Fake Maccy Stealer

macOS Infostealer · Rust ARM64 · First seen June 26, 2026

Overview

Fake Maccy Stealer is a macOS credential stealing campaign that impersonates the legitimate Maccy clipboard manager to deliver a Rust-based infostealer through a deceptive Script Editor execution flow. Instead of exploiting a vulnerability, the campaign relies on user trust, Login Item persistence, and post execution stealth to collect credentials, browser data, and clipboard content while maintaining an active encrypted command channel. The campaign was identified and analyzed by the ManageEngine EDR Threat Intelligence team during investigation of a macOS credential theft operation abusing trusted application workflows and deceptive execution paths.

The attacker registered maccyapp[.]com as a lookalike for the legitimate Maccy project, which is distributed at maccy.app and via GitHub releases by developer Alexey Rodionov. The fake domain serves a maccy.dmg disk image - a format that has never appeared in the legitimate Maccy release history, which distributes exclusively as Maccy.app.zip. The victim is directed there through SEO positioned search results appearing alongside the genuine project listing. What distinguishes this campaign from most recent macOS infostealer activity is the execution surface. Rather than the Terminal copy-paste flow used by ClickFix campaigns targeting macOS, Fake Maccy Stealer delivers a JavaScript for Automation (JXA) script that opens in macOS Script Editor when the DMG is mounted. The user is prompted to click Run. Script Editor is a first-party Apple application inheriting full system trust, and Apple's macOS Tahoe 26.4 Terminal paste protections do not apply to it. The malicious payload is hidden below the visible window through whitespace padding, behind decorative code that references the legitimate App Store URL as a false trust signal.

Once executed, the dropper places a Rust-compiled, ARM64-native Mach-O binary inside a fake application bundle named Finder.app, using the genuine Apple Finder icon copied from /System/Library/CoreServices/ and the bundle identifier com.apple.finder.monitor. The binary runs as a second Finder process in Activity Monitor, visually indistinguishable from the real one. Persistence is established via Login Items using the LSSharedFileList and SMAppService APIs, deliberately avoiding LaunchAgents and LaunchDaemons, where detection coverage is densest.

The malware harvests macOS Keychain credentials, browser-saved passwords and cookies, and clipboard contents, encrypting the collected data with ChaCha20-Poly1305 (RFC 8439) before exfiltrating to https://avengerflow[.]com/api/sync. The C2 channel is bidirectional: the server returns encrypted responses, making the implant a credential-stealing backdoor rather than a one shot infostealer. At first submission to VirusTotal, the sample was detected by one of 70 engines. The campaign fits within a documented pattern of Russian speaking MaaS operators targeting macOS professionals with developer-tool lures. The JXA dropper implements four independent CIS geo-fence checks against timezone, country code, keyboard input language, and CPU architecture, aborting silently on machines associated with Russia or eleven other CIS aligned countries.

Operational attack chain · Fake Maccy DMG to credential exfiltration
  1. Start

    Lookalike domain

    maccyapp[.]com via SEO-positioned search result

  2. Stage 1

    Fake Maccy DMG downloaded

    maccy.dmg format not used by legitimate project

  3. Stage 2 - user

    JXA script opens in Script Editor

    User clicks Run (“⌘ + R”) — no Terminal, no copy-paste

  4. Stage 3

    CIS geo-fence → RC4-decrypted C2 URL

    Four anti-targeting checks; key derived from system fingerprint

  5. Stage 4

    Rust binary downloaded & installed

    Finder icon clonedAd-hoc codesigned
  6. Stage 5

    Login Item persistence registered

    LSSharedFileList + SMAppService - appears as “Finder” in System Settings

  7. Stage 6

    Credential theft and clipboard capture

    Keychain · browser SQLite · NSPasteboard · PAM interception

  8. Impact

    ChaCha20-Poly1305 exfiltration → active C2

    HTTPS POST to avengerflow[.]com · bidirectional - treats host as active implant

The Script Editor lure is what separates this campaign from Terminal-based ClickFix flows. The execution path is the same approval gesture : clicking Run in a trusted Apple application, but it entirely bypasses the Terminal paste protections added in macOS Tahoe 26.4.

