North Korean hackers have refined social engineering into a precision tool against macOS users. Fake job offers lead to phony interviews. Victims download what looks like a Zoom fix. Boom. Credentials gone. Crypto wallets emptied.
Sapphire Sleet, Microsoft’s name for this Lazarus Group offshoot also called APT38, has run this play since 2020. They hit finance pros hard—crypto firms, blockchain outfits, venture capital desks. Goal? Steal wallets for cash, grab trading tech and IP for Pyongyang’s coffers. Microsoft Security Blog lays it out in detail, based on their analysis of the full attack chain.
It starts on LinkedIn or similar. Bogus recruiters dangle remote gigs. Interviews get scheduled. Then the hook: a Zoom meeting invite with a glitch. ‘Download this SDK update,’ they say. File’s named Zoom SDK Update.scpt. Hash: 2075fd1a1362d188290910a8c55cf30c11ed5955c04af410c481410f538da419.
Victim double-clicks. macOS Script Editor pops up—trusted Apple app. Front: decoy instructions mimicking a real update. Below: thousands of blank lines hiding the payload. Script kicks off a legit softwareupdate command with a bogus flag. Looks normal. Then curl pipes in more AppleScript via osascript. User-agents like ‘mac-cur1’ through ‘mac-cur5’ tag each stage for tracking. No disk drops early on. All in memory.
And the chain cascades. First stage grabs an orchestrator, drops com.apple.cli—a 5MB Mach-O binary for host monitoring. Loops ps aux, beacons to 83.136.208.246:6783. Next: services backdoor, hidden as .services in ~/Library/Application Support/Authorization/. Becomes icloudz, loads reflectively with NSCreateObjectFileImageFromMemory. Persistence via com.google.webkit.service.plist LaunchDaemon.
Recon rolls. Gathers hostname, serial, OS date. Registers with C2 using UUIDs. But the prize? Credentials. systemupdate.app masquerades as update utility. Native macOS password dialog asks to ‘complete the update.’ Validates via dscl -authonly. Exfils to Telegram Bot API over 443. Decoy softwareupdate.app says ‘all done.’
TCC Bypass. The Sneaky Heart.
Sapphire Sleet sidesteps macOS Transparency, Consent, and Control. No prompts needed. They rename ~/Library/Application Support/com.apple.TCC via Finder. Copy TCC.db. SQLite inject: grant osascript AppleEvents to com.apple.finder (auth_value=2). Restore. Silent. Abuses native tools throughout.
Data haul? Massive. 575-line AppleScript zips browser creds from Chrome, Brave, Arc—including IndexedDB for Sui, Phantom, TronLink, Coinbase, OKX wallets. Keychain. Ledger Live, Exodus. Telegram sessions for takeover. SSH keys, shell history. Apple Notes. System logs. Staged in /tmp as tapp_
IOCs pile up: C2s like uw04webzoom.us (188.227.196.252:443), check02id.com:5202. Backdoors com.google.chromes.updaters (hash 5e581f22f56883ee13358f73fabab00fcf9313a053210eb12ac18e66098346e5). Marker .zoom.log.
Sherrod DeGrippo, Microsoft’s global threat intelligence GM, nails it: “Social engineering lets attackers route around hardened perimeters by convincing users to act on their behalf, turning a human into the vulnerability. It’s low-cost, hard to patch, and scales well.” The Register quoted her on how users expect ‘remote support’ like this—makes malice feel routine.
Microsoft tipped Apple. Response? Swift. XProtect signatures block the malware families. Safari’s Safe Browsing nukes the infra. Automatic on Macs. No user action needed. Still, Redmond urges: Block .scpt from untrusted sources. Watch TCC.db tweaks. Hunt unsigned binaries in Library dirs.
Broader Onslaught on Devs and Crypto.
This fits Sapphire Sleet’s pattern. Just weeks ago, they social-engineered Axios maintainer Jason Saayman. Fake firm, Slack workspace, spoofed meeting. Compromised npm account. Pushed plain-crypto-js dropper in axios 1.14.1, 0.30.4—100M+ weekly downloads. WAVESHAPER.V2 RAT hit Windows, macOS (/Library/Caches/com.apple.act.mond), Linux. Google Cloud Blog and Microsoft Security Blog tie it to North Korea nexus, overlapping UNC1069.
Earlier? Deepfakes in Zoom calls for crypto thefts. The Hacker News details UNC1069’s AI lures, WAVESHAPER, HIDDENCALL backdoors stealing keychains, Telegram, Notes. RustDoor, Koi Stealer via fake VS Code. Contagious Interview on GitHub. Billions swiped—$2B in 2025 alone per Chainalysis.
But social engineering scales. Why exploit when a fake profile works? North Korea embeds IT workers globally, per reports. They curse Kim Jong Un in interviews now to filter. Crypto firms vet remote devs harder. Finance pros: Pause on unsolicited recruiter DMs. Verify invites. Never run stranger scripts.
Layered defenses matter. macOS Gatekeeper, TCC hold—till humans click. Sapphire Sleet proves it. Low-tech wins. Train users. Monitor for curl | osascript, TCC changes, Telegram exfil. Apple’s patches help. But vigilance? Non-negotiable.
Pyongyang’s hackers adapt fast. From npm hijacks to Script Editor tricks. Finance sector bleeds. Expect more.


WebProNews is an iEntry Publication