{"id":47489,"date":"2026-04-16T12:42:17","date_gmt":"2026-04-16T12:42:17","guid":{"rendered":"http:\/\/localhost\/?p=47489"},"modified":"2026-04-16T12:42:17","modified_gmt":"2026-04-16T12:42:17","slug":"dissecting-sapphire-sleets-macos-intrusion-from-lure-to-compromise","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=47489","title":{"rendered":"Dissecting Sapphire Sleet\u2019s macOS intrusion from lure to compromise_MSSECURE:75E1FC8647218AF87BE0A6DF2F74B4EB"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-04-16T16:57:59&#8243;,&#8221;description&#8221;:&#8221;In this article\\n\\n  1. Sapphire Sleet\u2019s campaign lifecycle\\n  2. Defending against Sapphire Sleet intrusion activity\\n  3. Microsoft Defender detection and hunting guidance\\n  4. Indicators of compromise\\n\\n\\n\\n**Executive summary**\\n\\nMicrosoft Threat Intelligence uncovered a macOS\u2011focused cyber campaign by the North Korean threat actor Sapphire Sleet that relies on social engineering rather than software vulnerabilities. By impersonating a legitimate software update, threat actors tricked users into manually running malicious files, allowing them to steal passwords, cryptocurrency assets, and personal data while avoiding built\u2011in macOS security checks. This activity highlights how convincing user prompts and trusted system tools can be abused, and why awareness and layered security defenses remain critical.\\n\\n* * *\\n\\nMicrosoft Threat Intelligence identified a campaign by North Korean state actor Sapphire Sleet demonstrating new combinations of macOS-focused execution patterns and techniques, enabling the threat actor to compromise systems through social engineering rather than software exploitation. In this campaign, Sapphire Sleet takes advantage of user\u2011initiated execution to establish persistence, harvest credentials, and exfiltrate sensitive data while operating outside traditional macOS security enforcement boundaries. 
While the techniques themselves are not novel, this analysis highlights execution patterns and combinations that Microsoft has not previously observed for this threat actor, including how Sapphire Sleet orchestrates these techniques together and uses AppleScript as a dedicated, late\u2011stage credential\u2011harvesting component integrated with decoy update workflows.\\n\\nAfter discovering the threat, Microsoft shared details of this activity with Apple as part of our responsible disclosure process. Apple has since implemented updates to help detect and block infrastructure and malware associated with this campaign. We thank the Apple security team for their collaboration in addressing this activity and encourage macOS users to keep their devices up to date with the latest security protections.\\n\\nThis activity demonstrates how threat actors continue to rely on user interaction and trusted system utilities to bypass macOS platform security protections, rather than exploiting traditional software vulnerabilities. By persuading users to manually execute AppleScript or Terminal\u2011based commands, Sapphire Sleet shifts execution into a user\u2011initiated context, allowing the activity to proceed outside of macOS protections such as Transparency, Consent, and Control (TCC), Gatekeeper, quarantine enforcement, and notarization checks. 
Sapphire Sleet achieves a highly reliable infection chain that lowers operational friction and increases the likelihood of successful compromise\u2014posing an elevated risk to organizations and individuals involved in cryptocurrency, digital assets, finance, and similar high\u2011value targets that Sapphire Sleet is known to target.\\n\\nIn this blog, we examine the macOS\u2011specific attack chain observed in recent Sapphire Sleet intrusions, from initial access using malicious _.scpt_ files through multi-stage payload delivery, credential harvesting using fake system dialogs, manipulation of the macOS TCC database, persistence using launch daemons, and large-scale data exfiltration. We also provide actionable guidance, Microsoft Defender detections, hunting queries, and indicators of compromise (IOCs) to help defenders identify similar threats and strengthen macOS security posture.\\n\\n## Sapphire Sleet\u2019s campaign lifecycle\\n\\n### Initial access and social engineering\\n\\nSapphire Sleet is a North Korean state actor active since at least March 2020 that primarily targets the finance sector, including cryptocurrency, venture capital, and blockchain organizations. 
The primary motivation of this actor is to steal cryptocurrency wallets to generate revenue, and target technology or intellectual property related to cryptocurrency trading and blockchain platforms.\\n\\nRecent campaigns demonstrate expanded execution mechanisms across operating systems like macOS, enabling Sapphire Sleet to target a broader set of users through parallel social engineering workflows.\\n\\nSapphire Sleet operates a well\u2011documented social engineering playbook in which the threat actor creates fake recruiter profiles on social media and professional networking platforms, engages targets in conversations about job opportunities, schedules a technical interview, and directs targets to install malicious software, which is typically disguised as a video conferencing tool or software developer kit (SDK) update.\\n\\nIn this observed activity, the target was directed to download a file called _Zoom SDK Update.scpt_ \u2014a compiled AppleScript that opens in macOS Script Editor by default. Script Editor is a trusted first-party Apple application capable of executing arbitrary shell commands using the _do shell script_ AppleScript command.\\n\\n**Lure file and Script Editor execution**\\n\\n![Flowchart illustrating Sapphire Sleet targeting users with a fake Zoom Support meeting invite, leading to the user joining the meeting, downloading a malicious AppleScript file, and executing the script via Script Editor.](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-24.webp)_Figure 1. Initial access: The .scpt lure file as seen in macOS Script Editor_\\n\\nThe malicious _Zoom SDK Update.scpt_ file is crafted to appear as a legitimate Zoom SDK update when opened in the macOS Script Editor app, beginning with a large decoy comment block that mimics benign upgrade instructions and gives the impression of a routine software update. 
To conceal its true behavior, the script inserts thousands of blank lines immediately after this visible content, pushing the malicious logic far below the scrollable view of the Script Editor window and reducing the likelihood that a user will notice it.\\n\\nHidden beneath this decoy, the script first launches a harmless looking command that invokes the legitimate macOS _softwareupdate_ binary with an invalid parameter, an action that performs no real update but launches a trusted Apple\u2011signed process to reinforce the appearance of legitimacy. Following this, the script executes its malicious payload by using _curl_ to retrieve threat actor\u2011controlled content and immediately passes the returned data to osascript for execution using the _run script_ result instruction. Because the content fetched by _curl_ is itself a new AppleScript, it is launched directly within the Script Editor context, initiating a payload delivery in which additional stages are dynamically downloaded and executed.\\n\\n![Screenshot of a code editor showing a script for updating Zoom Meeting SDK with comments about a new Zoom Web App release and instructions for manual SDK upgrade. The script includes a URL for SDK setup, a shell command to update software, and a highlighted note indicating presence of a malicious payload hidden below the visible editor area.](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/Figure-2.-The-AppleScript-lure-with-decoy-content-and-payload-execution.webp)_Figure 2. The AppleScript lure with decoy content and payload execution_\\n\\n### Execution and payload delivery\\n\\n**Cascading curl-to-osascript execution**\\n\\nWhen the user opens the _Zoom SDK Update.scpt_ file, macOS launches the file in Script Editor, allowing Sapphire Sleet to transition from a single lure file to a multi-stage, dynamically fetched payload chain. 