Source: Sample analysis - first seen June 26, 2026

Tactics, techniques, and procedures

Fake Maccy Stealer stacks seven distinct evasion layers across the initial access, execution, persistence, defense evasion, credential access, and exfiltration phases. The highest technique density is in defense evasion, where the malware combines masquerading, obfuscation, sandbox evasion geo-fencing, hidden window flags, and trust control abuse into a single delivery chain.

Technique detailKey techniques · Fake Maccy Stealer
TacticTechniquesWhat Fake Maccy Stealer does
Initial AccessSEO positioned lookalike domain (maccyapp[.]com) serves a malicious DMG to users searching for the legitimate Maccy clipboard manager.
ExecutionVictim clicks Run inside macOS Script Editor to execute the obfuscated JXA dropper. No exploit, no CVE. The user approves the execution through a trusted first party Apple application.
PersistenceThe JXA dropper registers the fake Finder.app as a Login Item using both the legacy LSSharedFileList API and the modern SMAppService (ServiceManagement.framework), ensuring the malware survives reboot. The entry appears as "Finder" with the genuine Apple Finder icon in System Settings → General → Login Items.
Defense EvasionThe bundle identifier com.apple.finder.monitor imitates Apple's own reverse-DNS convention. The binary is named F8C06C86 (8-char hex, believed per-host to defeat hash IOC sharing). The genuine Finder icon is copied from /System/Library/CoreServices/. LSUIElement=true and LSBackgroundOnly=true suppress any Dock icon or UI. Configuration and marker files use dotfile naming (.config, .lock, .Maccy). The JXA script uses string reversal, XOR charcode arithmetic, and URI-encoded Function() constructors to conceal its logic. The Rust binary uses ChaCha20-Poly1305 for all exfiltrated data. The Script Editor trust surface is abused to bypass Gatekeeper's quarantine evaluation.
Credential AccessKeychain entries are extracted via SecItemCopyMatching targeting kSecClassGenericPassword. Browser credential databases (Chrome Login Data, Firefox logins.json, Safari Keychain items) are accessed directly via libsqlite3.dylib. The malware also links libpam.2.dylib, the Pluggable Authentication Module library, which can intercept sudo passwords and system authentication dialog responses.
DiscoveryThe JXA dropper collects timezone, country code, keyboard input language, and CPU architecture before executing. The Rust binary collects operatingSystemVersion and hardware ID via IOKit.framework for host fingerprinting and campaign telemetry tagging.
CollectionClipboard contents are captured via NSPasteboard.generalPasteboard. Browser credential databases, Keychain entries, and system authentication artifacts are read from local storage. The malware targets a device the user intentionally configured to manage sensitive clipboard data, making the lure choice deliberately aligned with the collection objective.
Command and ControlHTTPS POST to avengerflow[.]com/api/sync via NSURLSession. The channel is bidirectional. All traffic is encrypted with ChaCha20-Poly1305 (RFC 8439). The C2 domain is fronted via Cloudflare (172.67.210.219, 104.21.93.138) with a suspected backend origin on AWS EC2 in Spain (51.92.110.33). Beacons are prefixed with the hardcoded campaign tag MacOSapp1.
ExfiltrationAll collected data is encrypted with ChaCha20-Poly1305 and sent over the existing C2 HTTPS channel. The confirmed C2 beacon format is MacOSapp1{"data":"<encrypted blob>"}. A confirmed beacon timestamp of 2026-06-26 07:38:02 UTC was recovered from the malware's own SQLite cache database.
Recon / Priv. Esc / Lateral / ImpactNot observed in this campaign. The malware operates entirely within the user session context and does not attempt privilege escalation or lateral movement.
Stage 1T1189 · T1204.002

The lookalike lure

Maccy is a widely used open source clipboard manager distributed from maccy.app and GitHub, built and signed by developer Alexey Rodionov (Team Identifier MN3X4648SC). The attacker registered maccyapp[.]com as a near identical domain and optimized it to appear in search results alongside the legitimate project listing. The malicious domain claims to distribute Maccy version 2.7.3, a version number with no corresponding GitHub tag in the legitimate repository.

