From Click to Command: Behavioral Detection of AppleScript-Led MacOS Intrusions

2026-06-24 Darktrace

https://www.darktrace.com/blog/from-click-to-command-behavioral-detection-of-applescript-led-macos-intrusions

Thumbnail for From Click to Command: Behavioral Detection of AppleScript-Led MacOS Intrusions

Darktrace observed a recurring intrusion pattern in which ClickFix-style social engineering led macOS users into execution, followed by AppleScript or other native scripting and sustained outbound signaling. The use case is explicitly tied to activity Microsoft linked to DPRK, with Darktrace noting overlap with recent DPRK-nexus macOS intrusion reporting while assigning only moderate attribution confidence based on behavioral alignment. Affected devices made repeated HTTP POSTs and SSL connections to rare or IP-only endpoints including zoom.uswebob.us, check02id.com, and several IP addresses; one macOS case showed possible exfiltration before Autonomous Response blocked the destination. A related Windows case later showed PowerShell traffic to 83.136.208.246 on port 6783 using `/api/daemon`, reinforcing a cross-platform control-channel pattern.

Indicators of Compromise

Type Value First Seen Last Seen
DOMAIN zoom.uswebob.us 2026-06-24 2026-06-24
IPv4 83.136.210.180 2026-04-16 2026-06-24
IPv4 83.136.208.48 2026-04-16 2026-06-24
DOMAIN check02id.com 2026-04-16 2026-06-24
IPv4 83.136.208.246 2026-04-16 2026-06-24
IPv4 104.145.210.107 2026-04-16 2026-06-24
IPv4 148.72.73.98 2026-04-08 2026-06-24

Related Actors

Related Reports

« Back