lazarusholic


Dissecting Sapphire Sleet’s macOS intrusion from lure to compromise

2026-04-16, Microsoft
https://www.microsoft.com/en-us/security/blog/2026/04/16/dissecting-sapphire-sleets-macos-intrusion-from-lure-to-compromise/
#SapphireSleet #macOS

Executive summary
Microsoft Threat Intelligence uncovered a macOS‑focused cyber campaign by the North Korean threat actor Sapphire Sleet that relies on social engineering rather than software vulnerabilities. By impersonating a legitimate software update, threat actors tricked users into manually running malicious files, allowing them to steal passwords, cryptocurrency assets, and personal data while avoiding built‑in macOS security checks. This activity highlights how convincing user prompts and trusted system tools can be abused, and why awareness and layered security defenses remain critical.
Microsoft Threat Intelligence identified a campaign by North Korean state actor Sapphire Sleet demonstrating new combinations of macOS-focused execution patterns and techniques, enabling the threat actor to compromise systems through social engineering rather than software exploitation. In this campaign, Sapphire Sleet takes advantage of user‑initiated execution to establish persistence, harvest credentials, and exfiltrate sensitive data while operating outside traditional macOS security enforcement boundaries. While the techniques themselves are not novel, this …

IoC

Domains and URLs
http://uw04webzoom.us
http://check02id.com
http://83.136.208.246:6783
http://83.136.208.246
http://188.227.196.252
http://83.136.208.48
http://104.145.210.107
http://83.136.209.22
http://83.136.210.180

IP addresses
83.136.208.246
188.227.196.252
83.136.209.22
83.136.208.48
83.136.210.180
104.145.210.107

File hashes (SHA-256)
2075fd1a1362d188290910a8c55cf30c11ed5955c04af410c481410f538da419
05e1761b535537287e7b72d103a29c4453742725600f59a34a4831eafc0b8e53
5e581f22f56883ee13358f73fabab00fcf9313a053210eb12ac18e66098346e5
8fd5b8db10458ace7e4ed335eb0c66527e1928ad87a3c688595804f72b205e8c
a05400000843fbad6b28d2b76fc201c3d415a72d88d8dc548fafd8bae073c640
95e893e7cdde19d7d16ff5a5074d0b369abd31c1a30962656133caa8153e8d63
5fbbca2d72840feb86b6ef8a1abb4fe2f225d84228a714391673be2719c73ac7

Related reporting linked from the article (references, not indicators)
https://www.huntress.com/blog/inside-bluenoroff-web3-intrusion-analysis
https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering
https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthie/117842/
https://x.com/patrickwardle/status/2009008936771543341?s=46
https://x.com/malwrhunterteam/status/2008831892616081508
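The raw IoC list above mixes URL forms, bare IPs and hashes, and the same IP appears both with and without a scheme and port. The script below is an added example (not code from Microsoft or from this site) that normalises those lines into typed indicator sets and runs them against sample input. The proxy/DNS log lines and the file-hash table in it are constructed for the example, not taken from the report; the vendor blog and X links in the list are reference reporting and are left out of the indicator set.

```python
"""Triage helper for the IoC list above (added example, not Microsoft's code).
Parses raw indicator lines into domain / IP / SHA-256 sets, dropping URL
schemes and ports, then matches them against constructed sample data."""
import hashlib
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators as listed on the page (reference links omitted: not infrastructure).
RAW_IOCS = """
http://uw04webzoom.us
http://83.136.208.246:6783
http://188.227.196.252
http://check02id.com
http://83.136.208.246
http://83.136.208.48
http://104.145.210.107
http://83.136.209.22
http://83.136.210.180
83.136.208.246
188.227.196.252
83.136.209.22
83.136.208.48
83.136.210.180
104.145.210.107
2075fd1a1362d188290910a8c55cf30c11ed5955c04af410c481410f538da419
05e1761b535537287e7b72d103a29c4453742725600f59a34a4831eafc0b8e53
5e581f22f56883ee13358f73fabab00fcf9313a053210eb12ac18e66098346e5
8fd5b8db10458ace7e4ed335eb0c66527e1928ad87a3c688595804f72b205e8c
a05400000843fbad6b28d2b76fc201c3d415a72d88d8dc548fafd8bae073c640
95e893e7cdde19d7d16ff5a5074d0b369abd31c1a30962656133caa8153e8d63
5fbbca2d72840feb86b6ef8a1abb4fe2f225d84228a714391673be2719c73ac7
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")


def classify(raw: str) -> dict:
    """Return {'domains', 'ips', 'sha256'} sets. URLs are reduced to their
    hostname, so http://83.136.208.246:6783 and 83.136.208.246 collapse."""
    iocs = {"domains": set(), "ips": set(), "sha256": set()}
    for line in raw.strip().splitlines():
        token = line.strip().lower()
        if not token:
            continue
        if SHA256_RE.fullmatch(token):
            iocs["sha256"].add(token)
            continue
        host = urlsplit(token).hostname if "://" in token else token.split(":")[0]
        try:
            iocs["ips"].add(str(ipaddress.ip_address(host)))
        except ValueError:  # not an IP literal, treat as a domain
            iocs["domains"].add(host)
    return iocs


def scan_log(lines, iocs) -> list:
    """Return (line_index, kind, indicator) for each IoC seen in the log lines."""
    hits = []
    for idx, line in enumerate(lines):
        low, seen = line.lower(), set()
        for ip in IPV4_RE.findall(low):
            if ip in iocs["ips"] and ip not in seen:
                seen.add(ip)
                hits.append((idx, "ip", ip))
        for host in HOST_RE.findall(low):
            if host in iocs["domains"] and host not in seen:
                seen.add(host)
                hits.append((idx, "domain", host))
    return hits


def hash_file(path: str) -> str:
    """Chunked SHA-256 of a file on disk (e.g. for sweeping ~/Downloads)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_hashes(file_hashes: dict, iocs) -> dict:
    """Return {path: sha256} for files whose hash is a listed indicator."""
    return {p: h.lower() for p, h in file_hashes.items() if h.lower() in iocs["sha256"]}


# Constructed sample inputs for the example; not from the report.
SAMPLE_LOG = [
    "2026-04-10T09:12:01Z proxy user=alice host=uw04webzoom.us dst=83.136.208.246:6783",
    "2026-04-10T09:12:05Z proxy user=alice host=www.example.com dst=93.184.216.34:443",
    "2026-04-10T09:13:40Z dns client=10.0.0.12 query=check02id.com",
]
SAMPLE_FILE_HASHES = {
    "/Users/alice/Downloads/update.sh":
        "2075fd1a1362d188290910a8c55cf30c11ed5955c04af410c481410f538da419",
    "/Users/alice/Downloads/notes.txt":
        hashlib.sha256(b"constructed benign content").hexdigest(),
}

if __name__ == "__main__":
    iocs = classify(RAW_IOCS)
    for hit in scan_log(SAMPLE_LOG, iocs):
        print("network hit:", hit)
    for path, digest in scan_hashes(SAMPLE_FILE_HASHES, iocs).items():
        print("file hit:", path, digest)
```

Matching on the normalised hostname rather than the full URL is deliberate: the report lists the same server both with and without port 6783, and a proxy log rarely records the scheme. To sweep a real host, feed `hash_file()` the paths under the user's Downloads folder and pass the resulting dict to `scan_hashes()`.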