From Click to Command: Behavioral Detection of AppleScript-Led MacOS Intrusions
2026-06-24 • Darktrace •
Darktrace observed a recurring intrusion pattern in which ClickFix-style social engineering led macOS users into execution, followed by AppleScript or other native scripting and sustained outbound signaling. The use case is explicitly tied to activity Microsoft linked to DPRK, with Darktrace noting overlap with recent DPRK-nexus macOS intrusion reporting while assigning only moderate attribution confidence based on behavioral alignment. Affected devices made repeated HTTP POSTs and SSL connections to rare or IP-only endpoints including zoom.uswebob.us, check02id.com, and several IP addresses; one macOS case showed possible exfiltration before Autonomous Response blocked the destination. A related Windows case later showed PowerShell traffic to 83.136.208.246 on port 6783 using `/api/daemon`, reinforcing a cross-platform control-channel pattern.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | zoom.uswebob.us | 2026-06-24 | 2026-06-24 |
| IPv4 | 83.136.210.180 | 2026-04-16 | 2026-06-24 |
| IPv4 | 83.136.208.48 | 2026-04-16 | 2026-06-24 |
| DOMAIN | check02id.com | 2026-04-16 | 2026-06-24 |
| IPv4 | 83.136.208.246 | 2026-04-16 | 2026-06-24 |
| IPv4 | 104.145.210.107 | 2026-04-16 | 2026-06-24 |
| IPv4 | 148.72.73.98 | 2026-04-08 | 2026-06-24 |