Apr 16, 2026 • Microsoft Threat Intelligence and Microsoft Defender Security Research Team
Dissecting Sapphire Sleet’s macOS intrusion from lure to compromise
Executive Summary
Microsoft Threat Intelligence uncovered a macOS-focused campaign by North Korean state actor Sapphire Sleet that uses social engineering to bypass security protections and steal credentials and cryptocurrency. The threat actor impersonates legitimate software updates, tricking users into manually executing malicious AppleScript files disguised as video conferencing tools or SDK updates. By leveraging user-initiated execution through AppleScript and Terminal commands, Sapphire Sleet operates outside macOS protections including TCC, Gatekeeper, and notarization checks. The actor targets cryptocurrency, venture capital, and blockchain organizations to steal digital assets. Apple has implemented updates to detect and block associated malware. Organizations should maintain layered security defenses, keep devices updated, and train users to recognize social engineering tactics to mitigate this threat.
Summary
The Microsoft Defender Security Research Team uncovered a sophisticated macOS intrusion campaign attributed to the North Korean threat actor Sapphire Sleet that abuses user-driven execution and social engineering to bypass macOS security protections and steal credentials, cryptocurrency assets, and sensitive data. The post Dissecting Sapphire Sleet’s macOS intrusion from lure to compromise appeared first on Microsoft Security Blog.
Published Analysis
Executive summary
Microsoft Threat Intelligence uncovered a macOS-focused cyber campaign by the North Korean threat actor Sapphire Sleet that relies on social engineering rather than software vulnerabilities. By impersonating a legitimate software update, threat actors tricked users into manually running malicious files, allowing them to steal passwords, cryptocurrency assets, and personal data while avoiding built-in macOS security checks.
This activity highlights how convincing user prompts and trusted system tools can be abused, and why awareness and layered security defenses remain critical.
Microsoft Threat Intelligence identified a campaign by North Korean state actor Sapphire Sleet demonstrating new combinations of macOS-focused execution patterns and techniques, enabling the threat actor to compromise systems through social engineering rather than software exploitation. In this campaign, Sapphire Sleet takes advantage of user-initiated execution to establish persistence, harvest credentials, and exfiltrate sensitive data while operating outside traditional macOS security enforcement boundaries. While the techniques themselves are not novel, this analysis highlights execution patterns and combinations that Microsoft has not previously observed for this threat actor, including how Sapphire Sleet orchestrates these techniques together and uses AppleScript as a dedicated, late-stage credential-harvesting component integrated with decoy update workflows.
After discovering the threat, Microsoft shared details of this activity with Apple as part of our responsible disclosure process. Apple has since implemented updates to help detect and block infrastructure and malware associated with this campaign. We thank the Apple security team for their collaboration in addressing this activity and encourage macOS users to keep their devices up to date with the latest security protections.
This activity demonstrates how threat actors continue to rely on user interaction and trusted system utilities to bypass macOS platform security protections, rather than exploiting traditional software vulnerabilities.
By persuading users to manually execute AppleScript or Terminal-based commands, Sapphire Sleet shifts execution into a user-initiated context, allowing the activity to proceed outside of macOS protections such as Transparency, Consent, and Control (TCC), Gatekeeper, quarantine enforcement, and notarization checks. This works because Gatekeeper and notarization are enforced on quarantined items opened through Launch Services, not on a script the user hands to osascript or pastes into a shell, and a script started from Terminal inherits whatever TCC grants Terminal already holds. Sapphire Sleet achieves a highly reliable infection chain that lowers operational friction and increases the likelihood of successful compromise, posing an elevated risk to organizations and individuals involved in cryptocurrency, digital assets, finance, and similar high-value targets that Sapphire Sleet is known to target.
In this blog, we examine the macOS-specific attack chain observed in recent Sapphire Sleet intrusions, from initial access using malicious .scpt files through multi-stage payload delivery, credential harvesting using fake system dialogs, manipulation of the macOS TCC database, persistence using launch daemons, and large-scale data exfiltration. We also provide actionable guidance, Microsoft Defender detections, hunting queries, and indicators of compromise (IOCs) to help defenders identify similar threats and strengthen macOS security posture.
Sapphire Sleet’s campaign lifecycle
Initial access and social engineering
Sapphire Sleet is a North Korean state actor active since at least March...
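The attack chain summarized above (a user-run .scpt, a fake password dialog, edits to the TCC database, launch daemon persistence, and the quarantine bypass that user-initiated execution affords) maps onto a handful of host events a defender can hunt for. The Python below is an added example written for this page; it is not code from the Microsoft post and not one of the Defender hunting queries it mentions. The event format, the rule names and the sample events are constructed assumptions, and the file name "Zoom SDK Update.scpt" is taken from this page's linked entities. The TCC.db and LaunchDaemons/LaunchAgents paths and the AppleScript `with hidden answer` idiom for masked password prompts are standard macOS facts.

```python
import re
import shlex

# Standard macOS locations and idioms (platform facts, not campaign-specific):
TCC_DB_RE = re.compile(r"Library/Application Support/com\.apple\.TCC/TCC\.db$")
LAUNCH_PLIST_RE = re.compile(r"Library/Launch(Daemons|Agents)/[^/]+\.plist$")
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")
# AppleScript masks typed input only when the dialog says "with hidden answer":
HIDDEN_ANSWER_RE = re.compile(r"display dialog\b.*\bwith hidden answer", re.S)
INTERPRETERS = {"osascript", "bash", "sh", "zsh", "python3", "curl"}


def _argv(cmdline):
    try:
        return shlex.split(cmdline)
    except ValueError:
        return cmdline.split()


def _basename(path):
    return path.rsplit("/", 1)[-1]


def score_event(ev):
    """Return the rule names matched by one event (an empty list if none)."""
    hits = []
    if ev["type"] == "process":
        argv = _argv(ev["cmdline"])
        exe = _basename(argv[0]) if argv else ""
        args = argv[1:]
        # osascript runs a compiled script from a user-writable location.
        if exe == "osascript" and any(
            a.endswith(".scpt") and a.startswith(USER_WRITABLE) for a in args
        ):
            hits.append("osascript_scpt_from_user_path")
        # Password-style prompt, either inline (-e) or in captured script text
        # (script_text is an assumed field an EDR might populate).
        if exe == "osascript" and HIDDEN_ANSWER_RE.search(
            " ".join(args) + " " + ev.get("script_text", "")
        ):
            hits.append("applescript_hidden_answer_prompt")
        # Quarantine flag stripped so Gatekeeper never evaluates the file.
        if exe == "xattr" and "-d" in args and "com.apple.quarantine" in args:
            hits.append("quarantine_attribute_removed")
        # TCC database opened with the sqlite3 CLI rather than by tccd.
        if exe == "sqlite3" and any(TCC_DB_RE.search(a) for a in args):
            hits.append("tcc_db_opened_with_sqlite3")
    elif ev["type"] == "file_write":
        proc = _basename(ev["process"])
        if TCC_DB_RE.search(ev["path"]) and proc != "tccd":
            hits.append("tcc_db_written_by_non_tccd")
        if LAUNCH_PLIST_RE.search(ev["path"]) and proc in INTERPRETERS:
            hits.append("launch_plist_written_by_interpreter")
    return hits


def hunt(events):
    """Map event id -> matched rule names, for events that matched anything."""
    flagged = {}
    for ev in events:
        hits = score_event(ev)
        if hits:
            flagged[ev["id"]] = hits
    return flagged


# Constructed sample telemetry (not real logs). The .scpt name is the one
# listed among this page's linked entities; everything else is invented.
SAMPLE_EVENTS = [
    {"id": "p1", "type": "process", "parent": "Terminal",
     "cmdline": '/usr/bin/osascript "/Users/alice/Downloads/Zoom SDK Update.scpt"',
     "script_text": 'display dialog "Zoom SDK update requires your password" '
                    'default answer "" with hidden answer'},
    {"id": "p2", "type": "process", "parent": "Terminal",
     "cmdline": "/usr/bin/xattr -d com.apple.quarantine /Users/alice/Downloads/update.pkg"},
    {"id": "p3", "type": "process", "parent": "osascript",
     "cmdline": '/usr/bin/sqlite3 "/Users/alice/Library/Application Support/com.apple.TCC/TCC.db"'},
    {"id": "p4", "type": "process", "parent": "Terminal",  # benign AppleScript
     "cmdline": "/usr/bin/osascript -e 'tell application \"Finder\" to activate'"},
    {"id": "f1", "type": "file_write", "process": "/usr/bin/sqlite3",
     "path": "/Users/alice/Library/Application Support/com.apple.TCC/TCC.db"},
    {"id": "f2", "type": "file_write", "process": "/bin/bash",  # hypothetical label
     "path": "/Library/LaunchDaemons/com.example.sdkupdate.plist"},
    {"id": "f3", "type": "file_write",  # tccd maintaining its own database: normal
     "process": "/System/Library/PrivateFrameworks/TCC.framework/Support/tccd",
     "path": "/Users/alice/Library/Application Support/com.apple.TCC/TCC.db"},
]

if __name__ == "__main__":
    for eid, rules in hunt(SAMPLE_EVENTS).items():
        print(eid, ", ".join(rules))
```

The rules are deliberately narrow: tccd is the only process that should ever touch TCC.db, a compiled .scpt executed from Downloads or /tmp by osascript is unusual in managed fleets, and a plist under LaunchDaemons written by a shell or scripting interpreter rather than an installer is worth a look on its own. In real telemetry, correlate these by parent process and time window, since a single user-driven chain will typically produce several of them within minutes.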
Linked Entities
- Zoom SDK Update.scpt
- Sapphire Sleet