Security Point Break: Cybersecurity News and Analysis with Clarity and Candor
[Image: shards of sapphire around a macOS and Apple logo, illustrating the news that Microsoft tracks Sapphire Sleet's new macOS intrusion chain]

Fake Zoom Update Targets macOS Users in Malware Campaign

North Korean campaign targets macOS users with fake Zoom updates.

Microsoft has uncovered a macOS intrusion campaign tied to North Korea’s Sapphire Sleet that used fake Zoom update files to trick victims into installing malware. Microsoft said Apple has since updated protections to help block the campaign’s malware and infrastructure.

Microsoft said Apple has deployed Safari Safe Browsing protections to block the campaign’s malicious domains and XProtect signatures to detect and block the malware families involved.

The bogus Zoom updates are capable of stealing credentials, establishing persistence and siphoning data, according to a Microsoft research blog titled “Dissecting Sapphire Sleet’s macOS intrusion from lure to compromise.”

According to Microsoft, the campaign did not depend on a software vulnerability. Instead, it relied on social engineering: Targets were pushed to download a file named “Zoom SDK Update.scpt,” a compiled AppleScript that opens by default in Apple’s Script Editor. Microsoft said the file was dressed up with decoy update instructions so it looked like a routine software update rather than malware.

Microsoft said the lure fit a familiar Sapphire Sleet playbook. The North Korean group used fake recruiter profiles on social and professional networking platforms, discussed supposed job opportunities with targets, then steered them into a technical interview that required installing what looked like a Zoom SDK update. In the observed case, that file was “Zoom SDK Update.scpt,” a compiled AppleScript that opened in macOS Script Editor and hid its malicious logic beneath decoy update instructions.

New Ploy, Same Old Song and Dance

The ploy is familiar. Attackers have recently used fake browser updates to deliver infostealers, trojanized CPU-Z and HWMonitor installers to plant remote-access malware, and poisoned npm package updates to slip malicious code into developer environments. The lure changes, but the trick is the same: to make malware look like maintenance.

Earlier this month, researchers at ANY.RUN uncovered a social-engineering ClickFix campaign targeting macOS users that attempts to trick targets into running malicious commands.

Microsoft said the lure followed a familiar Sapphire Sleet pattern: fake recruiter or professional outreach, a supposed job opportunity, and then instructions to install what looked like a Zoom SDK update before an interview or meeting.

Microsoft said that in its most recent campaign, Sapphire Sleet focused on tricking users into executing the malware and employed native macOS tools to get around normal protections. Those protections include Gatekeeper and the Transparency, Consent, and Control (TCC) safeguards. Apple’s own support documentation says Gatekeeper, notarization and XProtect are designed to verify software, block known malware and remediate malware that executes, Microsoft noted.

Post-infection Analysis

Once launched, the attack moved through multiple stages. Microsoft said the AppleScript fetched additional payloads, displayed fake password dialogs, manipulated the TCC database, installed launch daemons for persistence and then exfiltrated passwords, cryptocurrency assets and other personal data.

Microsoft is advising macOS users to be wary of update prompts delivered through chats, recruiter workflows or links. Only trust software updates from the App Store, built-in update mechanisms or the vendor’s verified site rather than ad hoc files sent during an interaction, Microsoft said.

Indicators of compromise include suspicious AppleScript execution, unexpected changes to the macOS TCC database, fake password prompts, new launch daemons and outbound connections to known malicious domains and IP addresses.
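As an added defender-side example (not code from Microsoft's report or from this article), the following Python script triages two of the indicators listed above: launch daemon persistence entries and TCC grants. The path heuristics, the interpreter list and the choice of "high-value" TCC services are this example's own assumptions; the sample plist and the in-memory TCC table are constructed stand-ins with a simplified schema, not data from the campaign.

```python
import plistlib
import sqlite3
from pathlib import Path

# Assumption: paths a malicious launch daemon's payload typically lives in. Apple's own
# daemons run from /System, /usr or /Library/Apple, so anything here is worth a look.
USER_WRITABLE = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/")
# Interpreters and download tools a persistence entry should rarely invoke directly.
INTERPRETERS = {"osascript", "sh", "bash", "zsh", "curl", "python3"}
# Real TCC service names; treating these three as "high value" is this example's choice.
HIGH_VALUE_SERVICES = {
    "kTCCServiceAccessibility",
    "kTCCServiceSystemPolicyAllFiles",
    "kTCCServiceScreenCapture",
}


def triage_launch_daemon(plist_bytes: bytes) -> list[str]:
    """Return the reasons a LaunchDaemon/LaunchAgent plist looks like malware persistence.
    An empty list means none of these heuristics fired."""
    plist = plistlib.loads(plist_bytes)
    args = plist.get("ProgramArguments") or [plist.get("Program", "")]
    exe = args[0]
    reasons = []
    if exe.startswith(USER_WRITABLE):
        reasons.append(f"executable in user-writable path: {exe}")
    if Path(exe).name in INTERPRETERS:
        reasons.append(f"invokes an interpreter or download tool directly: {exe}")
    for arg in args[1:]:
        if arg.startswith(USER_WRITABLE) or arg.endswith((".scpt", ".applescript")):
            reasons.append(f"argument points at user-writable or AppleScript content: {arg}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive: relaunches if killed")
    return reasons


def audit_tcc_grants(conn: sqlite3.Connection) -> list[tuple[str, str]]:
    """Return (client, service) pairs where a non-Apple client holds a high-value grant.
    Assumption: the 'access' table exposes 'service', 'client' and 'auth_value'
    (2 == allowed on macOS 11 and later); the real table has more columns."""
    rows = conn.execute("SELECT service, client FROM access WHERE auth_value = 2")
    return [
        (client, service)
        for service, client in rows
        if service in HIGH_VALUE_SERVICES and not client.startswith("com.apple.")
    ]


# Constructed sample: a persistence plist of the shape the post-infection stages describe.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.zoomsdk.update</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/osascript</string>
    <string>/Users/Shared/.zoom_update.scpt</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed sample: an ordinary-looking daemon for comparison.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array><string>/usr/libexec/example-helper</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""


def build_sample_tcc_db() -> sqlite3.Connection:
    """In-memory stand-in for TCC.db filled with constructed rows (simplified schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, auth_value INTEGER)")
    conn.executemany(
        "INSERT INTO access VALUES (?, ?, ?)",
        [
            ("kTCCServiceCamera", "com.example.videoapp", 2),                # not high value
            ("kTCCServiceAccessibility", "com.apple.Terminal", 2),           # Apple client, skipped
            ("kTCCServiceSystemPolicyAllFiles", "com.example.backup", 0),    # denied, skipped
            ("kTCCServiceAccessibility", "/Users/Shared/.zoom_update", 2),   # the one to review
        ],
    )
    return conn


if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_PLIST), ("benign", BENIGN_PLIST)):
        print(name, triage_launch_daemon(blob) or "no findings")
    print("TCC grants to review:", audit_tcc_grants(build_sample_tcc_db()))
```

On a real host the plists to feed `triage_launch_daemon` live in /Library/LaunchDaemons, /Library/LaunchAgents and ~/Library/LaunchAgents, and the TCC databases are /Library/Application Support/com.apple.TCC/TCC.db and ~/Library/Application Support/com.apple.TCC/TCC.db; reading those requires Full Disk Access, and a copy should be queried rather than the live file. The heuristics are deliberately loose: they produce a review list, not a verdict.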


Shaun Nichols is an IT news journalist. He has spent nearly 20 years covering the industry with a specialty in the cybersecurity
