Darktrace
AppleScript-Driven macOS Intrusions Exploiting User Deception
Darktrace's Threat Research team identified a pattern of macOS intrusions that relied on ClickFix-style user deception. The compromise began with the user being persuaded to run a malicious "update"; the attackers then switched to AppleScript for post-compromise activity. Observed behaviors included HTTP POST requests to endpoints rarely contacted elsewhere in the fleet and TLS sessions with unusual properties, consistent with command-and-control establishment. Each indicator was low-confidence on its own, but the convergence of these signals across several customer environments pointed to a structured campaign. Where confidence was high, automated containment blocked the outbound communications. The threat primarily affects macOS systems and underlines the need for behavioral detection rather than reliance on single indicators. Security teams continue to monitor and respond.
Key Points:
• Intrusions exploit user-assisted execution of malicious updates on macOS systems.
• AppleScript is used for post-compromise activities, minimizing detection risks.
• Automated responses successfully disrupted outbound communications in high-confidence cases.
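The summary's detection point is that no single signal (a POST, a rarely seen destination, an odd TLS session) is conclusive, but their convergence on one host is. The following added example, which is not Darktrace's code and does not reflect its detection logic, shows one way to score that convergence over egress logs. The log format (`key=value` tokens), the host names, and the `tls=` values are constructed for illustration; a real deployment would read proxy or NetFlow-style records and compute destination prevalence across a longer window.

```python
"""Rarity-plus-convergence scoring over egress logs (added example, hypothetical format)."""
from collections import defaultdict

# Constructed sample egress log lines. Four hosts talk to a widely used update
# service; one host POSTs repeatedly to a destination no other host has
# contacted, over a self-signed TLS session. None of these names are real IoCs.
SAMPLE_LOGS = [
    "ts=2024-05-01T09:00:01Z src=mac-01 method=GET dst=updates.example.com tls=ok",
    "ts=2024-05-01T09:00:02Z src=mac-02 method=GET dst=updates.example.com tls=ok",
    "ts=2024-05-01T09:00:03Z src=mac-03 method=POST dst=updates.example.com tls=ok",
    "ts=2024-05-01T09:00:04Z src=mac-04 method=GET dst=updates.example.com tls=ok",
    "ts=2024-05-01T09:05:10Z src=mac-07 method=POST dst=update-check.example.invalid tls=self_signed",
    "ts=2024-05-01T09:05:42Z src=mac-07 method=POST dst=update-check.example.invalid tls=self_signed",
    "ts=2024-05-01T09:06:00Z src=mac-04 method=GET dst=www.example.org tls=ok",
]

# TLS observations treated as "unusual" for scoring purposes (hypothetical labels).
WEAK_TLS = {"self_signed", "expired", "no_sni"}


def parse_line(line):
    """Split one key=value log line into a dict; tokens without '=' are skipped."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def destination_prevalence(events):
    """Map each destination to the set of source hosts that contacted it."""
    seen = defaultdict(set)
    for ev in events:
        if "dst" in ev and "src" in ev:
            seen[ev["dst"]].add(ev["src"])
    return seen


def score_events(lines, rare_threshold=1):
    """Return one alert per (src, dst) pair that shows at least one weak signal.

    Signals: HTTP POST, destination seen from <= rare_threshold hosts, weak TLS.
    One signal alone is 'low' confidence, two is 'medium', all three is 'high'.
    The strongest observation for a pair wins; 'count' records how often it recurred.
    """
    events = [parse_line(line) for line in lines]
    prevalence = destination_prevalence(events)
    confidence_by_hits = {1: "low", 2: "medium", 3: "high"}
    alerts = {}
    for ev in events:
        if "src" not in ev or "dst" not in ev:
            continue
        reasons = []
        if ev.get("method") == "POST":
            reasons.append("http_post")
        if len(prevalence[ev["dst"]]) <= rare_threshold:
            reasons.append("rare_destination")
        if ev.get("tls") in WEAK_TLS:
            reasons.append("weak_tls")
        if not reasons:
            continue
        key = (ev["src"], ev["dst"])
        if key not in alerts:
            alerts[key] = {"src": ev["src"], "dst": ev["dst"], "reasons": [],
                           "confidence": None, "count": 0}
        alert = alerts[key]
        alert["count"] += 1
        if len(reasons) > len(alert["reasons"]):
            alert["reasons"] = reasons
            alert["confidence"] = confidence_by_hits[len(reasons)]
    # High-confidence alerts first, then by source host name.
    return sorted(alerts.values(), key=lambda a: (a["confidence"] != "high", a["src"]))


if __name__ == "__main__":
    for alert in score_events(SAMPLE_LOGS):
        print(alert["confidence"].upper(), alert["src"], "->", alert["dst"],
              ",".join(alert["reasons"]), "x%d" % alert["count"])
```

Run against the constructed logs, only the host that POSTs to a fleet-unique destination over self-signed TLS reaches "high"; the POST to the common update service and the single GET to a rarely seen site each produce a "low" alert, which is the convergence argument the summary makes. Raising `rare_threshold` trades sensitivity for noise, and in practice prevalence should be computed over a baseline window far longer than the alerting window.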