Microsoft Threat Intelligence has uncovered a macOS-targeted campaign by North Korean threat actor Sapphire Sleet using ClickFix-style social engineering. Attackers pose as recruiters on professional networks, lure targets into fake technical interviews, and trick them into running a malicious AppleScript disguised as a Zoom SDK update. The multi-stage payload chain harvests credentials; steals data from wallets, browsers, keychains, Apple Notes, and Telegram; installs backdoors; and bypasses Apple's TCC (Transparency, Consent, and Control) security framework by manipulating its database. Microsoft recommends user education, blocking unsigned binaries and .scpt files, and protecting credential stores. Apple has since deployed updates to detect and block the associated infrastructure.
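Because the campaign tampers with the TCC database to grant itself permissions, one defensive check is to audit the permission grants that database records. The following is an added example, not code from the Dark Reading article or from Microsoft: it builds an in-memory table with a constructed, simplified subset of the columns found in TCC.db's `access` table (the real table has more columns; the meaning of `client_type` 0/1 and `auth_value` 2 as "bundle id / path" and "allowed" is an assumption stated here, as are the service names and sample rows) and flags grants a defender would want to review: sensitive services given to clients outside an allowlist, path-based clients outside /Applications, and grants modified very recently.

```python
import sqlite3

# Assumed TCC service identifiers treated as high-impact (assumption for this example).
SENSITIVE_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles",  # Full Disk Access
    "kTCCServiceAccessibility",
    "kTCCServiceScreenCapture",
}

# Assumed encodings, modelled on TCC.db: client_type 0 = bundle id, 1 = absolute path;
# auth_value 2 = allowed.
CLIENT_TYPE_PATH = 1
AUTH_ALLOWED = 2


def build_sample_db(now: int) -> sqlite3.Connection:
    """Construct an in-memory table with sample rows (constructed data, not a real TCC.db)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
        "auth_value INTEGER, last_modified INTEGER)"
    )
    rows = [
        # Long-standing grants to known, allowlisted clients.
        ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, AUTH_ALLOWED, now - 90 * 86400),
        ("kTCCServiceAccessibility", "com.example.corp-tool", 0, AUTH_ALLOWED, now - 30 * 86400),
        # Constructed example of a suspicious grant: a path-based client in a user
        # directory, given Full Disk Access ten minutes ago.
        ("kTCCServiceSystemPolicyAllFiles", "/Users/demo/Downloads/fake_update", CLIENT_TYPE_PATH, AUTH_ALLOWED, now - 600),
        ("kTCCServiceCamera", "/Users/demo/Downloads/fake_update", CLIENT_TYPE_PATH, AUTH_ALLOWED, now - 600),
    ]
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def audit_tcc(conn: sqlite3.Connection, allowlist: set, now: int, recent_seconds: int = 24 * 3600) -> list:
    """Return allowed grants that match any review heuristic, each with its reasons."""
    findings = []
    cur = conn.execute(
        "SELECT service, client, client_type, auth_value, last_modified "
        "FROM access WHERE auth_value = ? ORDER BY rowid",
        (AUTH_ALLOWED,),
    )
    for service, client, client_type, _auth_value, last_modified in cur:
        reasons = []
        if service in SENSITIVE_SERVICES and client not in allowlist:
            reasons.append("sensitive service granted to non-allowlisted client")
        if client_type == CLIENT_TYPE_PATH and not client.startswith("/Applications/"):
            reasons.append("path-based client outside /Applications")
        if now - last_modified < recent_seconds:
            reasons.append("grant modified within the review window")
        if reasons:
            findings.append({"service": service, "client": client, "reasons": reasons})
    return findings


if __name__ == "__main__":
    NOW = 1_700_000_000  # fixed timestamp so the sample is reproducible
    db = build_sample_db(NOW)
    for f in audit_tcc(db, {"com.apple.Terminal", "com.example.corp-tool"}, NOW):
        print(f"{f['service']:<36} {f['client']:<40} {'; '.join(f['reasons'])}")
```

On a real system the same query would be run against a copy of the user or system TCC.db taken by a tool that already holds Full Disk Access (the live file is protected), and the allowlist would come from the organisation's known-good application inventory; the heuristics here are a starting point for review, not a verdict.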

From darkreading.com (4 min read)