North Korean Sapphire Sleet Targets macOS Users in New Social Engineering Campaign
Severity: High (Score: 72.5)
Sources: Nknews, Socprime, Computerweekly, www.korearisk.com, Blogs.Microsoft
Summary
A North Korean cybercrime group known as Sapphire Sleet has launched a social engineering campaign targeting macOS users, as reported by Microsoft's Threat Intelligence unit. The campaign involves tricking users into executing malicious files disguised as software updates, allowing the attackers to steal credentials, cryptocurrency assets, and personal data. This shift in tactics marks a move away from exploiting software vulnerabilities to a user-initiated attack model, which bypasses macOS security features. The group has been operational since March 2020 and primarily targets the financial sector, including cryptocurrency and blockchain organizations. Microsoft has shared details of the campaign with Apple as part of its responsible disclosure process.

Sapphire Sleet is believed to be linked to the notorious Lazarus Group and aims to generate revenue through the theft of crypto wallets and sensitive information. The attack method employs fake recruitment profiles to lure victims into installing malware. The campaign highlights the persistent threat posed by state-sponsored actors in the cybersecurity landscape.

Key Points
- Sapphire Sleet targets macOS users through social engineering tactics.
- Attackers trick users into executing malicious files, bypassing macOS security.
- The campaign focuses on stealing cryptocurrency and sensitive data.
Key Entities
- Sapphire Sleet (apt_group)
- Data Breach (attack_type)
- Malware (attack_type)
- Phishing (attack_type)
- Lazarus Operation (campaign)
- Financial (industry)
- T1041 - Exfiltration Over C2 Channel (mitre_attack)
- T1055 - Process Injection (mitre_attack)
- T1059.001 - PowerShell (mitre_attack)
- T1059.004 - Unix Shell (mitre_attack)
- T1059.005 - Visual Basic (mitre_attack)
- MacOS (platform)
- Zoom (platform)
- AppleScript (tool)
- Curl (tool)
- Osascript (tool)
- PowerShell (tool)
- Script Editor (tool)