2026-05-137 minhigh

Dissecting Sapphire Sleet’s macOS intrusion from lure to compromise

Microsoft Threat Intelligence identified a macOS-focused campaign by North Korean threat actor Sapphire Sleet that uses social engineering to deliver malicious AppleScripts disguised as Zoom updates. The attack leverages built-in macOS utilities like curl and osascript to bypass security controls, manipulate TCC databases, harvest credentials, and exfiltrate sensitive data such as cryptocurrency wallets.

Sens:▲ 24hConf:highAnalyzed:2026-04-16reports

Authors: Microsoft Threat Intelligence

ActorsSapphire SleetNorth Korean state actor

TCC Bypass Sapphire Sleet AppleScript macOS Cryptocurrency

Source:Microsoft

IOCs · 4

domain
check02id[.]comC2 domain for the com.google.chromes.updaters backdoor.
filename
/Library/LaunchDaemons/com.google.webkit.service.plistPersistence mechanism for the icloudz backdoor.
filename
~/Library/Application Support/iCloud/icloudzReflective code loader backdoor deployed by the services binary.
sha256
2075fd1a1362d188290910a8c55cf30c11ed5955c04af410c481410f538da419Malicious binary hash associated with the Sapphire Sleet campaign.

Key Takeaways

Sapphire Sleet uses social engineering to trick macOS users into running a malicious AppleScript disguised as a Zoom SDK update.
The attack relies on a cascading chain of curl commands piped to osascript to execute fileless payloads.
Threat actors bypass macOS TCC protections by manipulating the user-level TCC.db via Finder to grant AppleEvents permissions.
Credential harvesting is achieved through a fake system update dialog (systemupdate.app) that validates passwords against local directory services.
The campaign heavily targets cryptocurrency wallets, browser data, and Telegram sessions for exfiltration.

Affected Systems

macOS

Attack Chain

The attack begins with a socially engineered lure, prompting the user to open a fake Zoom SDK update (.scpt file) in macOS Script Editor. This triggers a cascading chain of curl commands that fetch and pipe AppleScript payloads directly to osascript for fileless execution. The malware deploys host monitoring components, bypasses TCC protections by manipulating the TCC.db file, and harvests user credentials via a fake system update prompt. Finally, it establishes persistence using a LaunchDaemon and systematically archives and exfiltrates sensitive data, including cryptocurrency wallets and browser profiles, to actor-controlled infrastructure.

Detection Availability

YARA Rules: No
Sigma Rules: No
Snort/Suricata Rules: No
KQL Queries: Yes
Splunk SPL Queries: No
EQL Queries: No
Other Detection Logic: No
Platforms: Microsoft Defender XDR, Microsoft Sentinel

The article provides multiple KQL advanced hunting queries for Microsoft Defender XDR and Microsoft Sentinel to detect suspicious osascript execution, TCC database manipulation, specific C2 network connections, and known malicious file hashes.

Detection Engineering Assessment

EDR Visibility: High — EDR solutions with macOS support can monitor process creation (osascript, curl), file modifications (TCC.db, LaunchDaemons), and network connections. Network Visibility: Medium — C2 traffic uses standard ports (443, 8443) and Telegram APIs, which may blend with legitimate traffic, though specific C2 IPs/domains and custom user-agents can be detected. Detection Difficulty: Moderate — The use of native macOS tools (Script Editor, curl, osascript) and fileless execution makes initial access stealthy, but the subsequent TCC manipulation and LaunchDaemon creation provide solid detection opportunities.

Required Log Sources

Process Execution Logs
File Creation/Modification Logs
Network Connection Logs

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Look for curl commands piping output directly to osascript, sh, or bash, indicating potential fileless payload execution.	Process Execution Logs (Command Line)	Execution	Low
Monitor for unauthorized processes copying, renaming, or modifying the macOS TCC database (TCC.db) in the user's Application Support directory.	File Activity Logs	Defense Evasion	Low
Search for the creation of new LaunchDaemon plist files that use deceptive naming conventions like com.google.* or com.apple.* but are not signed by the respective vendors.	File Creation Logs	Persistence	Medium
Detect the execution of the dscl utility with the -authonly flag, which may indicate an attempt to validate harvested local credentials.	Process Execution Logs (Command Line)	Credential Access	Medium

Control Gaps

Lack of strict application control for osascript
Insufficient monitoring of user-level TCC database modifications

Key Behavioral Indicators

Script Editor spawning curl or osascript
caffeinate processes launched by zsh or unknown binaries
ZIP archive creation in /tmp/ followed by curl uploads

False Positive Assessment

Recommendations

Immediate Mitigation

Block known C2 domains and IP addresses at the network perimeter.
Search for and quarantine identified malicious file hashes and LaunchDaemon plists.

Infrastructure Hardening

Restrict the execution of compiled AppleScript (.scpt) files downloaded from the internet.
Enforce policies that prevent osascript from executing scripts sourced from external locations.

