Bypass Record
Masquerading × Apple macOS
A publicly-reported instance of Masquerading bypassing Apple macOS, recorded with its original source. Factual record; no assessment of any specific deployment.
Mechanism
The malware leverages the applescript:// URL scheme to open macOS Script Editor pre-populated with a malicious AppleScript. This bypasses Terminal-based execution and sidesteps Apple's Transparency, Consent, and Control (TCC) 26.4 mitigations that would normally block such script execution flows.
Detection & mitigation
Monitor for execution of Script Editor (osascript or Script Editor.app) with suspicious URL scheme invocations (e.g., applescript://) from non-interactive processes or browsers. Enforce application control policies to block or alert on applescript:// URL handling and restrict Script Editor execution via MDM.
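The monitoring rule above can be sketched as a filter over process-launch events. This is an added example, not taken from the cited source: the JSON event schema (`ts`, `parent`, `parent_interactive`, `process`, `argv`), the browser list and the sample events are assumptions constructed for illustration.

```python
import json
import posixpath
from urllib.parse import urlsplit

# Assumed process names; extend to match the binaries in your fleet.
SCRIPT_HOSTS = {"Script Editor", "osascript"}
BROWSERS = {"Safari", "Google Chrome", "Firefox", "Microsoft Edge"}

# Constructed sample events, one JSON object per line. The schema is hypothetical.
SAMPLE_EVENTS = """\
{"ts": "2025-01-01T10:00:00Z", "parent": "/Applications/Safari.app/Contents/MacOS/Safari", "parent_interactive": true, "process": "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor", "argv": ["applescript://PLACEHOLDER"]}
{"ts": "2025-01-01T10:05:00Z", "parent": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder", "parent_interactive": true, "process": "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor", "argv": ["/Users/dev/build.scpt"]}
{"ts": "2025-01-01T10:10:00Z", "parent": "/usr/local/bin/helperd", "parent_interactive": false, "process": "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor", "argv": ["AppleScript://PLACEHOLDER"]}
{"ts": "2025-01-01T10:15:00Z", "parent": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "parent_interactive": true, "process": "/usr/bin/osascript", "argv": ["-e", "return 1"]}
not-json line from a broken forwarder
"""

def has_applescript_url(argv):
    """True if any argument parses as a URL with the applescript scheme."""
    for arg in argv:
        try:
            # urlsplit lowercases the scheme, so AppleScript:// also matches.
            if urlsplit(str(arg).strip()).scheme.lower() == "applescript":
                return True
        except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
            continue
    return False

def flag_events(text):
    """Return (ts, reason) for script-host launches carrying applescript:// URLs."""
    hits = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not valid events
        if not isinstance(ev, dict):
            continue
        if posixpath.basename(ev.get("process", "")) not in SCRIPT_HOSTS:
            continue
        if not has_applescript_url(ev.get("argv", [])):
            continue
        parent = posixpath.basename(ev.get("parent", ""))
        if parent in BROWSERS:
            hits.append((ev.get("ts"), "browser parent: " + parent))
        elif not ev.get("parent_interactive", False):
            hits.append((ev.get("ts"), "non-interactive parent: " + parent))
    return hits
```

Opening a local script file from Finder and running `osascript -e` from an interactive Terminal are not flagged; only launches that carry an `applescript://` argument from a browser or a non-interactive parent are.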
This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.