North Korean Sapphire Sleet Targets macOS Users in New Social Engineering Campaign

North Korean Sapphire Sleet Targets macOS Users in New Social Engineering Campaign

First seen 17 Apr 2026, 14:30 UTC Blogs.MicrosoftNknewsComputerweeklySocprimeScworld+2 82% similarity 72.5

Article Content

Browse articles
ThreatCluster

A North Korean cybercrime group known as Sapphire Sleet has launched a social engineering campaign targeting macOS users, as reported by Microsoft's Threat Intelligence unit. The campaign involves tricking users into executing malicious files disguised as software updates, allowing the attackers to steal credentials, cryptocurrency assets, and personal data. This shift in tactics marks a move away from exploiting software vulnerabilities to a user-initiated attack model, which bypasses macOS security features. The group has been operational since March 2020 and primarily targets the financial sector, including cryptocurrency and blockchain organizations. Microsoft has shared details of the campaign with Apple as part of its responsible disclosure process. Sapphire Sleet is believed to be linked to the notorious Lazarus Group and aims to generate revenue through the theft of crypto wallets and sensitive information. The attack method employs fake recruitment profiles to lure victims into installing malware. The campaign highlights the persistent threat posed by state-sponsored actors in the cybersecurity landscape.

Key Points: • Sapphire Sleet targets macOS users through social engineering tactics. • Attackers trick users into executing malicious files, bypassing macOS security. • The campaign focuses on stealing cryptocurrency and sensitive data.

ThreatCluster AI

Timeline

2026-04-17
Microsoft reports on Sapphire Sleet's macOS campaign
2026-04-17
Sapphire Sleet identified as the threat actor
2026-04-17
Microsoft shares findings with Apple

Community

Browse all →