Hackers Use Fake Software Update Prompts to Steal Passwords and Crypto Wallet Data From macOS Users

Source: cybersecuritynews.com (Cybersecurity News), by Blog Writer


A dangerous new cyber campaign is putting macOS users at serious risk, and it does not rely on software bugs to do its damage.

Instead, the attackers trick people into handing over their own passwords and sensitive data by making everything look completely normal.

What appears to be a routine software update turns out to be a carefully crafted trap, and by the time a victim realizes something is wrong, the damage may already be done.

The group behind this activity is known as Sapphire Sleet, a North Korean state-backed threat actor active since at least March 2020. Their targets are not random.

They focus almost entirely on people involved in cryptocurrency, venture capital, and blockchain-related businesses. The core goal is to steal digital assets and financial information from high-value individuals and organizations around the world.

Analysts at Microsoft said in a report shared with Cyber Security News (CSN) that the campaign began in early 2026 and introduces macOS-specific attack techniques not previously seen from this actor.

According to the report, the attack works entirely through social engineering, meaning the hackers convince users to run malicious files themselves rather than exploiting any flaw in the operating system.

Process tree showing cascading execution from Script Editor (Source – Microsoft)

The attack begins when a target is contacted on social media or professional platforms by someone posing as a job recruiter.

After some back-and-forth, the target is directed to download a file disguised as a Zoom SDK update. Once opened, the file launches in macOS Script Editor, a legitimate Apple tool, and quietly begins pulling additional malicious code in the background.

The user sees nothing suspicious, only what looks like an ordinary software installation. Microsoft shared its findings with Apple as part of a responsible disclosure process.

Apple has since rolled out platform-level protections, including XProtect signature updates and Safari Safe Browsing blocks, to detect and stop infrastructure tied to this campaign. macOS users are strongly encouraged to keep their devices fully updated to benefit from these protections.

Hackers Use Fake Software Update Prompts

Once the malicious script runs on a victim’s machine, it silently deploys a fake application called systemupdate.app. This app presents the user with a native-looking macOS password dialog that is visually indistinguishable from a real system prompt.

The user is told their password is required to finish the software update, and most people simply type it in without a second thought.

After the password is entered, the malware verifies it against the local macOS authentication database. If the credential checks out, it is immediately forwarded to the attackers via the Telegram messaging service.

Password popup given by fake systemupdate.app (Source – Microsoft)

A second fake app, softwareupdate.app, then shows a convincing update-complete dialog to prevent the victim from growing suspicious. Meanwhile, the malware collects cryptocurrency wallet files, saved browser passwords, Telegram session data, SSH keys, Apple Notes, and browsing history.

Persistent Backdoors and Large-Scale Exfiltration

Beyond stealing credentials, Sapphire Sleet installs multiple backdoors to maintain long-term access. A component named com.apple.cli acts as a host monitoring tool that continuously checks in with the attackers’ servers.

A more advanced backdoor named icloudz loads code directly into memory, leaving little trace on disk and making it considerably harder for security tools to catch.

The malware installs a launch daemon that automatically restarts the backdoor after every system reboot. All stolen data is compressed into archives and uploaded to attacker-controlled servers over port 8443, while credentials are sent separately via the Telegram Bot API.

In June 2026, Microsoft noted that Sapphire Sleet had introduced a Microsoft Teams-themed lure with updated payload names, carrying on the same attack chain under fresh disguises.

The AppleScript lure with decoy content and payload execution (Source – Microsoft)

Microsoft advises users never to run scripts or terminal commands shared through chat messages without approval from a trusted IT team.

Organizations should block compiled AppleScript files (.scpt) downloaded from the internet and monitor for unauthorized changes to the macOS TCC (Transparency, Consent, and Control) database.

Anyone managing cryptocurrency assets should rely on hardware wallets and regularly rotate credentials stored in browsers.
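For defenders who want to turn the guidance above into a host check, the following shell function looks for the persistence entries, backdoor binaries, installation marker and lure file names that the article's IoC table lists. It is an added example written for this article, not Microsoft's or Apple's tooling. The ROOT argument (default "/") is an assumption that lets the same function run against a mounted disk image or a test tree; the assumption that user home directories live under ROOT/Users is also ours, so adjust it for your fleet.

```shell
#!/bin/sh
# Hunt for the Sapphire Sleet host artifacts named in this article's IoC
# table. Added example, not Microsoft's or Apple's tooling. ROOT defaults
# to "/" so it can be pointed at a mounted disk image or a test tree; the
# assumption that user homes live under ROOT/Users is ours, adjust for
# your fleet. Prints one "HIT <path>" line per artifact found.
hunt_sapphire_sleet_artifacts() {
    root="${1:-/}"
    root="${root%/}"   # "/" -> "" so "$root/Library" becomes "/Library"

    # System-wide persistence: the launch daemon from the IoC table
    p="$root/Library/LaunchDaemons/com.google.webkit.service.plist"
    [ -e "$p" ] && echo "HIT $p"

    for home in "$root"/Users/*; do
        [ -d "$home" ] || continue
        # Per-user persistence, backdoor binaries and the installation marker
        for rel in \
            "Library/LaunchAgents/com.apple.identification.plist" \
            "Library/Application Support/iCloud/icloudz" \
            "Library/Google/com.google.chromes.updaters" \
            "Library/Application Support/Authorization/auth.db"
        do
            [ -e "$home/$rel" ] && echo "HIT $home/$rel"
        done
        # Lure files (compiled AppleScript) by the names the article gives
        [ -d "$home/Downloads" ] && find "$home/Downloads" -type f \
            \( -iname 'zoom sdk update.scpt' -o -iname 'msteams sdk update.scpt' \) \
            -exec printf 'HIT %s\n' {} \;
    done
    return 0
}

# Usage: hunt_sapphire_sleet_artifacts /Volumes/suspect_disk
```

The checks are path-exact on purpose: a hit on any of these names is high confidence because none of them belong to a stock macOS install, while a broader search for every .scpt in Downloads would need triage. Run it from an EDR script job or against a forensic image rather than relying on it as the only control; the launch daemon and agent paths are the ones most worth alerting on, since they are what survives a reboot.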

Indicators of Compromise (IoCs)

| Type | Indicator | Description |
| --- | --- | --- |
| IP Address | 83.136.208[.]246 | C2 server used by com.apple.cli host monitoring component (port 6783) |
| IP Address | 188.227.196[.]252 | Sapphire Sleet C2 infrastructure |
| IP Address | 83.136.209[.]22 | Sapphire Sleet C2 infrastructure |
| IP Address | 83.136.208[.]48 | Sapphire Sleet C2 infrastructure |
| IP Address | 83.136.210[.]180 | Sapphire Sleet C2 infrastructure |
| IP Address | 104.145.210[.]107 | Sapphire Sleet C2 infrastructure |
| IP Address | 188.227.197[.]136 | Sapphire Sleet C2 infrastructure |
| Domain | uw04webzoom[.]us | Sapphire Sleet attacker-controlled domain |
| Domain | uw05webzoom[.]us | Sapphire Sleet attacker-controlled domain |
| Domain | uw03webzoom[.]us | Sapphire Sleet attacker-controlled domain |
| Domain | ur01webzoom[.]us | Sapphire Sleet attacker-controlled domain |
| Domain | uv01webzoom[.]us | Sapphire Sleet attacker-controlled domain |
| Domain | uv03webzoom[.]us | Sapphire Sleet attacker-controlled domain |
| Domain | uv04webzoom[.]us | Sapphire Sleet attacker-controlled domain |
| Domain | ux06webzoom[.]us | Sapphire Sleet attacker-controlled domain |
| Domain | check02id[.]com | C2 domain used by com.google.chromes.updaters backdoor (port 5202) |
| File Name | Zoom SDK Update.scpt | Initial lure file (compiled AppleScript) delivered via social engineering |
| File Name | msteams sdk update.scpt | Teams-themed lure file used in June 2026 updated campaign |
| File Name | systemupdate.app | Fake credential harvester disguised as macOS system update |
| File Name | softwareupdate.app | Decoy completion app displaying fake update-complete dialog |
| File Name | com.apple.cli | Host monitoring Mach-O binary (~5 MB), Apple-style naming camouflage |
| File Name | icloudz | Reflective code loader backdoor stored at ~/Library/Application Support/iCloud/icloudz |
| File Name | com.google.chromes.updaters | Tertiary backdoor (~7.2 MB) stored at ~/Library/Google/com.google.chromes.updaters |
| File Name | com.microsoft.helper | Host monitoring component used in Teams-themed campaign variant |
| File Name | .google.docs | Hidden Mach-O backdoor used in Teams-themed campaign variant |
| File Path | /Library/LaunchDaemons/com.google.webkit.service.plist | Persistence launch daemon installed by Sapphire Sleet |
| File Path | ~/Library/LaunchAgents/com.apple.identification.plist | Persistence launch agent in Teams-themed campaign variant |
| File Path | ~/Library/Application Support/Authorization/auth.db | Installation marker file storing path to services backdoor |
| Token | fwyan48umt1vimwqcqvhdd9u72a7qysi | Exfiltration upload authorization token |
| UUID | 82cf5d92-87b5-4144-9a4e-6b58b714d599 | Campaign machine identifier used in exfiltration headers |
| User-Agent | mac-cur1 / mac-cur2 / mac-cur3 / mac-cur4 / mac-cur5 | Campaign tracking user-agent strings used in curl-to-osascript chain |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
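As an added example of putting the network indicators above to work (this is not Microsoft's, Apple's or CSN's tooling), the script below keeps the IPs and domains in their defanged form, refangs them only at load time, and matches them against proxy and netflow style log lines. The indicators, the C2 ports (8443, 6783, 5202) and the mac-cur1 to mac-cur5 user-agent strings are copied from the article; the log lines are constructed for illustration and their field names (host=, dst=, dport=, ua=) are an assumed format rather than any vendor's schema.

```python
"""Match the defanged Sapphire Sleet indicators from the table above
against network-style log lines.

Added example for this article; it is not Microsoft's, Apple's or CSN's
tooling. The indicators are copied verbatim from the table; the log lines
are constructed for illustration and the field names (host=, dst=, dport=,
ua=) are an assumed log format, not any vendor's schema."""
import re

# Defanged exactly as published; refang only inside a controlled environment.
DEFANGED_IPS = [
    "83.136.208[.]246", "188.227.196[.]252", "83.136.209[.]22",
    "83.136.208[.]48", "83.136.210[.]180", "104.145.210[.]107",
    "188.227.197[.]136",
]
DEFANGED_DOMAINS = [
    "uw04webzoom[.]us", "uw05webzoom[.]us", "uw03webzoom[.]us",
    "ur01webzoom[.]us", "uv01webzoom[.]us", "uv03webzoom[.]us",
    "uv04webzoom[.]us", "ux06webzoom[.]us", "check02id[.]com",
]
# Ports named in the article: exfil upload (8443), com.apple.cli C2 (6783),
# com.google.chromes.updaters C2 (5202).
C2_PORTS = {8443, 6783, 5202}
# curl-to-osascript tracking strings from the table.
USER_AGENTS = {f"mac-cur{i}" for i in range(1, 6)}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its literal form."""
    return ioc.replace("[.]", ".")


IPS = {refang(i) for i in DEFANGED_IPS}
DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)
PORT_RE = re.compile(r"\bdport[=:](\d+)")
UA_RE = re.compile(r'\bua[=:]"?([^"\s]+)')


def match_line(line: str) -> list[str]:
    """Return the indicator matches found in one log line, in a fixed order:
    C2 IPs, C2 domains (exact or subdomain), then port and user-agent."""
    hits = []
    for ip in IP_RE.findall(line):
        if ip in IPS:
            hits.append(f"c2-ip:{ip}")
    for host in HOST_RE.findall(line):
        h = host.lower()
        if h in DOMAINS or any(h.endswith("." + d) for d in DOMAINS):
            hits.append(f"c2-domain:{h}")
    # A bare port is too noisy on its own (8443 is common), so only count it
    # when the same line already matched a C2 address.
    m = PORT_RE.search(line)
    if m and int(m.group(1)) in C2_PORTS and hits:
        hits.append(f"c2-port:{m.group(1)}")
    m = UA_RE.search(line)
    if m and m.group(1) in USER_AGENTS:
        hits.append(f"campaign-ua:{m.group(1)}")
    return hits


def scan(lines):
    """Map line index -> matches for every line that hit at least one indicator."""
    return {i: h for i, line in enumerate(lines) if (h := match_line(line))}


# Constructed sample lines: three true positives, two benign.
SAMPLE_LOGS = [
    'proxy ts=2026-03-02T10:14:03Z src=10.0.0.21 host=uw04webzoom.us dport=443 ua="Mozilla/5.0"',
    'netflow ts=2026-03-02T10:14:09Z src=10.0.0.21 dst=83.136.208.246 dport=6783 bytes=512',
    'proxy ts=2026-03-02T10:15:40Z src=10.0.0.21 host=check02id.com dport=5202 ua="mac-cur3"',
    'proxy ts=2026-03-02T10:16:00Z src=10.0.0.33 host=example.org dport=443 ua="Mozilla/5.0"',
    'netflow ts=2026-03-02T10:16:30Z src=10.0.0.33 dst=198.51.100.7 dport=8443 bytes=2048',
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS).items():
        print(f"line {idx}: {', '.join(hits)}")
```

Two design points carry over to a production rule set: the port check only fires when the same event already touched a listed address, because alerting on every 8443 connection would bury the signal, and the user-agent strings are matched exactly rather than by prefix, since the article lists five specific values. Subdomains of the listed domains are treated as hits because the attacker controls the zone.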
