AppleScript .scpt files are being repurposed as social-engineered macOS malware droppers, masquerading as fake documents, installers, or update prompts to trick users into executing scripts via Script Editor or Terminal. Samples tie into commodity stealers like MacSync and Odyssey and use techniques such as custom icons in ZIP/DMG containers and obfuscated AppleScript to evade detection. #MacSync #Odyssey
Keypoints
- Threat actors increasingly use .scpt AppleScript files disguised as .docx/.pptx or installer/update lures to deliver macOS malware.
- The attack flow relies on user interaction with Script Editor (clicking Run) or Terminal (copy-paste or drag-and-drop), often after the user visits a fake website or opens a DMG installer.
- Commodity stealers such as MacSync and Odyssey have adopted the .scpt technique, indicating trickle-down from APT tooling to broader malware ecosystems.
- Adversaries leverage custom file icons stored in resource forks inside ZIPs or DMGs to make .scpt files appear as legitimate documents on macOS.
- AppleScript obfuscation and compiled .scpt variants are used to hide malicious behavior; notable strings include do shell script, run script, sysoexec, and sysodsct.
- Several .scpt samples show zero detections on VirusTotal, highlighting detection gaps and the need for targeted hunting and mitigations.
- Recommended mitigations include changing the default app for .scpt extensions, monitoring Script Editor executions, and detecting filenames like .docx.scpt/.pptx.scpt in file events.
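As an added example (not code from the original post), the following Python triage implements two of the hunts listed above over constructed file events: it flags .docx.scpt/.pptx.scpt names and Script Editor opens, and scans .scpt bytes for the do shell script / run script strings and their compiled event codes sysoexec / sysodsct. The event schema, paths and script bytes are assumptions.

```python
"""Triage of .scpt-related file events (added example; not code from the original post)."""
import re

# Lure extensions named in the write-up; extend the alternation for other document types.
DOUBLE_EXT = re.compile(r"\.(docx|pptx)\.scpt$", re.IGNORECASE)
# Strings the write-up lists as notable: source-text commands and the compiled
# AppleEvent codes for them (sysoexec = do shell script, sysodsct = run script).
SHELL_MARKERS = (b"do shell script", b"run script", b"sysoexec", b"sysodsct")


def is_double_extension_lure(name: str) -> bool:
    """True for names like 'invoice.docx.scpt' that masquerade as documents."""
    return DOUBLE_EXT.search(name) is not None


def shell_markers_in(blob: bytes) -> list[str]:
    """Return which shell-reaching markers occur in a plain or compiled .scpt body."""
    return [m.decode() for m in SHELL_MARKERS if m in blob]


def triage_file_event(event: dict) -> list[str]:
    """Return the reasons one file event is suspicious (empty list means nothing flagged).

    `event` uses an assumed schema: {"path": str, "process": str, "content": bytes}.
    """
    reasons = []
    name = event["path"].rsplit("/", 1)[-1]
    if not name.lower().endswith(".scpt"):
        return reasons                      # only AppleScript files are in scope here
    if is_double_extension_lure(name):
        reasons.append("double-extension lure: " + name)
    if event.get("process") == "Script Editor":
        reasons.append("opened in Script Editor")   # the Run-button path the lures rely on
    found = shell_markers_in(event.get("content", b""))
    if found:
        reasons.append("shell-capable AppleScript: " + ",".join(found))
    return reasons


# Constructed sample events; the compiled-script bytes mimic the 'FasdUAS' header
# followed by an event code and are not taken from any real sample.
SAMPLE_EVENTS = [
    {"path": "/Users/alice/Downloads/Q3 report.docx.scpt", "process": "Script Editor",
     "content": b"FasdUAS 1.101.10" + b"\x00" * 8 + b"sysoexec" + b"\x00" * 4},
    {"path": "/Users/alice/Documents/cleanup.scpt", "process": "osascript",
     "content": b'tell application "Finder" to empty the trash'},
    {"path": "/Users/alice/Downloads/notes.docx", "process": "Microsoft Word",
     "content": b""},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["path"], "->", triage_file_event(ev) or "clean")
```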
MITRE Techniques
- [T1059.007] Command and Scripting Interpreter: AppleScript – Used to execute shell commands and scripts on macOS via AppleScript files; quoted behavior: 'do shell script' and the compiled event codes 'sysoexec'/'sysodsct' indicate AppleScript invoking system commands.
- [T1204.002] User Execution: Malicious File – Social engineering lures users to open .scpt files disguised as documents or installers and click Run in Script Editor ('Comments in the script encourage the user to run it, while hiding the real code behind a large number of blank lines').
- [T1566.001] Phishing: Spearphishing Link / Web Delivery – Fake update and installer websites host lures and DMGs that drop .scpt scripts ('fake Homebrew installation pages', 'fake websites to trick users into installing updates').
- [T1036.005] Masquerading: Match Legitimate Name or Location – Attackers append common extensions and custom icons to .scpt files so they appear to be legitimate .docx/.pptx files ('compiled AppleScript, falsely given a .docx "extension"', use of custom icons in resource forks).
- [T1406] Obfuscated Files or Information: Code Obfuscation – AppleScript obfuscation and fragmented string assembly are used to hide URLs and commands ('set part1 to "a"… reconstructing http://…' and mixed-case osAscRIPT -e examples assembling strings).
- [T1204.001] User Execution: Malicious Link – DMGs that instruct the user to drag and drop a file into Terminal, and lures that ask them to copy and paste a command into Terminal, rely on user actions to execute payloads ('Copy and paste a command to the Terminal', 'Drag and drop to the Terminal').
Indicators of Compromise
- [File Hash] Fake doc ZIPs – f5b4fec2263950ca5cfac9f9d060bb96f6323fcb908b09eedb7996c107bdcf5a, 99cfb160a2453a22cc025fe0afc21d660744205eff2885836d8e543fda50f06d
- [File Hash] Fake doc .scpt samples – 6149bacfb02eb3db6f95947bc57d89bfb92b90f16f92a61266ea6fbec81d10b7, 2e2cedbf1f09208ee7dad6ac5dec96e97bc0c41a31e190bc41e14f2929c05d4c
- [Domain] MacSync-associated domains – foldgalaxy[.]com, forestnumb[.]top (also multiple other domains like elbrone[.]com)
- [File Hash / Domain] Odyssey artifacts – 7f69f3012e134d1f5084fbb9086697da66a9b0e9240c4e1413777b9e1099aca9, aubr[.]io and IP 185.93.89[.]62
- [File Hash] Bad DMG / 888.scpt – 6a95ab1e7a94fb55a1789f5dfb0fb98237ac72d14ae89ac557101a6176826610 and related hashes (03458265…, 9f3a2876…, etc.)
- [Domain / IP] Additional bad infrastructure – dosmac[.]top, 192.140.161[.]143, 124.132.136[.]17 (and other listed IPs/domains)
Read more: https://pberba.github.io/security/2025/11/11/macos-infection-vector-applescript-bypass-gatekeeper/