Dissecting Sapphire Sleet’s macOS intrusion from lure to compromise
Microsoft Threat Intelligence and Microsoft Defender Security Research Team · 2026-04-16
ATT&CK techniques detected
60 predictions
T1548.006 TCC Manipulation (100%): “…]); DeviceNetworkEvents | where Timestamp > ago(30d) | where RemoteUrl has_any(c2_domains) or RemoteIP in (c2_ips) | project Timestamp, DeviceId, DeviceName, RemoteUrl…” (the C2 IP list preceding this fragment is elided)

T1548.006 TCC Manipulation (99%): “It establishes outbound communication with threat actor-controlled infrastructure, connecting to the domain check02id[.]com over port 5202. The process then enters a precise 60-second beaconing loop. During each cycle, it executes minimal commands such as whoami to confirm…”

T1548.006 TCC Manipulation (99%): “…TCC.db) is itself TCC-protected — processes without Full Disk Access (FDA) cannot read or modify it. Sapphire Sleet circumvents this by directing Finder, which holds FDA by default on macOS, to rename the com.apple.TCC folder. Once renamed, the TCC database file can be co…”

T1543.004 Launch Daemon (97%): “…FileRenamed") | project Timestamp, DeviceId, DeviceName, ActionType, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine. Suspicious LaunchDaemon creation masquerading as legitimate services: search for LaunchDaemon plist files created in /Library/LaunchDaemons…”

T1555.003 Credentials from Web Browsers (97%): “…includes saved credentials, cookies, autofill data, browsing history, bookmarks, and extension-specific storage. Particular focus is placed on IndexedDB entries associated with cryptocurrency wallet extensions, where wallet keys and transaction data are stored. Only IndexedDB e…”

T1059.004 Unix Shell (97%): “…iCloudz shares the same binary as .services, it operates as a reflective code loader — it uses the macOS NSCreateObjectFileImageFromMemory API to load additional payloads received from its C2 infrastructure directly into memory, rather than writing them to disk and executing them…”

T1543.004 Launch Daemon (96%): “…iCloudz deploys an additional (tertiary) backdoor, com.google.chromes.updaters, to disk at ~/Library/Google/com.google.chromes.updaters. The selected directory and file name closely resemble legitimate Google application data, helping the file blend into the user’s h…”

T1071.001 Web Protocols (96%): “…]); let ioc_ips = dynamic([…” (the IoC domain list preceding and the IoC IP list following this fragment are elided)

T1059.002 AppleScript (96%): “…SoftwareUpdate.app. After performing reconnaissance, the mac-cur1 orchestrator begins parallel operations. During the mac-cur2 stage of execution (independent from the mac-cur1 stage), Sapphire Sleet delivers an AppleScript payload that is executed through osascript. This stage i…”

T1119 Automated Collection (91%): “…curl uploads matching the staging-and-exfiltration pattern used for browser data, crypto wallets, Telegram sessions, SSH keys, and Apple Notes. DeviceProcessEvents | where Timestamp > ago(30d) | where (ProcessCommandLine has "zip" and ProcessCommandLine has "/tmp/"…”

T1555.003 Credentials from Web Browsers (90%): “…assets should enforce hardware wallet policies and rotate browser-stored credentials regularly. Encourage users to use web browsers that support Microsoft Defender SmartScreen like Microsoft Edge — available on macOS and various platforms — which identifies and blocks malicious…”

T1059.002 AppleScript (89%): “…grant AppleEvents permissions to osascript without user consent — a prerequisite for the large-scale data exfiltration phase. Look for processes copying, modifying, or overwriting ~/Library/Application Support/com.apple.TCC/TCC.db. Audit LaunchDaemon and LaunchAgent…”

T1059.007 JavaScript (89%): “…executed. Execution and payload delivery: cascading curl-to-osascript execution. When the user opens the Zoom SDK Update.scpt file, macOS launches the file in Script Editor, allowing Sapphire Sleet to transition from a single lure file to a multi-stage, dynamically fetched p…”

T1204.002 Malicious File (88%): “…cryptocurrency wallets to generate revenue, and target technology or intellectual property related to cryptocurrency trading and blockchain platforms. [Sapphire Sleet: Mitigating the Axios npm supply chain compromise ›] Recent campaigns demonstrate expanded execution mechanisms across operati…”

T1059.002 AppleScript (88%): “…scpt file is crafted to appear as a legitimate Zoom SDK update when opened in the macOS Script Editor app, beginning with a large decoy comment block that mimics benign upgrade instructions and gives the impression of a routine software update. To conceal its true behavior, the s…”

T1059.002 AppleScript (88%): “…SoftwareUpdate.app does not attempt to collect credentials. Instead, it displays a convincing “System Update Complete” dialog to the user, signaling that the supposed Zoom SDK update has finished successfully. This final step closes the social engineering loop: the user initi…”

T1543.004 Launch Daemon (85%): same excerpt as T1059.002 AppleScript (88%, “SoftwareUpdate.app does not attempt to collect credentials…”) above.

