Introduction
Darktrace’s Threat Research team is publishing this analysis to help defenders understand an active pattern of macOS tradecraft observed in multiple customer environments. This post summarizes the behaviors observed, how they were assessed, and what defenders can do now.
Across multiple environments, Darktrace observed a consistent macOS intrusion pattern beginning with ClickFix-style user-assisted “update” execution and transitioning into AppleScript-driven post-compromise activity and sustained outbound signaling.
While individual indicators were low-confidence, the repeated convergence of weak behavioral signals — including HTTP POST beaconing, rare or IP-only destinations, SSL anomalies, and abnormal client characteristics — provided a defensible indication of command-and-control establishment. Darktrace’s detection and response in these cases was driven by behavior rather than artifacts. In the highest-confidence instances, automated containment disrupted outbound signaling before sustained tasking could occur.
Background
ClickFix-style activity typically relies on user-assisted execution and plausible “update” pretexting, followed by post-execution use of native tools to keep the footprint light. In macOS environments, AppleScript and other built-in scripting mechanisms enable flexible post-compromise workflows while minimizing stable file-based indicators.
Following execution, affected devices exhibited a consistent behavioral pattern. AppleScript or equivalent native scripting activity was observed initiating follow-on workflows, after which outbound communications began to establish a structured rhythm.
These communications were characterized by repeated HTTP POST requests to low-prevalence or IP-only endpoints, often combined with unusual SSL properties and client identifiers that diverged from baseline device behavior. Individually, these signals were weak. When correlated across time and devices, they formed a pattern consistent with control establishment rather than benign software activity.
In higher-confidence cases, Autonomous Response actions were able to reduce or halt outbound signaling, interrupting the attacker’s ability to maintain control.
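As an added illustration (not Darktrace code, and not the vendor's scoring logic), the following Python correlates the weak per-device signals described above over a constructed connection log: rare destinations, POSTs to bare IPs, self-signed SSL, non-standard ports, suspect user agents, and regular POST cadence. Destinations, prevalence counts, the jitter tolerance and the convergence threshold are all assumptions.

```python
from collections import defaultdict, namedtuple
from statistics import mean, pstdev

# One network connection record; fields are constructed for this illustration.
Conn = namedtuple("Conn", "ts device host ip port method ua self_signed")
# Constructed sample log: mac-01 shows the pattern described above, win-02 is benign.
LOG = [Conn(60 * i, "mac-01", None, "203.0.113.10", 8443, "POST",
            "Go-http-client/1.1", True) for i in range(6)]
LOG += [Conn(t, "win-02", "updates.example.com", "198.51.100.7", 443, "GET",
             "Mozilla/5.0 (Macintosh) Safari/605.1", False) for t in (5, 900, 4000)]
# Constructed prevalence table: number of devices historically seen contacting each destination.
PREVALENCE = {"updates.example.com": 120}
STANDARD_PORTS = {80, 443}
# User-agent substrings taken from the IoC list in this post; a real system would compare to the device baseline.
SUSPECT_UA = ("WindowsPowerShell", "Go-http-client", "curl/")

def is_beaconing(times, min_count=4, jitter=0.2):
    """True when POST inter-arrival gaps are regular (stdev within 20% of the mean gap)."""
    if len(times) < min_count:
        return False
    gaps = [b - a for a, b in zip(times, times[1:])]
    return pstdev(gaps) <= jitter * mean(gaps)

def device_signals(conns, prevalence):
    """Collect the weak signals one device exhibits across all of its connections."""
    signals, posts = set(), defaultdict(list)
    for c in conns:
        dst = c.host or c.ip
        checks = {
            "rare_destination": prevalence.get(dst, 0) == 0,
            "post_to_ip_without_hostname": c.method == "POST" and c.host is None,
            "self_signed_ssl": c.self_signed,
            "non_standard_port": c.port not in STANDARD_PORTS,
            "anomalous_user_agent": any(s in c.ua for s in SUSPECT_UA),
        }
        signals.update(name for name, hit in checks.items() if hit)
        if c.method == "POST":
            posts[dst].append(c.ts)
    if any(is_beaconing(sorted(ts)) for ts in posts.values()):
        signals.add("post_beaconing")
    return signals

def assess(log, prevalence, threshold=3):
    """Map device -> (flagged, signals); flag when at least `threshold` weak signals converge."""
    by_device = defaultdict(list)
    for c in log:
        by_device[c.device].append(c)
    return {dev: (len(s) >= threshold, sorted(s))
            for dev, s in ((d, device_signals(cs, prevalence)) for d, cs in by_device.items())}
```

No single check above is conclusive on its own; the flag fires only when several independent signals converge on one device, which is the reasoning the post describes.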
Detection Timeline
In representative cases, the sequence unfolded as follows:
Stage 1 – Initial Execution
Initial activity began with suspicious or masqueraded execution on a macOS endpoint, consistent with ClickFix-style user deception.
Stage 2 – Post-Execution Scripting
This was followed closely by native scripting activity, most commonly AppleScript, indicating the transition into post-execution workflow.
Stage 3 – Outbound Communications
Outbound communications then emerged, initially sporadic but quickly forming a consistent cadence of HTTP POST requests to rare external endpoints.
Stage 4 – Anomaly Convergence
As activity persisted, additional anomalies became visible — unusual SSL characteristics, abnormal user agents, and connections to infrastructure with no prior network prevalence.
Stage 5 – Autonomous Response
In the most mature stages of the activity, automated containment actions disrupted outbound communications on affected devices, limiting the attacker’s ability to continue tasking while investigations progressed.
Darktrace coverage and detections
The following use case highlights systems likely affected by malicious macOS intrusion activity linked by Microsoft to the Democratic People’s Republic of Korea (DPRK) [1], with indications of suspicious behavior observed between March 1 and May 3, 2026. The activity overlaps with patterns described in recent reporting on DPRK-nexus macOS intrusions [1], though attribution confidence in this case remains moderate and is based on behavioral alignment rather than solely on infrastructure linkage.
Analyst confidence emerged through the correlation of multiple weak signals across time and devices. This included model coverage for rare external communications, sustained beaconing patterns, repeated HTTP POSTs, and anomalous client characteristics. Where enabled, Autonomous Response actions disrupted the most active outbound paths to reduce the attacker’s ability to maintain control while Darktrace’s investigation continued.
Notably, this highly anomalous behavior included:
- Outbound connections to the rare external endpoint, zoom[.]uswebob[.]us associated with IP address, 148.72.73[.]98 [2][3] over port 443
- Outbound connections to the rare external endpoint, check02id[.]com associated with IP address, 83.136.210[.]180 [4] over port 7365
- Outbound connections to the rare external endpoints, 104.145.210[.]107 [5] over port 8443 and 83.136.208[.]48 [6] over port 443
- Outbound connections to the rare external endpoint, 83.136.208[.]246 [7] over port 6783 with observed URI `/api/daemon` and a PowerShell user agent
Darktrace’s detection initially highlighted a desktop device (running macOS) engaging in anomalous behavior as early as March 12, 2026. Starting on March 12, the source device triggered a ‘Possible Doppelganger Attack’ alert including connectivity to the hostname "zoom[.]uswebob[.]us · 148.72.73[.]98" over port 443 (TCP, HTTPS, H2). This model highlights a device connecting to a location that is rare but masquerades as legitimate software, such as Zoom in this case, a commonly used technique to blend into expected traffic [2] [3].
![Initial connectivity observed to the rare external hostname, zoom[.]uswebob[.]us · 148.72.73[.]98, over port 443.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/6a3c241a851b82605cdf62fb_Screenshot%202026-06-24%20at%2011.38.14%E2%80%AFAM.png)
This was followed roughly seven later by a connection to 104.145.210[.]107 over port 8443, during which approximately 250 KiB of inbound data and 30 MiB of outbound data were observed, triggering the ‘Unusual Activity / Unusual External Data to New Endpoint’ model alert in Darktrace.
Quickly after this connection, Darktrace’s Autonomous Response intervened, blocking the device’s access to the unusual external location and halting the data exfiltration attempt.

The device continued to consistently trigger model alerts relating to unusual external connectivity, including 'Posting HTTP to IP Without Hostname' and 'Anomalous Connection / Rare External SSL Self-Signed', until well after 3 PM that day.
From March 13 to March 28, the device continued to exhibit unusual connectivity to various endpoints (e.g., 83.136.208[.]48, 83.136.208[.]246, check02id[.]com · 83.136.210[.]180), with the 'Multiple HTTP POSTs to Rare Hostname' model consistently triggering.
Windows OS Case
Pivoting over to an additional device, this time running Windows, anomalous behavior was also observed between March 30 and April 20. Notably, on March 30, the device was observed making a large number of suspicious external connection attempts to 83.136.208[.]246 over port 6783, all of which failed.
A further indicator was observed on April 1 with PowerShell connectivity to the same rare endpoint (83.136.208[.]246, port 6783), using the URI '/api/daemon' and the user agent 'Mozilla/5.0 (Windows NT; Windows NT 10.0; fr-FR) WindowsPowerShell/5.1.26100.7920'. Additional alerts included 'New User Agent to IP Without Hostname' and 'Anomalous Github Download', alongside activity involving the same endpoint.

The device continued triggering 'Posting HTTP to IP Without Hostname' and 'PowerShell to External Rare' alerts between April 4 and April 20 across multiple related endpoints (i.e., 83.136.208[.]48, 83.136.208[.]246, check02id[.]com · 83.136.210[.]180).
Darktrace’s Autonomous Response capability was able to block suspicious PowerShell attempts to unusual external locations, as shown below in an example from April 20.

Cyber AI Analyst investigations
In higher-confidence instances, Darktrace’s Cyber AI Analyst investigations helped connect otherwise separate model alerts into a single incident narrative, highlighting the attacker’s progression from post-execution scripting into sustained outbound signaling. This contextual stitching is particularly valuable in macOS scenarios where static artefacts are limited, and behavioral sequencing defines the intrusion.
Cyber AI Analyst investigations highlighted alerts on March 12, including unusual repeated connections and possible SSL command-and-control (C2) to multiple endpoints:

Autonomous Response
In addition to the containment actions detailed earlier, Autonomous Response implemented multiple additional measures to contain suspicious activity throughout the course of this attack. Whenever unusual external connectivity was detected, Darktrace blocked it, closing down potential C2 channels. Likewise, when data exfiltration attempts were identified, these connections were stopped to prevent the potential loss of sensitive data.

Furthermore, in cases where a device was deemed to have carried out a significant number of anomalous activities, Darktrace enforced a “pattern of life” on the device, preventing it from deviating from its expected behavior while allowing legitimate business operations to continue uninterrupted.

Conclusion
macOS intrusion tradecraft continues to shift toward native tooling and lightweight control channels designed to evade signature-led controls.
The repeated convergence of rare destinations, POST-based signaling, and anomalous client behavior — observed across time and across devices — provided sufficient evidence to act early and with confidence.
As macOS tradecraft continues to evolve, the defender advantage increasingly lies not in signatures, but in the ability to reason from behavior.
Credit to Justin Torres (Senior Cyber Analyst), Nathaniel Jones (VP, Security & AI Strategy, FCISO)
Edited by Ryan Traill (Content Manager)
Appendices
Darktrace Model Alert Coverage:
/ NETWORK-based model alerts:
· Anomalous Connection::Multiple HTTP POSTs to Rare Hostname
· Anomalous Connection::Rare External SSL Self-Signed
· Anomalous Connection::Powershell to Rare External
· Anomalous Connection::New User Agent to IP Without Hostname
· Anomalous Connection::Posting HTTP to IP Without Hostname
· Compromise::Fast Beaconing to DGA
· Compromise::Large Number of Suspicious Failed Connections
· Device::Anomalous Github Download
· Device::New PowerShell User Agent
· Unusual Activity::Unusual External Data to New Endpoint
/ NETWORK-based Autonomous Response model alerts:
· Antigena / Network::Significant Anomaly::Antigena Significant Anomaly from Client Block
· Antigena / Network::Significant Anomaly::Antigena Controlled and Model Breach
· Antigena / Network::Significant Anomaly::Antigena Breaches Over Time Block
Indicators of Compromise (IoCs)
IP/Hostname:
· zoom[.]uswebob[.]us · 148.72.73[.]98
· 83.136.208[.]246
· check02id[.]com · 83.136.210[.]180
· 83.136.208[.]48
· 104.145.210[.]107
URIs:
· /api/daemon
Destination Port Usage:
· 6783
· 5202
· 443
· 7365
· 8443
ASN:
· AS400897 PETROSKY
· AS398256 AS-ULTAHOST
User agents:
· Mozilla/5.0 (Windows NT; Windows NT 10.0; fr-FR) WindowsPowerShell/5.1.26100.7920
· Go-http-client/1.1
· curl/8.7.1
MITRE ATT&CK Mapping
(Technique Name - Tactic - ID - Sub-Technique of)
· Browser Session Hijacking - COLLECTION - T1185
· Web Protocols - COMMAND AND CONTROL - T1071.001 - T1071
· Install Digital Certificate - RESOURCE DEVELOPMENT - T1608.003 - T1608
· PowerShell - EXECUTION - T1059.001 - T1059
· Domain Generation Algorithms - COMMAND AND CONTROL - T1568.002 - T1568
· Non-Standard Port - COMMAND AND CONTROL - T1571
· Malware - RESOURCE DEVELOPMENT - T1588.001 - T1588
· Web Service - COMMAND AND CONTROL - T1102
· Code Repositories - COLLECTION - T1213.003 - T1213
· Exploitation of Remote Services - LATERAL MOVEMENT - T1210
· Exfiltration Over C2 Channel - EXFILTRATION - T1041
· Exfiltration to Cloud Storage - EXFILTRATION - T1567.002 - T1567
References:
[2] https://radar.securityalliance.org/advisory-on-dprk-unc1069-fake-microsoft-teams-and-zoom-calls/
[3] https://www.virustotal.com/gui/domain/uswebob.us
[4] https://www.virustotal.com/gui/ip-address/83.136.210.180/community
[5] https://www.virustotal.com/gui/ip-address/104.145.210.107/community
[6] https://www.virustotal.com/gui/ip-address/83.136.208.48/community
[7] https://www.virustotal.com/gui/ip-address/83.136.208.246/community
[8] https://www.darktrace.com/blog/applescript-abuse-unpacking-a-macos-phishing-campaign