Fake Maccy Clipboard Manager Delivers Rust Infostealer to macOS Users

Credited by Unsplash
VTA-000187 – Fake Maccy Clipboard Manager Delivers Rust Infostealer to macOS Users

A sophisticated macOS credential-theft campaign is targeting users through a fake version of the legitimate Maccy clipboard manager application. The threat actors registered a lookalike domain, maccyapp[.]com, to impersonate the genuine Maccy project, which is normally distributed at maccy.app and through GitHub releases. The campaign delivers a Rust-based infostealer, confirmed via stdlib strings, TLS symbols, and the ChaCha20 sigma constant, disguised as the trusted clipboard tool, specifically targeting macOS professionals through SEO-poisoned search results that appear alongside legitimate project listings. Unlike authentic Maccy releases, which distribute as Maccy.app.zip files, the malicious version is delivered as a maccy.dmg disk image, a format never used by the legitimate developer. The malware establishes deep system persistence and maintains bidirectional encrypted command-and-control channels, making it a full-featured backdoor rather than a simple one-time data stealer.

The attack chain begins when victims download the fake DMG and mount it, which triggers a JavaScript for Automation (JXA) script that opens in macOS Script Editor rather than Terminal. This execution method deliberately sidesteps Apple’s Terminal paste protections introduced in macOS Tahoe 26.4, since Script Editor is a first-party Apple application that inherits full system trust and those protections do not apply to it. When the user clicks Run, the malicious payload executes despite being hidden below the visible window through whitespace padding and deceptive code that references the legitimate App Store URL as a false trust signal. The dropper then deploys a Rust-compiled ARM64-native Mach-O binary inside a fake application bundle named Finder.app, complete with the genuine Apple Finder icon copied from system directories and the bundle identifier com.apple.finder.monitor. This masquerading technique makes the malicious process appear as a second Finder process in Activity Monitor, visually indistinguishable from the legitimate system component. Persistence is established through Login Items using the LSSharedFileList and SMAppService APIs, deliberately avoiding LaunchAgents and LaunchDaemons where security tools typically focus detection efforts. The malware includes four independent geofencing checks against timezone, country code, keyboard language, and CPU architecture, aborting silently on systems associated with Russia or eleven other CIS-aligned countries.

This campaign represents a significant evolution in macOS targeting because it harvests Keychain credentials, browser-saved passwords and cookies, and clipboard contents, encrypting all collected data with ChaCha20-Poly1305 before exfiltration to avengerflow[.]com. The command-and-control channel is bidirectional, with the server returning encrypted responses that enable the implant to function as an active backdoor capable of receiving additional commands. At initial submission to VirusTotal, the sample was detected by only 1 of 70 antivirus engines, demonstrating extremely effective evasion. The campaign fits a documented pattern of Russian-speaking malware-as-a-service operators targeting macOS professionals with developer-tool lures, exploiting the trust users place in legitimate utilities. Organizations should immediately verify that Maccy installations were obtained from official sources, implement application allowlisting to prevent execution of unsigned or ad-hoc-signed binaries masquerading as system components, monitor for unexpected Login Items entries (particularly those mimicking system processes), inspect outbound HTTPS connections to newly registered domains, and deploy endpoint detection capable of identifying Rust-compiled malware and ChaCha20-Poly1305 encrypted exfiltration patterns. The abuse of Script Editor as a trusted execution surface highlights the need for organizations to reassess which first-party Apple applications can execute arbitrary code without additional scrutiny.

Severity:

High

Attack Surface:
Endpoint OS, Web Browser

Tactics:

Initial Access, Execution, Persistence, Defense Evasion, Credential Access, Discovery, Collection, Command and Control, Exfiltration

Techniques:

T1189 – Drive-by Compromise

T1204.002 – User Execution: Malicious File

T1059.007 – Command and Scripting Interpreter: JavaScript

T1547.015 – Boot or Logon Autostart Execution: Login Items

T1036.005 – Masquerading: Match Legitimate Name or Location

T1564.001 – Hide Artifacts: Hidden Files and Directories

T1564.003 – Hide Artifacts: Hidden Window

T1027.010 – Obfuscated Files or Information: Command Obfuscation

T1027 – Obfuscated Files or Information

T1553 – Subvert Trust Controls

T1555.001 – Credentials from Password Stores: Keychain

T1555.003 – Credentials from Password Stores: Credentials from Web Browsers

T1082 – System Information Discovery

T1115 – Clipboard Data

T1005 – Data from Local System

T1071.001 – Application Layer Protocol: Web Protocols

T1573.001 – Encrypted Channel: Symmetric Cryptography

T1041 – Exfiltration Over C2 Channel

References:

1. https://github.com/p0deje/Maccy

2. https://www.manageengine.com/malware-protection/adversaries/fakemaccy-stealer.html

SuperPRO’s Threat Countermeasures Procedures:

1. Block network access to maccyapp[.]com and avengerflow[.]com at the DNS and firewall level to prevent initial download and C2 communication with the fake Maccy infrastructure

2. Verify all Maccy clipboard manager installations originated from the legitimate maccy.app domain or official GitHub releases at github.com/p0deje/Maccy and remove any installations from maccyapp[.]com or distributed as DMG files

3. Inspect Login Items in System Settings for entries named Finder with bundle identifier com.apple.finder.monitor or any non-standard Finder processes and remove unauthorized entries using the SMAppService or LSSharedFileList APIs

4. Deploy endpoint detection rules to identify Rust-compiled Mach-O binaries using ChaCha20-Poly1305 encryption libraries and flag processes masquerading with system bundle identifiers like com.apple.finder.monitor

5. Monitor for JavaScript for Automation (JXA) script execution in Script Editor targeting SecItemCopyMatching API calls for Keychain access and libpam.2.dylib linking for authentication interception

6. Implement application allowlisting to block execution of ad-hoc codesigned binaries in non-standard application bundle locations particularly those using dotfile naming conventions like .config or .lock

7. Alert on outbound HTTPS POST requests to /api/sync endpoints on newly registered domains fronted by Cloudflare that contain the beacon prefix MacOSapp1 or ChaCha20-Poly1305 encrypted payload

Contributed by: Ahmad Akmal