T1555.003 Credentials from Web Browsers (84%): “…/tmp/, and user-specific Application Support folders. DeviceProcessEvents | where Timestamp > ago(30d) | where FolderPath has_any("Library/Services/services", "Application Support/iCloud/iCloudz", "Library/Google/com.google.chromes.updaters", "/p…”

T1657 Financial Theft (80%): “…chain that lowers operational friction and increases the likelihood of successful compromise — posing an elevated risk to organizations and individuals involved in cryptocurrency, digital assets, finance, and similar high-value targets that Sapphire Sleet is known to target. In…”

T1059.002 AppleScript (78%): “…the following threat analytics reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelli…”

T1195.002 Compromise Software Supply Chain (74%): same excerpt as T1059.002 AppleScript (88%, “…scpt file is crafted to appear as a legitimate Zoom SDK update…”) above.

T1071.001 Web Protocols (74%): “…mac-cur5", "-a audio", "-a beacon") | project Timestamp, DeviceId, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine. Detect connectivity with known C2 infrastructure: search for network connections to the Sapphire Sleet…”

T1204.002 Malicious File (73%): “…4144-9a4e-6b58b714d599. Defending against Sapphire Sleet intrusion activity: as part of a coordinated response to this activity, Apple has implemented platform-level protections to help detect and block infrastructure and malware associated with this campaign. Apple has depl…”

T1543.001 Launch Agent (73%): same excerpt as T1059.002 AppleScript (88%, “SoftwareUpdate.app does not attempt to collect credentials…”) above.

T1620 Reflective Code Loading (72%): “…| where ProcessCommandLine has "-authonly" | project Timestamp, DeviceId, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine. Telegram Bot API exfiltration detection: search for network connections to Telegram Bot API endpoints,…”

T1204.002 Malicious File (71%): “Dissecting Sapphire Sleet’s macOS intrusion from lure to compromise. Executive summary: Microsoft Threat Intelligence uncovered a macOS-focused cyber campaign by the North Korean threat actor Sapphire Sleet that relies on social engineering rather than software vulnerabilities.…”

T1543.001 Launch Agent (69%): same excerpt as T1543.004 Launch Daemon (96%, “…iCloudz deploys an additional (tertiary) backdoor…”) above.

T1041 Exfiltration Over C2 Channel (68%): “…staging files are deleted to reduce forensic traces. Collection and exfiltration: with TCC bypassed, credentials stolen, and backdoors deployed, Sapphire Sleet launches the next phase of attack: a 575-line AppleScript payload that systematically collects, stages, compresses, an…”

T1059.004 Unix Shell (66%): “…final location before the temporary file is removed. As part of installation, the malware creates a file named auth.db under ~/Library/Application Support/Authorization/, which stores the path to the deployed services backdoor and serves as a persistent installation marke…”

T1204.002 Malicious File (62%): “…observed for this threat actor, including how Sapphire Sleet orchestrates these techniques together and uses AppleScript as a dedicated, late-stage credential-harvesting component integrated with decoy update workflows. After discovering the threat, Microsoft shared details o…”

T1204.002 Malicious File (61%): “…DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceProcessEvents, DeviceNetworkEvents, SecurityEvent, ThreatIntelligenceIndicator) TimeGenerated between ((selectedTimestamp - 1m) .. (selectedTimestamp + 90d)) and (SHA256 in (fileSHA256) or InitiatingProcessSHA256 i…”

T1204.002 Malicious File (61%): “…binaries downloaded from the internet. Where feasible, enforce policies that prevent osascript from executing scripts sourced from external locations. Always inspect and verify files downloaded from external sources, including compiled AppleScript (.scpt) files. These files can…”

T1204 User Execution (60%): same excerpt as T1204.002 Malicious File (71%, “Dissecting Sapphire Sleet’s macOS intrusion from lure to compromise. Executive summary…”) above.

T1583.001 Domains (60%): “…ago(30d) | where InitiatingProcessFileName == "Script Editor" or InitiatingProcessCommandLine has "Script Editor" | where FileName has_any("curl", "osascript", "sh", "bash", "zsh") | project Timestamp, DeviceId, DeviceName, FileName, ProcessCommandLine, Ini…”

T1543.004 Launch Daemon (60%): same excerpt as T1059.002 AppleScript (89%, “…grant AppleEvents permissions to osascript without user consent…”) above.

