Overview
Fake Maccy Stealer is a macOS credential-stealing campaign that impersonates the legitimate Maccy clipboard manager to deliver a Rust-based infostealer through a deceptive Script Editor execution flow. Instead of exploiting a vulnerability, the campaign relies on user trust, Login Item persistence, and post-execution stealth to collect credentials, browser data, and clipboard content while maintaining an active encrypted command channel. The campaign was identified and analyzed by the ManageEngine EDR Threat Intelligence team during investigation of a macOS credential theft operation abusing trusted application workflows and deceptive execution paths.
The attacker registered maccyapp[.]com as a lookalike for the legitimate Maccy project, which is distributed at maccy.app and via GitHub releases by developer Alexey Rodionov. The fake domain serves a maccy.dmg disk image, a format that has never appeared in the legitimate Maccy release history, which distributes exclusively as Maccy.app.zip. The victim is directed there through SEO-positioned search results appearing alongside the genuine project listing. What distinguishes this campaign from most recent macOS infostealer activity is the execution surface. Rather than the Terminal copy-paste flow used by ClickFix campaigns targeting macOS, Fake Maccy Stealer delivers a JavaScript for Automation (JXA) script that opens in macOS Script Editor when the DMG is mounted. The user is prompted to click Run. Script Editor is a first-party Apple application that inherits full system trust, and Apple's macOS Tahoe 26.4 Terminal paste protections do not apply to it. The malicious payload is pushed below the visible portion of the Script Editor window by whitespace padding, beneath decorative code that references the legitimate App Store URL as a false trust signal.
Once executed, the dropper places a Rust-compiled, ARM64-native Mach-O binary inside a fake application bundle named Finder.app, using the genuine Apple Finder icon copied from /System/Library/CoreServices/ and the bundle identifier com.apple.finder.monitor. The binary runs as a second Finder process in Activity Monitor, visually indistinguishable from the real one. Persistence is established via Login Items using the LSSharedFileList and SMAppService APIs, deliberately avoiding LaunchAgents and LaunchDaemons, where detection coverage is densest.
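The impostor bundle described above gives defenders a cheap host-side check: a bundle claiming a com.apple.* identifier, or the display name of a first-party app such as Finder, that lives outside Apple-owned paths. The following is an added example, not code from the report or from the campaign; the Info.plist contents are constructed to mirror the bundle identifier and name the report gives, and the set of Apple-owned roots and protected app names is an assumption chosen for illustration. On a live host, feed it the Info.plist of each login-item or user-installed bundle and confirm any hit with codesign, which is the authoritative test for Apple-signed code.

```python
import os
import plistlib
from pathlib import PurePosixPath

# Assumed: locations where a com.apple.* bundle identifier is legitimately expected.
APPLE_ROOTS = ("/System/", "/Library/Apple/", "/usr/libexec/")

# Assumed: first-party app names a lookalike bundle is likely to borrow.
PROTECTED_NAMES = {"Finder", "Safari", "Terminal", "Activity Monitor", "Script Editor"}

# Constructed Info.plist mirroring the fake Finder.app the report describes.
FAKE_FINDER_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.finder.monitor</string>
  <key>CFBundleName</key><string>Finder</string>
  <key>CFBundleExecutable</key><string>Finder</string>
</dict></plist>"""

# Constructed Info.plist standing in for the genuine Finder (real bundle id is com.apple.finder).
REAL_FINDER_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.finder</string>
  <key>CFBundleName</key><string>Finder</string>
  <key>CFBundleExecutable</key><string>Finder</string>
</dict></plist>"""


def bundle_findings(bundle_path: str, info_plist: bytes) -> list[str]:
    """Return the reasons a bundle looks like an Apple impostor (empty list if none)."""
    info = plistlib.loads(info_plist)
    ident = info.get("CFBundleIdentifier", "")
    name = info.get("CFBundleName") or PurePosixPath(bundle_path).stem
    exe = info.get("CFBundleExecutable", "")
    in_apple_root = bundle_path.startswith(APPLE_ROOTS)
    findings = []
    if ident.startswith("com.apple.") and not in_apple_root:
        findings.append(f"com.apple.* identifier {ident!r} outside Apple-owned paths")
    if not in_apple_root and (name in PROTECTED_NAMES or exe in PROTECTED_NAMES):
        findings.append(f"bundle named/executable {name!r}/{exe!r} outside Apple-owned paths")
    return findings


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a directory for *.app bundles and collect findings per bundle path."""
    hits = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.endswith(".app") and os.path.isfile(os.path.join(dirpath, "Contents", "Info.plist")):
            with open(os.path.join(dirpath, "Contents", "Info.plist"), "rb") as fh:
                found = bundle_findings(dirpath, fh.read())
            if found:
                hits[dirpath] = found
            dirnames[:] = []  # do not descend into the bundle itself
    return hits


if __name__ == "__main__":
    for path, plist in ((os.path.expanduser("~/Library/Application Support/Finder.app"), FAKE_FINDER_PLIST),
                        ("/System/Library/CoreServices/Finder.app", REAL_FINDER_PLIST)):
        print(path, "->", bundle_findings(path, plist) or "clean")
    for path, reasons in scan_tree(os.path.expanduser("~/Library")).items():
        print(path, "->", reasons)
```

The plist check is only a triage heuristic: a real Finder is also Apple-signed, so `codesign -dv --verbose=4 <bundle>` on any hit settles it, and a second process named Finder in Activity Monitor should be traced back to its bundle path the same way.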
The malware harvests macOS Keychain credentials, browser-saved passwords and cookies, and clipboard contents, encrypting the collected data with ChaCha20-Poly1305 (RFC 8439) before exfiltrating it to https://avengerflow[.]com/api/sync. The C2 channel is bidirectional: the server returns encrypted responses, making the implant a credential-stealing backdoor rather than a one-shot infostealer. At first submission to VirusTotal, the sample was detected by one of 70 engines. The campaign fits within a documented pattern of Russian-speaking MaaS operators targeting macOS professionals with developer-tool lures. The JXA dropper implements four independent CIS geo-fence checks against timezone, country code, keyboard input language, and CPU architecture, aborting silently on machines associated with Russia or eleven other CIS-aligned countries.