North Korean Threat Actor Sapphire Sleet Targets macOS Users in Sophisticated Social Engineering Campaign
A newly uncovered campaign by Sapphire Sleet, a North Korean state-backed threat group active since at least March 2020, is targeting macOS users, particularly those in the cryptocurrency, venture capital, and blockchain sectors, through a social-engineering-driven attack chain that exploits no software vulnerability: every stage runs only because the victim is persuaded to run it.
The campaign, first detected in early 2026, relies on deceptive recruitment lures to get victims to execute malicious files. Attackers pose as job recruiters on social media or professional platforms and direct targets to download a file disguised as a Zoom SDK or Microsoft Teams update. The file, typically a compiled AppleScript (.scpt), opens in macOS Script Editor when double-clicked; once the victim runs it from there, it starts a multi-stage infection without raising suspicion.
How the Attack Unfolds
- Initial compromise: The victim is convinced to run a script (e.g., Zoom SDK Update.scpt or msteams sdk update.scpt), which silently fetches the next-stage payloads.
- Credential harvesting: A fake application (systemupdate.app) displays a native-looking macOS password prompt and tricks the user into typing their login password. If the password validates, it is exfiltrated via Telegram.
- Data theft: A second decoy app (softwareupdate.app) shows a completed update while the malware collects cryptocurrency wallets, browser passwords, SSH keys, Telegram sessions, and browsing history. The stolen data is compressed and sent to attacker-controlled servers over port 8443.
- Backdoor installation and persistence: The malware deploys several backdoors, named to look like Apple or Google components:
  - com.apple.cli: a host-monitoring tool that communicates over port 6783.
  - icloudz: a backdoor loaded from ~/Library/Application Support/iCloud/icloudz whose payload runs in memory, evading disk-based detection.
  - A launch daemon (com.google.webkit.service.plist), alongside a user launch agent (com.apple.identification.plist), that restarts the backdoor after a reboot.
Evolving Tactics
In June 2026, Sapphire Sleet introduced a Microsoft Teams-themed variant that uses updated payload names (e.g., com.microsoft.helper and the dot-prefixed, hidden .google.docs) while keeping the same attack chain. The group's infrastructure includes multiple C2 servers (e.g., 83.136.208[.]246, 188.227.196[.]252) and domains (e.g., uw04webzoom[.]us, check02id[.]com).
Defensive Measures & Indicators of Compromise (IoCs)
Microsoft’s report, shared with Cyber Security News (CSN), prompted Apple to deploy countermeasures, including XProtect signature updates and Safari Safe Browsing blocks. Key IoCs include:
- IPs: 83.136.208[.]246, 188.227.196[.]252, 104.145.210[.]107
- Domains: uw04webzoom[.]us, check02id[.]com
- Files: Zoom SDK Update.scpt, systemupdate.app, com.apple.cli, icloudz
- Persistence Paths: /Library/LaunchDaemons/com.google.webkit.service.plist, ~/Library/LaunchAgents/com.apple.identification.plist
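A host sweep for the indicators above, written as an added example rather than tooling from Microsoft, Apple or CSN. It checks the two persistence plists and reads their ProgramArguments, walks a directory tree for the listed file and bundle names (an .app bundle is a directory, so directory names are matched too), and scores lsof-style established connections against the listed IPs and ports. Everything is resolved relative to a root directory, so the same functions run against "/" on a live Mac, a mounted image, or the constructed fixture below. The fixture (user name alice, plist contents, the sample lsof lines) is an assumption for the demo; the page does not publish the real plist contents.

```python
import os
import plistlib
import re
import tempfile
from pathlib import Path

# Indicators copied from the article (defanging removed).
IOC_IPS = {"83.136.208.246", "188.227.196.252", "104.145.210.107"}
IOC_PORTS = {6783, 8443}  # com.apple.cli beacon, exfiltration channel
IOC_NAMES = {"Zoom SDK Update.scpt", "msteams sdk update.scpt", "systemupdate.app",
             "softwareupdate.app", "com.apple.cli", "icloudz"}
DAEMON_PLIST = "Library/LaunchDaemons/com.google.webkit.service.plist"
AGENT_PLIST = "Library/LaunchAgents/com.apple.identification.plist"  # under each home

# One line of `lsof -nP -iTCP -sTCP:ESTABLISHED`: COMMAND PID USER ... src->dst:port
CONN_RE = re.compile(r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s.*?->(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")


def persistence_hits(root):
    """(relative path, ProgramArguments) for each IoC launch item present under root."""
    root = Path(root)
    candidates = [root / DAEMON_PLIST]
    if (root / "Users").is_dir():
        candidates += [home / AGENT_PLIST for home in (root / "Users").iterdir()]
    hits = []
    for p in candidates:
        if not p.is_file():
            continue
        try:
            with open(p, "rb") as fh:  # plistlib reads both XML and binary plists
                args = plistlib.load(fh).get("ProgramArguments", [])
        except Exception:  # a malformed plist at this path is still a hit
            args = ["<unparseable plist>"]
        hits.append((str(p.relative_to(root)), [str(a) for a in args]))
    return hits


def file_hits(root, max_depth=8):
    """Relative paths of listed names under root; .app bundles are directories."""
    root, hits = Path(root), []
    for dirpath, dirnames, filenames in os.walk(root):
        if len(Path(dirpath).relative_to(root).parts) >= max_depth:
            dirnames[:] = []  # do not descend further
        hits += [str(Path(dirpath, n).relative_to(root)) for n in dirnames + filenames
                 if n in IOC_NAMES]
    return sorted(hits)


def network_hits(lsof_lines):
    """(cmd, pid, ip, port, confidence) for connections touching IoC IPs or ports.

    An IoC IP is high confidence. A bare port match is low confidence: 8443 is a
    common alternate-HTTPS port for MDM agents and proxies on managed Macs.
    """
    hits = []
    for m in filter(None, map(CONN_RE.match, lsof_lines)):
        ip, port = m["ip"], int(m["port"])
        if ip in IOC_IPS:
            hits.append((m["cmd"], int(m["pid"]), ip, port, "high"))
        elif port in IOC_PORTS:
            hits.append((m["cmd"], int(m["pid"]), ip, port, "low"))
    return hits


def sweep(root, lsof_lines):
    return {"persistence": persistence_hits(root), "files": file_hits(root),
            "network": network_hits(lsof_lines)}


# Constructed fixture: the layout, user name and plist contents are assumptions.
SAMPLE_LSOF = """\
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Safari      402 alice  12u  IPv4 0x1    0t0  TCP 10.0.0.5:55120->198.51.100.7:443 (ESTABLISHED)
com.apple.  911 alice   5u  IPv4 0x2    0t0  TCP 10.0.0.5:55301->83.136.208.246:6783 (ESTABLISHED)
python3    1204 alice   7u  IPv4 0x3    0t0  TCP 10.0.0.5:55402->188.227.196.252:8443 (ESTABLISHED)
jamf        233 root    9u  IPv4 0x4    0t0  TCP 10.0.0.5:55500->203.0.113.9:8443 (ESTABLISHED)
"""


def build_fixture(root):
    home = Path(root) / "Users/alice"
    loader = home / "Library/Application Support/iCloud/icloudz"
    for path, label in ((Path(root) / DAEMON_PLIST, "com.google.webkit.service"),
                        (home / AGENT_PLIST, "com.apple.identification")):
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(plistlib.dumps({"Label": label, "RunAtLoad": True,
                                         "KeepAlive": True, "ProgramArguments": [str(loader)]}))
    loader.parent.mkdir(parents=True, exist_ok=True)
    loader.write_bytes(b"")  # placeholder, not the real binary
    (home / "Downloads").mkdir()
    (home / "Downloads/Zoom SDK Update.scpt").write_bytes(b"")
    (home / "Downloads/systemupdate.app").mkdir()


def demo():
    """Run the sweep over the fixture; on a live Mac use sweep("/", lsof_output)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return sweep(tmp, SAMPLE_LSOF.splitlines())


if __name__ == "__main__":
    for section, findings in demo().items():
        print(section, *findings, sep="\n  ")
```

On a live host, feed `sweep("/", lines)` the output of `lsof -nP -iTCP -sTCP:ESTABLISHED` and treat a "low" network hit (port only) as a lead to confirm against the process name and the file and persistence findings, not as a verdict on its own; the jamf line in the fixture shows why a bare 8443 match must not page anyone.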
The campaign underscores Sapphire Sleet’s focus on high-value financial targets, combining social engineering with macOS-specific evasion techniques to steal credentials and maintain long-term access.
Source: https://cybersecuritynews.com/hackers-use-fake-software-update-prompts/
Microsoft TPRM report: https://www.rankiteo.com/company/microsoft-threat-intelligence
"id": "mic1781713463",
"linkid": "microsoft-threat-intelligence",
"type": "Cyber Attack",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{
  "affected_entities": [
    {
      "industry": ["Cryptocurrency", "Venture Capital", "Blockchain"],
      "type": "Individuals, Organizations"
    }
  ],
  "attack_vector": "Social Engineering (Fake Job Recruitment), Malicious AppleScript Execution",
  "data_breach": {
    "data_exfiltration": "Yes (via Telegram and attacker-controlled servers on port 8443)",
    "personally_identifiable_information": "Yes (credentials, browsing history)",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": [
      "Credentials",
      "Cryptocurrency wallets",
      "Browser data",
      "SSH keys",
      "Telegram sessions",
      "Browsing history"
    ]
  },
  "date_detected": "2026-01-01",
  "date_publicly_disclosed": "2026-06-01",
  "description": "A newly uncovered cyber campaign by Sapphire Sleet, a North Korean state-backed threat group active since at least March 2020, is targeting macOS users, particularly those in cryptocurrency, venture capital, and blockchain sectors, through a social engineering-driven attack chain that bypasses traditional software vulnerabilities. The campaign leverages deceptive recruitment lures to trick victims into executing malicious files, leading to credential harvesting, data theft, and backdoor installation.",
  "impact": {
    "data_compromised": "Cryptocurrency wallets, browser passwords, SSH keys, Telegram sessions, browsing history",
    "identity_theft_risk": "High (PII and credentials stolen)",
    "operational_impact": "Persistent backdoor access, unauthorized data exfiltration",
    "payment_information_risk": "High (cryptocurrency wallets targeted)",
    "systems_affected": "macOS systems"
  },
  "initial_access_broker": {
    "backdoors_established": "Yes (com.apple.cli, icloudz, launch daemon)",
    "entry_point": "Social media/professional platforms (fake job recruitment)",
    "high_value_targets": "Cryptocurrency, venture capital, and blockchain sectors"
  },
  "investigation_status": "Ongoing",
  "lessons_learned": "Social engineering remains a highly effective attack vector, especially when combined with macOS-specific evasion techniques. High-value targets in financial sectors are at increased risk from state-backed threat actors.",
  "motivation": "Financial Gain, Data Theft, Espionage",
  "post_incident_analysis": {
    "corrective_actions": "Enhanced user training, deployment of Apple's XProtect updates, blocking known malicious IPs/domains, improved endpoint detection for macOS.",
    "root_causes": "Lack of user awareness of social engineering tactics, execution of untrusted AppleScript files, insufficient monitoring for macOS-specific threats."
  },
  "recommendations": [
    "Educate employees on recognizing social engineering tactics, especially fake job recruitment lures.",
    "Implement multi-factor authentication (MFA) for all critical accounts.",
    "Monitor for unusual network traffic, particularly on ports 6783 and 8443.",
    "Regularly update macOS and security tools like XProtect.",
    "Restrict execution of AppleScript files from untrusted sources.",
    "Deploy endpoint detection and response (EDR) solutions to detect memory-resident malware."
  ],
  "references": [
    {"source": "Microsoft"},
    {"source": "Cyber Security News (CSN)"}
  ],
  "response": {
    "containment_measures": "XProtect signature updates, Safari Safe Browsing blocks",
    "remediation_measures": "Deployment of countermeasures by Apple, removal of malicious files",
    "third_party_assistance": "Microsoft, Apple"
  },
  "threat_actor": "Sapphire Sleet (North Korean state-backed)",
  "title": "North Korean Threat Actor Sapphire Sleet Targets macOS Users in Sophisticated Social Engineering Campaign",
  "type": "Social Engineering, Malware, Credential Theft, Data Exfiltration"
}