Fake Zoom SDK Update Delivers Sapphire Sleet Malware to macOS
Key Takeaways The North Korean state-sponsored group Sapphire Sleet is deploying new macOS malware through a deceptive Zoom SDK update lure. The attack leverages social engineering, tricking users...
Key Takeaways
- The North Korean state-sponsored group Sapphire Sleet is deploying new macOS malware through a deceptive Zoom SDK update lure.
- The attack leverages social engineering, tricking users into executing a malicious AppleScript disguised as a legitimate update.
- The malware bypasses macOS Gatekeeper and Transparency, Consent, and Control (TCC) by exploiting user-initiated execution.
- It steals sensitive data including passwords, cryptocurrency wallet keys, Telegram session data, browser credentials, and SSH keys.
- Apple has released XProtect signature updates and Safari Safe Browsing protections to mitigate aspects of this campaign.
North Korean threat actors, identified as Sapphire Sleet, have launched a sophisticated new campaign targeting macOS users. This operation employs a convincing social engineering tactic: a fake Zoom SDK update that, once executed, deploys malware designed to pilfer passwords, cryptocurrency assets, and other sensitive personal information. Microsoft Threat Intelligence analysts provided a detailed analysis of this new macOS intrusion chain.
Table Of Content
Unlike many cyberattacks that exploit software vulnerabilities, this particular campaign relies heavily on human manipulation. Sapphire Sleet orchestrates a deceptive scenario, initially posing as a job recruiter on professional networking platforms. Through sustained engagement and the scheduling of a fabricated technical interview, the attackers build trust with the victim.
The pivotal moment in the attack occurs when the victim is instructed to download and open a file named “Zoom SDK Update.scpt.” This file is a compiled AppleScript, designed to open within macOS’s native Script Editor application. Because Script Editor is a trusted, Apple-developed application, macOS does not flag it as suspicious. The user sees what appears to be routine update instructions, while thousands of blank lines conceal malicious code poised for execution below the visible content.
Microsoft Threat Intelligence analysts observed that the specific combination of execution patterns, particularly the use of AppleScript as a dedicated component for credential harvesting, represents a novel approach for Sapphire Sleet. Following their discovery, Microsoft responsibly disclosed its findings to Apple. In response, Apple has since rolled out XProtect signature updates and enhanced Safe Browsing protections within Safari to detect and block infrastructure associated with this campaign.
Sapphire Sleet’s primary targets include individuals and organizations operating in the cryptocurrency, finance, venture capital, and blockchain sectors. The malware, once active, proceeds to harvest the victim’s login password, exfiltrate Telegram session data, collect browser credentials, extract crypto wallet keys from applications such as Ledger Live and Exodus, retrieve SSH keys, and compromise macOS keychain databases. All stolen data is then compressed and uploaded discreetly to attacker-controlled servers over port 8443.
Crucially, the malware circumvents macOS security mechanisms like Gatekeeper and Transparency, Consent, and Control (TCC). By persuading the user to manually initiate the execution of the malicious file, Sapphire Sleet shifts the operation into a user-initiated context, rendering these built-in protections largely ineffective. This highlights the critical role of user vigilance and behavioral awareness in defending against such attacks.
Inside the Infection Chain
Once the victim opens the initial lure file, the attack unfolds rapidly through a series of commands. The AppleScript initiates by invoking the legitimate macOS “softwareupdate” binary with an invalid parameter, creating the appearance of a genuine system process. It then uses “curl” to retrieve a remote AppleScript payload, which is directly fed to the “osascript” interpreter. This multi-stage process repeats across five distinct phases, each tracked by unique user-agent strings (mac-cur1 through mac-cur5), enabling Sapphire Sleet to manage payload delivery and monitor the progress of the campaign.
The mac-cur1 stage serves as the primary orchestrator. It gathers system details, registers the compromised machine with Sapphire Sleet’s command-and-control infrastructure, and deploys a host monitoring binary named “com.apple.cli.” Simultaneously, a backdoor dubbed “services” installs a launch daemon named “com.google.webkit.service.plist.” This name is deliberately chosen to mimic legitimate Apple and Google services, ensuring persistence across reboots without attracting undue attention.
The mac-cur2 stage is responsible for delivering the credential harvester, “systemupdate.app.” This application displays a native password dialog that is visually identical to a legitimate macOS system prompt. When the user enters their password, the malware validates it against the local authentication database and immediately transmits it to Sapphire Sleet via the Telegram Bot API. To further allay suspicion, a second fake application, “softwareupdate.app,” then displays a “system update complete” message.
To access protected data, the mac-cur3 stage cleverly manipulates the TCC database. It directs Finder to temporarily rename the TCC folder, allowing the malware to inject permissions that grant osascript access to sensitive files without triggering a consent prompt. Subsequently, a 575-line exfiltration script collects nine distinct categories of data and uploads them to the attacker’s servers.
What You Should Do
- Be highly suspicious of any unsolicited requests to run terminal commands or open script files during online interviews or professional interactions.
- Block compiled AppleScript (.scpt) files at the network perimeter or endpoint where possible.
- Regularly audit LaunchDaemon plist files for any unexpected or suspicious entries that could indicate persistence mechanisms.
- Monitor the TCC database for unauthorized changes or new permissions granted to unfamiliar applications or scripts.
- Keep your macOS operating system fully updated to ensure Apple’s latest XProtect signatures and Safari Safe Browsing protections are active and capable of blocking known components of this campaign.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.