From this single process, the entire attack unfolds through a cascading chain of _curl_ commands, each fetching and executing progressively more complex AppleScript payloads. Each stage uses a distinct user-agent string as a campaign tracking identifier.\\n\\n![Flowchart diagram illustrating a multi-stage malware attack process starting from a script editor executing various curl commands and AppleScripts, leading to backdoor deployments along with a credential harvester and host monitoring component.](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/Figure-3.-Process-tree-showing-cascading-execution-from-Script-Editor-1-scaled.webp)_Figure 3. Process tree showing cascading execution from Script Editor_\\n\\nThe main payload fetched by the mac-cur1 user agent is the attack orchestrator. Once executed within the Script Editor, it performs immediate reconnaissance, then kicks off parallel operations using additional _curl_ commands with different user-agent strings.\\n\\nNote the URL path difference: mac-cur1 through mac-cur3 fetch from _\/version\/_ (AppleScript payloads piped directly to osascript for execution), while mac-cur4 and mac-cur5 fetch from _\/status\/_ (ZIP archives containing compiled macOS ._app_ bundles).\\n\\nThe following table summarizes the _curl_ chain used in this campaign.\\n\\n**User agent**| **URL path**| **Purpose**  \\n&#8212;|&#8212;|&#8212;  \\nmac-cur1|  _\/fix\/mac\/update\/version\/_|  Main orchestrator (piped to osascript) beacon. 
Downloads _com.apple.cli_ host monitoring component and services backdoor  \\nmac-cur2|  _\/fix\/mac\/update\/version\/_|  Invokes _curl_ with mac-cur4 which downloads credential harvester _systemupdate.app_  \\nmac-cur3|  _\/fix\/mac\/update\/version\/_|  TCC bypass + data collection + exfiltration (wallets, browser, keychains, history, Apple Notes, Telegram)  \\nmac-cur4|  _\/fix\/mac\/update\/status\/_|  Downloads credential harvester _systemupdate.app_ (ZIP)  \\nmac-cur5|  _\/fix\/mac\/update\/status\/_|  Downloads decoy completion prompt _softwareupdate.app_ (ZIP)  \\n![Screenshot of a script editor displaying a Zoom SDK update script with process ID 10015. The script includes multiple cURL commands, Rosetta check, and a main payload section indicating potential malicious activity branching from the execution point.](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/Figure-4.-The-curl-chain-showing-user-agent-strings-and-payload-routing-1.webp)_Figure 4. The curl chain showing user-agent strings and payload routing_\\n\\n### Reconnaissance and C2 registration\\n\\nAfter execution, the malware next identifies and registers the compromised device with Sapphire Sleet infrastructure. The malware starts by collecting basic system details such as the current user, host name, system time, and operating system install date. This information is used to uniquely identify the compromised device and track subsequent activity.\\n\\nThe malware then registers the compromised system with its command\u2011and\u2011control (C2) infrastructure. The _mid_ value represents the device\u2019s universally unique identifier (UUID), the _did_ serves as a campaign\u2011level tracking identifier, and the _user_ field combines the system host name with the device serial number to uniquely label the targeted user.\\n\\n![Screenshot of a terminal command using curl to send a POST request with JSON data to an API endpoint. 
The JSON payload includes fields like mid, did, user, osVersion, timezone, installdate, and proclist, with several values redacted for privacy.](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-26.webp)_Figure 5. C2 registration with device UUID and campaign identifier_\\n\\n**Host monitoring component: com.apple.cli**\\n\\nThe first binary deployed is a host monitoring component called _com.apple.cli_ \u2014a ~5 MB Mach-O binary disguised with an Apple-style naming convention.\\n\\nThe mac-cur1 payload spawns an osascript that downloads and launches _com.apple.cli_ :\\n\\n![Screenshot of a code snippet showing a script designed to execute shell commands for downloading and running a payload, including setting usernames and handling errors.](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-28-1024&#215;421.webp)_Figure 6. com.apple.cli deployment using osascript_\\n\\nThe host monitoring component repeatedly executes a series of system commands to collect environment and runtime information, including the macOS version (_sw_vers_), the current system time (_date -u_), and the underlying hardware model (_sysctl hw.model_). It then runs _ps aux_ in a tight loop to capture a full, real\u2011time list of running processes.\\n\\nDuring execution, _com.apple.cli_ performs host reconnaissance while maintaining repeated outbound connectivity to the threat actor\u2011controlled C2 endpoint 83.136.208[.]246:6783. 
The observed sequencing of reconnaissance activity and network communication is consistent with staging for later operational activity, including privilege escalation, and exfiltration.\\n\\nIn parallel with deploying _com.apple.cli_ , the mac-cur1 orchestrator also deploys a second component, the services backdoor, as part of the same execution flow; its role in persistence and follow\u2011on activity is described later in this blog.\\n\\n### Credential access\\n\\n**Credential harvester: systemupdate.app**\\n\\nAfter performing reconnaissance, the mac-cur1 orchestrator begins parallel operations. During the mac\u2011cur2 stage of execution (independent from the mac-cur1 stage), Sapphire Sleet delivers an AppleScript payload that is executed through osascript. This stage is responsible for deploying the credential harvesting component of the attack.\\n\\nBefore proceeding, the script checks for the presence of a file named _.zoom.log_ on the system. This file acts as an infection marker, allowing Sapphire Sleet to determine whether the device has already been compromised. If the marker exists, deployment is skipped to avoid redundant execution across sessions.\\n\\nIf the infection marker is not found, the script downloads a compressed archive through the mac-cur4 user agent that contains a malicious macOS application named (_systemupdate.app_), which masquerades as the legitimate system update utility by the same name. The archive is extracted to a temporary location, and the application is launched immediately.\\n\\nWhen _systemupdate.app_ launches, the user is presented with a native macOS password dialog that is visually indistinguishable from a legitimate system prompt. The dialog claims that the user\u2019s password is required to complete a software update, prompting the user to enter their credentials.\\n\\nAfter the user enters their password, the malware performs two sequential actions to ensure the credential is usable and immediately captured. 
