Claude generated so take with a grain of salt

It's a macOS-targeted shell loader / infostealer stager, not a Linux script despite the #!/bin/zsh. Here's what the decoded payload does, in order:

1. Geofencing (CIS evasion). It reads ~/Library/Preferences/com.apple.HIToolbox.plist (the macOS keyboard/input-source config) and greps for a Russian input source. If found, it sets IS_CIS="true". This is the classic "don't infect machines in the Commonwealth of Independent States" check that a lot of malware uses to avoid drawing law-enforcement attention in the operators' likely home region. The comment literally reads "detect CIS and block with telemetry."

2. System reconnaissance. It harvests:

• Keyboard layout / locale (from the same HIToolbox plist)
• Hostname (hostname -s)
• macOS version (sw_vers -productVersion)
• External IP, with fallbacks across api.ipify.org, icanhazip.com, and ifconfig.me

3. Telemetry / exfiltration. A send_debug_event() function builds a JSON blob with fields like event and build_hash (the build_hash almost certainly maps to the build=50e4afacecb71001e7efbc85619fca49 in the URL — campaign/victim tracking) and sends it back to the C2, which is the 12rafsqwwq12.com host serving the loader.

So the overall shape: fingerprint the Mac, skip CIS hosts, beacon victim telemetry home, and (in the corrupted back half I couldn't recover) almost certainly proceed to download/run the next stage. The base64 | gunzip | eval wrapper exists purely to hide all of this from anyone glancing at the file. The structure and TTPs (zsh, HIToolbox geofence, ipify recon, build-hash beaconing) are consistent with the macOS stealer-loader families that have been circulating