Overview
- SentinelOne, which published its analysis Monday, detailed a multi‑stage Mac infostealer that begins on typo‑squatted Microsoft‑lookalike sites pushing fake WeChat or Miro installers.
- The attack uses the applescript:// link scheme to open Script Editor, prompts the user to click Run, and shows a bogus XProtectRemediator update while hidden commands pull payloads.
- It harvests browser passwords, password manager data, macOS Keychain items, Telegram sessions, and many crypto wallets, and it adds an AMOS‑style document grabber with chunked uploads capped around 150 MB.
- The malware maintains access by planting a fake GoogleUpdate app and a com.google.keystone.agent.plist LaunchAgent that runs every 60 seconds to fetch and execute new commands.
- Researchers urge users to avoid running scripts from untrusted pages, ignore prompts to open Script Editor for updates, install software from official sources, and watch for unusual AppleScript activity or unexpected LaunchAgents.
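As an added defender-side example (not from SentinelOne's analysis or the article), the script below triages LaunchAgent plists for the persistence pattern described above: a Label imitating Google's Keystone updater whose program does not live under Google's own install path, and a StartInterval of 60 seconds or less. The Google path fragment and both sample plists are constructed assumptions for this example, not artefacts from the campaign.

```python
"""Triage macOS LaunchAgent plists for the GoogleUpdate/Keystone-lookalike persistence above."""
import plistlib
from pathlib import Path

# Assumption for this example: Google's genuine Keystone agent binary lives under a Library/Google/ path.
LEGIT_GOOGLE_PATH_FRAGMENT = "/Library/Google/"

def triage_launch_agent(plist_bytes: bytes) -> list:
    """Return human-readable findings for one LaunchAgent plist (empty list = nothing odd)."""
    job = plistlib.loads(plist_bytes)
    findings = []
    label = str(job.get("Label", ""))
    args = job.get("ProgramArguments") or ([job["Program"]] if "Program" in job else [])
    program = str(args[0]) if args else ""
    # A Keystone label is only plausible when the program really is Google's own agent.
    if label.startswith("com.google.keystone") and LEGIT_GOOGLE_PATH_FRAGMENT not in program:
        findings.append("keystone label with program outside Google paths")
    # The campaign polls its server every 60 seconds; genuine updaters check far less often.
    interval = job.get("StartInterval")
    if isinstance(interval, int) and 0 < interval <= 60:
        findings.append(f"polls every {interval}s")
    return findings

def scan_launch_agents(directory=None) -> dict:
    """Triage every plist in a LaunchAgents directory; returns {path: findings} for hits only."""
    directory = Path(directory) if directory else Path.home() / "Library" / "LaunchAgents"
    hits = {}
    for path in directory.glob("*.plist"):
        try:
            findings = triage_launch_agent(path.read_bytes())
        except Exception as exc:  # a plist launchd would choke on is worth a look too
            findings = [f"unparseable plist: {exc}"]
        if findings:
            hits[str(path)] = findings
    return hits

# Constructed samples, not real artefacts: a genuine-looking Keystone job and a lookalike.
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.google.keystone.agent",
    "ProgramArguments": ["/Users/alice/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdateAgent"],
    "StartInterval": 3600,
})
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "com.google.keystone.agent",
    "ProgramArguments": ["/Users/alice/Library/Application Support/GoogleUpdate.app/Contents/MacOS/GoogleUpdate"],
    "RunAtLoad": True,
    "StartInterval": 60,
})
if __name__ == "__main__":
    print("lookalike:", triage_launch_agent(SUSPICIOUS_PLIST), "| this machine:", scan_launch_agents())
```

Run it on a Mac to list the user's LaunchAgents that match; a legitimate Keystone job produces no findings, while a lookalike with a 60-second poll produces two.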