Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign
ID: 9d8cb598-70c2-5a25-b035-38e1f93c46ad
STIX ID: report--9d8cb598-70c2-5a25-b035-38e1f93c46ad
Feed Name: LevelBlue SpiderLabs Blog
This report describes a sophisticated macOS intrusion campaign by North Korea-linked Sapphire Sleet that uses targeted social engineering (fake Zoom SDK updates) and native macOS binaries (Script Editor, osascript, Finder) to bypass privacy protections, harvest credentials and cryptographic assets, maintain persistence via LaunchDaemons and reflective in-memory loading, and exfiltrate staged archives to identified C2 infrastructure. The document includes detailed TTPs and IoCs (SHA-256 hashes, domains, IPs, ports) for detection and response.