The payload is served as maccy.dmg. The official Maccy project has never distributed a DMG; all legitimate releases are published as Maccy.app.zip on GitHub. That format mismatch is the first detectable signal. The SHA-256 of the malicious disk image (45bd0e321aa85b63b5dee4e87465e4088546eea5da6efb9c96847023384c48c9) does not match any legitimate Maccy release hash. Legitimate Maccy binaries are signed with an Apple Developer ID, notarized and stapled, and pass Gatekeeper without warnings. The malicious payload is ad-hoc signed with no Team Identifier and is explicitly rejected by spctl --assess.

The lure selection is deliberate. Clipboard managers are disproportionately used by developers, IT administrators, and security professionals who regularly copy and paste sensitive material: API tokens, SSH keys, recovery phrases, temporary passwords, and 2FA codes. A clipboard running on such a host is a structured cache of recently used secrets. The campaign is designed to compromise the tool its targets rely on to handle that data.

Stage 2T1059.007 · T1027.010 · T1553

The Script Editor JXA dropper

When the victim mounts the DMG, a compiled JXA .scpt file opens automatically in macOS Script Editor. The visible portion of the script contains a short, plausible looking configuration block referencing the official Apple App Store URL for Maccy, alongside instructions to press ⌘ + R or click the Run button. The App Store URL is a deliberate trust signal and has no functional role. The real payload is a heavily obfuscated JXA routine hidden below the visible editor window through whitespace padding.

Why Script Editor bypasses macOS protections: Script Editor is a first party Apple application with full system trust. Apple's macOS Tahoe 26.4 Terminal paste protections target the specific attack surface where victims are instructed to paste commands into Terminal. Those controls have no effect on code executed by clicking Run inside Script Editor. macOS does display an "unidentified developer" warning when the script runs, but this is the same prompt users have been conditioned to dismiss for years, and the lure is built around getting them to do exactly that.

The obfuscation in the JXA script uses three layered techniques. String reversal: constants are stored backwards and assembled at runtime. XOR charcode arithmetic: individual characters are derived from arithmetic operations on integer literals. URI-encoded Function() constructors: the instruction Function('return decodeURIComponent(\'%69%6d%70%6f%72%74\')')() evaluates to 'import' at runtime. The result is a dropper that does not contain any readable C2 URL or file path in its source text.

The JXA script imports three macOS frameworks through the Objective-C bridge: Cocoa (UI, NSWorkspace, NSFileManager), IOKit (hardware enumeration), and CoreFoundation (timezone and locale queries). These imports are the basis for the four geo-fence checks that run before any payload is downloaded.

Stage 3T1082 · T1027

CIS geo-fencing and machine-bound C2 URL decryption

Before downloading or installing anything, the JXA dropper runs four independent checks to abort execution on machines associated with Russia or ten other CIS aligned countries. This pattern is consistent with Russian speaking MaaS operators protecting themselves from creating victims who could file a domestic complaint, a practice documented across multiple macOS infostealer families operating in the same ecosystem.

  • Timezone check:NSTimeZone.localTimeZone.name against 12 CIS identifiers including Europe/Moscow, Asia/Almaty, Europe/Minsk, and related zones.
  • Country code check:CFLocaleCopyPreferredLanguages against the regex RU|BY|KZ|AM|AZ|KG|MD|TJ|UZ|TM|GE.
  • Keyboard input source check:TISCreateInputSourceList enumeration against a list of CIS keyboard language identifiers.
  • Architecture check:sysctlbyname("hw.optional.arm64") to report ARM64 vs x86_64 to the C2, allowing the server to serve the correct binary. This is the check that confirms Apple Silicon targeting as the primary objective.

