# Fake Maccy Stealer

macOS Infostealer · Rust ARM64 · First seen June 26, 2026

## Overview

Fake Maccy Stealer is a macOS credential-stealing campaign that impersonates the legitimate Maccy clipboard manager to deliver a Rust-based infostealer through a deceptive Script Editor execution flow. Instead of exploiting a vulnerability, the campaign relies on user trust, Login Item persistence, and post-execution stealth to collect credentials, browser data, and clipboard content while maintaining an active encrypted command channel.

The campaign was identified and analyzed by the ManageEngine EDR Threat Intelligence team during investigation of a macOS credential theft operation abusing trusted application workflows and deceptive execution paths.

The attacker registered `maccyapp[.]com` as a lookalike for the legitimate Maccy project, which is distributed at `maccy.app` and via GitHub releases by developer Alexey Rodionov. The fake domain serves a `maccy.dmg` disk image — a format that has never appeared in the legitimate Maccy release history, which distributes exclusively as `Maccy.app.zip`. The victim is directed there through SEO-positioned search results appearing alongside the genuine project listing.

What distinguishes this campaign from most recent macOS infostealer activity is the execution surface. Rather than the Terminal copy-paste flow used by ClickFix campaigns targeting macOS, Fake Maccy Stealer delivers a JavaScript for Automation (JXA) script that opens in macOS Script Editor when the DMG is mounted. The user is prompted to click Run. Script Editor is a first-party Apple application inheriting full system trust, and Apple’s macOS Tahoe 26.4 Terminal paste protections do not apply to it. The malicious payload is hidden below the visible window through whitespace padding, behind decorative code that references the legitimate App Store URL as a false trust signal.
Once executed, the dropper places a Rust-compiled, ARM64-native Mach-O binary inside a fake application bundle named `Finder.app`, using the genuine Apple Finder icon copied from `/System/Library/CoreServices/` and the bundle identifier `com.apple.finder.monitor`. The binary runs as a second Finder process in Activity Monitor, visually indistinguishable from the real one. Persistence is established via Login Items using the `LSSharedFileList` and `SMAppService` APIs, deliberately avoiding LaunchAgents and LaunchDaemons, where detection coverage is densest.

The malware harvests macOS Keychain credentials, browser-saved passwords and cookies, and clipboard contents, encrypting the collected data with ChaCha20-Poly1305 (RFC 8439) before exfiltrating to `https://avengerflow[.]com/api/sync`. The C2 channel is bidirectional: the server returns encrypted responses, making the implant a credential-stealing backdoor rather than a one-shot infostealer. At first submission to VirusTotal, the sample was detected by one of 70 engines.

The campaign fits within a documented pattern of Russian-speaking MaaS operators targeting macOS professionals with developer-tool lures. The JXA dropper implements four independent CIS geo-fence checks against timezone, country code, keyboard input language, and CPU architecture, aborting silently on machines associated with Russia or eleven other CIS-aligned countries.
### Threat profile

Updated June 30, 2026

| Field | Value |
|---|---|
| Type | Infostealer / Backdoor (macOS) |
| First seen | Jun 26, 2026 |
| Downstream risk | Full credential compromise · active C2 |
| Platform | macOS - ARM64 (Apple Silicon native) |
| Language | Rust (confirmed via stdlib strings, TLS symbols, ChaCha20 sigma constant) |
| Lure | Fake Maccy clipboard manager (maccyapp[.]com) |
| Delivery | Lookalike DMG → JXA dropper via Script Editor |
| Persistence | Login Items (LSSharedFileList + SMAppService) |
| Masquerade | com.apple.finder.monitor / Finder.app |
| Encryption | ChaCha20-Poly1305 (IETF RFC 8439) |
| C2 | avengerflow[.]com/api/sync (Cloudflare-fronted) |
| Code signing | Ad-hoc - no Apple Developer ID - TeamIdentifier=not set |
| VirusTotal | 1 / 70 at first submission |
| Operator attribution | CIS geo-fence consistent with Russian-speaking MaaS operators |

## Operational attack chain

1. **Lookalike domain** `maccyapp[.]com` via SEO-positioned search result.
2. **Fake Maccy DMG downloaded** `maccy.dmg` format not used by legitimate project.
3. **JXA script opens in Script Editor** User clicks Run (`⌘ + R`) — no Terminal, no copy-paste.
4. **CIS geo-fence → RC4-decrypted C2 URL** Four anti-targeting checks; key derived from system fingerprint.
5. **Rust binary downloaded & installed** Finder icon cloned · Ad-hoc codesigned.
6. **Login Item persistence registered** `LSSharedFileList` + `SMAppService` — appears as “Finder” in System Settings.
7. **Credential theft and clipboard capture** Keychain · browser SQLite · `NSPasteboard` · PAM interception.
8. **ChaCha20-Poly1305 exfiltration → active C2** HTTPS POST to `avengerflow[.]com` · bidirectional implant.

The Script Editor lure is what separates this campaign from Terminal-based ClickFix flows. The execution path is the same approval gesture — clicking Run in a trusted Apple application — but it entirely bypasses the Terminal paste protections added in macOS Tahoe 26.4.
## Tactics, techniques, and procedures

Fake Maccy Stealer stacks seven distinct evasion layers across the initial access, execution, persistence, defense evasion, credential access, and exfiltration phases. The highest technique density is in defense evasion, where the malware combines masquerading, obfuscation, sandbox-evasion geo-fencing, hidden window flags, and trust control abuse into a single delivery chain.

### MITRE ATT&CK coverage

| Tactic | Techniques | What Fake Maccy Stealer does |
|---|---|---|
| Initial Access | [Drive-by Compromise T1189](https://attack.mitre.org/techniques/T1189/) | SEO-positioned lookalike domain (`maccyapp[.]com`) serves a malicious DMG to users searching for the legitimate Maccy clipboard manager. |
| Execution | [User Execution: Malicious File T1204.002](https://attack.mitre.org/techniques/T1204/002/)<br>[Command & Scripting: JavaScript T1059.007](https://attack.mitre.org/techniques/T1059/007/) | Victim clicks Run inside macOS Script Editor to execute the obfuscated JXA dropper. No exploit, no CVE. Execution is user-approved in a trusted Apple application. |
| Persistence | [Login Items T1547.015](https://attack.mitre.org/techniques/T1547/015/) | Registers fake `Finder.app` as a Login Item using `LSSharedFileList` and `SMAppService`. Entry appears as “Finder” in System Settings → General → Login Items. |
| Defense Evasion | [Masquerade: Match Legitimate Name T1036.005](https://attack.mitre.org/techniques/T1036/005/)<br>[Hide Artifacts: Hidden Files T1564.001](https://attack.mitre.org/techniques/T1564/001/)<br>[Hide Artifacts: Hidden Window T1564.003](https://attack.mitre.org/techniques/T1564/003/)<br>[Obfuscated Files: Command Obfuscation T1027.010](https://attack.mitre.org/techniques/T1027/010/)<br>[Obfuscated Files or Information T1027](https://attack.mitre.org/techniques/T1027/)<br>[Subvert Trust Controls T1553](https://attack.mitre.org/techniques/T1553/) | Uses bundle ID `com.apple.finder.monitor`, hex-named binary, genuine Finder icon, hidden UI flags, dotfiles, string reversal/XOR/URI obfuscation, ChaCha20-Poly1305 encryption, and Script Editor trust abuse to evade detection. |
| Credential Access | [Keychain T1555.001](https://attack.mitre.org/techniques/T1555/001/)<br>[Credentials from Browsers T1555.003](https://attack.mitre.org/techniques/T1555/003/) | Extracts Keychain entries via `SecItemCopyMatching`. Reads Chrome, Firefox, and Safari credential stores directly. Links `libpam.2.dylib` for authentication interception. |
| Discovery | [System Information Discovery T1082](https://attack.mitre.org/techniques/T1082/) | Collects timezone, locale, keyboard language, CPU architecture, OS version, and hardware ID for geo-fencing and fingerprinting. |
| Collection | [Clipboard Data T1115](https://attack.mitre.org/techniques/T1115/)<br>[Data from Local System T1005](https://attack.mitre.org/techniques/T1005/) | Captures clipboard via `NSPasteboard`. Reads browser databases and Keychain artifacts from disk. |
| Command and Control | [Web Protocols T1071.001](https://attack.mitre.org/techniques/T1071/001/)<br>[Encrypted Channel: Symmetric T1573.001](https://attack.mitre.org/techniques/T1573/001/) | HTTPS POST to `avengerflow[.]com/api/sync` via `NSURLSession`. Bidirectional encrypted C2 using ChaCha20-Poly1305. |
| Exfiltration | [Exfiltration Over C2 Channel T1041](https://attack.mitre.org/techniques/T1041/) | Encrypts all collected data and sends over established HTTPS C2 channel. |

Reconnaissance, privilege escalation, lateral movement, and impact techniques were not observed. The malware operates entirely in user session context.

## Indicators of compromise

### File system paths (durable)

- `~/Library/Application Support/com.apple.finder.monitor/`
- `~/Library/Application Support/com.apple.finder.monitor/Finder.app/Contents/MacOS/`
- `~/Library/Application Support/com.apple.finder.monitor/.config`
- `~/Library/Application Support/com.apple.finder.monitor/.Maccy`
- `~/Library/Caches/com.apple.finder.monitor/`
- `~/Library/HTTPStorages/com.apple.finder.monitor/`
- Bundle identifier: `com.apple.finder.monitor`

### Process and identity patterns (durable)

- `Finder.app` running from any path other than `/System/Library/CoreServices/Finder.app`
- `Signature=adhoc · TeamIdentifier=not set` on a `Finder.app` bundle
- Login Item named “Finder” outside `/System/Library/CoreServices/`
- C2 beacon prefix: `MacOSapp1{"data":"...`

### Network behavior (volatile)

- `avengerflow[.]com`
- `https://avengerflow[.]com/api/sync`
- `172.67.210.219` (Cloudflare front)
- `104.21.93.138` (Cloudflare front)
- `51.92.110.33` (suspected AWS EC2 origin, eu-south-2 Spain)

### File hashes (volatile)

- `45bd0e321aa85b63b5dee4e87465e4088546eea5da6efb9c96847023384c48c9` — SHA-256 (`maccy.dmg`)
- `0b7529782694bee95f784a854ef3abb8f4056f61408fbc0f72cfafa5e416bc73` — SHA-256 (EDR capture variant)

## Detection guidance

Signature-based detection largely fails against this campaign. The behavioral chain is decisive.

1. **Second Finder process from non-system path** Alert on any process named `Finder` whose executable path does not begin with `/System/Library/CoreServices/Finder.app`.
2. **Login Item audit: Finder from non-system path** Enumerate Login Items and flag entries named “Finder” or bundle ID `com.apple.finder.monitor` resolving outside CoreServices.
3. **Ad-hoc codesigning on Finder.app bundle** Detect `Finder.app` bundles with `Signature=adhoc` and no Team Identifier.
4. **Script Editor executing network-fetching JXA** Alert on `Script Editor.app` spawning network access, writing to `~/Library/Application Support/`, invoking `codesign`, or registering Login Items.
5. **Non-browser process reading browser credential databases** Alert on non-browser processes accessing `Login Data`, `logins.json`, `key4.db`, or `login.keychain-db`.
6. **Keychain access from non-system process** Monitor `SecItemCopyMatching` calls for `kSecClassGenericPassword` from processes outside `/Applications/` or `/System/`.
7. **Outbound HTTPS POST from bundle ID `com.apple.finder.monitor`** Alert on outbound HTTPS traffic or POST requests from this bundle ID. The legitimate Finder does not generate such traffic.

## Hardening recommendations

1. **Verify Maccy downloads against official sources only** Legitimate sources: `maccy.app`, [GitHub releases](https://github.com/p0deje/Maccy/releases), Mac App Store (Alexey Rodionov, Team ID `MN3X4648SC`), Homebrew (`brew install --cask maccy`). Legitimate builds ship as `Maccy.app.zip`, never `.dmg`.

   Verification:

   ```
   codesign -dvvv Maccy.app
   ```

   Confirm:

   - `Authority=Developer ID Application: Alexey Rodionov (MN3X4648SC)`
   - `Notarization Ticket=stapled`
   - Universal binary (x86_64 arm64)

2. **Block delivery and C2 domains**

   - `maccyapp[.]com`
   - `avengerflow[.]com`

   Use DNS-level blocking (Cloudflare-fronted infrastructure makes IP blocking insufficient).

3. **Audit Login Items across managed Macs**

   ```
   sfltool dumpbtm
   ```

   Inspect:

   - `/private/var/db/com.apple.backgroundtaskmanagement/BackgroundItems-v*.btm`
   - `~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm`

4. **Treat Script Editor as a monitored execution surface** Add `Script Editor.app` to endpoint monitoring policies. Alert on network activity, persistence registration, or Library writes originating from it.

5. **Reduce persistent Keychain and browser credential exposure** On confirmed infection:

   - Isolate host immediately.
   - Rotate all Keychain entries and browser-saved credentials.
   - Invalidate active sessions.
   - Treat clipboard contents during infection window as exposed.

## Primary references

- [MITRE ATT&CK — T1547.015: Boot or Logon Autostart Execution: Login Items](https://attack.mitre.org/techniques/T1547/015/)
- [MITRE ATT&CK — T1059.007: Command and Scripting Interpreter: JavaScript](https://attack.mitre.org/techniques/T1059/007/)
- [Microsoft Threat Intelligence — ClickFix campaign uses fake macOS utilities lures to deliver infostealers](https://www.microsoft.com/en-us/security/blog/2026/05/06/clickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers/)
- [Microsoft Defender Experts — Hunting Infostealers: macOS Threats](https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/hunting-infostealers---macos-threats/4494435)
- [Maccy — Official GitHub repository (p0deje/Maccy)](https://github.com/p0deje/Maccy)
- [Patrick Wardle — The Art of Mac Malware: Persistence](https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf)
- [MITRE ATT&CK — Enterprise framework reference](https://attack.mitre.org/)
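Detection items 1 and 3 and hardening item 1 above, as an added example that is not part of the report: it runs the checks over constructed `ps -axo pid,comm` and `codesign -dvvv` text so it works offline. The field names `Executable`, `Authority`, `Signature` and `TeamIdentifier` are codesign's own output keys; the PIDs, the home directory of user `alice` and the certificate chain lines are made up for the sample.

```python
# Added example (not from the report): detection items 1 and 3 and hardening
# item 1, run over constructed `ps -axo pid,comm` / `codesign -dvvv` text.
from collections import defaultdict

LEGIT_FINDER_PREFIX = "/System/Library/CoreServices/Finder.app"
MACCY_TEAM_ID = "MN3X4648SC"  # Maccy developer's Team ID, from the report
# Constructed `ps -axo pid,comm` sample: genuine Finder plus one from the IoC path.
SAMPLE_PS = """\
  412 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
 5130 /Users/alice/Library/Application Support/com.apple.finder.monitor/Finder.app/Contents/MacOS/Finder
"""
# Constructed `codesign -dvvv` output (codesign writes it to stderr) for the fake bundle.
SAMPLE_CODESIGN_FAKE = """\
Executable=/Users/alice/Library/Application Support/com.apple.finder.monitor/Finder.app/Contents/MacOS/Finder
Identifier=com.apple.finder.monitor
Signature=adhoc
TeamIdentifier=not set
"""
# Constructed `codesign -dvvv` output for a Developer ID-signed Maccy build.
SAMPLE_CODESIGN_MACCY = """\
Executable=/Applications/Maccy.app/Contents/MacOS/Maccy
Authority=Developer ID Application: Alexey Rodionov (MN3X4648SC)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=MN3X4648SC
"""

def parse_codesign(text):
    """key=value lines -> key: [values]; Authority repeats once per certificate."""
    fields = defaultdict(list)
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()].append(value.strip())
    return fields

def rogue_finder_processes(ps_text):
    """Detection item 1: Finder processes running outside the system bundle."""
    rogue = []
    for line in ps_text.splitlines():
        pid, _, path = line.strip().partition(" ")  # path may contain spaces
        if path.endswith("/Finder") and not path.startswith(LEGIT_FINDER_PREFIX):
            rogue.append((int(pid), path))
    return rogue

def is_adhoc_finder_bundle(fields):
    """Detection item 3: Finder.app signed ad hoc with no Team Identifier."""
    return ("/Finder.app/" in fields.get("Executable", [""])[0]
            and fields["Signature"] == ["adhoc"] and fields["TeamIdentifier"] == ["not set"])

def maccy_signature_ok(fields):
    """Hardening item 1: Developer ID leaf cert carrying Maccy's Team ID, not ad hoc."""
    return (any(a.startswith("Developer ID Application:") and MACCY_TEAM_ID in a
                for a in fields["Authority"]) and fields["TeamIdentifier"] == [MACCY_TEAM_ID])
```

On a live host, feed `rogue_finder_processes` the output of `ps -axo pid,comm` and the other two the stderr of `codesign -dvvv <bundle>`; the `Notarization Ticket` and universal-binary checks from hardening item 1 are not covered here.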