Malvertising Campaign Spoofs GitHub to Deliver macOS Trojans

Evasive technique combines zero-width space (ZWSP) with GitHub spoofing to deliver malware through malvertising

Roshan, Eliya Stein, and Confiant
Jun 02, 2026
Cross-posted by Roshan
"This campaign exploits the current popularity of AI utilities by using GitHub-spoofed infrastructure to distribute a trojanized version of an open-source repository with over 500 stars."
- Confiant

We recently detected a malvertising campaign distributing malware: a trojanized macOS Electron installer. The ad campaign was disguised to look like a legitimate personal open-source project called “Jarvis AI Assistant,” a speech-to-text project with 500 stars on GitHub. “Jarvis” is a popular name in the AI world (thanks to Iron Man), so there is no single, definitive “Jarvis AI project.”

The actor in this campaign constructed a fully functional GitHub lookalike that dynamically mirrors content from Jarvis’ actual GitHub (akshayaggarwal99/jarvis-ai-assistant), creating a convincing facade over the malicious landing page domain to deliver malicious binaries to macOS users.

The ad uses Zero Width Space (ZWSP) Unicode characters embedded in the ad text to evade detection—an adaptation of homoglyph attacks. Users who click the ad will end up downloading a trojanized DMG file from infrastructure controlled by the threat actor. These DMGs install a working “Jarvis” voice AI that—by the legitimate app’s own design—already possesses system-wide keyboard, microphone, screen, AppleScript, and shell-execution capabilities.

Because "Jarvis" is a voice assistant, you willingly give it permission to use your mic, screen, and keyboard. The attackers are basically hitching a ride on the permissions you already granted the "real" app.

Microphone Request | Spoofed GitHub Landing Page

The DMG (a Mac disk image) container itself is the malicious add-on. Inside the file's code is an XML DTD pointer that beacons to attacker infrastructure upon parsing. It ‘pings’ the attacker's server to say, "Hey, I just landed on a new Mac, here’s my location."

For evasion, the attackers used a non-standard UDIF wrapper (basically the "packaging" of the DMG file) that breaks automated triage and security scanners. It’s like hiding something inside a box that is folded so weirdly an X-ray machine doesn't know how to read it.


User Journey and Circumvention

The attack chain begins with a programmatic ad depicting the Jarvis AI application for macOS. By mimicking a legitimate productivity tool, the ad targets users looking for AI-driven voice assistance. Once a user is engaged by the creative, the redirection process begins, leading them through a series of spoofed environments designed to build trust before the final payload is delivered.

Technical Breakdown of the Ad Text

Zero-width space characters are non-printing characters used in computerized typesetting to indicate where word boundaries are, without displaying a visible space in the rendered text.

The ad text contains invisible ZWSP characters strategically placed within high-signal keywords. The technique is used to evade pattern matching, keyword-based malvertising detection, and human review while preserving the ad's readability.

Malicious Ad Creative with invisible ZWSP characters
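One way to close the gap described above is to strip invisible characters before keyword matching and to treat a word split by them as a signal in its own right. This is an added example, not code from Confiant or the original post; the watch-list and all sample strings are constructed, since the page does not reproduce the real ad text.

```python
import re

# Invisible characters commonly used to split words: ZWSP, ZWNJ, ZWJ,
# WORD JOINER, BOM/ZWNBSP, soft hyphen.
INVISIBLE = "\u200b\u200c\u200d\u2060\ufeff\u00ad"
STRIP = str.maketrans("", "", INVISIBLE)
# An invisible run between two ASCII letters. ZWJ inside emoji sequences and
# ZWNJ in Persian or Indic text are legitimate and do not match.
SPLIT_RE = re.compile(f"[A-Za-z][{INVISIBLE}]+[A-Za-z]")
KEYWORDS = ("download", "github", "assistant")  # hypothetical watch-list

def scan_ad_text(text, keywords=KEYWORDS):
    """Match keywords on de-obfuscated text and report words split by invisibles."""
    raw, cleaned = text.lower(), text.translate(STRIP).lower()
    hits = [k for k in keywords if k in cleaned]
    # Keywords a reader sees but a matcher run on the raw string misses.
    evaded = [k for k in hits if k not in raw]
    split_words = [w.translate(STRIP) for w in text.split() if SPLIT_RE.search(w)]
    return {"hits": hits, "evaded": evaded, "split_words": split_words,
            "suspicious": bool(split_words)}

# Constructed samples; the page does not reproduce the real ad text.
AD_OBFUSCATED = "Jarvis AI Assis\u200btant Free Down\u200b\u200bload for Mac"
AD_CLEAN = "Jarvis AI Assistant Free Download for Mac"
EMOJI_AD = "Built by \U0001F468\u200d\U0001F4BB devs, download today"
PERSIAN = "\u0645\u06cc\u200c\u062e\u0648\u0627\u0647\u0645"  # ZWNJ used as the script requires

if __name__ == "__main__":
    for sample in (AD_OBFUSCATED, AD_CLEAN, EMOJI_AD, PERSIAN):
        print(scan_ad_text(sample))
```

The `evaded` list is the useful review signal: a keyword that only appears after stripping was deliberately hidden from string matching.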

Clicking the ad directs users to serverji[.]com, which presents a cloned product site for the Jarvis project (jarvis.ceo/) promoting the software. The download button navigates to serverji[.]com/download, offering architecture-specific download options (Apple Silicon / Intel). It includes a "Download for Mac" CTA and a "We're now open source! Star us on GitHub" badge.

Upon selecting an architecture, users are redirected to a subdomain (un5q021ctkzm0.serverji[.]com) hosting a GitHub lookalike. This fake repository mirrors the exact structure and content of the legitimate GitHub project, providing a false sense of security through visual familiarity.

The download link on this fake GitHub release page delivers the malicious DMG file instead of the legitimate application. By the time a user reaches this stage, the combination of the mirrored repository and the official-looking “release” page makes the download appear authentic.


Mirrored, Malicious GitHub Repository

The actor deployed a functional GitHub clone on a subdomain that dynamically scraped and rendered content from the legitimate repository. To maximize authenticity, the clone included:

  • Release pages featuring accurate version tags and malicious download links.

  • Developer profiles cloned directly from the real maintainer.

  • Pull request histories scraped from the authentic repository.

  • GitHub Actions workflows to simulate a state of active development.

  • Copilot code review comments to further enhance credibility.


Why the DMGs Are Malicious (and the Source Archives Are Not)

The DMG-level tampering produces two primary malicious effects: (a) anti-analysis (standard Apple tools and sandboxes cannot open the image) and (b) a silent install/parse beacon that pings attacker infrastructure. Neither of these is a side effect of electron-builder defaults; both must be intentionally introduced after the initial build process.
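A static triage sketch for the two effects above, added here and not taken from Confiant's tooling: it reads the UDIF `koly` trailer and the DOCTYPE of the embedded property list as raw bytes, so nothing is mounted, parsed, or fetched. It assumes the commonly documented trailer layout (XML offset and length at byte 216), that the DTD pointer sits in that plist's DOCTYPE, and that a non-standard wrapper shows up as a misplaced trailer or out-of-range offsets; the page specifies none of these, and the sample image is constructed.

```python
import re
import struct

APPLE_DTD = b"http://www.apple.com/DTDs/PropertyList-1.0.dtd"
# External identifier of a DOCTYPE, read as bytes only; nothing is parsed or fetched.
DOCTYPE_RE = re.compile(
    rb'<!DOCTYPE\s+\w+\s+(?:PUBLIC\s+"[^"]*"|SYSTEM)\s+"([^"]*)"', re.I)

def triage_dmg(data: bytes) -> list:
    """List anomalies in a UDIF image without mounting it or parsing its XML."""
    findings = []
    pos = len(data) - 512                      # the koly trailer normally ends the file
    if pos < 0 or data[pos:pos + 4] != b"koly":
        findings.append("koly trailer not in the last 512 bytes")
        pos = data.rfind(b"koly")              # tolerate padding or appended data
        if pos < 0 or pos + 512 > len(data):
            return findings + ["no usable koly trailer"]
    (header_size,) = struct.unpack_from(">I", data, pos + 8)
    if header_size != 512:
        findings.append(f"unexpected trailer size {header_size}")
    xml_off, xml_len = struct.unpack_from(">QQ", data, pos + 216)
    if xml_len == 0 or xml_off + xml_len > pos:
        findings.append("plist offset/length out of range")
        xml = data                             # fall back to scanning the whole file
    else:
        xml = data[xml_off:xml_off + xml_len]
    for match in DOCTYPE_RE.finditer(xml):
        if match.group(1) != APPLE_DTD:
            findings.append("external DTD: " + match.group(1).decode("latin-1"))
    return findings

def build_sample(dtd_url: bytes, pad: bytes = b"") -> bytes:
    """Constructed test image: zeroed data fork, plist, koly trailer, optional padding."""
    xml = (b'<?xml version="1.0"?>\n<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "'
           + dtd_url + b'">\n<plist version="1.0"><dict/></plist>')
    fork = b"\x00" * 1024
    koly = bytearray(512)
    struct.pack_into(">4sII", koly, 0, b"koly", 4, 512)      # signature, version, header size
    struct.pack_into(">QQ", koly, 216, len(fork), len(xml))  # XMLOffset, XMLLength
    return fork + xml + bytes(koly) + pad

if __name__ == "__main__":
    print(triage_dmg(build_sample(b"http://dtd.example.invalid/p.dtd", pad=b"\x00" * 64)))
```

Any downstream tool that does parse the plist should do so with external DTD and entity resolution disabled, so that analysis itself does not trigger the beacon.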

Application capability: Legitimate-by-design, but RAT-grade

The Electron app shipped inside the DMG is built from public source code. However, its specific entitlements and modules grant the operator everything an attacker needs once the user is convinced to install the app and grant the following permissions:

  • com.apple.security.accessibility + native universal_key_monitor.node, typing_monitor.node, fn_key_monitor.node (CGEventTap) — system-wide keystroke capture.

  • audio_capture.node (AVCaptureSession) — continuous mic capture.

  • com.apple.security.automation.apple-events and heavy AppleScript usage (tell application "System Events"…) — full automation of other apps.

  • com.apple.security.cs.disable-library-validation, allow-dyld-environment-variables, allow-jit, allow-unsigned-executable-memory, cs.debugger, app-sandbox=false — a wide-open hardened-runtime profile.

  • LLM-callable shell tool whose allow-list includes curl, wget, osascript, open, python, pip, brew, node, npm, git, tar, zip, unzip, say, system_profiler, sw_vers, … — i.e. download-and-execute is one prompt away.

  • app.setLoginItemSettings({openAtLogin:true}) — persistence.

  • Custom URL handler jarvis://.

These capabilities are present in the upstream project as well; however, the trojanized DMG is specifically designed to ensure the user actually installs the software and trusts it with these expansive permissions.

By leveraging the legitimate functionality of the AI assistant, the attacker gains a “RAT-grade” (Remote Access Trojan) foothold on the system without needing to write custom exploit code. The software’s native requirements for voice control and automation provide the perfect cover for persistent monitoring and data exfiltration.


IOCs

  • Ad Domain: serverji[.]com

  • Landing Page: serverji[.]com

  • Fake Repository Infrastructure: un5q021ctkzm0[.]serverji[.]com

The actor distributed multiple architecture-specific malicious binaries. All malicious DMG files masquerade as version 1.1.11 of the Jarvis AI Assistant. The presence of two distinct Apple Silicon variants suggests the actor may be A/B testing payloads or rotating binaries to evade hash-based detection.

Apple Silicon (Variant 1):

  • File Name: Jarvis.-.AI.Assistant-1.1.11-Apple_Silicon.dmg

  • SHA-256: 262b620127e23f44ea11e9bf6477ce947dc1851f9a4dbe864faf23a786195a6f

  • VirusTotal: Analysis Link

Apple Silicon (Variant 2):

  • File Name: Jarvis.-.AI.Assistant-1.1.11-Apple_Silicon.dmg

  • SHA-256: 83014d51559aa623a56a32caaf6bc1c9b0d6947bf5450c8fea1dbfa889b03f73

  • VirusTotal: Analysis Link

  • Note: Similar structure to Variant 1, potentially repackaged

Intel:

  • File Name: Jarvis.-.AI.Assistant-1.1.11-Intel.dmg

  • SHA-256: 1b514a311ef596e8ca015c04479171ab6818d2f7ac60ba51b6886e86b197ab18

  • VirusTotal: Not indexed (as of May 28, 2026)

Conclusion

The sophistication of this campaign lies in its multi-layered approach to deception, effectively weaponizing trust at every stage of the user journey.

The campaign first exploits invisible Unicode characters (ZWSP) to bypass ad moderation and reach potential victims. It then cements this deception by deploying a dynamically mirrored GitHub repository, creating a facade of legitimacy that is nearly indistinguishable from the real project. The evasion is taken further by the delivery of a malicious DMG package featuring a non-standard UDIF wrapper designed to break automated triage and an XML DTD pointer that beacons to attacker infrastructure upon parsing.

Ultimately, the attack succeeds by exploiting the “legitimate-by-design” capabilities of the software. Because the AI assistant requires extensive system permissions to function, the attacker does not need to rely on traditional exploits. Instead, they use the tampered DMG container to bypass security red flags, ensuring that once the user grants the requested access, the operator gains immediate, RAT-grade control over the host environment.

A guest post by
Eliya Stein
Security @ Confiant
A guest post by
Confiant
Confiant is cybersecurity built for advertising, securing the ad economy from the inside out.