T1059.001 PowerShell (56%): “…apple.cli: the host monitoring component repeatedly executes a series of system commands to collect environment and runtime information, including the macOS version (sw_vers), the current system time (date -u), and the underlying hardware model (sysctl hw.model). It…”

T1217 Browser Information Discovery (55%): “…hardware fingerprinting, and confirmation of the target system’s characteristics. This reconnaissance data is later uploaded to track progress and correlate subsequent exfiltration stages to a specific device. Installed applications and runtime verification: the script enumera…”

T1566.001 Spearphishing Attachment (51%): same excerpt as T1204.002 Malicious File (61%, “…DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents…”) above.

T1059.002 AppleScript (50%): same excerpt as T1204.002 Malicious File (62%, “…observed for this threat actor…”) above.

T1547.015 Login Items (50%): same excerpt as T1059.002 AppleScript (88%, “SoftwareUpdate.app does not attempt to collect credentials…”) above.

T1059.002 AppleScript (50%): “…where FileName == "osascript" or InitiatingProcessFileName == "osascript" | where ProcessCommandLine has "curl" and ProcessCommandLine has_any("osascript", "| sh", "| bash") | project Timestamp, DeviceId, DeviceName, AccountName, ProcessCommandLine, InitiatingP…”

T1547.015 Login Items (47%): same excerpt as T1059.002 AppleScript (89%, “…grant AppleEvents permissions to osascript without user consent…”) above.

T1204.002 Malicious File (45%): same excerpt as T1059.002 AppleScript (96%, “…SoftwareUpdate.app. After performing reconnaissance, the mac-cur1 orchestrator…”) above.

T1059.002 AppleScript (45%): same excerpt as T1059.007 JavaScript (89%, “…executed. Execution and payload delivery: cascading curl-to-osascript execution…”) above.

T1204.002 Malicious File (44%): same excerpt as T1059.007 JavaScript (89%, “…executed. Execution and payload delivery: cascading curl-to-osascript execution…”) above.

T1048 Exfiltration Over Alternative Protocol (43%): same excerpt as T1041 Exfiltration Over C2 Channel (68%, “…staging files are deleted to reduce forensic traces…”) above.

T1059.004 Unix Shell (42%): same excerpt as T1059.001 PowerShell (56%, “…apple.cli: the host monitoring component…”) above.

T1204.002 Malicious File (40%): same excerpt as T1059.002 AppleScript (88%, “…scpt file is crafted to appear as a legitimate Zoom SDK update…”) above.

T1204.002 Malicious File (36%): “…e/117842/ https://x.com/malwrhunterteam/status/2008831892616081508 https://x.com/patrickwardle/status/2009008936771543341?s=46 Learn more: for the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threa…”

T1074.001 Local Data Staging (35%): “…]); DeviceFileEvents | where Timestamp > ago(30d) | where SHA256 in (malicious_hashes) |…” (the SHA-256 hash list preceding this fragment is elided)

T1543 Create or Modify System Process (33%): same excerpt as T1543.004 Launch Daemon (97%, “…FileRenamed") | project Timestamp…”) above.

T1204 User Execution (32%): same excerpt as T1204.002 Malicious File (62%, “…observed for this threat actor…”) above.

T1598.004 Spearphishing Voice (32%): same excerpt as T1204.002 Malicious File (36%, “…e/117842/ https://x.com/malwrhunterteam/…”) above.

T1059.002 AppleScript (31%): same excerpt as T1204.002 Malicious File (61%, “…binaries downloaded from the internet…”) above.

T1059.002 AppleScript (31%): same excerpt as T1548.006 TCC Manipulation (99%, “It establishes outbound communication with threat actor-controlled infrastructure…”) above.

T1195.002 Compromise Software Supply Chain (30%): same excerpt as T1059.002 AppleScript (96%, “…SoftwareUpdate.app. After performing reconnaissance, the mac-cur1 orchestrator…”) above.

T1543 Create or Modify System Process (30%): same excerpt as T1543.004 Launch Daemon (96%, “…iCloudz deploys an additional (tertiary) backdoor…”) above.
Summary
The Microsoft Defender Security Research Team uncovered a sophisticated macOS intrusion campaign, attributed to the North Korean threat actor Sapphire Sleet, that abuses user-driven execution and social engineering to bypass macOS security protections and steal credentials, cryptocurrency assets, and sensitive data.