Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign

2026-05-28, Levelblue
https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign
#SapphireSleet #macOS

Contents

We recently observed a multi-stage macOS intrusion campaign conducted by the North Korean state-sponsored threat group Sapphire Sleet (also tracked as BlueNoroff/UNC1069).
The campaign specifically targets macOS environments within high-value financial sectors, including venture capital firms, Web3 developers, and cryptocurrency organizations. Historically active since 2020, Sapphire Sleet has evolved its tradecraft from simple malicious macros to sophisticated, native macOS components designed to systematically strip target endpoints of cryptographic keys and operational identities.
This latest activity represents a sharp shift toward trust abuse over traditional technical exploitation. By leveraging signed, built-in system applications like the Apple Script Editor and Finder, the malware operates outside traditional macOS security enforcement boundaries, suppresses system security alerts, and executes arbitrary code directly under the guise of an authentic user update. This aligns with broader public reporting on macOS-focused intrusion tradecraft.
Initial access relied on targeted social engineering in which victims were instructed to execute a fake Zoom SDK …

IoC
