Chainbase Labs, in collaboration with the SlowMist security team, has identified and analyzed a targeted phishing campaign aimed at macOS users. The attack is disguised as legitimate “audit/compliance confirmation” communications. Attackers initiate contact by asking recipients to confirm their company’s legal English name. They then follow up with urgent requests tied to “FY2025 External Audit” or “Token Vesting Confirmation” deadlines, delivering malicious Word or PDF attachments. These files rely on social engineering to get victims to open them and follow the embedded instructions, which leads to credential theft or exfiltration of sensitive data.

Technical analysis reveals a multi-stage, fileless attack chain. The initial payload is an AppleScript file masquerading as a Word document (e.g., `Confirmation_Token_Vesting.docx.scpt`). This script performs reconnaissance, gathering system details such as CPU architecture and macOS version, and downloads the next-stage payload from a command-and-control (C2) server. The second-stage script displays fake progress bars and highly convincing system password prompts to steal user credentials. It then attempts to bypass macOS’s Transparency, Consent, and Control (TCC) framework by manipulating the TCC system databases, granting the malware unauthorized access to sensitive resources such as the Documents folder, Desktop, camera, and screen recording.

The final stage establishes a persistent backdoor by deploying a Node.js-based remote access trojan (`index.js`). This module collects extensive system information and opens a communication channel with the C2 server, enabling remote code execution and further payload delivery.

The primary malicious domain, `sevrrhst[.]com`, was registered recently (January 23, 2026) and uses a low-cost certificate, indicating disposable infrastructure. The associated IP address (`88.119.171.59`) is linked to more than ten similar malicious domains.

Security Recommendations:

1. If you have executed a suspicious attachment or entered your password, immediately disconnect the affected device from the network. Isolate the system, conduct forensic analysis, and back up critical assets before remediation.
2. Affected users should run the terminal command `tccutil reset All` to clear TCC database entries illegitimately granted to the malware.
3. Identify and terminate any malicious Node.js processes running from hidden directories.

Indicators of Compromise (IOCs), including file hashes (SHA256) and malicious URLs, have been published to aid detection and prevention efforts.
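As an added triage example (not code from Chainbase Labs or SlowMist), the script below turns three of the observations above into host- and log-level checks a responder could run offline: it flags AppleScript files that carry a document extension in front of `.scpt` (the `.docx.scpt` masquerade), flags `node` processes whose binary or script path passes through a hidden directory, and matches the two published network indicators (`sevrrhst[.]com`, `88.119.171.59`) against log lines. The `ps` output and the DNS/proxy log lines are constructed sample data embedded for the demonstration; the file hashes from the published IOC list are not included here.

```python
import re
from pathlib import PurePosixPath

# Document extensions the campaign imitates and the AppleScript extensions it uses.
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx"}
SCRIPT_EXTS = {".scpt", ".applescript"}

# Network indicators quoted in the report, kept defanged as published.
DEFANGED_IOCS = ["sevrrhst[.]com", "88.119.171.59"]


def is_masquerading_script(filename: str) -> bool:
    """True for names like 'Confirmation_Token_Vesting.docx.scpt':
    a document extension immediately followed by a script extension."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in SCRIPT_EXTS and suffixes[-2] in DOCUMENT_EXTS


def has_hidden_component(path: str) -> bool:
    """True if any directory or file in the path starts with a dot ('.' and '..' excluded)."""
    return any(p.startswith(".") and p not in (".", "..") for p in PurePosixPath(path).parts)


def suspicious_node_processes(ps_lines):
    """Parse 'PID COMMAND' style ps output (constructed format) and return
    (pid, command) for node processes whose binary or arguments live under a hidden directory."""
    hits = []
    for line in ps_lines:
        parts = line.split()
        if len(parts) < 2 or not parts[0].isdigit():
            continue  # header or malformed line
        pid, argv = int(parts[0]), parts[1:]
        if PurePosixPath(argv[0]).name != "node":
            continue
        if any(has_hidden_component(arg) for arg in argv):
            hits.append((pid, " ".join(argv)))
    return hits


def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".")


IOC_PATTERNS = [(ioc, re.compile(re.escape(refang(ioc)), re.IGNORECASE)) for ioc in DEFANGED_IOCS]


def ioc_hits(log_lines):
    """Return (defanged_ioc, line) for every log line containing a published indicator."""
    return [(ioc, line) for line in log_lines for ioc, pat in IOC_PATTERNS if pat.search(line)]


# Constructed sample data: one benign and one suspicious process, one benign and two bad log lines.
SAMPLE_PS = [
    "PID COMMAND",
    "412 /usr/local/bin/node /Users/alice/projects/app/server.js",
    "733 /Users/alice/.local/share/.cache/node /Users/alice/.local/share/.cache/index.js",
    "901 /bin/bash -l",
]
SAMPLE_LOG = [
    "2026-02-01T09:12:44Z dns query=updates.apple.com client=10.0.0.5",
    "2026-02-01T09:13:02Z dns query=sevrrhst.com client=10.0.0.5",
    "2026-02-01T09:13:03Z proxy CONNECT 88.119.171.59:443 client=10.0.0.5",
]


def main():
    for name in ("Confirmation_Token_Vesting.docx.scpt", "Confirmation_Token_Vesting.docx"):
        print(f"{name}: masquerading script = {is_masquerading_script(name)}")
    for pid, cmd in suspicious_node_processes(SAMPLE_PS):
        print(f"suspicious node process pid={pid}: {cmd}")
    for ioc, line in ioc_hits(SAMPLE_LOG):
        print(f"IOC {ioc} seen in: {line}")


if __name__ == "__main__":
    main()
```

On a real host the `ps` input would come from `ps -axo pid,args` and the log lines from the DNS resolver or proxy; the three checks are independent, so each can be wired to its own data source. The process check deliberately looks at every argument, not only the binary path, because the report describes `index.js` being launched from a hidden directory.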