New ClickFix variant bypasses Apple safeguards with one‑click script execution


The researchers pointed out that the behavior of the Script Editor may vary depending on the macOS version. “On recent versions of macOS Tahoe, an additional warning prompt is presented, requiring the user to allow the script to be saved to disk before execution,” they said.

Lightweight staging for Atomic Stealer

Once executed, the AppleScript resolves to an obfuscated shell command. That command decodes a hidden URL, retrieves a remote payload using ‘curl’, and executes it via ‘zsh’. From here, standard info-stealing takes over with a ‘Mach-O’ binary written to a temporary location, its attributes adjusted, permissions set, and execution triggered.

This binary is a new variant of the Atomic Stealer.

The researchers noted that the staging approach keeps the initial script minimal and less detectable, while the actual malicious logic arrives separately. It is modular, quick to update, and harder to catch at the first stage.
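Because the first-stage script is kept minimal, detection is more reliable on the process chain it produces than on the script's content. The following is an added example, not code from the researchers or the article: it flags a process tree rooted at a script host that goes on to fetch with curl, run zsh, and execute a binary from a temporary path. The event tuple format, the sample events, the temp path prefixes, treating `osascript` as a second root, and treating `xattr` as the attribute-changing tool are all assumptions.

```python
import re
from collections import defaultdict

# Script hosts that start the chain (Script Editor per the article; osascript assumed).
ROOTS = ("/Script Editor", "/osascript")
# Assumption: "temporary location" means one of these path prefixes.
TEMP = re.compile(r"^(/private)?/(tmp|var/folders)/")

# Stage name -> test on the process image path.
STAGES = {
    "fetch": lambda img: img.endswith("/curl"),
    "shell": lambda img: img.endswith("/zsh"),
    "attr": lambda img: img.endswith("/xattr"),  # assumed tool for "attributes adjusted"
    "chmod": lambda img: img.endswith("/chmod"),
    "temp_exec": lambda img: bool(TEMP.match(img)),
}

# Constructed events in time order: (pid, ppid, image). Not real telemetry.
SAMPLE_EVENTS = [
    (100, 1, "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"),
    (101, 100, "/bin/sh"), (102, 101, "/usr/bin/curl"), (103, 101, "/bin/zsh"),
    (104, 103, "/usr/bin/curl"), (105, 103, "/usr/bin/xattr"),
    (106, 103, "/bin/chmod"), (107, 103, "/tmp/helper"),
    # Benign automation: osascript that only fetches a status page.
    (200, 1, "/usr/bin/osascript"), (201, 200, "/bin/sh"), (202, 201, "/usr/bin/curl"),
    # Interactive terminal use, not rooted at a script host.
    (300, 1, "/bin/zsh"), (301, 300, "/usr/bin/curl"),
]

def find_chains(events):
    """Return {root_pid: stages seen} for process trees rooted at a script host."""
    root_of, stages = {}, defaultdict(set)
    for pid, ppid, image in events:
        if image.endswith(ROOTS):
            root_of[pid] = pid            # new tree starts here
        elif ppid in root_of:
            root_of[pid] = root_of[ppid]  # descendant inherits its root
        else:
            continue                      # unrelated process
        for name, matches in STAGES.items():
            if matches(image):
                stages[root_of[pid]].add(name)
    return dict(stages)

def alerts(events, required=frozenset({"fetch", "shell", "temp_exec"})):
    """Root PIDs whose tree shows every required stage of the staging chain."""
    return sorted(r for r, seen in find_chains(events).items() if required <= seen)

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))
```

Requiring several stages together keeps ordinary automation, such as a script that only calls curl, from alerting.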