First, the binary validates the entered password against the local macOS authentication database using directory services, confirming that the credential is correct and not mistyped. Once validation succeeds, the verified password is immediately exfiltrated to threat actor\u2011controlled infrastructure using the Telegram Bot API, delivering the stolen credential directly to Sapphire Sleet.\\n\\n![Screenshot of a system preferences prompt requesting password entry to configure system settings before running an application. It features a red stop sign icon with an exclamation mark and a blue folder, a text input field, and a \\&#8221;Continue\\&#8221; button.](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-25.webp)_Figure 7. Password popup given by fake systemupdate.app_\\n\\n**Decoy completion prompt: softwareupdate.app**\\n\\nAfter credential harvesting is completed using _systemupdate.app_ , Sapphire Sleet deploys a second malicious application named _softwareupdate.app_ , whose sole purpose is to reinforce the illusion of a legitimate update workflow. This application is delivered during a later stage of the attack using the mac\u2011cur5 user\u2011agent. Unlike _systemupdate.app_ , _softwareupdate.app_ does not attempt to collect credentials. Instead, it displays a convincing \u201csystem update complete\u201d dialog to the user, signaling that the supposed Zoom SDK update has finished successfully. This final step closes the social engineering loop: the user initiated a Zoom\u2011themed update, was prompted to enter their password, and is now reassured that the process completed as expected, reducing the likelihood of suspicion or further investigation.\\n\\n### Persistence\\n\\n**Primary backdoor and persistence installer: services binary**\\n\\nThe services backdoor is a key operational component in this attack, acting as the primary backdoor and persistence installer. 
It provides an interactive command execution channel, establishes persistence using a launch daemon, and deploys two additional backdoors. The services backdoor is deployed through a dedicated AppleScript executed as part of the initial mac\u2011cur1 payload that also deployed _com.apple.cli_ , although the additional backdoors deployed by services are executed at a later stage.\\n\\nDuring deployment, the services backdoor binary is first downloaded using a hidden file name (._services_) to reduce visibility, then copied to its final location before the temporary file is removed. As part of installation, the malware creates a file named _auth.db_ under _~\/Library\/Application Support\/Authorization\/_ , which stores the path to the deployed services backdoor and serves as a persistent installation marker. Any execution or runtime errors encountered during this process are written to _\/tmp\/lg4err_ , leaving behind an additional forensic artifact that can aid post\u2011compromise investigation.\\n\\n![Screenshot of a code snippet written in a scripting language, focused on setting variables, file paths, and executing shell commands for downloading and managing files.](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/Figure-8.-Services-backdoor-deployment-using-osascript-2-1024&#215;628.webp)_Figure 8. Services backdoor deployment using osascript_\\n\\nUnlike _com.apple.cli_ , the services backdoor uses interactive zsh shells (_\/bin\/zsh -i_) to execute privileged operations. The _-i_ flag creates an interactive terminal context, which is required for sudo commands that expect interactive input.\\n\\n![Screenshot of terminal commands and script annotations related to installing and configuring persistence for icloudz malware. 
Commands include environment checks, anti-sleep measures, OS version beacon, credential harvester deletion, self-copy creation, and five persistence installation steps with file paths, permissions, and launchctl commands.](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-29.webp)_Figure 9. Interactive zsh shell execution by the services backdoor_\\n\\n**Additional backdoors: icloudz and com.google.chromes.updaters**\\n\\nOf the additional backdoors deployed by services, the icloudz backdoor is a renamed copy of the previously deployed services backdoor and shares the same SHA\u2011256 hash, indicating identical underlying code. Despite this, it is executed using a different and more evasive technique. Although icloudz shares the same binary as ._services_ , it operates as a reflective code loader\u2014it uses the macOS _NSCreateObjectFileImageFromMemory_ API to load additional payloads received from its C2 infrastructure directly into memory, rather than writing them to disk and executing them conventionally.\\n\\nThe icloudz backdoor is stored at _~\/Library\/Application Support\/iCloud\/icloudz_ , a location and naming choice intended to resemble legitimate iCloud\u2011related artifacts. Once loaded into memory, two distinct execution waves are observed. Each wave independently initializes a consistent sequence of system commands: existing caffeinate processes are stopped, caffeinate is relaunched using _nohup_ to prevent the system from sleeping, basic system information is collected using _sw_vers_ and _sysctl -n hw.model_ , and an interactive _\/bin\/zsh -i_ shell is spawned. This repeated initialization suggests that the component is designed to re\u2011establish execution context reliably across runs.\\n\\nFrom within the interactive zsh shell, icloudz deploys an additional (tertiary) backdoor, _com.google.chromes.updaters_ , to disk at _~\/Library\/Google\/com.google.chromes.updaters_. 
The selected directory and file name closely resemble legitimate Google application data, helping the file blend into the user\u2019s _Home_ directory and reducing the likelihood of casual inspection. File permissions are adjusted; ownership is set to allow execution with elevated privileges, and the _com.google.chromes.updaters_ binary is launched using sudo.\\n\\nTo ensure continued execution across reboots, a launch daemon configuration file named _com.google.webkit.service.plist_ is installed under _\/Library\/LaunchDaemons_. This configuration causes icloudz to launch automatically at system startup, even if no user is signed in. The naming convention deliberately mimics legitimate Apple and Google system services, further reducing the chance of detection.\\n\\nThe _com.google.chromes.updaters_ backdoor is the final and largest component deployed in this attack chain, with a size of approximately 7.2 MB. Once running, it establishes outbound communication with threat actor\u2011controlled infrastructure, connecting to the domain _check02id[.]com_ over port 5202. The process then enters a precise 60\u2011second beaconing loop. During each cycle, it executes minimal commands such as _whoami_ to confirm the execution context and _sw_vers -productVersion_ to report the operating system version. This lightweight heartbeat confirms the process remains active, is running with elevated privileges, and is ready to receive further instructions.\\n\\n### Privilege escalation\\n\\n**TCC bypass: Granting AppleEvents permissions**\\n\\nBefore large\u2011scale data access and exfiltration can proceed, Sapphire Sleet must bypass macOS TCC protections. TCC enforces user consent for sensitive inter\u2011process interactions, including AppleEvents, the mechanism required for osascript to communicate with Finder and perform file-level operations. 
The mac-cur3 stage silently grants itself these permissions by directly manipulating the user-level TCC database through the following sequence.\\n\\nThe user-level TCC database (_~\/Library\/Application Support\/com.apple.TCC\/TCC.db_) is itself TCC-protected\u2014processes without Full Disk Access (FDA) cannot read or modify it. Sapphire Sleet circumvents this by directing Finder, which holds FDA by default on macOS,  to rename the _com.apple.TCC_ folder. Once renamed, the TCC database file can be copied to a staging location by a process without FDA.\\n\\nSapphire Sleet then uses sqlite3 to inject a new entry into the database&#8217;s access table. This entry grants _\/usr\/bin\/osascript_ permission to send AppleEvents to _com.apple.finder_ and includes valid code-signing requirement (_csreq_) blobs for both binaries, binding the grant to Apple-signed executables. The authorization value is set to allowed (_auth_value=2_) with a user-set reason (_auth_reason=3_), ensuring no user prompt is triggered. The modified database is then copied back into the renamed folder, and Finder restores the folder to its original name. Staging files are deleted to reduce forensic traces.\\n\\n![Screenshot of a code snippet showing an SQLite3 command to insert data into an access table with columns for service, client, client_type, auth_value, and other attributes.](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-27.webp)_Figure 10. 