The C2 URL is stored in the JXA script as an RC4-encrypted blob (distinct from the ChaCha20-Poly1305 used in the Rust binary). The RC4 decryption key is derived from the outputs of the four geo-fence checks concatenated into a 32-byte system fingerprint. This design means the C2 URL decrypts to a different value on every machine, and a researcher extracting the encrypted blob from the script source cannot recover the URL without running the checks on a qualifying host. Static IOC extraction of the C2 URL from the dropper script alone is not possible.

Stage 4T1036.005 · T1564.001 · T1564.003 · T1553

Finder masquerade and Login Item persistence

Once the geo-fence checks pass, the JXA dropper downloads the Rust binary from the decrypted C2 URL via NSURLSession and builds the following structure on disk:

Fake Finder.app bundle layout
~/Library/Application Support/com.apple.finder.monitor/
<!-- mimic Apple reverse-DNS naming convention -->
└── Finder.app/
    ├── Contents/
    │   ├── Info.plist          (LSUIElement=true · LSBackgroundOnly=true)
    │   ├── MacOS/
    │   │   └── F8C06C86        (944,464 bytes — Rust ARM64 infostealer)
    │   └── Resources/
    │       └── AppIcon.icns    (copied from /System/Library/CoreServices/Finder.app)
    ├── .config                 (34 bytes — C2 URL plaintext: https://avengerflow.com/api/sync)
    ├── .lock                   (0 bytes — single-instance mutex)
    └── .Maccy                  (0 bytes — clipboard monitoring marker)

Three aspects of this layout are purpose engineered for detection avoidance. The directory name com.apple.finder.monitor imitates the reverse-DNS convention Apple uses for its own background services. The bundle is named Finder.app and uses a copy of the genuine Apple Finder icon lifted from the system path, producing a second process in Activity Monitor that is visually identical to the real Finder. The executable inside is named with eight hex characters derived from the host, which is believed to rotate per installation, defeating binary hash IOC sharing at the filename level.

The Info.plist sets LSUIElement=true (no Dock icon) and LSBackgroundOnly=true (no UI surface), so the process runs entirely invisibly. After writing the bundle, the dropper self-signs the binary using codesign -fs - --deep (ad-hoc signing), producing a Gatekeeper rejection when assessed with spctl --assess, but the binary has already been authorized by the user's approval of the Script Editor script, which means Gatekeeper does not re-evaluate at this point.

Persistence is registered via two APIs simultaneously: the legacy LSSharedFileList (LSSharedFileListInsertItemURL on kLSSharedFileListSessionLoginItems) and the modern SMAppService from ServiceManagement.framework. The resulting Login Item appears in System Settings → General → Login Items as "Finder" with the genuine Apple Finder icon. The Background Task Manager (BTM) database records it as 2.com.apple.finder.monitor with disposition [enabled, allowed, visible, notified].

The choice to use Login Items rather than LaunchAgents or LaunchDaemons is operationally significant. Detection coverage for ~/Library/LaunchAgents/*.plist and /Library/LaunchDaemons/*.plist is well-established in macOS security tooling. Login Item persistence via LSSharedFileList and SMAppService receives substantially less detection attention, and the BTM database entry is not examined by default in most security tool inventories.

Stage 5T1555.001 · T1555.003 · T1115 · T1041 · T1573.001

Credential theft and exfiltration

The Rust binary runs silently, with all I/O redirected to /dev/null. It operates entirely within the user session context and does not attempt privilege escalation. What it can access within that context is extensive.

Keychain credentials: The binary calls SecItemCopyMatching with kSecClassGenericPassword, kSecAttrService, kSecReturnData, and kSecReturnAttributes. This API chain extracts generic password entries from the login keychain, covering Wi-Fi passwords, application passwords, and credentials stored by password managers and browsers that use the Keychain as a backend.

Browser credentials: Direct SQLite access via libsqlite3.dylib targets Chrome's Login Data and Cookies databases, Firefox's logins.json and key4.db, and Safari Keychain items. Session cookies are captured with their security flags intact, enabling session hijacking without needing to crack a second authentication factor.

