North Korean APT Targets macOS to Steal Crypto Wallets and SSH Keys
ID: c958332f-f6e5-5f96-90e2-2ce945ab20d1
STIX ID: report--c958332f-f6e5-5f96-90e2-2ce945ab20d1
Feed Name: GBHackers
This report details a macOS intrusion campaign attributed to the North Korean APT Sapphire Sleet (also tracked as BlueNoroff/UNC1069), which has targeted venture capital firms, Web3 developers, and cryptocurrency platforms since at least 2020. The attackers rely on social engineering (a fake Zoom SDK lure), malicious AppleScript, abuse of macOS privacy controls (TCC/Finder), persistence via launch daemons, in-memory payload loading, and encrypted exfiltration to steal wallets, credentials, and other sensitive data. The report includes multiple file paths and SHA-256 hashes as IOCs.
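Persistence via launch daemons is the one technique in that summary a defender can hunt for with host telemetry alone, without the report's IOCs. The script below is an added example written for this page, not code from the report or from GBHackers. The plists, labels and paths it contains are constructed for illustration (the "com.apple.zoomsdk" entry mimics the fake-SDK lure only in name) and are not the report's indicators; the heuristics are generic launchd triage rules, not the report's detection logic.

```python
"""Triage launchd plists for persistence patterns (added example, not from the report)."""
import plistlib
from pathlib import Path, PurePosixPath

# Directories where Apple- and installer-placed binaries normally live.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/",
                    "/Applications/")
# Interpreters commonly wired into a launch daemon to run a script or a
# downloaded payload (osascript covers AppleScript-based tradecraft).
LOLBINS = {"osascript", "bash", "sh", "zsh", "curl", "python3", "perl"}


def findings_for(plist: dict) -> list[str]:
    """Return heuristic findings for one parsed launchd plist (empty = not flagged)."""
    out = []
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else "")
    label = plist.get("Label", "")
    paths = [program, *args]  # every path-like value the daemon references

    if program and not program.startswith(TRUSTED_PREFIXES):
        out.append(f"program outside trusted dirs: {program}")
    if any(part.startswith(".") for p in paths for part in PurePosixPath(p).parts):
        out.append(f"hidden directory referenced: {' '.join(paths)}")
    if PurePosixPath(program).name in LOLBINS:
        out.append(f"interpreter as program: {' '.join(args) or program}")
    if label.startswith("com.apple.") and not program.startswith(("/System/", "/usr/")):
        out.append(f"Apple-looking label {label} runs non-Apple binary {program}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        out.append("RunAtLoad + KeepAlive (restart-on-kill persistence)")
    return out


def scan(plists: dict[str, bytes]) -> dict[str, list[str]]:
    """Parse each plist (path -> raw bytes) and collect findings per path."""
    results = {}
    for path, raw in plists.items():
        try:
            results[path] = findings_for(plistlib.loads(raw))
        except (plistlib.InvalidFileException, ValueError) as exc:
            results[path] = [f"unparseable plist: {exc}"]
    return results


def flagged(results: dict[str, list[str]]) -> list[str]:
    """Paths that produced at least one finding, sorted for stable output."""
    return sorted(p for p, f in results.items() if f)


def scan_directory(dirpath: str = "/Library/LaunchDaemons") -> dict[str, list[str]]:
    """Scan a real launchd directory on a macOS host (not exercised offline)."""
    return scan({str(p): p.read_bytes() for p in Path(dirpath).glob("*.plist")})


# Constructed sample plists (hypothetical labels and paths, not report IOCs),
# serialised to XML exactly as they would sit on disk.
SAMPLE_PLISTS = {
    path: plistlib.dumps(body)
    for path, body in {
        "/Library/LaunchDaemons/com.apple.softwareupdated.plist": {
            "Label": "com.apple.softwareupdated",
            "ProgramArguments": ["/usr/libexec/softwareupdated"],
            "RunAtLoad": True,
        },
        "/Library/LaunchDaemons/com.apple.zoomsdk.plist": {
            "Label": "com.apple.zoomsdk",  # Apple-style label hiding a lure
            "ProgramArguments": ["/usr/bin/osascript",
                                 "/Users/Shared/.zoomsdk/update.scpt"],
            "RunAtLoad": True,
            "KeepAlive": True,
        },
        "/Library/LaunchDaemons/com.example.helper.plist": {
            "Label": "com.example.helper",
            "Program": "/Users/Shared/.helper/helperd",
            "RunAtLoad": True,
        },
    }.items()
}

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_PLISTS).items():
        print(path, "->", findings or "clean")
```

On a live host, run `scan_directory()` for both `/Library/LaunchDaemons` and each user's `~/Library/LaunchAgents`; the interpreter and hidden-directory rules are the ones that most often surface script-driven persistence, while a "com.apple." label pointing at a non-Apple binary is a strong signal on its own.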
