Tags: vulnerability, high, Credential Theft, Data Exfiltration, Social Engineering, Sapphire Sleet

Apr 16, 2026 • Microsoft Threat Intelligence and Microsoft Defender Security Research Team

Dissecting Sapphire Sleet’s macOS intrusion from lure to compromise


Source: Microsoft Security Blog
Category: vulnerability
Severity: high

Executive Summary

Microsoft Threat Intelligence identified a sophisticated macOS intrusion campaign attributed to the North Korean state actor Sapphire Sleet. This campaign bypasses native macOS security protections like Gatekeeper and TCC by leveraging social engineering to trick users into manually executing malicious AppleScript files disguised as software updates, such as a fake Zoom SDK. The primary objective is stealing credentials, cryptocurrency assets, and sensitive data from high-value targets in the finance and blockchain sectors. Unlike traditional exploits, this activity relies on user interaction to establish persistence and exfiltrate data. Microsoft collaborated with Apple to block associated infrastructure and malware. Defenders are advised to maintain layered security defenses, keep devices updated, and educate users on recognizing social engineering lures involving manual script execution to mitigate the elevated risk posed to organizations handling digital assets.

Summary

The Microsoft Defender Security Research Team uncovered a sophisticated macOS intrusion campaign attributed to the North Korean threat actor Sapphire Sleet that abuses user-driven execution and social engineering to bypass macOS security protections and steal credentials, cryptocurrency assets, and sensitive data. The post "Dissecting Sapphire Sleet’s macOS intrusion from lure to compromise" appeared first on Microsoft Security Blog.

Published Analysis

In this article
  • Sapphire Sleet’s campaign lifecycle
  • Defending against Sapphire Sleet intrusion activity
  • Microsoft Defender detection and hunting guidance
  • Indicators of compromise

Executive summary

Microsoft Threat Intelligence uncovered a macOS-focused cyber campaign by the North Korean threat actor Sapphire Sleet that relies on social engineering rather than software vulnerabilities. By impersonating a legitimate software update, the threat actor tricked users into manually running malicious files, allowing it to steal passwords, cryptocurrency assets, and personal data while avoiding built-in macOS security checks. This activity highlights how convincing user prompts and trusted system tools can be abused, and why awareness and layered security defenses remain critical.

Microsoft Threat Intelligence identified a campaign by the North Korean state actor Sapphire Sleet demonstrating new combinations of macOS-focused execution patterns and techniques, enabling the threat actor to compromise systems through social engineering rather than software exploitation. In this campaign, Sapphire Sleet takes advantage of user-initiated execution to establish persistence, harvest credentials, and exfiltrate sensitive data while operating outside traditional macOS security enforcement boundaries. While the techniques themselves are not novel, this analysis highlights execution patterns and combinations that Microsoft has not previously observed for this threat actor, including how Sapphire Sleet orchestrates these techniques together and uses AppleScript as a dedicated, late-stage credential-harvesting component integrated with decoy update workflows.

After discovering the threat, Microsoft shared details of this activity with Apple as part of our responsible disclosure process. Apple has since implemented updates to help detect and block infrastructure and malware associated with this campaign. We thank the Apple security team for their collaboration in addressing this activity and encourage macOS users to keep their devices up to date with the latest security protections.

This activity demonstrates how threat actors continue to rely on user interaction and trusted system utilities to bypass macOS platform security protections, rather than exploiting traditional software vulnerabilities. By persuading users to manually execute AppleScript or Terminal-based commands, Sapphire Sleet shifts execution into a user-initiated context, allowing the activity to proceed outside of macOS protections such as Transparency, Consent, and Control (TCC), Gatekeeper, quarantine enforcement, and notarization checks. The result is a highly reliable infection chain that lowers operational friction and increases the likelihood of successful compromise, posing an elevated risk to organizations and individuals involved in cryptocurrency, digital assets, finance, and similar high-value targets that Sapphire Sleet is known to pursue.

In this blog, we examine the macOS-specific attack chain observed in recent Sapphire Sleet intrusions: initial access using malicious .scpt files, multi-stage payload delivery, credential harvesting using fake system dialogs, manipulation of the macOS TCC database, persistence using launch daemons, and large-scale data exfiltration. We also provide actionable guidance, Microsoft Defender detections, hunting queries, and indicators of compromise (IOCs) to help defenders identify similar threats and strengthen macOS security posture.

Sapphire Sleet’s campaign lifecycle

Initial access and social engineering...
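As an added example (not code from the Microsoft post or from Microsoft Defender), the following Python script shows how a defender might triage launchd items for the AppleScript-driven persistence described above: it parses each plist and flags items that run osascript, reference a .scpt file, or execute from a user-writable path. The heuristics, the paths and the two sample plists are assumptions constructed for the demo, not indicators from the campaign.

```python
# Added example: hunt launchd persistence that invokes AppleScript (defender triage aid).
# Heuristics and sample plists are constructed assumptions, not from the Microsoft post.
import plistlib
import tempfile
from pathlib import Path

SUSPICIOUS_EXECUTABLES = {"osascript", "/usr/bin/osascript"}
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")

SAMPLE_ITEMS = {  # constructed sample data, not real indicators
    "com.example.backup.plist": {
        "Label": "com.example.backup", "RunAtLoad": True,
        "ProgramArguments": ["/usr/sbin/backupd"]},
    "com.example.sdkupdate.plist": {  # models a launch daemon running a .scpt lure
        "Label": "com.example.sdkupdate", "RunAtLoad": True,
        "ProgramArguments": ["/usr/bin/osascript", "/Users/demo/Library/update.scpt"]},
}

def classify_plist(path: Path) -> list[str]:
    """Return the reasons a launchd plist deserves review; an empty list means none."""
    try:
        with path.open("rb") as fh:
            data = plistlib.load(fh)
    except (plistlib.InvalidFileException, OSError, ValueError):
        return [f"unparseable plist: {path.name}"]
    args = [str(a) for a in data.get("ProgramArguments") or []]
    if not args:
        return []
    reasons = []
    if args[0] in SUSPICIOUS_EXECUTABLES:
        reasons.append("runs osascript")
    if any(a.endswith(".scpt") for a in args):
        reasons.append("references a .scpt file")
    if args[0].startswith(USER_WRITABLE_PREFIXES):
        reasons.append("program lives in a user-writable path")
    if reasons and data.get("RunAtLoad"):  # starts at boot/login, i.e. real persistence
        reasons.append("RunAtLoad is set")
    return reasons

def hunt_launch_items(directory: Path) -> dict[str, list[str]]:
    """Scan every *.plist in directory (e.g. /Library/LaunchDaemons) and report findings."""
    return {p.name: r for p in sorted(directory.glob("*.plist")) if (r := classify_plist(p))}

def demo() -> dict[str, list[str]]:
    """Write the constructed samples to a scratch directory and hunt it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in SAMPLE_ITEMS.items():
            with (Path(tmp) / name).open("wb") as fh:
                plistlib.dump(content, fh)
        return hunt_launch_items(Path(tmp))
```

On a real host, call hunt_launch_items(Path("/Library/LaunchDaemons")) and the per-user LaunchAgents directories, then review each flagged item by hand; the heuristic is a triage aid, not a verdict.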

Linked Entities

  • Sapphire Sleet