# Fake Maccy Stealer macOS Infostealer · Rust ARM64 · First seen June 26, 2026 ## Overview Fake Maccy Stealer is a macOS credential stealing campaign that impersonates the legitimate Maccy clipboard manager to deliver a Rust-based infostealer through a deceptive Script Editor execution flow. Instead of exploiting a vulnerability, the campaign relies on user trust, Login Item persistence, and post execution stealth to collect credentials, browser data, and clipboard content while maintaining an active encrypted command channel. The campaign was identified and analyzed by the ManageEngine EDR Threat Intelligence team during investigation of a macOS credential theft operation abusing trusted application workflows and deceptive execution paths. The attacker registered `maccyapp[.]com` as a lookalike for the legitimate Maccy project, which is distributed at `maccy.app` and via GitHub releases by developer Alexey Rodionov. The fake domain serves a `maccy.dmg` disk image—a format that has never appeared in the legitimate Maccy release history, which distributes exclusively as `Maccy.app.zip`. The victim is directed there through SEO-positioned search results appearing alongside the genuine project listing. What distinguishes this campaign from most recent macOS infostealer activity is the execution surface. Rather than the Terminal copy-paste flow used by ClickFix campaigns targeting macOS, Fake Maccy Stealer delivers a JavaScript for Automation (JXA) script that opens in macOS Script Editor when the DMG is mounted. The user is prompted to click **Run**. Script Editor is a first-party Apple application inheriting full system trust, and Apple’s macOS Tahoe 26.4 Terminal paste protections do not apply to it. The malicious payload is hidden below the visible window through whitespace padding, behind decorative code that references the legitimate App Store URL as a false trust signal. Once executed, the dropper places a Rust-compiled, ARM64-native Mach-O binary inside a fake application bundle named `Finder.app`, using the genuine Apple Finder icon copied from `/System/Library/CoreServices/` and the bundle identifier `com.apple.finder.monitor`. The binary runs as a second Finder process in Activity Monitor, visually indistinguishable from the real one. Persistence is established via Login Items using the `LSSharedFileList` and `SMAppService` APIs, deliberately avoiding LaunchAgents and LaunchDaemons, where detection coverage is densest. The malware harvests macOS Keychain credentials, browser-saved passwords and cookies, and clipboard contents, encrypting the collected data with ChaCha20-Poly1305 (RFC 8439) before exfiltrating to `https://avengerflow[.]com/api/sync`. The C2 channel is bidirectional: the server returns encrypted responses, making the implant a credential-stealing backdoor rather than a one-shot infostealer. At first submission to VirusTotal, the sample was detected by one of 70 engines. The campaign fits within a documented pattern of Russian-speaking MaaS operators targeting macOS professionals with developer-tool lures. The JXA dropper implements four independent CIS geo-fence checks against timezone, country code, keyboard input language, and CPU architecture, aborting silently on machines associated with Russia or eleven other CIS-aligned countries. ### Threat profile **Updated:** June 30, 2026 | Field | Value | |---|---| | Type | Infostealer / Backdoor (macOS) | | First seen | Jun 26, 2026 | | Downstream risk | Full credential compromise · active C2 | | Platform | macOS – ARM64 (Apple Silicon native) | | Language | Rust (confirmed via stdlib strings, TLS symbols, ChaCha20 sigma constant) | | Lure | Fake Maccy clipboard manager (`maccyapp[.]com`) | | Delivery | Lookalike DMG → JXA dropper via Script Editor | | Persistence | Login Items (LSSharedFileList + SMAppService) | | Masquerade | `com.apple.finder.monitor` / `Finder.app` | | Encryption | ChaCha20-Poly1305 (IETF RFC 8439) | | C2 | `avengerflow[.]com/api/sync` (Cloudflare-fronted) | | Code signing | Ad-hoc – no Apple Developer ID – TeamIdentifier=not set | | VirusTotal | 1 / 70 at first submission | | Operator attribution | CIS geo-fence consistent with Russian-speaking MaaS operators | ## Operational attack chain · Fake Maccy DMG to credential exfiltration 1. **Lookalike domain** `maccyapp[.]com` via SEO-positioned search result 2. **Stage 1 – Fake Maccy DMG downloaded** `maccy.dmg` format not used by legitimate project 3. **Stage 2 – JXA script opens in Script Editor** User clicks Run (“⌘ + R”) — no Terminal, no copy-paste 4. **Stage 3 – CIS geo-fence → RC4-decrypted C2 URL** Four anti-targeting checks; key derived from system fingerprint 5. **Stage 4 – Rust binary downloaded & installed** Finder icon cloned · Ad-hoc codesigned 6. **Stage 5 – Login Item persistence registered** LSSharedFileList + SMAppService — appears as “Finder” in System Settings 7. **Stage 6 – Credential theft and clipboard capture** Keychain · browser SQLite · NSPasteboard · PAM