North Korean Hackers Use AppleScript, ClickFix in Fresh macOS Attacks


SecurityWeek
Apr 22, 2026

Why It Matters

The attacks expose a growing threat to high‑value macOS users in finance, highlighting the need for stronger endpoint defenses and user awareness. Successful data theft could lead to financial loss, credential abuse, and further supply‑chain compromise.

Key Takeaways

  • ClickFix lures macOS users via fake Zoom/Teams links
  • AppleScript payloads run shell commands, evading detection
  • Mach‑O Man steals credentials, Keychain entries, and wallets
  • Attacks target financial firms, using compromised Telegram accounts

Pulse Analysis

North Korean cyber units have expanded beyond Windows‑centric espionage, now targeting macOS environments that house high‑value financial data. The recent campaigns illustrate a sophisticated blend of social engineering and native macOS tooling. By hijacking trusted communication channels like Telegram and impersonating recruiters or meeting organizers, the actors increase the likelihood of victim compliance. This shift underscores the regime’s adaptability and its focus on sectors where stolen credentials can be monetized quickly, such as banking and cryptocurrency trading.

The ClickFix method exploits users’ familiarity with video‑conferencing platforms, presenting a bogus connection issue that prompts a copy‑and‑paste Terminal command. Once executed, the Mach‑O Man binary harvests Keychain entries, browser sessions, SSH keys, and even Apple Notes, then tunnels the data back through Telegram’s API. In parallel, the Sapphire Sleet group distributes compiled AppleScript files that automatically open in Script Editor, spawning arbitrary shell commands and establishing persistence. Both vectors bypass many traditional antivirus signatures by leveraging legitimate macOS components, making detection challenging for organizations that rely on signature‑based defenses.

Mitigation requires a layered approach: enforce strict application whitelisting, disable automatic execution of downloaded scripts, and monitor for anomalous Telegram traffic. Security teams should also implement robust phishing simulations that include macOS‑specific scenarios and educate executives about the risks of unsolicited meeting links. As nation‑state actors continue to refine macOS attack kits, enterprises must treat Apple devices with the same rigor historically reserved for Windows endpoints, integrating endpoint detection and response (EDR) solutions that can flag unusual script activity and network exfiltration patterns.
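The two behaviours the analysis singles out, an AppleScript host spawning a shell and a process other than the Telegram client reaching Telegram's API, can be expressed as simple telemetry rules. The following is an added illustration, not code from SecurityWeek or from any EDR vendor: it assumes a hypothetical normalised event schema (fields type, host, parent, process, cmdline, dest_host) and runs over constructed sample events.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed normalised telemetry field names (hypothetical, not a vendor schema):
# type, host, parent, process, cmdline, dest_host.
SCRIPT_HOSTS = {"Script Editor", "osascript"}   # processes that run AppleScript
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}
TELEGRAM_API_HOST = "api.telegram.org"
TELEGRAM_CLIENTS = {"Telegram"}                 # the only process expected to use the API


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def check_process(ev: dict) -> Optional[Alert]:
    """Flag an AppleScript host (Script Editor / osascript) launching a shell."""
    if ev.get("parent") in SCRIPT_HOSTS and ev.get("process") in SHELLS:
        detail = f'{ev["parent"]} -> {ev["process"]} {ev.get("cmdline", "")}'.strip()
        return Alert("applescript-spawns-shell", ev["host"], detail)
    return None


def check_network(ev: dict) -> Optional[Alert]:
    """Flag any process other than the Telegram client contacting api.telegram.org."""
    if ev.get("dest_host") == TELEGRAM_API_HOST and ev.get("process") not in TELEGRAM_CLIENTS:
        return Alert("non-client-telegram-api", ev["host"],
                     f'{ev["process"]} -> {ev["dest_host"]}')
    return None


CHECKS = {"process": check_process, "network": check_network}


def scan(events: Iterable[dict]) -> List[Alert]:
    """Run every event through the check matching its type; collect alerts in order."""
    alerts: List[Alert] = []
    for ev in events:
        check = CHECKS.get(ev.get("type"))
        alert = check(ev) if check else None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry: hostnames, process names and command lines are made up.
SAMPLE_EVENTS = [
    {"type": "process", "host": "mac-01", "parent": "Terminal",
     "process": "/bin/zsh", "cmdline": "zsh -l"},                      # benign login shell
    {"type": "process", "host": "mac-01", "parent": "Script Editor",
     "process": "/bin/sh", "cmdline": "sh -c <redacted>"},            # script host spawning a shell
    {"type": "network", "host": "mac-01", "process": "Telegram",
     "dest_host": "api.telegram.org"},                                 # expected client traffic
    {"type": "network", "host": "mac-01", "process": "com.example.updater",
     "dest_host": "api.telegram.org"},                                 # unexpected API use
    {"type": "network", "host": "mac-02", "process": "Safari",
     "dest_host": "www.example.com"},                                  # unrelated traffic
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

Both rules need a baseline before they are turned into blocking actions: osascript is used by legitimate automation and management tooling, and some organisations run bots or integrations that call Telegram's API from non-client processes. Feed the rules a week of real telemetry, allow-list the processes that appear, and only then treat the remaining hits as investigation triggers.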

