a89c1617f34b96ed826e7bb7257e296 2026-02-07
FileHash-SHA256 25b9fdef3061c7dfea744830774ca0e289dba7c14be85f0d4695d382763b409b 2026-02-07
FileHash-SHA256 3e4d35903c51db3da8d4bd77491b5c181b7361aaf152609d03a1e2bb86faee43 SHA256 of d3539d71a12fe640f3af8d6fb4c680fd 2026-02-07
FileHash-SHA256 60dfa5b92193cdc80fd759cd5a228527b1019c4706e5a1ed2e9bce3c232ef531 SHA256 of 319d905b83bf9856b84340493c828a0c 2026-02-07
FileHash-SHA256 b2b617e62353a672626c13cc7ad81b27f23f91282aad7a3a0db471d84852a9ac 2026-02-07
URL https://sevrrhst.com/css/controller.php?req=contact&ac= 2026-02-07
URL https://sevrrhst.com/inc/register.php?req=init 2026-02-07
URL https://sevrrhst.com/inc/register.php?req=next 2026-02-07
URL https://sevrrhst.com/inc/register.php?req=next. 2026-02-07
URL https://stomcs.com/inc/register.php?req=next 2026-02-07
URL https://techcross-es.com 2026-02-07
domain sevrrhst.com 2026-02-07
domain stomcs.com 2026-02-07
domain techcross-es.com 2026-02-07
References (1)
↗ https://www.darktrace.com/blog/applescript-abuse-unpacking-a-macos-phishing-campaign