User Protection

Deploy and configure EDR solutions (like Microsoft Defender for Endpoint on Mac) to monitor and block suspicious process chains.
Rotate browser-stored credentials and enforce hardware wallet policies for cryptocurrency assets.

Security Awareness

Educate users on social engineering tactics, specifically fake software updates and unsolicited technical interview requests.
Train users to verify the source of password prompts and avoid pasting sensitive data without validation.

MITRE ATT&CK Mapping

T1566.002 - Phishing: Spearphishing Link
T1059.002 - Command and Scripting Interpreter: AppleScript
T1059.004 - Command and Scripting Interpreter: Unix Shell
T1548.003 - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
T1562.001 - Impair Defenses: Disable or Modify Tools
T1543.004 - Create or Modify System Process: Launch Daemon
T1056.002 - Input Capture: GUI Input Capture
T1005 - Data from Local System
T1048 - Exfiltration Over Alternative Protocol

Additional IOCs

Ips:
- 188[.]227[.]196[.]252 - Sapphire Sleet C2 IP address.
- 83[.]136[.]209[.]22 - Sapphire Sleet C2 IP address.
- 83[.]136[.]208[.]48 - Sapphire Sleet C2 IP address.
- 83[.]136[.]210[.]180 - Sapphire Sleet C2 IP address.
Domains:
- uw04webzoom[.]us - Sapphire Sleet C2 domain.
- uw05webzoom[.]us - Sapphire Sleet C2 domain.
- uw03webzoom[.]us - Sapphire Sleet C2 domain.
- ur01webzoom[.]us - Sapphire Sleet C2 domain.
- uv01webzoom[.]us - Sapphire Sleet C2 domain.
- uv03webzoom[.]us - Sapphire Sleet C2 domain.
- uv04webzoom[.]us - Sapphire Sleet C2 domain.
- ux06webzoom[.]us - Sapphire Sleet C2 domain.
Urls:
- hxxps://83[.]136[.]209[.]22:8444/download - Payload download URL.
- hxxps://104[.]145[.]210[.]107:8443/upload - Data exfiltration URL.
- hxxp://83[.]136[.]208[.]246:6783/api/daemon - C2 registration and beaconing endpoint.
File Hashes:
- 05e1761b535537287e7b72d103a29c4453742725600f59a34a4831eafc0b8e53 (sha256) - Malicious file hash associated with the campaign.
- 5fbbca2d72840feb86b6ef8a1abb4fe2f225d84228a714391673be2719c73ac7 (sha256) - Malicious file hash associated with the campaign.
- 5e581f22f56883ee13358f73fabab00fcf9313a053210eb12ac18e66098346e5 (sha256) - Malicious file hash associated with the campaign.
- 95e893e7cdde19d7d16ff5a5074d0b369abd31c1a30962656133caa8153e8d63 (sha256) - Malicious file hash associated with the campaign.
- 8fd5b8db10458ace7e4ed335eb0c66527e1928ad87a3c688595804f72b205e8c (sha256) - Malicious file hash associated with the campaign.
- a05400000843fbad6b28d2b76fc201c3d415a72d88d8dc548fafd8bae073c640 (sha256) - Malicious file hash associated with the campaign.
File Paths:
- ~/Library/Google/com.google.chromes.updaters - Tertiary backdoor deployed by icloudz.
- ~/Library/Application Support/com.apple.TCC/TCC.db - macOS TCC database manipulated to grant AppleEvents permissions.
- ~/Library/Application Support/Authorization/auth.db - Persistent installation marker storing the path to the deployed services backdoor.
- /tmp/lg4err - Log file used by the malware to write execution or runtime errors.
- ~/Library/Services/services - Primary backdoor and persistence installer.
- ~/.zoom.log - Infection marker file to prevent redundant execution.
Command Lines:
- Purpose: Download and execute AppleScript payload in memory | Tools: curl, osascript | Stage: Execution | curl -A mac-cur1 ... | osascript
- Purpose: Validate harvested credentials against local directory services | Tools: dscl | Stage: Credential Access | dscl -authonly
- Purpose: Prevent system from sleeping during backdoor operations | Tools: caffeinate, nohup | Stage: Defense Evasion | nohup caffeinate
- Purpose: Inject unauthorized AppleEvents permissions into TCC database | Tools: sqlite3 | Stage: Privilege Escalation | sqlite3 /tmp/TCC.db "INSERT INTO access...
- Purpose: Compress staged data for exfiltration | Tools: zip, sh, nohup | Stage: Collection | nohup sh -c 'zip -r /tmp/...
Other:
- mac-cur1 - Malicious User-Agent string used for campaign tracking.
- mac-cur2 - Malicious User-Agent string used for campaign tracking.
- mac-cur3 - Malicious User-Agent string used for campaign tracking.
- mac-cur4 - Malicious User-Agent string used for campaign tracking.
- mac-cur5 - Malicious User-Agent string used for campaign tracking.