interception **Impact – ChaCha20-Poly1305 exfiltration → active C2** HTTPS POST to `avengerflow[.]com` · bidirectional — treats host as active implant The Script Editor lure separates this campaign from Terminal-based ClickFix flows. The execution path is the same approval gesture—clicking **Run** in a trusted Apple application—but it entirely bypasses the Terminal paste protections added in macOS Tahoe 26.4. Source: Sample analysis — first seen June 26, 2026 ## Tactics, techniques, and procedures Fake Maccy Stealer stacks seven distinct evasion layers across the initial access, execution, persistence, defense evasion, credential access, and exfiltration phases. The highest technique density is in defense evasion, where the malware combines masquerading, obfuscation, sandbox evasion geo-fencing, hidden window flags, and trust control abuse into a single delivery chain. ### MITRE ATT&CK coverage | Tactic | Techniques | What Fake Maccy Stealer does | |---|---|---| | Initial Access | [Drive-by Compromise T1189](https://attack.mitre.org/techniques/T1189/) | SEO-positioned lookalike domain (`maccyapp[.]com`) serves a malicious DMG to users searching for the legitimate Maccy clipboard manager. | | Execution | [User Execution: Malicious File T1204.002](https://attack.mitre.org/techniques/T1204/002/) · [Command and Scripting: JavaScript T1059.007](https://attack.mitre.org/techniques/T1059/007/) | Victim clicks Run inside macOS Script Editor to execute the obfuscated JXA dropper. No exploit, no CVE. The user approves execution through a trusted first-party Apple application. | | Persistence | [Login Items T1547.015](https://attack.mitre.org/techniques/T1547/015/) | The dropper registers the fake Finder.app as a Login Item using both `LSSharedFileList` and `SMAppService`, ensuring the malware survives reboot. The entry appears as “Finder” with the genuine Apple Finder icon. | | Defense Evasion | [Masquerade: Match Legitimate Name T1036.005](https://attack.mitre.org/techniques/T1036/005/) · [Hide Artifacts: Hidden Files T1564.001](https://attack.mitre.org/techniques/T1564/001/) · [Hide Artifacts: Hidden Window T1564.003](https://attack.mitre.org/techniques/T1564/003/) · [Obfuscated Files: Command Obfuscation T1027.010](https://attack.mitre.org/techniques/T1027/010/) · [Obfuscated Files or Information T1027](https://attack.mitre.org/techniques/T1027/) · [Subvert Trust Controls T1553](https://attack.mitre.org/techniques/T1553/) | Uses bundle identifier `com.apple.finder.monitor`, clones Finder icon, sets `LSUIElement=true` and `LSBackgroundOnly=true`, uses dotfiles, layered JXA obfuscation, ChaCha20-Poly1305 encryption, and abuses Script Editor trust surface. | | Credential Access | [Keychain T1555.001](https://attack.mitre.org/techniques/T1555/001/) · [Credentials from Browsers T1555.003](https://attack.mitre.org/techniques/T1555/003/) | Extracts Keychain entries via `SecItemCopyMatching` and reads browser credential databases directly via `libsqlite3.dylib`. | | Discovery | [System Information Discovery T1082](https://attack.mitre.org/techniques/T1082/) | Collects timezone, country code, keyboard input language, CPU architecture, OS version, and hardware ID for targeting and telemetry. | | Collection | [Clipboard Data T1115](https://attack.mitre.org/techniques/T1115/) · [Data from Local System T1005](https://attack.mitre.org/techniques/T1005/) | Captures clipboard via `NSPasteboard.generalPasteboard` and reads local credential stores. | | Command and Control | [Web Protocols T1071.001](https://attack.mitre.org/techniques/T1071/001/) · [Encrypted Channel: Symmetric T1573.001](https://attack.mitre.org/techniques/T1573/001/) | HTTPS POST to `avengerflow[.]com/api/sync` via `NSURLSession`, encrypted with ChaCha20-Poly1305. | | Exfiltration | [Exfiltration Over C2 Channel T1041](https://attack.mitre.org/techniques/T1041/) | Encrypted credential data sent over established HTTPS C2 channel using campaign tag `MacOSapp1`. | | Recon / Priv. Esc / Lateral / Impact | — | Not observed in this campaign. Operates within user session context without privilege escalation or lateral movement. | ## Indicators of compromise Indicators are divided into durable behavioral and structural IOCs and volatile network IOCs. ### File system paths (durable) - `~/Library/Application Support/com.apple.finder.monitor/` - `~/Library/Application Support/com.apple.finder.monitor/Finder.app/Contents/MacOS/` - `~/Library/Application Support/com.apple.finder.monitor/.config` - `~/Library/Application Support/com.apple.finder.monitor/.Maccy` - `~/Library/Caches/com.apple.finder.monitor/` - `~/Library/HTTPStorages/com.apple.finder.monitor/` - Bundle identifier: `com.apple.finder.monitor` ### Process and identity patterns (durable) - `Finder.app` running from path other than `/System/Library/CoreServices/` - `Signature=adhoc · TeamIdentifier=not set` on `Finder.app` - Login Item named “Finder” with path outside `/System/Library/CoreServices/` - C2 beacon prefix: `MacOSapp1{"data":"...