Overwriting original TCC database with modified version_\\n\\n### Collection and exfiltration\\n\\nWith TCC bypassed, credentials stolen, and backdoors deployed, Sapphire Sleet launches the next phase of attack: a 575-line AppleScript payload that systematically collects, stages, compresses, and exfiltrates seven categories of data.\\n\\n**Exfiltration architecture**\\n\\nEvery upload follows a consistent pattern and is executed using _nohup_ , which allows the command to continue running in the background even if the initiating process or Terminal session exits. This ensures that data exfiltration can complete reliably without requiring the threat actor to maintain an active session on the system.\\n\\nThe _auth_ header provides the upload authorization token, and the _mid_ header ties the upload to the compromised device&#8217;s UUID.\\n\\n![Screenshot of a terminal window showing a shell command sequence for zipping and uploading a file. Commands include compressing a directory, removing temporary files, and using curl with headers for authentication and file upload to a specified IP address and port.](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/Figure-11.-Exfiltration-upload-pattern-with-nohup.webp)_Figure 11. Exfiltration upload pattern with nohup_\\n\\n**Data collected during exfiltration**\\n\\n  * **Host and system reconnaissance:** Before bulk data collection begins, the script records basic system identity and hardware information. This includes the current username, system host name, macOS version, and CPU model. These values are appended to a per\u2011host log file and provide Sapphire Sleet with environmental context, hardware fingerprinting, and confirmation of the target system\u2019s characteristics. 
This reconnaissance data is later uploaded to track progress and correlate subsequent exfiltration stages to a specific device.\\n  * **Installed applications and runtime verification:** The script enumerates installed applications and shared directories to build an inventory of the system\u2019s software environment. It also captures a live process listing filtered for threat actor\u2011deployed components, allowing Sapphire Sleet to verify that earlier payloads are still running as expected. These checks help confirm successful execution and persistence before proceeding further.\\n  * **Messaging session data (Telegram):** Telegram Desktop session data is collected by copying the application\u2019s data directories, including cryptographic key material and session mapping files. These artifacts are sufficient to recreate the user\u2019s Telegram session on another system without requiring reauthentication. A second collection pass targets the Telegram App Group container to capture the complete local data set associated with the application.\\n  * **Browser data and extension storage:** For Chromium\u2011based browsers, including Chrome, Brave, and Arc, the script copies browser profiles and associated databases. This includes saved credentials, cookies, autofill data, browsing history, bookmarks, and extension\u2011specific storage. Particular focus is placed on IndexedDB entries associated with cryptocurrency wallet extensions, where wallet keys and transaction data are stored. Only IndexedDB entries matching a targeted set of wallet extension identifiers are collected, reflecting a deliberate and selective approach.\\n  * **macOS keychain:** The user\u2019s sign-in keychain database is bundled alongside browser data. 
Although the keychain is encrypted, Sapphire Sleet has already captured the user\u2019s password earlier in the attack chain, enabling offline decryption of stored secrets once exfiltrated.\\n  * **Cryptocurrency desktop wallets:** The script copies the full application support directories for popular cryptocurrency desktop wallets, including Ledger Live and Exodus. These directories contain wallet configuration files and key material required to access stored cryptocurrency assets, making them high\u2011value targets for exfiltration.\\n  * **SSH keys and shell history:** SSH key directories and shell history files are collected to enable potential lateral movement and intelligence gathering. SSH keys may provide access to additional systems, while shell history can reveal infrastructure details, previously accessed hosts, and operational habits of the targeted user.\\n  * **Apple Notes:** The Apple Notes database is copied from its application container and staged for upload. Notes frequently contain sensitive information such as passwords, internal documentation, infrastructure details, or meeting notes, making them a valuable secondary data source.\\n  * **System logs and failed access attempts:** System log files are uploaded directly without compression. These logs provide additional hardware and execution context and include progress markers that indicate which exfiltration stages have completed. 
Failed collection attempts\u2014such as access to password manager containers that are not present on the system\u2014are also recorded and uploaded, allowing Sapphire Sleet to understand which targets were unavailable on the compromised host.\\n\\n\\n\\n**Exfiltration summary**\\n\\n**#**| **Data category**| **ZIP name**| **Upload port**| **Estimated sensitivity**  \\n&#8212;|&#8212;|&#8212;|&#8212;|&#8212;  \\n1| Telegram session|  _tapp_ \\u003cuser\\u003e.zip_| 8443| Critical \u2014 session hijack  \\n2| Browser data + Keychain|  _ext_ \\u003cuser\\u003e.zip_| 8443| Critical \u2014 all passwords  \\n3| Ledger wallet|  _ldg_ \\u003cuser\\u003e.zip_| 8443| Critical \u2014 crypto keys  \\n4| Exodus wallet|  _exds_ \\u003cuser\\u003e.zip_| 8443| Critical \u2014 crypto keys  \\n5| SSH + shell history|  _hs_ \\u003cuser\\u003e.zip_| 8443| High \u2014 lateral movement  \\n6| Apple Notes|  _nt_ \\u003cuser\\u003e.zip_| 8443| Medium-High  \\n7| System log|  _lg_ \\u003cuser\\u003e_ (no zip)| 8443| Low \u2014 fingerprinting  \\n8| Recon log|  _flog_ (no zip)| 8443| Low \u2014 inventory  \\n9| Credentials| Telegram message| 443 (Telegram API)| Critical \u2014 sign-in password  \\n  \\nAll uploads use the upload authorization token fwyan48umt1vimwqcqvhdd9u72a7qysi and the machine identifier 82cf5d92-87b5-4144-9a4e-6b58b714d599.\\n\\n## Defending against Sapphire Sleet intrusion activity\\n\\nAs part of a coordinated response to this activity, Apple has implemented platform-level protections to help detect and block infrastructure and malware associated with this campaign. Apple has deployed Apple Safe Browsing protections in Safari to detect and block malicious infrastructure associated with this campaign. Users browsing with Safari benefit from these protections by default. 
Apple has also deployed XProtect signatures to detect and block the malware families associated with this campaign\u2014macOS devices receive these signature updates automatically.\\n\\nMicrosoft recommends the following mitigation steps to defend against this activity and reduce the impact of this threat:\\n\\n  * Educate users about social engineering threats originating from social media and external platforms, particularly unsolicited outreach requesting software downloads, virtual meeting tool installations, or execution of terminal commands. Users should never run scripts or commands shared through messages, calls, or chats without prior approval from their IT or security teams.\\n  * Block or restrict the execution of ._scpt_ (compiled AppleScript) files and unsigned Mach-O binaries downloaded from the internet. Where feasible, enforce policies that prevent osascript from executing scripts sourced from external locations.\\n  * Always inspect and verify files downloaded from external sources, including compiled AppleScript (._scpt_) files. These files can execute arbitrary shell commands via macOS Script Editor\u2014a trusted first-party Apple application\u2014making them an effective and stealthy initial access vector.\\n  * Limit or audit the use of _curl_ piped to interpreters (such as _curl_ | _osascript, curl_ | _sh, curl_ | _bash_). Social engineering campaigns by Sapphire Sleet rely on cascading curl-to-interpreter chains to avoid writing payloads to disk. Organizations should monitor for and restrict piped execution patterns originating from non-standard user-agent strings.\\n  * Exercise caution when copying and pasting sensitive data such as wallet addresses or credentials from the clipboard. Always verify that the pasted content matches the intended source to avoid falling victim to clipboard hijacking or data tampering attacks.\\n  * Monitor for unauthorized modifications to the macOS TCC database. 
