Dissecting macOS intrusion from lure to compromise
Microsoft Threat Intelligence uncovered a macOS-focused cyber campaign by North Korean threat actor Sapphire Sleet utilizing social engineering to compromise systems. The attack chain begins with a malicious AppleScript file disguised as a Zoom SDK update, which executes cascading payloads through curl-to-osascript chains. The campaign deploys multiple backdoors including com.apple.cli, services, icloudz, and com.google.chromes.updaters for persistence and command execution. Credential harvesting occurs through fake system dialogs that mimic legitimate macOS password prompts. The threat actor bypasses Transparency, Consent, and Control protections by directly manipulating the TCC database, enabling extensive data exfiltration targeting cryptocurrency wallets, browser credentials, Telegram sessions, SSH keys, and Apple Notes. Operations focus on cryptocurrency, finance, and blockchain organizations with the primary objective of stealing digital assets.
AI Analysis
Technical Summary
This threat involves a sophisticated macOS intrusion campaign attributed to the North Korean threat actor Sapphire Sleet. The attack chain begins with a socially engineered lure: a malicious AppleScript file masquerading as a Zoom SDK update. This script triggers a cascade of payloads using curl-to-osascript execution chains. The attackers deploy multiple backdoors named com.apple.cli, services, icloudz, and com.google.chromes.updaters to maintain persistence and execute commands. Credential harvesting is performed through fake system dialogs mimicking legitimate macOS password prompts. The threat actor bypasses Transparency, Consent, and Control (TCC) protections by directly manipulating the TCC database, allowing broad data exfiltration. Stolen data includes cryptocurrency wallets, browser credentials, Telegram session data, SSH keys, and Apple Notes. The campaign primarily targets organizations in cryptocurrency, finance, and blockchain industries with the goal of stealing digital assets.
Potential Impact
The campaign enables attackers to gain persistent backdoor access on macOS systems, harvest sensitive credentials, and bypass macOS security protections to exfiltrate valuable data. The primary impact is theft of digital assets including cryptocurrency wallets and credentials for various services. The manipulation of the TCC database undermines macOS's built-in privacy controls, increasing the risk of extensive data compromise. This poses a significant threat to targeted organizations in finance and blockchain sectors.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the attack relies on social engineering and malicious AppleScript execution, organizations should educate users to avoid installing unverified software updates, especially those masquerading as legitimate Zoom SDK updates. Monitoring for the presence of known backdoor components and indicators of compromise such as the listed IP addresses, domains, and file hashes can aid detection. Because the threat bypasses TCC protections by database manipulation, verifying the integrity of TCC settings and restricting unauthorized modifications may help. Follow updates from Apple and Microsoft Threat Intelligence for any official fixes or detection tools.
Indicators of Compromise
- ip: 83.136.209.22
- domain: uw04webzoom.us
- domain: ur01webzoom.us
- domain: uv01webzoom.us
- ip: 188.227.196.252
- hash: 05e1761b535537287e7b72d103a29c4453742725600f59a34a4831eafc0b8e53
- hash: 2075fd1a1362d188290910a8c55cf30c11ed5955c04af410c481410f538da419
- hash: 5e581f22f56883ee13358f73fabab00fcf9313a053210eb12ac18e66098346e5
- hash: 5fbbca2d72840feb86b6ef8a1abb4fe2f225d84228a714391673be2719c73ac7
- hash: 8fd5b8db10458ace7e4ed335eb0c66527e1928ad87a3c688595804f72b205e8c
- hash: 95e893e7cdde19d7d16ff5a5074d0b369abd31c1a30962656133caa8153e8d63
- hash: a05400000843fbad6b28d2b76fc201c3d415a72d88d8dc548fafd8bae073c640
- ip: 104.145.210.107
- ip: 83.136.208.246
- ip: 83.136.208.48
- ip: 83.136.210.180
- domain: check02id.com
- domain: uv03webzoom.us
- domain: uv04webzoom.us
- domain: uw03webzoom.us
- domain: uw05webzoom.us
- domain: ux06webzoom.us
Dissecting macOS intrusion from lure to compromise
Description
