Sapphire Sleet, also tracked as BlueNoroff and UNC1069, is targeting macOS users in venture capital, Web3, and cryptocurrency organizations through social engineering that delivers a fake Zoom SDK update. The infection chain uses Script Editor, `osascript`, `curl`, and shell commands, then deploys a fake macOS password prompt, abuses Finder and TCC.db to grant automation permissions, and persists through a LaunchDaemon that loads an in-memory beacon. The malware collects cryptocurrency wallets, browser extension data, Telegram sessions, SSH keys, and Apple Notes, then stages archives for upload and exfiltration. Although some original infrastructure was likely mitigated, the native-binary abuse, TCC manipulation, and LaunchDaemon persistence remain durable detection opportunities.