` ### Network behavior (volatile) - `avengerflow[.]com` - `https://avengerflow[.]com/api/sync` - `172.67.210.219` (Cloudflare front IP) - `104.21.93.138` (Cloudflare front IP) - `51.92.110.33` (AWS EC2 eu-south-2, suspected origin) ### File hashes (volatile) - `45bd0e321aa85b63b5dee4e87465e4088546eea5da6efb9c96847023384c48c9` (SHA-256 — maccy.dmg sample) - `0b7529782694bee95f784a854ef3abb8f4056f61408fbc0f72cfafa5e416bc73` (SHA-256 — EDR capture variant) ## Detection guidance Signature-based detection largely fails against this campaign. The behavioral chain is distinct and high-confidence when correlated. 1. **Second Finder process from non-system path** Alert on any process named `Finder` whose executable path does not begin with `/System/Library/CoreServices/Finder.app`. 2. **Login Item audit: Finder from non-system path** Enumerate Login Items and alert on any entry named “Finder” or bundle ID `com.apple.finder.monitor` resolving outside the CoreServices path. Audit with `sfltool dumpbtm`. 3. **Ad-hoc codesigning on Finder.app bundle** Monitor for `Finder.app` bundles with `Signature=adhoc` and `TeamIdentifier=not set`. 4. **Script Editor executing network-fetching JXA** Alert on `Script Editor.app` spawning child processes that access network resources, write to `~/Library/Application Support/`, invoke `codesign`, or register Login Items. 5. **Non-browser process reading browser credential databases** Alert when processes other than Chrome, Firefox, or Safari read `Login Data`, `logins.json`, `key4.db`, or `login.keychain-db`. 6. **Keychain access from non-system process** Monitor `SecItemCopyMatching` calls for `kSecClassGenericPassword` originating outside `/Applications/` or `/System/`. 7. **Outbound HTTPS POST from bundle ID com.apple.finder.monitor** Alert on outbound connections to `avengerflow[.]com` or HTTPS POST requests from bundle ID `com.apple.finder.monitor`. ## Hardening recommendations Controls are tagged by implementation effort. ### 1. Verify Maccy downloads against official sources only (Quick win) The legitimate Maccy application is distributed exclusively from: - `maccy.app` - https://github.com/p0deje/Maccy/releases - Mac App Store (publisher Alexey Rodionov, Team Identifier `MN3X4648SC`) - Homebrew: `brew install --cask maccy` Every legitimate build ships as `Maccy.app.zip`, never as a `.dmg`. **Verification:** ```bash codesign -dvvv Maccy.app ``` Confirm: - `Authority=Developer ID Application: Alexey Rodionov (MN3X4648SC)` - `Notarization Ticket=stapled` - `Format=app bundle with Mach-O universal (x86_64 arm64)` Ad-hoc signing or a missing Team Identifier indicates a non-legitimate build. ### 2. Block delivery and C2 domains (Quick win) Block: - `maccyapp[.]com` (delivery) - `avengerflow[.]com` (C2) Use DNS-level blocking. The C2 is Cloudflare-fronted, so IP-based blocking alone is insufficient. ### 3. Audit Login Items fleet-wide (Quick win) Run: ```bash sfltool dumpbtm ``` Flag any Login Item with bundle ID containing `com.apple.finder` whose path is not `/System/Library/CoreServices/Finder.app`. Relevant paths: - `/private/var/db/com.apple.backgroundtaskmanagement/BackgroundItems-v*.btm` - `~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm` ### 4. Treat Script Editor as a monitored execution surface (Standard) Add `Script Editor.app` to endpoint monitoring policies. Alert on network activity, Library writes, or Login Item registration originating from Script Editor. Consider MDM-based restrictions for roles that do not require Script Editor. ### 5. Reduce persistent Keychain and browser credential exposure (Standard) Shift to enterprise password manager solutions with process-level access controls. On confirmed infection: - Isolate host immediately. - Rotate all Keychain entries. - Rotate browser-saved passwords. - Invalidate active sessions. - Treat clipboard contents during infection window as compromised. The C2 channel is bidirectional. Confirmed infection should be treated as an active implant, not a credential leak. ## Primary references - [MITRE ATT&CK — T1547.015: Boot or Logon Autostart Execution: Login Items](https://attack.mitre.org/techniques/T1547/015/) - [MITRE ATT&CK — T1059.007: Command and Scripting Interpreter: JavaScript](https://attack.mitre.org/techniques/T1059/007/) - [Microsoft Threat Intelligence — ClickFix campaign uses fake macOS utilities lures to deliver infostealers](https://www.microsoft.com/en-us/security/blog/2026/05/06/clickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers/) - [Microsoft Defender Experts — Hunting Infostealers: macOS Threats](https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/hunting-infostealers---macos-threats/4494435) - [Maccy — Official GitHub repository (p0deje/Maccy)](https://github.com/p0deje/Maccy) - [Patrick Wardle — The Art of Mac Malware: Persistence](https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf) - [MITRE ATT&CK — Enterprise framework reference](https://attack.mitre.org/)