Clipboard contents:NSPasteboard.generalPasteboard captures whatever the user has copied while the process is running. This is precisely the data a clipboard manager user expects to see: passwords, tokens, seed phrases, and recovery codes copied during normal work.

PAM interception: The binary links libpam.2.dylib, the Pluggable Authentication Module library. This can intercept system authentication events, potentially capturing passwords entered into sudo prompts or system security dialogs after installation.

Collected data is encrypted with ChaCha20-Poly1305 (IETF variant, RFC 8439). The presence of the string expand 32-byte k in the binary strings confirms the ChaCha20 sigma constant from the Rust chacha20poly1305 crate. Each encrypted blob follows the structure: [version: 1 byte = 0x02] [nonce: 12 bytes] [ciphertext: N bytes] [Poly1305 tag: 16 bytes]. The beacon body format is MacOSapp1{"data":"<encrypted blob>"}, which was confirmed from the malware's own SQLite cache database, which recorded a C2 contact at 2026-06-26 07:38:02 UTC to https://avengerflow.com/api/sync.

The C2 channel is bidirectional. A captured C2 response containing an encrypted blob confirms that the server sends commands back to the implant. A compromised host should be treated as an active implant, not as a one-shot credential leak. All credentials should be considered exposed and rotated, and all active sessions should be invalidated.

Process and system artifact view

What the kill chain looks like in endpoint telemetry

How Malware Protection Plus responds

A walkthrough demonstrating detection, investigation, and containment of a confirmed Fake Maccy Stealer infection.

Indicators of compromise

Indicators are divided into durable behavioral and structural IOCs, which survive variant rotation, and volatile network IOCs, which are tied to this specific campaign infrastructure and will change if the operator rebuilds.

File system paths (durable)

7 indicators

Structural artifacts consistent across campaign variants. These paths reflect deliberate choices to mimic Apple naming conventions and will not change between binary updates.

  • ~/Library/Application Support/com.apple.finder.monitor/Root malware directory — presence is high-confidence indicator
  • ~/Library/Application Support/com.apple.finder.monitor/Finder.app/Contents/MacOS/Rust binary location — binary name (e.g. F8C06C86) rotates per host
  • ~/Library/Application Support/com.apple.finder.monitor/.config34-byte plaintext C2 URL file
  • ~/Library/Application Support/com.apple.finder.monitor/.MaccyZero-byte clipboard monitoring marker
  • ~/Library/Caches/com.apple.finder.monitor/SQLite cache containing confirmed C2 contact timestamps
  • ~/Library/HTTPStorages/com.apple.finder.monitor/HTTP storage artifacts
  • Bundle identifier: com.apple.finder.monitorFake Apple bundle identifier — not used by any legitimate Apple software

Process and identity patterns (durable)

4 patterns

Behavioral and signing indicators that survive binary replacement.

  • Finder.app running from path other than /System/Library/CoreServices/High-confidence indicator of active infection
  • codesign: Signature=adhoc · TeamIdentifier=not set on Finder.appReal Finder is signed with Apple Root CA; ad-hoc signing is unambiguous
  • Login Item named "Finder" with path outside /System/Library/CoreServices/BTM entry: 2.com.apple.finder.monitor
  • C2 beacon prefix: MacOSapp1{"data":"...Campaign identifier hardcoded in Rust binary

Network behavior (volatile)

5 indicators

These indicators are tied to current campaign infrastructure. Block at DNS and proxy where possible, but treat as volatile: the operator can rotate domains without changing any other behavior.

  • avengerflow[.]comC2 domain — Cloudflare-fronted
  • https://avengerflow[.]com/api/syncConfirmed C2 endpoint (cache DB timestamp: 2026-06-26 07:38:02 UTC)
  • 172.67.210.219Cloudflare front IP
  • 104.21.93.138Cloudflare front IP
  • 51.92.110.33 (ec2-51-92-110-33.eu-south-2.compute.amazonaws.com)Suspected C2 origin — AWS EC2 eu-south-2 (Spain)

File hashes (volatile)

2 hashes

Binary hashes will change with each operator rebuild. Use behavioral indicators as primary detection. The binary name (e.g. F8C06C86) is believed to rotate per installation. Treat these hashes as confirmation aids, not primary detections.