This campaign manipulates _TCC.db_ to grant AppleEvents permissions to osascript without user consent\u2014a prerequisite for the large-scale data exfiltration phase. Look for processes copying, modifying, or overwriting _~\/Library\/Application Support\/com.apple.TCC\/TCC.db_.\\n  * Audit _LaunchDaemon_ and _LaunchAgent_ installations. This campaign installs a persistent launch daemon (_com.google.webkit.service.plist_) that masquerades as a legitimate Google or Apple service. Monitor _\/Library\/LaunchDaemons\/_ and _~\/Library\/LaunchAgents\/_ for unexpected plist files, particularly those with _com.google.*_ or _com.apple.*_ naming conventions not belonging to genuine vendor software.\\n  * Protect cryptocurrency wallets and browser credential stores. This campaign targets nine specific crypto wallet extensions (Sui, Phantom, TronLink, Coinbase, OKX, Solflare, Rabby, Backpack) plus Bitwarden, and exfiltrates browser sign-in data, cookies, and keychain databases. Organizations handling digital assets should enforce hardware wallet policies and rotate browser-stored credentials regularly.\\n  * Encourage users to use web browsers that support Microsoft Defender SmartScreen like Microsoft Edge\u2014available on macOS and various platforms\u2014which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware.\\n\\n\\n\\nMicrosoft Defender for Endpoint customers can also apply the following mitigations to reduce the environmental attack surface and mitigate the impact of this threat and its payloads:\\n\\n  * Use Microsoft Defender for Endpoint on Mac, which detects, stops, and quarantines the malware discussed in this blog.\\n  * Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. 
These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.\\n  * Enable potentially unwanted application (PUA) protection in block mode to automatically quarantine PUAs like adware. PUA blocking takes effect on endpoint clients after the next signature update or computer restart.\\n  * Turn on network protection to block connections to malicious domains and IP addresses.\\n\\n## Microsoft Defender detection and hunting guidance\\n\\nMicrosoft Defender customers can refer to the list of applicable detections below. Microsoft Defender coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.\\n\\n**Tactic**| **Observed activity**| **Microsoft Defender coverage**  \\n---|---|---  \\nInitial access| \u2013 Malicious _.scpt_ file execution (Zoom SDK Update lure)| **Microsoft Defender Antivirus**  \\n\u2013 Trojan:MacOS\/SuspMalScript.C  \\n\u2013 Trojan:MacOS\/FlowOffset.A!dha  \\n  \\n**Microsoft Defender for Endpoint**  \\n\u2013 Sapphire Sleet actor activity  \\n\u2013 Suspicious file or content ingress  \\nExecution| \u2013 Malicious osascript execution  \\n\u2013 Cascading curl-to-osascript chains  \\n\u2013 Malicious binary execution| **Microsoft Defender Antivirus**  \\n\u2013 Trojan:MacOS\/SuspMalScript.C  \\n\u2013 Trojan:MacOS\/SuspInfostealExec.C  \\n\u2013 Trojan:MacOS\/NukeSped.D  \\n  \\n**Microsoft Defender for Endpoint**  \\n\u2013 Suspicious file dropped and launched  \\n\u2013 Suspicious script launched  \\n\u2013 Suspicious AppleScript activity  \\n\u2013 Sapphire Sleet actor activity  \\n\u2013 Hidden file executed  \\nPersistence| \u2013 LaunchDaemon installation (_com.google.webkit.service.plist_)| **Microsoft Defender for Endpoint**  \\n\u2013 Suspicious Plist modifications  \\n\u2013 Suspicious launchctl tool activity  
\\nDefense evasion| \u2013 TCC database manipulation  \\n\u2013 Reflective code loading (_NSCreateObjectFileImageFromMemory_)| **Microsoft Defender for Endpoint**  \\n\u2013 Potential Transparency, Consent and Control bypass  \\n\u2013 Suspicious database access  \\nCredential access| \u2013 Fake password dialog (_systemupdate.app_, _softwareupdate.app_)  \\n\u2013 Keychain exfiltration| **Microsoft Defender Antivirus**  \\n\u2013 Trojan:MacOS\/PassStealer.D  \\n\u2013 Trojan:MacOS\/FlowOffset.D!dha  \\n\u2013 Trojan:MacOS\/FlowOffset.E!dha  \\n  \\n**Microsoft Defender for Endpoint**  \\n\u2013 Suspicious file collection  \\nCollection and exfiltration| \u2013 Browser data, crypto wallets, Telegram session, SSH keys, Apple Notes theft  \\n\u2013 Credential exfiltration using Telegram Bot API| **Microsoft Defender Antivirus**  \\n\u2013 Trojan:MacOS\/SuspInfostealExec.C  \\n  \\n**Microsoft Defender for Endpoint**  \\n\u2013 Enumeration of files with sensitive data  \\n\u2013 Suspicious File Copy Operations Using CoreUtil  \\n\u2013 Suspicious archive creation  \\n\u2013 Remote exfiltration activity  \\n\u2013 Possible exfiltration of archived data  \\nCommand and control| \u2013 Mach-O backdoors beaconing to C2 (_com.apple.cli_, _services_, _com.google.chromes.updaters_)| **Microsoft Defender Antivirus**  \\n\u2013 Trojan:MacOS\/NukeSped.D  \\n\u2013 Backdoor:MacOS\/FlowOffset.B!dha  \\n\u2013 Backdoor:MacOS\/FlowOffset.C!dha  \\n  \\n**Microsoft Defender for Endpoint**  \\n\u2013 Sapphire Sleet actor activity  \\n\u2013 Network connection by osascript  \\n\\n### Microsoft Security Copilot\\n\\nMicrosoft Security Copilot is embedded in Microsoft Defender and provides security teams with AI-powered capabilities to summarize incidents, analyze files and scripts, summarize identities, use guided responses, and generate device summaries, hunting queries, and incident reports.\\n\\nCustomers can also deploy AI agents, including the following 
