macOS Infostealer Alert: AppleScript Files Bypass Gatekeeper and Deliver Stealers

In November 2025, security researcher Pepe Berba published a technical blog post describing how attackers are increasingly using compiled AppleScript (.scpt) files as a macOS infection vector, sidestepping the Gatekeeper protections that would normally block an unsigned or unnotarized binary.

Emerging Threat: AppleScript Files

Although Apple removed the “right-click → Open” Gatekeeper override in 2024, adversaries adapted quickly. The new vector is to lure users into running .scpt files disguised as benign documents (.docx.scpt, .pptx.scpt) or as fake installers.

Once the user opens the file in Script Editor and runs it, the script drops and executes a stealer payload, including commodity macOS malware such as MacSync and Odyssey.

Infection Flow & Social Engineering

Key steps attackers use:

  • A disguised .scpt file mimics a document or update (e.g., “AM Management _Strategic OTC Proposal.docx.scpt”).
  • The user double-clicks the file; Script Editor opens and the lure prompts the user to press “Run” (▶︎), which executes the code.
  • Behind the scenes, the AppleScript executes shell commands, fetches payloads, and triggers the infostealer behaviour.
  • Attackers also use custom icons inside zipped or DMG packages to reinforce the illusion of a benign file.

Why This Matters for macOS Security

  • The technique effectively bypasses Gatekeeper’s normal blocking, because the file is treated as an AppleScript rather than as a flagged binary.
  • It shows that APT-level techniques (used historically in targeted campaigns) are now migrating into the commodity macOS malware ecosystem.
  • Many of the .scpt files observed had zero detections on common malware scanning services.

Detection & Mitigation Recommendations

  • Hunt for file events where extensions like .docx.scpt, .pptx.scpt, or any <common>.scpt appear.
  • Monitor for executables invoking Script Editor.app unexpectedly, or for AppleScript using do shell script / run script commands.
  • Consider changing the default application for .scpt and .applescript files (e.g., to open in a non-execution viewer) to limit risk.
  • Strengthen endpoint protection on macOS by enforcing least privilege, restricting Script Editor usage, and validating code signing.
  • Educate users: be extremely cautious when prompted to “run” or “execute” anything that looks like a document update or installer, even if it appears to originate from a trusted brand.
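The first two hunting recommendations above can be turned into a small triage routine. The following is an added example written for this summary; it is not code from Pepe Berba's post or from any product. It flags double-extension AppleScript file names, looks for `do shell script` / `run script` style markers in script source (on macOS the built-in `osadecompile` tool turns a compiled .scpt back into source you can feed to `check_script_source`), and triages a list of endpoint events. The event line format, the field names (`op`, `parent`, `exe`, `path`), the set of "expected" launchers for Script Editor, and all sample events are constructed assumptions for the demo; map them to your own EDR's schema.

```python
"""Triage helpers for document-disguised AppleScript lures (added example)."""
import re
from dataclasses import dataclass, field

# Inner "decoy" extensions typical of document/installer lures (assumed list; extend as needed).
DECOY_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "pkg", "dmg"}

# Markers in AppleScript source that indicate shell execution or nested script
# evaluation; these are the constructs the post associates with dropper behaviour.
SUSPICIOUS_MARKERS = ("do shell script", "run script", "curl ", "osascript", "base64")

# Matches "<anything>.<decoy>.scpt" or ".applescript", case-insensitively.
DOUBLE_EXT_RE = re.compile(
    r"\.(?P<decoy>[a-z0-9]{1,5})\.(?P<script>scpt|applescript)$", re.IGNORECASE
)

# Constructed event format: space-separated key="value" pairs.
EVENT_KV_RE = re.compile(r'(\w+)="([^"]*)"')

SCRIPT_EDITOR_BUNDLE = "Script Editor.app"
# Assumption: parents that normally launch Script Editor for an interactive user.
EXPECTED_LAUNCHERS = {"launchd", "Finder", "Dock"}


@dataclass
class Finding:
    path: str
    reasons: list[str] = field(default_factory=list)


def check_filename(path: str) -> list[str]:
    """Return reasons a file name looks like a document-disguised AppleScript."""
    reasons: list[str] = []
    m = DOUBLE_EXT_RE.search(path)
    if m:
        decoy, script = m.group("decoy").lower(), m.group("script").lower()
        if decoy in DECOY_EXTENSIONS:
            reasons.append(f"double extension: .{decoy}.{script}")
        else:
            reasons.append(f"double extension with uncommon inner ext .{decoy}")
    return reasons


def check_script_source(source: str) -> list[str]:
    """Return suspicious markers present in (decompiled) AppleScript source text."""
    lowered = source.lower()
    return [marker.strip() for marker in SUSPICIOUS_MARKERS if marker in lowered]


def parse_event(line: str) -> dict[str, str]:
    """Parse one constructed key="value" event line into a dict."""
    return dict(EVENT_KV_RE.findall(line))


def triage_events(lines: list[str]) -> list[Finding]:
    """Flag double-extension script files and unexpected Script Editor launches."""
    findings: list[Finding] = []
    for line in lines:
        ev = parse_event(line)
        path = ev.get("path", "")
        reasons = check_filename(path)
        if SCRIPT_EDITOR_BUNDLE in ev.get("exe", "") and ev.get("parent") not in EXPECTED_LAUNCHERS:
            reasons.append(f"Script Editor launched by unexpected parent {ev.get('parent')!r}")
        if reasons:
            findings.append(Finding(path=path, reasons=reasons))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    'op="file_create" parent="Safari" exe="/Applications/Safari.app/Contents/MacOS/Safari" path="/Users/alice/Downloads/AM_Proposal.docx.scpt"',
    'op="exec" parent="launchd" exe="/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor" path="/Users/alice/Downloads/AM_Proposal.docx.scpt"',
    'op="exec" parent="node" exe="/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor" path="/tmp/update.scpt"',
    'op="file_create" parent="Finder" exe="/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder" path="/Users/alice/Documents/report.docx"',
]

# Constructed, harmless stand-in for `osadecompile` output.
SAMPLE_DECOMPILED = """
display dialog "Opening document..."
set result to do shell script "echo constructed-sample"
"""

if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print(f.path, "->", "; ".join(f.reasons))
    print("source markers:", check_script_source(SAMPLE_DECOMPILED))
```

In practice the hunt should run over file-creation and process-execution telemetry from the endpoint agent rather than a static list; the double-extension check is cheap enough to apply to every event, while the source-marker check is best reserved for files the first check already surfaced, since decompiling every script at scale is expensive and a legitimate automation script may also call `do shell script`.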

Source: