• Sublime Core Feed
High Severity

macOS malware: Compiled AppleScript with document double-extension

Description

Detects compiled AppleScript files (.scpt) with document double-extensions (e.g., .docx.scpt, .pdf.scpt) commonly used in DPRK-attributed macOS malware campaigns. These files open in Script Editor when double-clicked and use social engineering (fake compatibility errors) to trick users into executing malicious reconnaissance scripts that fetch subsequent payload stages.

Sublime Security
Created Feb 5th, 2026 • Last updated Feb 5th, 2026
Source
type.inbound

// attachment with .scpt extension (compiled AppleScript)
and any(attachments,
        .file_extension == "scpt"
        // double extension pattern: common document extensions followed by .scpt
        and regex.icontains(.file_name,
                            '\.(doc|docx|pdf|xls|xlsx|ppt|pptx|txt|rtf)\.scpt$'
        )
        // ensure it's actually a binary/script file, not just renamed
        // compiled AppleScript files are binary and have minimum size
        and (.file_type == "unknown" or .file_type == "exe")
        // compiled .scpt files are binary, should have reasonable size
        and .size > 1000
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)