Mach-O Man

Victims are redirected to convincing phishing sites that imitate Zoom, Microsoft Teams, or Google Meet and claim there is a connection issue that must be fixed manually.

Attacks commenced with the delivery of urgent meeting invites purportedly from business contacts or colleagues that include links diverting to fake Microsoft Teams, Zoom, or Google Meet websites

the page instructs the user to copy and paste a Terminal command... it immediately downloads and launches the first Mach-O payload.

display a connection issue, which requires command execution in Terminal to be resolved

It then creates a LaunchAgent, roughly the macOS equivalent of Windows Services, to maintain persistence by executing OneDrive, which in turn instantiates the previous components on startup.

Subsequent components, such as minst2.bin, establish persistence by dropping a disguised binary ... and registering it as a LaunchAgent to run at every login.

registering it as a LaunchAgent to run at every login.

It then creates a LaunchAgent, roughly the macOS equivalent of Windows Services, to maintain persistence by executing OneDrive, which in turn instantiates the previous components on startup.

Subsequent components, such as minst2.bin, establish persistence by dropping a disguised binary ... and registering it as a LaunchAgent to run at every login.

registering it as a LaunchAgent to run at every login.

dropping a disguised binary (for example, masquerading as OneDrive) under an “Antivirus Service” folder

A self-deletion script ( delete_self.sh ) then wipes all components using the native rm command.

The malware uses the macOS codesign utility to apply ad-hoc signatures, helping the apps appear legitimate enough to run under standard execution policies.

Stage 1 – The Stager ( teamsSDK.bin ) ... prompts the victim for their password three times, with the window shaking on first two attempts to simulate authentication failure before silently accepting credentials.

It targets browser-stored credentials and cookies, macOS Keychain entries, and other files that can grant access to SaaS platforms

It targets browser-stored credentials and cookies, macOS Keychain entries

a secondary module facilitates system profiling to obtain ... network configuration data

collecting host identifiers, OS details, network configuration, processes, and browser extension data

a second module (variants such as D1YrHRTg.bin) profiles the system via sysctl and local tools, collecting host identifiers, OS details, network configuration, processes, and browser extension data

Stage 4 – The Stealer ( macrasv2 ): Harvests browser credentials, session cookies, SQLite-stored data, and macOS Keychain entries

Stage 2 – The Profiler ... collects ... a full inventory of installed browser extensions across Chrome, Firefox, Safari, Brave, Opera, and Vivaldi.

A payload called macrasv2 is downloaded next, acting as stealer targeting browser extension data, stored browser credentials and cookies, macOS Keychain entries, and other files of interest

Stage 1 – The Stager ( teamsSDK.bin ) ... prompts the victim for their password three times, with the window shaking on first two attempts to simulate authentication failure before silently accepting credentials.

then compresses them into an archive such as user_ext.zip.

Registers the host with the C2 server ... exfiltrates it via the Telegram Bot API — a trusted channel that blends into normal traffic.

Running the command launches the initial staging binary that retrieves bogus macOS apps

Researchers note that parts of the kit are poorly written, with some profilers entering infinite loops that continuously POST the same data to command-and-control servers... The final stealer stage... aggregates high-value data from the system before exfiltration.

Stage 4 – The Stealer ( macrasv2 ) ... exfiltrates it via the Telegram Bot API — a trusted channel that blends into normal traffic.

The attack begins not with a software exploit, but with a deceptively simple social engineering technique known as ClickFix. Victims ... receive an urgent Telegram message from a compromised or impersonated contact, containing what appears to be a legitimate invitation to a Zoom, Microsoft Teams, or Google Meet session.