In a recent wave of cyber attacks, macOS users are being targeted by a scheme that does not rely on software vulnerabilities at all. Instead of exploiting system flaws, the attackers use deceptive tactics that manipulate unsuspecting users into compromising their own security.
Deceptive Tactics and Targets
The campaign is run by Sapphire Sleet, a North Korean state-sponsored group active since March 2020. Its primary targets are individuals and organizations in the cryptocurrency, venture capital, and blockchain sectors. The attackers' main objective is to steal digital assets and sensitive financial details from high-value targets worldwide.
According to a report by Microsoft shared with Cyber Security News, this campaign began in early 2026, introducing new macOS-specific attack strategies not previously associated with this group. The attack relies on social engineering techniques, convincing users to execute harmful files themselves.
Execution of the Attack
The attack typically starts with victims being approached on social or professional networking platforms by individuals posing as recruiters. After building rapport, the victim is instructed to download a file masquerading as a Zoom SDK update. When opened, the file runs through the macOS Script Editor and executes additional malicious code without the user noticing.
Microsoft disclosed its findings to Apple, which responded with additional protections, including XProtect signature updates and Safari Safe Browsing blocks, to counter the threat. Users are advised to keep their systems up to date so that these protections take effect.
Internal Threat Mechanisms
Once the malicious script runs, it launches a counterfeit application named systemupdate.app, which imitates a genuine macOS password prompt. Most users, believing it to be legitimate, enter their credentials, which are then verified and sent to the attackers through Telegram.
Meanwhile, a second fake application, softwareupdate.app, displays a convincing completion dialog to avoid arousing suspicion. The malware then gathers cryptocurrency wallet files, stored browser credentials, and other sensitive data, and establishes persistent backdoors for long-term access.
Defensive Measures and Recommendations
To counter this threat, users should refrain from executing scripts or commands received via chat unless they have been approved by trusted IT personnel. Organizations are encouraged to block downloaded AppleScript files and monitor for unauthorized changes to macOS databases. For cryptocurrency asset protection, using hardware wallets and regularly rotating credentials stored in browsers is advised.
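The recommendations above can be turned into a simple triage pass over a file inventory. The following is an added example written for this article; it is not Microsoft's, Apple's, or any vendor's code. It flags two things the page describes: AppleScript files that arrived by download, and app bundles carrying the lure names systemupdate.app and softwareupdate.app outside the locations where genuine Apple software lives. The file extensions, the "Downloads folder means downloaded" rule, the trusted root paths, and the sample inventory are all assumptions chosen for the example, not details from the report.

```python
"""Defensive triage heuristics for the macOS lure pattern described above.

Added example, not code from the article or from Microsoft/Apple.
Assumptions (not stated on the page): AppleScript files are recognised by
the .scpt/.scptd/.applescript extensions, a "downloaded" file is one that
lives under a user's Downloads folder, and /System, /Applications and /usr
are treated as trusted roots. The two bundle names come from the article.
"""
import os
from typing import Iterable, List, Tuple

APPLESCRIPT_EXTS = (".scpt", ".scptd", ".applescript")
# Bundle names the article reports the malware uses (lower-cased for matching).
LURE_BUNDLE_NAMES = {"systemupdate.app", "softwareupdate.app"}
# Locations where genuine Apple software normally lives (assumed trusted roots);
# a look-alike bundle anywhere else is the signal this check looks for.
TRUSTED_APP_ROOTS = ("/System/", "/Applications/", "/usr/")


def is_downloaded_applescript(path: str) -> bool:
    """True when path is an AppleScript file sitting under a Downloads folder."""
    lower = path.lower()
    return "/downloads/" in lower and lower.endswith(APPLESCRIPT_EXTS)


def is_lure_bundle(path: str) -> bool:
    """True when path is an update-themed .app bundle outside the trusted roots."""
    name = os.path.basename(path.rstrip("/")).lower()
    if name not in LURE_BUNDLE_NAMES:
        return False
    return not path.startswith(TRUSTED_APP_ROOTS)


def triage(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for every path that trips a heuristic."""
    findings: List[Tuple[str, str]] = []
    for p in paths:
        if is_downloaded_applescript(p):
            findings.append((p, "AppleScript file delivered via download"))
        elif is_lure_bundle(p):
            findings.append((p, "update-themed app bundle in user-writable location"))
    return findings


# Constructed sample inventory (not real host data) mixing benign and suspicious entries.
SAMPLE_PATHS = [
    "/Users/alice/Downloads/ZoomSDK_update.scpt",
    "/Users/alice/Documents/notes.txt",
    "/Users/alice/Library/Application Support/systemupdate.app",
    "/private/tmp/SoftwareUpdate.app",
    "/System/Library/CoreServices/SoftwareUpdate.app",
    "/Applications/zoom.us.app",
    "/Users/alice/Downloads/report.pdf",
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_PATHS):
        print(f"{reason}: {path}")
```

In practice the path list would come from a periodic inventory or a file-creation event feed; the point of the bundle check is that a name resembling an Apple updater only matters when it appears somewhere a user (or a downloaded script) can write.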
Microsoft's report underlines the need for vigilance as cyber threats evolve. By understanding the methods used by groups like Sapphire Sleet, macOS users can better protect their digital environments against attacks of this kind.
