Sapphire Sleet Targets macOS

· Published 29/05/2026 10:15 · Modified 29/05/2026 10:39

Essential information

Tags
2026-05-29
Related entities
12 observables, 9 others

Description

We recently observed a multi-stage macOS intrusion campaign conducted by the North Korean state-sponsored threat group Sapphire Sleet (also tracked as BlueNoroff / UNC1069). The campaign specifically targets macOS environments within high-value financial sectors, including venture capital firms, Web3 developers, and cryptocurrency organizations. By leveraging signed, built-in system applications like the Apple Script Editor and Finder, the malware operates outside traditional macOS security enforcement boundaries, suppresses system security alerts, and executes arbitrary code directly under the guise of an authentic user update. This aligns with broader public reporting on macOS-focused intrusion tradecraft. Initial access relied on targeted social engineering in which victims were instructed to execute a fake Zoom SDK update component, leading to user-assisted execution and follow-on payload delivery.

External references