Maccy.app.zipWhen double-clicked, macOS opens .scpt files in Script Editor by design. The visible portion of the file shows branded instructions telling the user to press ⌘+R to "get started," while the actual malicious code is hidden far below after a large block of empty lines . The text also uses Greek and Cyrillic homoglyphs in the word "Maccy" to defeat text-based scanners
.
pam_start, pam_authenticate, pam_end) with no visible shell activity ethereum-rpc.publicnode[.]com in practice All stolen data is encrypted with ChaCha20-Poly1305 and exfiltrated over HTTPS to C2 endpoints (observed domains: avenger-sync[.]live and avengerflow[.]com), wrapped in a MacOSapp1{"data":"..."} JSON envelope .
Before launching the payload, the dropper ad-hoc signs the fake application bundle with codesign -fs - --deep. The malware also checks for debugging tools and System Integrity Protection before proceeding
.
The second-stage payload is placed inside a bundle named Finder.app with the bundle identifier com.apple.finder.monitor and the genuine Finder.icns icon copied from /System/Library/CoreServices/ . It then spawns
pbpaste to steal clipboard data, so Activity Monitor may show a second Finder process performing clipboard reads — a strong anomaly .
Persistence is established via Login Items (not LaunchAgents/LaunchDaemons) using both the modern SMAppService API and the legacy LSSharedFileList API, with the malware bundled inside: com.apple.finder.monitor and com.apple.security.daemon (masquerading as Software Update) . Because the Login Items pane in System Settings does not show full paths, the malware appears as legitimate system entries
.
curl/osascript-based downloaders maccy.app, or via Homebrew / the official GitHub repository. The real project is open-source (MIT license) and run by developer Alexey Rodionov (Team Identifier MN3X4648SC) .scpt files in Script Editor from a downloaded disk image and press Run. No legitimate macOS app asks you to do this com.apple.finder.monitor) that you did not intentionally add