Microsoft Security Copilot agents, to perform security tasks efficiently:\\n\\n  * Threat Intelligence Briefing agent\\n  * Phishing Triage agent\\n  * Threat Hunting agent\\n  * Dynamic Threat Detection agent\\n\\nSecurity Copilot is also available as a standalone experience where customers can perform specific security-related tasks, such as incident investigation, user analysis, and vulnerability impact assessment. In addition, Security Copilot offers developer scenarios that allow customers to build, test, publish, and integrate AI agents and plugins to meet unique security needs.\\n\\n### Threat intelligence reports\\n\\nMicrosoft Defender XDR customers can use the following threat analytics reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.\\n\\n**Microsoft Defender XDR threat analytics**\\n\\n  * Actor Profile: Sapphire Sleet\\n\\nMicrosoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.\\n\\n### Hunting queries\\n\\n#### Microsoft Defender XDR\\n\\nMicrosoft Defender XDR customers can run the following advanced hunting queries to find related activity in their networks:\\n\\n**Suspicious osascript execution with _curl_ piping**\\n\\nSearch for _curl_ commands piping output directly to osascript, a core technique in this Sapphire Sleet campaign\u2019s cascading payload delivery chain.\\n    \\n    \\n    DeviceProcessEvents\\n     | where Timestamp \\u003e ago(30d)\\n     | where 
FileName == \\\"osascript\\\" or InitiatingProcessFileName == \\\"osascript\\\"\\n     | where ProcessCommandLine has \\\"curl\\\" and ProcessCommandLine has_any (\\\"osascript\\\", \\\"| sh\\\", \\\"| bash\\\")\\n     | project Timestamp, DeviceId, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessFileName\\n    \\n\\n**Suspicious _curl_ activity with campaign user-agent strings**\\n\\nSearch for _curl_ commands using user-agent strings matching the Sapphire Sleet campaign tracking identifiers (mac-cur1 through mac-cur5, audio, beacon).\\n    \\n    \\n    DeviceProcessEvents\\n     | where Timestamp \\u003e ago(30d)\\n     | where FileName == \\\"curl\\\" or ProcessCommandLine has \\\"curl\\\"\\n     | where ProcessCommandLine has_any (\\\"mac-cur1\\\", \\\"mac-cur2\\\", \\\"mac-cur3\\\", \\\"mac-cur4\\\", \\\"mac-cur5\\\", \\\"-A audio\\\", \\\"-A beacon\\\")\\n     | project Timestamp, DeviceId, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine\\n    \\n\\n**Detect connectivity with known C2 infrastructure**\\n\\nSearch for network connections to the Sapphire Sleet C2 domains and IP addresses used in this campaign.\\n    \\n    \\n    let c2_domains = dynamic([\\\"uw04webzoom.us\\\", \\\"uw05webzoom.us\\\", \\\"uw03webzoom.us\\\", \\\"ur01webzoom.us\\\", \\\"uv01webzoom.us\\\", \\\"uv03webzoom.us\\\", \\\"uv04webzoom.us\\\", \\\"ux06webzoom.us\\\", \\\"check02id.com\\\"]);\\n     let c2_ips = dynamic([\\\"188.227.196.252\\\", \\\"83.136.208.246\\\", \\\"83.136.209.22\\\", \\\"83.136.208.48\\\", \\\"83.136.210.180\\\", \\\"104.145.210.107\\\"]);\\n     
DeviceNetworkEvents\\n     | where Timestamp \\u003e ago(30d)\\n     | where RemoteUrl has_any (c2_domains) or RemoteIP in (c2_ips)\\n     | project Timestamp, DeviceId, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine\\n    \\n\\n**TCC database manipulation detection**\\n\\nSearch for processes that copy, modify, or overwrite the macOS TCC database, a key defense evasion technique used by this campaign to grant unauthorized AppleEvents permissions.\\n    \\n    \\n    DeviceFileEvents\\n     | where Timestamp \\u003e ago(30d)\\n     | where FolderPath has \\\"com.apple.TCC\\\" and FileName == \\\"TCC.db\\\"\\n     | where ActionType in (\\\"FileCreated\\\", \\\"FileModified\\\", \\\"FileRenamed\\\")\\n     | project Timestamp, DeviceId, DeviceName, ActionType, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine\\n    \\n\\n**Suspicious _LaunchDaemon_ creation masquerading as legitimate services**\\n\\nSearch for _LaunchDaemon_ plist files created in _\/Library\/LaunchDaemons_ that masquerade as Google or Apple services, matching the persistence technique used by the services\/icloudz backdoor.\\n    \\n    \\n    DeviceFileEvents\\n     | where Timestamp \\u003e ago(30d)\\n     | where FolderPath startswith \\\"\/Library\/LaunchDaemons\/\\\"\\n     | where FileName startswith \\\"com.google.\\\" or FileName startswith \\\"com.apple.\\\"\\n     | where ActionType == \\\"FileCreated\\\"\\n     | project Timestamp, DeviceId, DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, SHA256\\n    \\n\\n**Malicious binary execution from suspicious paths**\\n\\nSearch for execution of binaries from paths commonly used by Sapphire Sleet, including hidden _Library_ directories, _\/private\/tmp\/_, and user-specific _Application Support_ folders.\\n    \\n    \\n    
DeviceProcessEvents\\n     | where Timestamp \\u003e ago(30d)\\n     | where FolderPath has_any (\\n         \\\"Library\/Services\/services\\\",\\n         \\\"Application Support\/iCloud\/icloudz\\\",\\n         \\\"Library\/Google\/com.google.chromes.updaters\\\",\\n         \\\"\/private\/tmp\/SystemUpdate\/\\\",\\n         \\\"\/private\/tmp\/SoftwareUpdate\/\\\",\\n         \\\"com.apple.cli\\\"\\n     )\\n     | project Timestamp, DeviceId, DeviceName, FileName, FolderPath, ProcessCommandLine, AccountName, SHA256\\n    \\n\\n**Credential harvesting using _dscl_ authentication check**\\n\\nSearch for _dscl -authonly_ commands used by the fake password dialog (_systemupdate.app_) to validate stolen credentials before exfiltration.\\n    \\n    \\n    DeviceProcessEvents\\n     | where Timestamp \\u003e ago(30d)\\n     | where FileName == \\\"dscl\\\" or ProcessCommandLine has \\\"dscl\\\"\\n     | where ProcessCommandLine has \\\"-authonly\\\"\\n     | project Timestamp, DeviceId, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine\\n    \\n\\n**Telegram Bot API exfiltration detection**\\n\\nSearch for network connections to Telegram Bot API endpoints, used by this campaign to exfiltrate stolen credentials.\\n    \\n    \\n    DeviceNetworkEvents\\n     | where Timestamp \\u003e ago(30d)\\n     | where RemoteUrl has \\\"api.telegram.org\\\" and RemoteUrl has \\\"\/bot\\\"\\n     | project Timestamp, DeviceId, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine\\n    \\n\\n**Reflective code loading using _NSCreateObjectFileImageFromMemory_**\\n\\nSearch for evidence of reflective Mach-O loading, the technique used by the icloudz backdoor to execute code in memory.\\n    \\n    \\n    DeviceEvents\\n     | where Timestamp \\u003e ago(30d)\\n     | where 
