Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
ACSC Warns of Large-Scale CMS Exploitation Campaign Deploys Webshells on Vulnerable Websites
July 9, 2026
GodDamn Ransomware Rebrands From Beast and Uses PoisonX Driver to Disable Defenses
July 9, 2026
RedHook Android RAT Abuses ADB Wireless Debugging to Gain Shell-Level Access
July 9, 2026
Home/Threats/Fake Zoom SDK Update Delivers Sapphire Sleet Malware to macOS
Threats

Fake Zoom SDK Update Delivers Sapphire Sleet Malware to macOS

Key Takeaways The North Korean state-sponsored group Sapphire Sleet is deploying new macOS malware through a deceptive Zoom SDK update lure. The attack leverages social engineering, tricking users...

Sarah simpson
Sarah simpson
April 17, 2026 4 Min Read
54 0

Key Takeaways

  • The North Korean state-sponsored group Sapphire Sleet is deploying new macOS malware through a deceptive Zoom SDK update lure.
  • The attack leverages social engineering, tricking users into executing a malicious AppleScript disguised as a legitimate update.
  • The malware bypasses macOS Gatekeeper and Transparency, Consent, and Control (TCC) by exploiting user-initiated execution.
  • It steals sensitive data including passwords, cryptocurrency wallet keys, Telegram session data, browser credentials, and SSH keys.
  • Apple has released XProtect signature updates and Safari Safe Browsing protections to mitigate aspects of this campaign.

North Korean threat actors, identified as Sapphire Sleet, have launched a sophisticated new campaign targeting macOS users. This operation employs a convincing social engineering tactic: a fake Zoom SDK update that, once executed, deploys malware designed to pilfer passwords, cryptocurrency assets, and other sensitive personal information. Microsoft Threat Intelligence analysts provided a detailed analysis of this new macOS intrusion chain.

Table Of Content

  • Key Takeaways
  • Inside the Infection Chain
  • What You Should Do

Unlike many cyberattacks that exploit software vulnerabilities, this particular campaign relies heavily on human manipulation. Sapphire Sleet orchestrates a deceptive scenario, initially posing as a job recruiter on professional networking platforms. Through sustained engagement and the scheduling of a fabricated technical interview, the attackers build trust with the victim.

The pivotal moment in the attack occurs when the victim is instructed to download and open a file named “Zoom SDK Update.scpt.” This file is a compiled AppleScript, designed to open within macOS’s native Script Editor application. Because Script Editor is a trusted, Apple-developed application, macOS does not flag it as suspicious. The user sees what appears to be routine update instructions, while thousands of blank lines conceal malicious code poised for execution below the visible content.

Microsoft Threat Intelligence analysts observed that the specific combination of execution patterns, particularly the use of AppleScript as a dedicated component for credential harvesting, represents a novel approach for Sapphire Sleet. Following their discovery, Microsoft responsibly disclosed its findings to Apple. In response, Apple has since rolled out XProtect signature updates and enhanced Safe Browsing protections within Safari to detect and block infrastructure associated with this campaign.

Sapphire Sleet’s primary targets include individuals and organizations operating in the cryptocurrency, finance, venture capital, and blockchain sectors. The malware, once active, proceeds to harvest the victim’s login password, exfiltrate Telegram session data, collect browser credentials, extract crypto wallet keys from applications such as Ledger Live and Exodus, retrieve SSH keys, and compromise macOS keychain databases. All stolen data is then compressed and uploaded discreetly to attacker-controlled servers over port 8443.

Crucially, the malware circumvents macOS security mechanisms like Gatekeeper and Transparency, Consent, and Control (TCC). By persuading the user to manually initiate the execution of the malicious file, Sapphire Sleet shifts the operation into a user-initiated context, rendering these built-in protections largely ineffective. This highlights the critical role of user vigilance and behavioral awareness in defending against such attacks.

Inside the Infection Chain

Once the victim opens the initial lure file, the attack unfolds rapidly through a series of commands. The AppleScript initiates by invoking the legitimate macOS “softwareupdate” binary with an invalid parameter, creating the appearance of a genuine system process. It then uses “curl” to retrieve a remote AppleScript payload, which is directly fed to the “osascript” interpreter. This multi-stage process repeats across five distinct phases, each tracked by unique user-agent strings (mac-cur1 through mac-cur5), enabling Sapphire Sleet to manage payload delivery and monitor the progress of the campaign.

The mac-cur1 stage serves as the primary orchestrator. It gathers system details, registers the compromised machine with Sapphire Sleet’s command-and-control infrastructure, and deploys a host monitoring binary named “com.apple.cli.” Simultaneously, a backdoor dubbed “services” installs a launch daemon named “com.google.webkit.service.plist.” This name is deliberately chosen to mimic legitimate Apple and Google services, ensuring persistence across reboots without attracting undue attention.

The mac-cur2 stage is responsible for delivering the credential harvester, “systemupdate.app.” This application displays a native password dialog that is visually identical to a legitimate macOS system prompt. When the user enters their password, the malware validates it against the local authentication database and immediately transmits it to Sapphire Sleet via the Telegram Bot API. To further allay suspicion, a second fake application, “softwareupdate.app,” then displays a “system update complete” message.

To access protected data, the mac-cur3 stage cleverly manipulates the TCC database. It directs Finder to temporarily rename the TCC folder, allowing the malware to inject permissions that grant osascript access to sensitive files without triggering a consent prompt. Subsequently, a 575-line exfiltration script collects nine distinct categories of data and uploads them to the attacker’s servers.

What You Should Do

  • Be highly suspicious of any unsolicited requests to run terminal commands or open script files during online interviews or professional interactions.
  • Block compiled AppleScript (.scpt) files at the network perimeter or endpoint where possible.
  • Regularly audit LaunchDaemon plist files for any unexpected or suspicious entries that could indicate persistence mechanisms.
  • Monitor the TCC database for unauthorized changes or new permissions granted to unfamiliar applications or scripts.
  • Keep your macOS operating system fully updated to ensure Apple’s latest XProtect signatures and Safari Safe Browsing protections are active and capable of blocking known components of this campaign.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitMalwareSecurityThreat

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Beware Fake Ledger Wallets on Chinese Marketplaces Stealing Crypto Seeds and PINs

Next Post

Worm Spreads via Email to Compromise Industrial Control Systems

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Roundcube 0-Click Vulnerability Lets Attackers Inject Stored XSS
July 9, 2026
Critical Microsoft Entra ID Flaw Lets Attackers Hijack Accounts
July 9, 2026
Critical Linux Kernel Flaw Allows Root Access via DRM Render Nodes
July 9, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us