Fake macOS Updates Steal Passwords & Crypto
A new and dangerous cyber campaign is actively targeting macOS users, posing a significant risk to their data. This threat is particularly insidious because it doesn't exploit software vulnerabilities; instead, it relies on sophisticated social engineering tactics. For a detailed analysis of these methods, refer to the full report. Rather than breaking in, the attackers trick people into handing over their own passwords and sensitive data by making everything look completely normal.
What appears to be a routine software update turns out to be a carefully crafted trap, and by the time a victim realizes something is wrong, the damage may already be done.
The group behind this activity is known as Sapphire Sleet, a North Korean state-backed threat actor active since at least March 2020. Their targets are not random.
They focus almost entirely on people involved in cryptocurrency, venture capital, and blockchain-related businesses. The core goal is to steal digital assets and financial information from high-value individuals and organizations around the world.
Analysts at Microsoft said in a report shared with Cyber Security News (CSN) that the campaign began in early 2026 and introduces macOS-specific attack techniques not previously seen from this actor.
According to the report, the attack works entirely through social engineering, meaning the hackers convince users to run malicious files themselves rather than exploiting any flaw in the operating system.

The attack begins when a target is contacted on social media or professional platforms by someone posing as a job recruiter.
After some back-and-forth, the target is directed to download a file disguised as a Zoom SDK update. Once opened, the file launches in macOS Script Editor, a legitimate Apple tool, and quietly begins pulling additional malicious code in the background.
The user sees nothing suspicious, only what looks like an ordinary software installation. Microsoft shared its findings with Apple as part of a responsible disclosure process.
Apple has since rolled out platform-level protections, including XProtect signature updates and Safari Safe Browsing blocks, to detect and stop infrastructure tied to this campaign. macOS users are strongly encouraged to keep their devices fully updated to benefit from these protections.
Hackers Use Fake Software Update Prompts
Once the malicious script runs on a victim’s machine, it silently deploys a fake application called systemupdate.app. This app presents the user with a native-looking macOS password dialog that is visually indistinguishable from a real system prompt.
The user is told their password is required to finish the software update, and most people simply type it in without a second thought.
After the password is entered, the malware verifies it against the local macOS authentication database. If the credential checks out, it is immediately forwarded to the attackers via the Telegram messaging service.

A second fake app, softwareupdate.app, then shows a convincing update-complete dialog to prevent the victim from growing suspicious. Meanwhile, the malware collects cryptocurrency wallet files, saved browser passwords, Telegram session data, SSH keys, Apple Notes, and browsing history.
Persistent Backdoors and Large-Scale Exfiltration
Beyond stealing credentials, Sapphire Sleet installs multiple backdoors to maintain long-term access. A component named com.apple.cli acts as a host monitoring tool that continuously checks in with the attackers’ servers.
A more advanced backdoor named icloudz loads code directly into memory, leaving little trace on disk and making it considerably harder for security tools to catch.
The malware installs a launch daemon that automatically restarts the backdoor after every system reboot. All stolen data is compressed into archives and uploaded to attacker-controlled servers over port 8443, while credentials are sent separately via the Telegram Bot API.
In June 2026, Microsoft noted that Sapphire Sleet had introduced a Microsoft Teams-themed lure with updated payload names, carrying on the same attack chain under fresh disguises.

Microsoft advises users to never run scripts or terminal commands shared through chat messages without approval from a trusted IT team.
Organizations should block compiled AppleScript files downloaded from the internet and monitor for unauthorized changes to the macOS TCC database.
Anyone managing cryptocurrency assets should rely on hardware wallets and regularly rotate credentials stored in browsers.
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| IP Address | 83.136.208[.]246 | C2 server used by com.apple.cli host monitoring component (port 6783) |
| IP Address | 188.227.196[.]252 | Sapphire Sleet C2 infrastructure |
| IP Address | 83.136.209[.]22 | Sapphire Sleet C2 infrastructure |
| IP Address | 83.136.208[.]48 | Sapphire Sleet C2 infrastructure |
| IP Address | 83.136.210[.]180 | Sapphire Sleet C2 infrastructure |
| IP Address | 104.145.210[.]107 | Sapphire Sleet C2 infrastructure |
| IP Address | 188.227.197[.]136 | Sapphire Sleet C2 infrastructure |
| Domain | uw04webzoom[.]us | Sapphire Sleet attacker-controlled domain |
| Domain | uw05webzoom[.]us | Sapphire Sleet attacker-controlled domain |
| Domain | uw03webzoom[.]us | Sapphire Sleet attacker-controlled domain |
| Domain | ur01webzoom[.]us | Sapphire Sleet attacker-controlled domain |
| Domain | uv01webzoom[.]us | Sapphire Sleet attacker-controlled domain |
| Domain | uv03webzoom[.]us | Sapphire Sleet attacker-controlled domain |
| Domain | uv04webzoom[.]us | Sapphire Sleet attacker-controlled domain |
| Domain | ux06webzoom[.]us | Sapphire Sleet attacker-controlled domain |
| Domain | check02id[.]com | C2 domain used by com.google.chromes.updaters backdoor (port 5202) |
| File Name | Zoom SDK Update.scpt | Initial lure file (compiled AppleScript) delivered via social engineering |
| File Name | msteams sdk update.scpt | Teams-themed lure file used in June 2026 updated campaign |
| File Name | systemupdate.app | Fake credential harvester disguised as macOS system update |
| File Name | softwareupdate.app | Decoy completion app displaying fake update-complete dialog |
| File Name | com.apple.cli | Host monitoring Mach-O binary (~5 MB), Apple-style naming camouflage |
| File Name | icloudz | Reflective code loader backdoor stored at ~/Library/Application Support/iCloud/icloudz |
| File Name | com.google.chromes.updaters | Tertiary backdoor (~7.2 MB) stored at ~/Library/Google/com.google.chromes.updaters |
| File Name | com.microsoft.helper | Host monitoring component used in Teams-themed campaign variant |
| File Name | .google.docs | Hidden Mach-O backdoor used in Teams-themed campaign variant |
| File Path | /Library/LaunchDaemons/com.google.webkit.service.plist | Persistence launch daemon installed by Sapphire Sleet |
| File Path | ~/Library/LaunchAgents/com.apple.identification.plist | Persistence launch agent in Teams-themed campaign variant |
| File Path | ~/Library/Application Support/Authorization/auth.db | Installation marker file storing path to services backdoor |
| Token | fwyan48umt1vimwqcqvhdd9u72a7qysi | Exfiltration upload authorization token |
| UUID | 82cf5d92-87b5-4144-9a4e-6b58b714d599 | Campaign machine identifier used in exfiltration headers |
| User-Agent | mac-cur1 / mac-cur2 / mac-cur3 / mac-cur4 / mac-cur5 | Campaign tracking user-agent strings used in curl-to-osascript chain |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
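To turn the table above into something a defender can run, here is an added example script (not code from Microsoft's report, from Apple, or from this site) that re-fangs the listed indicators, scans log lines for the C2 IP addresses, domains, the ports named on the page and the mac-cur tracking user-agents, and checks whether the persistence and marker paths from the table exist on the host, which is the kind of monitoring the advice above calls for. The sample log lines, their field layout and the 10.0.0.x client addresses are constructed for the example; every indicator, port and path comes from the table.

```python
"""Hunt for the Sapphire Sleet indicators listed on this page.

Added example; the log format below is constructed and the indicator
lists are copied (still defanged) from the IoC table.
"""
import re
from pathlib import Path

# Indicators copied verbatim from the IoC table, defanged as published.
DEFANGED_IPS = [
    "83.136.208[.]246", "188.227.196[.]252", "83.136.209[.]22", "83.136.208[.]48",
    "83.136.210[.]180", "104.145.210[.]107", "188.227.197[.]136",
]
DEFANGED_DOMAINS = [
    "uw04webzoom[.]us", "uw05webzoom[.]us", "uw03webzoom[.]us", "ur01webzoom[.]us",
    "uv01webzoom[.]us", "uv03webzoom[.]us", "uv04webzoom[.]us", "ux06webzoom[.]us",
    "check02id[.]com",
]
C2_PORTS = {6783, 5202, 8443}  # ports named on the page for the C2 and exfil channels
USER_AGENT_RE = re.compile(r"\bmac-cur[1-5]\b")  # campaign tracking user-agents
PERSISTENCE_PATHS = [
    "/Library/LaunchDaemons/com.google.webkit.service.plist",
    "~/Library/LaunchAgents/com.apple.identification.plist",
    "~/Library/Application Support/Authorization/auth.db",
    "~/Library/Application Support/iCloud/icloudz",
    "~/Library/Google/com.google.chromes.updaters",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as '83.136.208[.]246' into a matchable string."""
    return indicator.replace("[.]", ".")


def _bounded(text: str) -> "re.Pattern":
    # Do not match when the indicator is embedded in a longer host name or number.
    return re.compile(r"(?<![\w.-])" + re.escape(text) + r"(?![\w-])")


IP_PATTERNS = [(refang(i), _bounded(refang(i))) for i in DEFANGED_IPS]
DOMAIN_PATTERNS = [(refang(d), _bounded(refang(d))) for d in DEFANGED_DOMAINS]


def scan_log_line(line: str) -> list:
    """Return (kind, value) findings for one log line; empty list means no hit."""
    findings = []
    for ip, pattern in IP_PATTERNS:
        match = pattern.search(line)
        if not match:
            continue
        findings.append(("ip", ip))
        # When the IoC address is written as ip:port, also flag a known C2 port.
        port_match = re.match(r":(\d{1,5})", line[match.end():])
        if port_match and int(port_match.group(1)) in C2_PORTS:
            findings.append(("c2_port", int(port_match.group(1))))
    for domain, pattern in DOMAIN_PATTERNS:
        if pattern.search(line):
            findings.append(("domain", domain))
    ua_match = USER_AGENT_RE.search(line)
    if ua_match:
        findings.append(("user_agent", ua_match.group(0)))
    return findings


def scan_logs(lines) -> dict:
    """Map 1-based line numbers to their findings, keeping only lines with hits."""
    hits = {}
    for number, line in enumerate(lines, start=1):
        findings = scan_log_line(line)
        if findings:
            hits[number] = findings
    return hits


def check_persistence(home: str = "") -> list:
    """Return the persistence and marker paths from the table that exist on this host."""
    home_dir = Path(home) if home else Path.home()
    present = []
    for raw in PERSISTENCE_PATHS:
        path = Path(str(home_dir) + raw[1:]) if raw.startswith("~") else Path(raw)
        if path.exists():
            present.append(str(path))
    return present


# Constructed sample log lines (DNS and proxy events); not real telemetry.
SAMPLE_LOGS = [
    "2026-03-02T10:14:55Z dns query=uw04webzoom.us client=10.0.0.12 type=A",
    '2026-03-02T10:15:01Z proxy src=10.0.0.12 dst=83.136.208.246:6783 ua="mac-cur2" bytes=1240',
    "2026-03-02T10:15:09Z proxy src=10.0.0.12 dst=188.227.196.252:8443 method=POST bytes=5820311",
    "2026-03-02T10:16:00Z dns query=zoom.us client=10.0.0.12 type=A",
    '2026-03-02T10:16:30Z proxy src=10.0.0.33 dst=93.184.216.34:443 ua="Mozilla/5.0" bytes=512',
]

if __name__ == "__main__":
    for number, findings in scan_logs(SAMPLE_LOGS).items():
        print(f"line {number}: {findings}")
    for path in check_persistence():
        print(f"persistence artefact present: {path}")
```

The bounded patterns matter: the legitimate `zoom.us` query in the sample does not trip the `*webzoom.us` domains, and a port is only reported when it follows one of the listed C2 addresses, since 8443 on its own is far too common to alert on.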
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.