ActionType has \\\"NSCreateObjectFileImageFromMemory\\\"\\n         or AdditionalFields has \\\"NSCreateObjectFileImageFromMemory\\\"\\n     | project Timestamp, DeviceId, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName, AdditionalFields\\n    \\n\\n**Suspicious caffeinate and sleep prevention activity**\\n\\nSearch for caffeinate process stop-and-restart patterns used by the services and icloudz backdoors to prevent the system from sleeping during backdoor operations.\\n    \\n    \\n    DeviceProcessEvents\\n     | where Timestamp \\u003e ago(30d)\\n     | where ProcessCommandLine has \\\"caffeinate\\\"\\n     | where InitiatingProcessCommandLine has_any (\\\"icloudz\\\", \\\"services\\\", \\\"chromes.updaters\\\", \\\"zsh -i\\\")\\n     | project Timestamp, DeviceId, DeviceName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine\\n    \\n\\n**Detect known malicious file hashes**\\n\\nSearch for the specific malicious file hashes associated with this Sapphire Sleet campaign across file events.\\n    \\n    \\n    let malicious_hashes = dynamic([\\n         \\\"2075fd1a1362d188290910a8c55cf30c11ed5955c04af410c481410f538da419\\\",\\n         \\\"05e1761b535537287e7b72d103a29c4453742725600f59a34a4831eafc0b8e53\\\",\\n         \\\"5fbbca2d72840feb86b6ef8a1abb4fe2f225d84228a714391673be2719c73ac7\\\",\\n         \\\"5e581f22f56883ee13358f73fabab00fcf9313a053210eb12ac18e66098346e5\\\",\\n         \\\"95e893e7cdde19d7d16ff5a5074d0b369abd31c1a30962656133caa8153e8d63\\\",\\n         \\\"8fd5b8db10458ace7e4ed335eb0c66527e1928ad87a3c688595804f72b205e8c\\\",\\n         \\\"a05400000843fbad6b28d2b76fc201c3d415a72d88d8dc548fafd8bae073c640\\\"\\n     ]);\\n     DeviceFileEvents\\n     | where Timestamp \\u003e ago(30d)\\n     | where SHA256 in (malicious_hashes)\\n     | project Timestamp, 
DeviceId, DeviceName, FileName, FolderPath, SHA256, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine\\n    \\n\\n**Data staging and exfiltration activity**\\n\\nSearch for ZIP archive creation in _\/tmp\/_ directories followed by _curl_ uploads matching the staging-and-exfiltration pattern used for browser data, crypto wallets, Telegram sessions, SSH keys, and Apple Notes.\\n    \\n    \\n    DeviceProcessEvents\\n     | where Timestamp \\u003e ago(30d)\\n     | where (ProcessCommandLine has \\\"zip\\\" and ProcessCommandLine has \\\"\/tmp\/\\\")\\n         or (ProcessCommandLine has \\\"curl\\\" and ProcessCommandLine has_any (\\\"tapp_\\\", \\\"ext_\\\", \\\"ldg_\\\", \\\"exds_\\\", \\\"hs_\\\", \\\"nt_\\\", \\\"lg_\\\"))\\n     | project Timestamp, DeviceId, DeviceName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine\\n    \\n\\n**Script Editor launching suspicious child processes**\\n\\nSearch for Script Editor (the default handler for _.scpt_ files) spawning _curl_, osascript, or shell commands\u2014the initial execution vector in this campaign.\\n    \\n    \\n    DeviceProcessEvents\\n     | where Timestamp \\u003e ago(30d)\\n     | where InitiatingProcessFileName == \\\"Script Editor\\\" or InitiatingProcessCommandLine has \\\"Script Editor\\\"\\n     | where FileName has_any (\\\"curl\\\", \\\"osascript\\\", \\\"sh\\\", \\\"bash\\\", \\\"zsh\\\")\\n     | project Timestamp, DeviceId, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine\\n    \\n\\n#### Microsoft Sentinel\\n\\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with \u2018TI map\u2019) to automatically match the malicious domain indicators mentioned in this blog post with data in their 
workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.\\n\\n**Detect network indicators of compromise**\\n\\nThe following query checks for connections to the Sapphire Sleet C2 domains and IP addresses across network session data:\\n    \\n    \\n    let lookback = 30d;\\n     let ioc_domains = dynamic([\\\"uw04webzoom.us\\\", \\\"uw05webzoom.us\\\", \\\"uw03webzoom.us\\\", \\\"ur01webzoom.us\\\", \\\"uv01webzoom.us\\\", \\\"uv03webzoom.us\\\", \\\"uv04webzoom.us\\\", \\\"ux06webzoom.us\\\", \\\"check02id.com\\\"]);\\n     let ioc_ips = dynamic([\\\"188.227.196.252\\\", \\\"83.136.208.246\\\", \\\"83.136.209.22\\\", \\\"83.136.208.48\\\", \\\"83.136.210.180\\\", \\\"104.145.210.107\\\"]);\\n     DeviceNetworkEvents\\n     | where TimeGenerated \\u003e ago(lookback)\\n     | where RemoteUrl has_any (ioc_domains) or RemoteIP in (ioc_ips)\\n     | summarize EventCount=count() by DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName\\n    \\n\\n**Detect file hash indicators of compromise**\\n\\nThe following query searches for the known malicious file hashes associated with this campaign across file, process, and security event data:\\n    \\n    \\n    let selectedTimestamp = datetime(2026-01-01T00:00:00.0000000Z);\\n     let FileSHA256 = dynamic([\\n         \\\"2075fd1a1362d188290910a8c55cf30c11ed5955c04af410c481410f538da419\\\",\\n         \\\"05e1761b535537287e7b72d103a29c4453742725600f59a34a4831eafc0b8e53\\\",\\n         \\\"5fbbca2d72840feb86b6ef8a1abb4fe2f225d84228a714391673be2719c73ac7\\\",\\n         \\\"5e581f22f56883ee13358f73fabab00fcf9313a053210eb12ac18e66098346e5\\\",\\n         
\\\"95e893e7cdde19d7d16ff5a5074d0b369abd31c1a30962656133caa8153e8d63\\\",\\n         \\\"8fd5b8db10458ace7e4ed335eb0c66527e1928ad87a3c688595804f72b205e8c\\\",\\n         \\\"a05400000843fbad6b28d2b76fc201c3d415a72d88d8dc548fafd8bae073c640\\\"\\n     ]);\\n     search in (AlertEvidence, DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceProcessEvents, DeviceNetworkEvents, SecurityEvent, ThreatIntelligenceIndicator)\\n     TimeGenerated between ((selectedTimestamp - 1m) .. (selectedTimestamp + 90d))\\n     and (SHA256 in (FileSHA256) or InitiatingProcessSHA256 in (FileSHA256))\\n    \\n\\n**Detect Microsoft Defender Antivirus detections related to Sapphire Sleet**\\n\\nThe following query searches for Defender Antivirus alerts for the specific malware families used in this campaign and joins with device information for enriched context:\\n    \\n    \\n    let SapphireSleet_threats = dynamic([\\n         \\\"Trojan:MacOS\/NukeSped.D\\\",\\n         \\\"Trojan:MacOS\/PassStealer.D\\\",\\n         \\\"Trojan:MacOS\/SuspMalScript.C\\\",\\n         \\\"Trojan:MacOS\/SuspInfostealExec.C\\\"\\n     ]);\\n     SecurityAlert\\n     | where ProviderName == \\\"MDATP\\\"\\n     | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n     | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n     | where ThreatName in~ (SapphireSleet_threats) or ThreatFamilyName in~ (SapphireSleet_threats)\\n     | extend CompromisedEntity = tolower(CompromisedEntity)\\n     | join kind=inner (\\n         DeviceInfo\\n         | extend DeviceName = tolower(DeviceName)\\n     ) on $left.CompromisedEntity == $right.DeviceName\\n     | summarize arg_max(TimeGenerated, *) by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId, CompromisedEntity, ProductName, Entities\\n     | 
