Overview of the Sapphire Sleet Campaign
The latest AlienVault threat report, published on 2026-05-29, highlights a sophisticated multi‑stage intrusion campaign carried out by the North Korean state‑sponsored group known as Sapphire Sleet. The operation is specifically engineered to target macOS environments within high‑value sectors such as venture capital, Web3 development, and cryptocurrency organizations. The attackers have demonstrated a deep understanding of macOS security mechanisms and have exploited legitimate system tools to bypass traditional defenses.
Attack Vectors and Initial Access
Initial access is achieved through a social engineering vector that masquerades as a Zoom SDK update. Victims are instructed to download and run a seemingly harmless update component. Once executed, the component establishes a foothold by leveraging signed, built‑in macOS applications such as Apple Script Editor and Finder. These applications are used to suppress system security alerts and to execute arbitrary code under the guise of a legitimate user‑initiated update. Because the payload is signed, it bypasses Gatekeeper and other macOS integrity checks.
Execution and Persistence Mechanisms
After the initial compromise, the attackers deploy a two‑phase payload. The first phase is a lightweight dropper that creates a hidden directory in the user’s Library folder, where it stores a secondary module. This module is designed to persist across reboots by adding itself to the Login Items list and by creating a launch agent with a custom plist file. The second phase involves the execution of a command and control (C2) component that communicates with the attacker’s infrastructure over encrypted channels. The C2 component can receive further instructions, including the download of additional malware or the execution of arbitrary code.
Defensive Evasion Tactics
Sapphire Sleet’s use of signed native applications is a key evasion technique. By executing code via Apple Script Editor and Finder, the attackers avoid triggering the macOS sandboxing model. Additionally, the campaign suppresses system alerts by manipulating the Notification Center and by modifying system logs to hide malicious activity. The attackers also employ process injection techniques to hide the presence of malicious binaries in memory, making detection by conventional endpoint detection and response (EDR) solutions more difficult.
Indicators of Compromise (IOCs)
While the report does not list specific IP addresses, the following IOCs are relevant:
- Signed Apple Script Editor binaries with anomalous command execution
- Unexpected Finder processes that launch hidden scripts
- New Launch Agent plist files located in
~/Library/LaunchAgents - Encrypted network traffic originating from port 443 to domains associated with AlienVault Pulse and LevelBlue Blog
Recommendations for Security Analysts and Organizations
- Verify Software Signatures: Ensure that all downloaded updates are signed by known, trusted publishers. Use tools that cross‑check the certificate chain against a whitelist of trusted root certificates.
- Restrict Execution of Untrusted Scripts: Configure macOS Gatekeeper to allow only applications from the Mac App Store or identified developers. Disable the ability for users to run scripts from unknown sources.
- Monitor Login Items and Launch Agents: Regularly audit the contents of
~/Library/LaunchAgentsand/Library/LaunchAgentsfor unfamiliar plist files. Use automated scripts to flag changes to these directories. Implement Endpoint Detection and Response (EDR): Deploy EDR solutions that can detect anomalous process behavior, such as Apple Script Editor launching hidden scripts or Finder executing unexpected commands.
Educate Users on Social Engineering: Conduct targeted phishing awareness training that focuses on malicious software updates and the risks of downloading software from unofficial sources.
Segment Network Access: Limit outbound network traffic from macOS devices to only necessary ports and destinations. Use firewall rules to block connections to known malicious domains.
7. Regularly Update macOS: Keep macOS versions and all security patches up to date. Newer releases include mitigations against several known exploitation techniques used by Sapphire Sleet.
Conclusion
The Sapphire Sleet campaign demonstrates a sophisticated blend of social engineering and native macOS exploitation. By leveraging signed applications and suppressing system alerts, the attackers achieve persistence and stealth in high‑value target environments. Security analysts should prioritize the detection of anomalous script execution and the monitoring of launch agents, while organizations should enforce strict software signing policies and user education to mitigate this emerging threat.

