A new cyber campaign targeting macOS users has been identified, orchestrated by the North Korean threat actor group known as Sapphire Sleet. This campaign marks a strategic shift from exploiting software vulnerabilities to employing social engineering tactics to deceive users. The attackers are distributing malware by disguising it as a legitimate Zoom SDK update, which users are tricked into executing.
Instead of exploiting traditional software vulnerabilities, Sapphire Sleet is leveraging social engineering techniques to bypass Apple's built-in security protections. The attackers present users with a fake software update prompt, which appears to be a legitimate update for the Zoom SDK. Once the user executes the update, the malicious file is installed, compromising the system.
This method of attack is particularly concerning because it relies on user interaction rather than on technical flaws in the software. By disguising the malware as a trusted software update, the attackers can effectively bypass many of the security measures designed to protect macOS users from unauthorized software installations, which makes user vigilance an important part of defending against it.
The impact of this campaign could be significant, as it targets a widely used platform and exploits the trust users place in software updates. If successful, the malware could allow attackers to gain unauthorized access to sensitive information, potentially leading to data breaches or further exploitation of compromised systems.
To protect against this threat, macOS users should be cautious of unexpected software update prompts, especially those claiming to update the Zoom SDK. Verify the legitimacy of any update by obtaining it through the vendor's official website or other official sources rather than from the prompt itself, and keep security software up to date so that it can detect and block such threats.
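For a reader who wants a concrete way to "verify the legitimacy" of a file that arrived as a supposed update, the following pre-flight script is an added example written for this summary; it is not code from the Microsoft post and does not describe the actual Sapphire Sleet sample. It assumes macOS with Apple's standard `xattr`, `codesign` and `spctl` tools, and it assumes you replace the `TEAMID_PLACEHOLDER` value with the Team ID read from a known-good install of the software (for Zoom, `codesign -dv --verbose=4 /Applications/zoom.us.app`), never with a value taken from the prompt itself. The decision logic is kept in a separate function from the tool calls so the policy can be tested on any system.

```shell
#!/bin/sh
# Added example (not from the Microsoft post): pre-flight check for a file that
# arrived as an out-of-band "software update" on macOS.
# EXPECTED_TEAM_ID is a placeholder; take it from a known-good install, not the prompt.
EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-TEAMID_PLACEHOLDER}"

# decide <quarantined:0|1> <signature_valid:0|1> <gatekeeper_ok:0|1> <team_id>
# Pure policy, no tool calls, so it can be exercised on a non-macOS machine.
decide() {
  q=$1; sig=$2; gk=$3; team=$4
  if [ "$sig" -ne 1 ]; then
    echo "REJECT: code signature missing or invalid"; return 1
  fi
  if [ "$gk" -ne 1 ]; then
    echo "REJECT: Gatekeeper assessment failed (not notarized or revoked)"; return 1
  fi
  if [ "$team" != "$EXPECTED_TEAM_ID" ]; then
    echo "REJECT: signed by Team ID '$team', expected '$EXPECTED_TEAM_ID'"; return 1
  fi
  if [ "$q" -ne 1 ]; then
    # Files fetched by curl or unpacked by some tools carry no quarantine flag,
    # so Gatekeeper would not have prompted on first launch. Worth knowing.
    echo "WARN: no quarantine attribute, Gatekeeper would not have prompted on launch"
  fi
  echo "ACCEPT: signature, notarization and Team ID all check out"; return 0
}

# inspect <path>: gather the facts with Apple's tools, then hand them to decide().
inspect() {
  f=$1
  [ -e "$f" ] || { echo "REJECT: no such file: $f"; return 1; }
  q=0;   xattr -p com.apple.quarantine "$f" >/dev/null 2>&1 && q=1
  sig=0; codesign --verify --deep --strict "$f" >/dev/null 2>&1 && sig=1
  # .pkg installers are assessed under the "install" policy, apps/binaries under "execute".
  case "$f" in *.pkg) kind=install ;; *) kind=execute ;; esac
  gk=0;  spctl --assess --type "$kind" "$f" >/dev/null 2>&1 && gk=1
  # codesign prints signing details (including TeamIdentifier=...) on stderr.
  team=$(codesign -dv --verbose=4 "$f" 2>&1 | sed -n 's/^TeamIdentifier=//p')
  decide "$q" "$sig" "$gk" "$team"
}

# Usage: sh verify_update.sh ~/Downloads/ZoomSDKUpdate.pkg
if [ -n "${1:-}" ]; then inspect "$1"; fi
```

An ACCEPT here only proves who signed the file and that Apple has not revoked its notarization; it does not prove the vendor actually shipped this file as an update. Treat it as one check alongside the advice above: get updates from the vendor's own channel, and if the file fails any step, do not run it.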
Source: https://www.microsoft.com/en-us/security/blog/2026/04/16/dissecting-sapphire-sleets-macos-intrusion-from-lure-to-compromise/