Sapphire Sleet Targets macOS
A multi-stage macOS intrusion campaign by the North Korean state-sponsored group Sapphire Sleet targets high-value financial sectors such as venture capital, Web3 developers, and cryptocurrency organizations. The campaign uses signed, built-in macOS applications like Apple Script Editor and Finder to bypass traditional security controls, suppress alerts, and execute arbitrary code disguised as legitimate user updates. Initial access is achieved through targeted social engineering, tricking victims into running a fake Zoom SDK update, which leads to further payload delivery. No official patch or remediation guidance is provided in the source data.
AI Analysis
Technical Summary
The Sapphire Sleet campaign is a targeted intrusion operation against macOS environments in financial sectors. It leverages legitimate signed system applications to evade macOS security mechanisms and suppress system alerts, enabling execution of arbitrary code under the guise of authentic user updates. Initial infection vectors rely on social engineering, specifically convincing users to execute a malicious fake Zoom SDK update component. This campaign aligns with known macOS intrusion tradecraft and is attributed to the North Korean group Sapphire Sleet (BlueNoroff / UNC1069). Indicators include multiple IP addresses, domains, and file hashes associated with the campaign.
Potential Impact
The campaign enables attackers to execute arbitrary code on targeted macOS systems, potentially leading to unauthorized access and control over high-value financial sector environments. By operating outside traditional macOS security enforcement and suppressing alerts, the malware increases the risk of stealthy compromise. The impact is medium severity given the targeted nature and the sectors affected, but no known exploits in the wild or patch information are available.
Mitigation Recommendations
No official patch or remediation guidance is provided. Since the campaign relies on social engineering to trick users into executing malicious updates, organizations should educate users to verify update sources and avoid executing unsolicited update prompts. Monitoring for the provided indicators of compromise (IPs, domains, hashes) can assist in detection. Follow vendor advisories and security community updates for any emerging mitigations or patches.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign
- Adversary: null
- Pulse Id: 6a19675cc4b620f11791ba1b
- Threat Score: null
Threat ID: 6a19680fe29bf47b50d80f78
Added to database: 5/29/2026, 10:18:55 AM
Last enriched: 5/29/2026, 10:33:28 AM
Last updated: 5/29/2026, 7:00:51 PM