Microsoft Threat Intelligence identified a macOS-focused campaign by North Korean threat actor Sapphire Sleet that uses social engineering to deliver malicious AppleScripts disguised as Zoom updates. The attack leverages built-in macOS utilities like curl and osascript to bypass security controls, manipulate TCC databases, harvest credentials, and exfiltrate sensitive data such as cryptocurrency wallets.