  • 45bd0e321aa85b63b5dee4e87465e4088546eea5da6efb9c96847023384c48c9SHA-256 — maccy.dmg sample (1/70 VT at first submission)
  • 0b7529782694bee95f784a854ef3abb8f4056f61408fbc0f72cfafa5e416bc73SHA-256 — EDR capture variant

Detection guidance

Signature-based detection largely fails against this campaign. The Rust binary was detected by one of 70 engines at first submission, and the binary name rotates per installation. The behavioral chain is different: a second Finder process from a non-system path, a Login Item entry for "Finder" outside the CoreServices path, and HTTPS POST traffic to an ad-hoc-signed bundle's bundle ID are each individually anomalous. Together they are unambiguous.

  1. 01

    Second Finder process from non-system path

    Process telemetry

    Alert on any process named Finder or with display name Finder whose executable path does not begin with /System/Library/CoreServices/Finder.app. The real Finder always runs from that path. Any deviation is a high-confidence indicator of masquerade activity.

    Why it works: The malware cannot change what path its binary runs from. The fake bundle is installed in user Library space, and that path difference is permanent and testable with a single EDR rule. False positives are not expected: no legitimate software runs a process named Finder from outside the CoreServices path.

  2. 02

    Login Item audit: Finder from non-system path

    Persistence / BTM telemetry

    Enumerate Login Items and alert on any entry named "Finder" or with bundle identifier com.apple.finder.monitor whose application path does not resolve to /System/Library/CoreServices/Finder.app. Audit the BTM database entry (sfltool dumpbtm) and the backgrounditems.btm file in ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/.

    Why it works: Login Item persistence is the specific mechanism this campaign uses to avoid LaunchAgent and LaunchDaemon detection. Auditing Login Items closes that gap. The BTM database records the bundle identifier, which includes the campaign-specific string com.apple.finder.monitor.

  3. 03

    Ad-hoc codesigning on Finder.app bundle

    Code signature telemetry

    Monitor for application bundles named Finder.app with Signature=adhoc and TeamIdentifier=not set. The legitimate macOS Finder is signed by Apple with a full Developer ID chain and passes notarization. An ad-hoc signed bundle named Finder is unambiguously non-legitimate.

    Why it works: the malware uses codesign -fs - to self-sign, which is the minimum required to execute a macOS app bundle. It cannot impersonate Apple's signing chain. The signature difference is permanent and detectable without behavioral analysis.

  4. 04

    Script Editor executing network-fetching JXA

    EDR / process telemetry

    Alert on Script Editor.app spawning child processes that access network resources, write files to ~/Library/Application Support/, invoke codesign, or call LSSharedFileListInsertItemURL. Standard Script Editor use does not involve file writes outside the user's working directory or Login Item registration.

    Why it works: The Script Editor execution surface is what bypasses Terminal paste protections. Treating Script Editor as a monitored execution surface, similar to how EDRs treat osascript and bash, catches this campaign's initial execution step without requiring a hash match.

  5. 05

    Non-browser process reading browser credential databases

    File access telemetry

    Alert on any process other than Google Chrome, Firefox, Safari, or recognized browser helpers reading Login Data, logins.json, key4.db, or login.keychain-db. The fake Finder process accesses these files directly via libsqlite3.dylib.

    Why it works: Browsers legitimately read their own credential stores. A process named Finder reading a Chrome SQLite database is not a browser. The file access pattern is the direct indicator of the credential theft stage.

  6. 06

    Keychain access from a non-system, non-browser process

    Keychain / Security framework telemetry

    Monitor SecItemCopyMatching calls with kSecClassGenericPassword originating from processes outside /Applications/ or /System/ paths. The fake Finder binary runs from user Library space and issues Keychain queries from that path context.

    Why it works: Keychain access from a process masquerading as Finder but running from a non-system path is anomalous. Endpoint security frameworks on macOS can expose the calling process path alongside Keychain API calls, making this correlation feasible.

