North Korean hackers target macOS users with advanced malware campaign

Security researchers have uncovered a sophisticated macOS-focused malware campaign linked to the North Korean threat group Sapphire Sleet, also known as BlueNoroff or UNC1069.
- North Korean hackers are targeting crypto firms, investors, and Web3 developers using fake Zoom updates.
- Victims are tricked into installing malware through recruiter and business-partner impersonation scams.
- The malware abuses trusted macOS tools to steal passwords and bypass security protections.
- Attackers focus on cryptocurrency wallets, Telegram sessions, SSH keys, and other high-value data.
According to LevelBlue’s SpiderLabs, the campaign specifically targets cryptocurrency organizations, venture capital firms, and Web3 developers.
Rather than exploiting unknown vulnerabilities in built-in system applications, the attackers rely on social engineering to persuade victims into installing malware disguised as a legitimate Zoom software update.
The North Korean hackers contact the victim organization via LinkedIn, Telegram, email, or other professional platforms, posing as recruiters, investors, or business partners. Once contact has been established, they try to set up a video conference call, but beforehand the victim is instructed to install a fake Zoom SDK update.
However, the file that victims download isn’t a Zoom update. Instead, the file contains a malicious AppleScript that initiates a multi-stage infection chain.
Once the initial access has been established, the malware instructs trusted macOS components to download additional payloads to gain persistent access and evade security controls. It also starts communicating with a command-and-control (C2) server at regular intervals.
Next, a fake application called systemupdate.app displays a prompt that resembles a native macOS authentication window to harvest the user’s login password. Furthermore, the malware abuses the native Finder application to bypass any operating system security prompts.
Lastly, the malicious software searches the compromised device for valuable information, including cryptocurrency software wallets, local browser extension data, Telegram session information, local SSH keys, and unencrypted records from Apple Notes.
This data is then compressed and sent to servers under North Korean control.
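As an added illustration of how the chain described above can be hunted for in endpoint telemetry (this is not code from LevelBlue or SpiderLabs, and uses no indicators from their report), the triage below turns each stage into a rule: an AppleScript runner launched from a "Zoom update" path, a process named systemupdate, targeted data read by a process that does not own it, and an archive step followed by an upload tool. The event schema (session, proc, path) and the wallet path pattern are assumptions; the sample events are constructed.

```python
# Added example: rule-based triage over process/file telemetry for the infection chain
# described above. Event schema and wallet pattern are assumptions; sample data is constructed.
import re
from collections import defaultdict
# Data the article lists as targeted (Telegram tdata and the Notes group container are the
# real default locations on macOS; matching "wallet" anywhere in a path is a loose assumption).
SENSITIVE = {
    "ssh_keys": re.compile(r"/\.ssh/"),
    "telegram_session": re.compile(r"/Telegram Desktop/tdata/"),
    "apple_notes": re.compile(r"/group\.com\.apple\.notes/"),
    "crypto_wallet": re.compile(r"wallet", re.I),
}
# Processes expected to read each data set; any other reader is treated as a harvest attempt.
OWNERS = {"ssh_keys": {"ssh", "ssh-agent"}, "telegram_session": {"Telegram"},
          "apple_notes": {"Notes"}, "crypto_wallet": set()}
SCRIPT_HOSTS = {"osascript", "Script Editor"}          # AppleScript runners named in the article
ARCHIVERS, UPLOADERS = {"zip", "tar", "ditto"}, {"curl", "nc"}

def triage(events):
    """Sorted (session, finding) pairs for the chain the article describes: AppleScript
    from a 'Zoom update', a systemupdate lookalike, non-owner reads, archive then upload."""
    findings, by_session = set(), defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    for sid, evs in by_session.items():
        archived = False
        for e in evs:                                   # events are assumed to be in time order
            proc, path = e["proc"], e.get("path", "")
            if (proc in SCRIPT_HOSTS and re.search(r"zoom.*(sdk|update)", path, re.I)
                    and not path.startswith("/Applications/zoom.us.app/")):
                findings.add((sid, "applescript_from_fake_zoom_update"))
            if proc.lower() == "systemupdate":          # fake app posing as a system updater
                findings.add((sid, "lookalike_systemupdate_app"))
            for label, rx in SENSITIVE.items():
                if rx.search(path) and proc not in OWNERS[label]:
                    findings.add((sid, f"harvest_{label}_by_{proc}"))
            if proc in ARCHIVERS:
                archived = True
            elif archived and proc in UPLOADERS:        # compress, then send out: staging for exfil
                findings.add((sid, "archive_then_upload"))
    return sorted(findings)

SAMPLE = [  # constructed telemetry: one infected session (s1) and one benign one (s2)
    {"session": "s1", "proc": "osascript", "path": "/Users/a/Downloads/ZoomSDKUpdate/update.scpt"},
    {"session": "s1", "proc": "systemupdate", "path": "/Users/a/.ssh/id_ed25519"},
    {"session": "s1", "proc": "systemupdate", "path": "/Users/a/Library/Application Support/Telegram Desktop/tdata/key_datas"},
    {"session": "s1", "proc": "zip", "path": "/tmp/staging.zip"},
    {"session": "s1", "proc": "curl"},
    {"session": "s2", "proc": "Telegram", "path": "/Users/a/Library/Application Support/Telegram Desktop/tdata/key_datas"},
]
```

Running `triage(SAMPLE)` flags the fake-update script, the systemupdate lookalike, the SSH and Telegram reads, and the archive-then-upload sequence for s1, and nothing for s2, where Telegram reads its own session data.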
SpiderLabs attributes this malware campaign to Sapphire Sleet because its tactics, techniques, and procedures (TTPs) match those already known for this specific hacking group. The gang is financially motivated and has a known record of stealing cryptocurrency and other financial assets from high-profile victims in recent years.
“This latest activity represents a sharp shift toward trust abuse over traditional technical exploitation,” researchers say, noting that this campaign shows an increasing sophistication in targeting macOS users.
“By leveraging signed, built-in system applications like the Apple Script Editor and Finder, the malware operates outside traditional macOS security enforcement boundaries, suppresses system security alerts, and executes arbitrary code directly under the guise of an authentic user update. This aligns with broader public reporting on macOS-focused intrusion tradecraft.”