Microsoft Threat Intelligence uncovered a macOS-focused cyber campaign by North Korean threat actor Sapphire Sleet utilizing social engineering to compromise systems. The attack chain begins with a malicious AppleScript file disguised as a Zoom SDK update, which executes cascading payloads through curl-to-osascript chains. The campaign deploys multiple backdoors including com.apple.cli, services, icloudz, and com.google.chromes.updaters for persistence and command execution. Credential harvesting occurs through fake system dialogs that mimic legitimate macOS password prompts. The threat actor bypasses Transparency, Consent, and Control protections by directly manipulating the TCC database, enabling extensive data exfiltration targeting cryptocurrency wallets, browser credentials, Telegram sessions, SSH keys, and Apple Notes. Operations focus on cryptocurrency, finance, and blockchain organizations with the primary objective of stealing digital assets.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This threat involves a sophisticated macOS intrusion campaign attributed to the North Korean threat actor Sapphire Sleet. The attack chain begins with a socially engineered lure: a malicious AppleScript file masquerading as a Zoom SDK update. This script triggers a cascade of payloads using curl-to-osascript execution chains. The attackers deploy multiple backdoors named com.apple.cli, services, icloudz, and com.google.chromes.updaters to maintain persistence and execute commands. Credential harvesting is performed through fake system dialogs mimicking legitimate macOS password prompts. The threat actor bypasses Transparency, Consent, and Control (TCC) protections by directly manipulating the TCC database, allowing broad data exfiltration. Stolen data includes cryptocurrency wallets, browser credentials, Telegram session data, SSH keys, and Apple Notes. The campaign primarily targets organizations in cryptocurrency, finance, and blockchain industries with the goal of stealing digital assets.
Potential Impact
The campaign enables attackers to gain persistent backdoor access on macOS systems, harvest sensitive credentials, and bypass macOS security protections to exfiltrate valuable data. The primary impact is theft of digital assets including cryptocurrency wallets and credentials for various services. The manipulation of the TCC database undermines macOS's built-in privacy controls, increasing the risk of extensive data compromise. This poses a significant threat to targeted organizations in finance and blockchain sectors.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the attack relies on social engineering and malicious AppleScript execution, organizations should educate users to avoid installing unverified software updates, especially those masquerading as legitimate Zoom SDK updates. Monitoring for the presence of known backdoor components and indicators of compromise such as the listed IP addresses, domains, and file hashes can aid detection. Because the threat bypasses TCC protections by database manipulation, verifying the integrity of TCC settings and restricting unauthorized modifications may help. Follow updates from Apple and Microsoft Threat Intelligence for any official fixes or detection tools.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.microsoft.com/en-us/security/blog/2026/04/16/dissecting-sapphire-sleets-macos-intrusion-from-lure-to-compromise/"]
- Adversary
- STARDUST CHOLLIMA
- Pulse Id
- 69e1f157d8f8bb7547f8c23f
- Threat Score
- null
Indicators of Compromise
Ip
| Value | Description | Copy |
|---|---|---|
ip83.136.209.22 | — | |
ip188.227.196.252 | — | |
ip104.145.210.107 | — | |
ip83.136.208.246 | — | |
ip83.136.208.48 | — | |
ip83.136.210.180 | — |
Domain
| Value | Description | Copy |
|---|---|---|
domainuw04webzoom.us | — | |
domainur01webzoom.us | — | |
domainuv01webzoom.us | — | |
domaincheck02id.com | — | |
domainuv03webzoom.us | — | |
domainuv04webzoom.us | — | |
domainuw03webzoom.us | — | |
domainuw05webzoom.us | — | |
domainux06webzoom.us | — |
Hash
| Value | Description | Copy |
|---|---|---|
hash05e1761b535537287e7b72d103a29c4453742725600f59a34a4831eafc0b8e53 | — | |
hash2075fd1a1362d188290910a8c55cf30c11ed5955c04af410c481410f538da419 | — | |
hash5e581f22f56883ee13358f73fabab00fcf9313a053210eb12ac18e66098346e5 | — | |
hash5fbbca2d72840feb86b6ef8a1abb4fe2f225d84228a714391673be2719c73ac7 | — | |
hash8fd5b8db10458ace7e4ed335eb0c66527e1928ad87a3c688595804f72b205e8c | — | |
hash95e893e7cdde19d7d16ff5a5074d0b369abd31c1a30962656133caa8153e8d63 | — | |
hasha05400000843fbad6b28d2b76fc201c3d415a72d88d8dc548fafd8bae073c640 | — |
Threat ID: 69e20c1982d89c981fc722f4
Added to database: 4/17/2026, 10:31:53 AM
Last enriched: 4/17/2026, 10:46:59 AM
Last updated: 4/17/2026, 7:07:40 PM
Views: 20
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.