  7. 07

    Outbound HTTPS POST from bundle ID com.apple.finder.monitor

    Network / DNS / proxy telemetry

    Alert on outbound connections to avengerflow[.]com or on HTTPS POST requests originating from the bundle identifier com.apple.finder.monitor. The legitimate Finder does not make outbound HTTPS POST requests; any network activity from this bundle ID is malicious.

    Why it works: Network telemetry on macOS can be attributed to application bundle identifiers. The C2 beacon format (MacOSapp1{...}) is also a distinctive string that should appear in TLS decryption or proxy inspection where available.

Hardening recommendations

Controls are tagged by implementation effort. Quick win = deployable in days with standard MDM or manual configuration. Standard = requires workflow change or policy rollout across managed endpoints.

  1. Verify Maccy downloads against official sources only

    Quick win

    The legitimate Maccy application is distributed exclusively from maccy.app, the GitHub releases page (github.com/p0deje/Maccy/releases), the Mac App Store (publisher Alexey Rodionov, Team Identifier MN3X4648SC), and Homebrew (brew install --cask maccy). Every legitimate build ships as Maccy.app.zip, never as a .dmg. Any DMG claiming to be Maccy should be treated as suspect.

    Verification: run codesign -dvvv Maccy.app and confirm Authority=Developer ID Application: Alexey Rodionov (MN3X4648SC), Notarization Ticket=stapled, and Format=app bundle with Mach-O universal (x86_64 arm64). Ad-hoc signing or a missing Team Identifier indicates a non-legitimate build.

  2. Block delivery domain at DNS and proxy layer

    Quick win

    Block maccyapp[.]com (delivery) and avengerflow[.]com (C2) at DNS resolvers and outbound proxy. The delivery domain is a permanent IOC: the legitimate Maccy project will never use it, and blocking it carries no business risk. The C2 domain should be treated as volatile but blocked for the duration of this campaign.

    Note: the C2 is Cloudflare-fronted, so IP-based blocking alone is insufficient. Domain-level DNS blocking is required.

  3. Audit Login Items for anomalous entries across managed Macs

    Quick win

    Run sfltool dumpbtm to enumerate BTM database entries on managed endpoints. Flag any Login Item entry with a bundle identifier containing com.apple.finder whose path does not resolve to /System/Library/CoreServices/Finder.app. This is the most reliable single check for Fake Maccy Stealer infection across a managed fleet.

    Path:/private/var/db/com.apple.backgroundtaskmanagement/BackgroundItems-v*.btm and ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm

  4. Treat Script Editor as a monitored execution surface

    Standard

    macOS Tahoe 26.4 added Terminal paste protections against ClickFix-style attacks. Script Editor is not covered by that protection. Security tooling and endpoint telemetry should treat Script Editor.app as a monitored execution surface alongside osascript and bash, alerting on JXA or AppleScript execution that triggers network connections, file writes to Library directories, or Login Item registration.

    Practical action: add Script Editor to endpoint monitoring policy as a high-risk execution surface. Alert on Script Editor spawning child processes that perform network or persistence activity. Consider MDM-based restrictions on Script Editor access for roles that do not require it.

  5. Reduce persistent Keychain and browser credential exposure

    Standard

    This campaign extracts Keychain entries and browser-saved passwords without privilege escalation, using APIs accessible to any user-context process. Organizations that store sensitive credentials in browser autofill or as generic Keychain entries face full credential exposure from a single successful execution. Shifting to enterprise password manager solutions with process-level access controls reduces the value of credentials accessible to a user-context infostealer.

    Response action: on any confirmed infection, treat all Keychain entries, browser-saved passwords, and clipboard contents from the period of infection as compromised and rotate immediately.

Primary references

Source material this page is built from. Technical claims are drawn from sample analysis, MITRE ATT&CK documentation, platform security documentation, and independent macOS malware research.

See how your macOS endpoints stand against a stealer disguised as Finder.

Malware Protection Plus catches the behavioral patterns that signature-based tools miss.