extend HostName = tostring(split(CompromisedEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(CompromisedEntity, '.'))\\n     | extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)\\n     | project-away DomainIndex\\n     | project TimeGenerated, DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, CompromisedEntity, ProductName, Entities, HostName, HostNameDomain\\n    \\n\\n## Indicators of compromise\\n\\n**Malicious file hashes**\\n\\n**File**| **SHA-256**  \\n---|---  \\n_\/Users\/\\u003cuser\\u003e\/Downloads\/Zoom SDK Update.scpt_| 2075fd1a1362d188290910a8c55cf30c11ed5955c04af410c481410f538da419  \\n_\/Users\/\\u003cuser\\u003e\/com.apple.cli_| 05e1761b535537287e7b72d103a29c4453742725600f59a34a4831eafc0b8e53  \\n_\/Users\/\\u003cuser\\u003e\/Library\/Services\/services_ (_services_ \/ _icloudz_)| 5fbbca2d72840feb86b6ef8a1abb4fe2f225d84228a714391673be2719c73ac7  \\n_com.google.chromes.updaters_| 5e581f22f56883ee13358f73fabab00fcf9313a053210eb12ac18e66098346e5  \\n_com.google.webkit.service.plist_| 95e893e7cdde19d7d16ff5a5074d0b369abd31c1a30962656133caa8153e8d63  \\n_\/private\/tmp\/SystemUpdate\/systemupdate.app\/Contents\/MacOS\/Mac Password Popup_| 8fd5b8db10458ace7e4ed335eb0c66527e1928ad87a3c688595804f72b205e8c  \\n_\/private\/tmp\/SoftwareUpdate\/softwareupdate.app\/Contents\/MacOS\/Mac Password Popup_| a05400000843fbad6b28d2b76fc201c3d415a72d88d8dc548fafd8bae073c640  \\n\\n**Domains and IP addresses**\\n\\n**Domain**| **IP address**| **Port**| **Purpose**  \\n---|---|---|---  \\n_uw04webzoom[.]us_| 188.227.196[.]252| 443| Payload staging  \\n_check02id[.]com_| 83.136.210[.]180| 5202| _chromes.updaters_  \\n| 83.136.208[.]246| 6783| _com.apple.cli_ invoked with IP and port, and beacon  \\n| 83.136.209[.]22| 8444| Downloads services backdoor  \\n| 
83.136.208[.]48| 443| services invoked with IP and port  \\n | 104.145.210[.]107| 6783| Exfiltration  \\n  \\n### Acknowledgments\\n\\nExisting blogs with similar behavior tracked:\\n\\n  * https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/unc1069-targets-cryptocurrency-ai-social-engineering\\n  * https:\/\/www.huntress.com\/blog\/inside-bluenoroff-web3-intrusion-analysis\\n  * https:\/\/securelist.com\/bluenoroff-apt-campaigns-ghostcall-and-ghosthie\/117842\/\\n  * https:\/\/x.com\/malwrhunterteam\/status\/2008831892616081508\\n  * https:\/\/x.com\/patrickwardle\/status\/2009008936771543341?s=46\\n\\n\\n\\n### Learn more\\n\\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.\\n\\nTo get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.\\n\\nTo hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.\\n\\nThe post Dissecting Sapphire Sleet\u2019s macOS intrusion from lure to compromise appeared first on Microsoft Security Blog.&#8221;,&#8221;published&#8221;:&#8221;2026-04-16T15:00:00&#8243;,&#8221;modified&#8221;:&#8221;2026-04-16T15:00:00&#8243;,&#8221;type&#8221;:&#8221;mssecure&#8221;,&#8221;title&#8221;:&#8221;Dissecting Sapphire Sleet\u2019s macOS intrusion from lure to 
compromise&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;MSSECURE:75E1FC8647218AF87BE0A6DF2F74B4EB&#8221;,&#8221;bulletinFamily&#8221;:&#8221;blog&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[],&#8221;sourceData&#8221;:&#8221;&#8221;,&#8221;sourceHref&#8221;:&#8221;&#8221;,&#8221;cvss&#8221;:{&#8220;score&#8221;:0,&#8221;severity&#8221;:&#8221;NONE&#8221;,&#8221;vector&#8221;:&#8221;NONE&#8221;,&#8221;version&#8221;:&#8221;NONE&#8221;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/04\/16\/dissecting-sapphire-sleets-macos-intrusion-from-lure-to-compromise\/&#8221;,&#8221;category_name&#8221;:&#8221;News&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#8221;,&
#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-04-16T16:57:59&#8243;,&#8221;description&#8221;:&#8221;In this article\\n\\n 1. Sapphire Sleet\u2019s campaign lifecycle\\n 2. Defending against Sapphire Sleet intrusion activity\\n 3. Microsoft Defender detection and hunting guidance\\n 4. Indicators of&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,110,13,33,7,11,5],"class_list":["post-47489","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-mssecure","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Dissecting Sapphire Sleet\u2019s macOS intrusion from lure to compromise_MSSECURE:75E1FC8647218AF87BE0A6DF2F74B4EB - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=47489\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Dissecting Sapphire Sleet\u2019s macOS intrusion from lure to compromise_MSSECURE:75E1FC8647218AF87BE0A6DF2F74B4EB - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{&#8220;lastseen&#8221;:&#8221;2026-04-16T16:57:59&#8243;,&#8221;description&#8221;:&#8221;In this articlenn 1. Sapphire Sleet\u2019s campaign lifecyclen 2. Defending against Sapphire Sleet intrusion activityn 3. 
Microsoft Defender detection and hunting guidancen 4. Indicators of...\" \/>","yoast_head_json":{"title":"Dissecting Sapphire Sleet\u2019s macOS intrusion from lure to compromise_MSSECURE:75E1FC8647218AF87BE0A6DF2F74B4EB - zero redgem","canonical":"https:\/\/zero.redgem.net\/?p=47489","article_published_time":"2026-04-16T12:42:17+00:00","author":"invoker","twitter_misc":{"Written by":"invoker","Est. reading time":"38 minutes"}}}