Sapphire Sleet’s Fake Zoom SDK Preys on macOS Users Through Social Engineering

A sophisticated cyber campaign orchestrated by North Korean threat actor Sapphire Sleet reveals a significant shift toward social engineering over traditional software exploitation on macOS platforms. The attackers bypass Apple’s built-in security by tricking users into executing malicious files disguised as legitimate software updates.

The Lure: Fake Zoom SDK Update

The campaign centers on a malicious file named “Zoom SDK Update.scpt” – a compiled AppleScript presented as a routine software update. Victims are typically targeted through fraudulent recruiter profiles on professional networking platforms, with aggressors guiding them through a staged interview process. As part of the ruse, victims are instructed to download and run the file, which launches in macOS’s trusted Script Editor application.

Initial access: The .scpt lure file as seen in macOS Script Editor
Initial access: The .scpt lure file as seen in macOS Script Editor (Source: Microsoft)

The script employs obfuscation techniques: it begins with benign content mimicking legitimate update instructions before hiding thousands of lines of malicious code. Once executed, it validates its authenticity by invoking benign system processes before silently downloading additional payloads using curl. These payloads are executed in memory via osascript, allowing the attackers to evade file-based detection.

Infection Chain: From Persistence to Data Theft

The multi-stage attack establishes persistence through launch daemons and conducts reconnaissance while deploying multiple backdoors. A key component, disguised as com.apple.cli, continuously gathers system information and communicates with attacker-controlled infrastructure. Initial victim credentials are validated locally and exfiltrated via Telegram API, with a decoy app displaying a fake “update complete” message to mask the intrusion.

C2 registration with device UUID and campaign identifier
C2 registration with device UUID and campaign identifier (Source: Microsoft)

The campaign uniquely exploits macOS Transparency, Consent, and Control (TCC) protections by manipulating the TCC database. This escalation grants unauthorized AppleScript access to sensitive system components without triggering user prompts, enabling large-scale data collection targeting browser data, cryptocurrency wallets, SSH keys, Telegram sessions, Apple Notes, and system logs.

Process tree showing cascading execution from Script Editor
Process tree showing cascading execution from Script Editor (Source: Microsoft)

Credential Harvesting and Targeted Impact

A malicious application named “systemupdate.app” presents a macOS password dialog that closely mimics legitimate system prompts. This false authentication prompt exfiltrates credentials to attackers, posing severe risks to cryptocurrency and financial systems due to specific targeting of wallet extensions and key material.

Password popup given by fake systemupdate.app
Password popup given by fake systemupdate.app (Source: Microsoft)

Security Implications and Mitigation

Microsoft’s disclosure prompted Apple to deploy XProtect signatures and Safe Browsing updates. However, the campaign underscores a critical vulnerability: even fully patched systems remain susceptible when users are deceived into initiating malicious actions. The incident highlights a broader trend where attackers prioritize social engineering over exploits, leveraging legitimate tools like AppleScript.

As Sapphire Sleet refines tactics to abuse native applications, security increasingly depends on user awareness, strict execution controls, and layered defense strategies beyond platform protections. Organizations should implement multi-factor authentication (MFA) and training to combat evolving social engineering threats.

Related Articles

Back to top button