North Korean Hackers Use AppleScript, ClickFix in Fresh macOS Attacks

Summary

North Korean threat actors are conducting sophisticated campaigns against macOS users in financial organizations, including cryptocurrency and venture capital firms. Two distinct attack methods have been identified: ClickFix social engineering via Telegram using fake video conferencing invitations, and AppleScript-based campaigns attributed to Sapphire Sleet using fake recruiter profiles. Both ultimately deliver information-stealing malware (Mach-O Man and backdoors) designed to harvest credentials, Keychain entries, crypto wallets, SSH keys, and browser data.

Full text

North Korean hackers have been using various social engineering and evasion techniques in recently observed attacks targeting macOS users within financial organizations. A campaign uncovered by Any.Run has relied on the infamous ClickFix technique to trick macOS users into installing information-stealing malware. The hackers have been mounting the attacks over Telegram, targeting business leaders, often using the compromised accounts of people known to the victim, with fake meeting invitations. The victims have been directed to websites mimicking Zoom, Microsoft Teams, or Google Meet, and prompted to “fix” a fake connection issue by copying and executing a command in the Terminal. This has resulted in the execution of Go-based Mach-O binaries, part of a malware kit dubbed Mach-O Man and designed to collect credentials, system secrets such as Keychain entries, and browser sessions. The data has been exfiltrated over Telegram. Another campaign, attributed by Microsoft to Sapphire Sleet, a state-sponsored group active since at least 2020, has relied on AppleScript for code execution and detection evasion, but has been leading to the same outcome: sensitive data exfiltration.Advertisement. Scroll to continue reading. The hackers have been using fake recruiter profiles on online platforms to engage in conversations with the victims and to invite them to technical interviews. During the fake interviews, the victims have been asked to install malware masquerading as a video conferencing tool or software developer kit (SDK) update. The campaign does not involve ClickFix, which relies on the victims’ willingness to copy the commands leading to malware infection. Instead, the downloaded file, a compiled AppleScript, would automatically open in macOS Script Editor to execute embedded arbitrary shell commands. As part of the complex infection chain, multiple AppleScript payloads would be executed, ultimately leading to the deployment of several backdoors. The attack also focuses on achieving persistence and on privilege escalation. The deployed payloads were designed to perform system reconnaissance, enumerate installed applications, and harvest Telegram data, browser profiles and the associated databases, Keychain databases, cryptocurrency wallets, SSH keys, shell history, the Apple Notes database, and system logs. Related: North Korean Hackers Take Over Victims’ Systems Using Zoom Meeting Related: $290 Million Kelp DAO Crypto Heist Blamed on North Korea Related: Two North Korean IT Worker Scheme Facilitators Jailed in the US Related: North Korean Hackers Target High-Profile Node.js Maintainers Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Dozens of Malicious Crypto Apps Land in Apple App StoreProgress Patches Multiple Vulnerabilities in MOVEit WAF, LoadMasterOrganizations Warned of Exploited Cisco, Kentico, Zimbra Vulnerabilities$290 Million Kelp DAO Crypto Heist Blamed on North KoreaBritish Scattered Spider Hacker Pleads Guilty in the USHackers Abuse QEMU for Defense EvasionHalf of the 6 Million Internet-Facing FTP Servers Lack EncryptionHackers Fail to Exploit Flaw in Discontinued TP-Link Routers Latest News Most Serious Cyberattacks Against the UK Now From Russia, Iran and China, Cyber Chief SaysNew Wiper Malware Targeted Venezuelan Energy Sector Prior to US Intervention Mirai Botnet Targets Flaw in Discontinued D-Link RoutersAre SBOMs Failing? Supply Chain Attacks Rise as Security Teams Struggle With SBOM DataClaude Mythos Finds 271 Firefox VulnerabilitiesGoogle Antigravity in Crosshairs of Security Researchers, CybercriminalsOracle Patches 450 Vulnerabilities With April 2026 CPUThird US Security Expert Admits Helping Ransomware Gang Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: A Step-by-Step Approach to AI Governance April 28, 2026 With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment. Register Virtual Event: Threat Detection and Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the MoveAnti-ransomware platform Halcyon has named Kirstjen Nielsen and Chris Inglis as Strategic Advisors.ThreatModeler has appointed Kevin Gallagher as Chief Executive Officer.Thomas Bain has been appointed Chief Marketing Officer at Silent Push.More People On The MoveExpert Insights Government Can’t Win the Cyber War Without the Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• malware — Mach-O Man

Entities