Overview
- Researchers publicly disclosed the campaign on Thursday when Jamf Threat Labs and follow-up teardowns showed the lure came from lookalike Maccy sites that deliver a disk image containing a compiled AppleScript named Maccy.scpt.
- The AppleScript opens in Script Editor and runs a self-contained JXA downloader that bypasses common quarantine checks and fetches a gated, encrypted second-stage payload keyed to host details such as CPU architecture and locale.
- The Rust second-stage validates any entered login password through macOS Pluggable Authentication Modules before keeping it and then harvests browser cookies, saved credentials, SQLite databases, clipboard contents and wallet data for encrypted exfiltration.
- Analysts warn the campaign uses native APIs and runtime-loaded frameworks rather than shell commands to reduce detection signals, and it hides persistence by registering fake Finder or Software Update bundles as login items.
- Security vendors have published IOCs and hunting guidance, Maccy’s developer posted warnings about fake sites, and defenders are advised to verify download sources, treat unexpected password prompts as suspicious, and hunt for Finder-shaped processes running outside the system folder.