惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

PCI Perspectives
PCI Perspectives
Microsoft Security Blog
Microsoft Security Blog
MongoDB | Blog
MongoDB | Blog
T
The Blog of Author Tim Ferriss
罗磊的独立博客
人人都是产品经理
人人都是产品经理
The Cloudflare Blog
Engineering at Meta
Engineering at Meta
Y
Y Combinator Blog
宝玉的分享
宝玉的分享
Recorded Future
Recorded Future
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
月光博客
月光博客
Recent Announcements
Recent Announcements
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Apple Machine Learning Research
Apple Machine Learning Research
T
Threatpost
The GitHub Blog
The GitHub Blog
M
MIT News - Artificial intelligence
Scott Helme
Scott Helme
P
Palo Alto Networks Blog
T
Tenable Blog
P
Privacy International News Feed
V
Visual Studio Blog
F
Fortinet All Blogs
酷 壳 – CoolShell
酷 壳 – CoolShell
I
Intezer
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
AI
AI
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
S
Security Affairs
S
SegmentFault 最新的问题
C
Cisco Blogs
博客园 - 聂微东
MyScale Blog
MyScale Blog
V
Vulnerabilities – Threatpost
量子位
T
The Exploit Database - CXSecurity.com
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Security Latest
Security Latest
P
Proofpoint News Feed
阮一峰的网络日志
阮一峰的网络日志
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
T
Troy Hunt's Blog
T
Tailwind CSS Blog
Stack Overflow Blog
Stack Overflow Blog
云风的 BLOG
云风的 BLOG
A
About on SuperTechFans
The Last Watchdog
The Last Watchdog

The Register - Security: Cyber-crime

Election interlopers register 5K+ domains, hope to catch some voting phish Palo Alto VPN bug graduates from advisory to active exploitation ShinyHunters adds Charter to trophy shelf after 4.9M customer records leak Carnival confirms ShinyHunters cruised off with 6M customer records after April breach CrowdStrike, Google shatter Glassworm botnet MyPillow must decide whether to be firm or soft as ransomware crims demand pay A Russian speaker and jailbroken Gemini went on a hacking spree and emptied at least one MAGA victim's crypto wallets Shai-Hulud copycat worm infects yet another npm package Grafana Labs admits all its codebase are belong to someone who popped its GitHub account Nobody believes the 'criminals and scumbags' who hacked Canvas really deleted stolen student data Malware crew TeamPCP open-sources its Shai-Hulud worm on GitHub Foxconn confirms cyberattack after ransomware crew claims it stole confidential Apple, Nvidia files Cache-poisoning caper turns TanStack npm packages toxic 'CopyFail' attackers start cashing in on Linux flaw Cushman & Wakefield confirms vishing cyberattack ShinyHunters claims dump puts 119K Vimeo emails in the wild ShinyHunters claims 119K Vimeo emails in the wild Critical cPanel exploited: 'Millions' of sites could be hit Pro-Iran group turns Ubuntu DDoS into shakedown French prosecutors link 15-year-old to gov mega-breach UK business breach rate stuck at 43%... blame the phishing What type of 'C2 on a sleep cycle' do they leave behind? Novel Chinese spy group found in critical networks in Poland, Asia Chinese spy group caught lurking in Poland, Asia networks Don’t pay VECT a ransom - your big files are likely gone Pitney Bowes the latest victim of ShinyHunters’ breach-spree Ongoing supply-chain attack targets security, dev tools Medical and utility tech companies admit digital breakins Burglar alarm biz gets burgled, ShinyHunters pursues ransom Crime crew impersonates help desk, abuses Teams chats ShinyHunters claim they have cruise giant Carnival’s booty CISA, NCSC issue Firestarter backdoor warning 500k Biobank volunteers' data listed for sale on Alibaba Another npm supply chain worm hits dev environments France's 'Secure' ID agency probes breach as crooks claim 19M records France's 'Secure' ID agency probes claimed 19M record breach macOS ClickFix attacks deliver AppleScript stealers to snarf credentials, wallets macOS ClickFix attacks deliver AppleScript stealers Yet another ex-ransomware negotiator admits turning rogue after payoff from crimelords Third ransomware pro pleads guilty to cybercrime U-turn AI-assisted intruders pwned Vercel via OAuth abuse and a pilfered employee account AI-pwned: Vercel breach traced to stolen employee creds Crook claims to leak 'video surveillance footage' of companies Crook claims to leak 'video surveillance footage' of firms Adaptavist Group breach spawns imposter emails as ransomware crew claims mega-haul Adaptavist Group breach: Ransomware crew claims mega-haul Scot becomes second Scattered Spider-linked crook to plead guilty in US US gets second Scattered Spider-linked guilty plea McGraw Hill linked to 13.5M-record data leak McGraw Hill linked to 13.5M-record data leak Autovista blames ransomware for service disruption Autovista blames ransomware for service disruption No honor among thieves as 0APT threatens rival ransomware gang Krybit 0APT ransomware gang extorts Krybit amid doxxing threat Fake Linux leader using Slack to con devs into giving up their secrets Fake Linux Foundation leader using Slack to phish devs Booking.com warns of possible reservation data exposure Booking.com warns of possible reservation data exposure Gym giant Basic-Fit breached with at least 1M affected US, UK, Canadian cops disrupt $45M global crypto scam www.theregister.com Old Adobe Reader zero-day uses PDFs to size up targets Zephyr Energy loses £700K to contractor payment fraud Russia's Fancy Bear still attacking routers to boost fake sites, NCSC warns Russia's APT28 behind latest wave of router, DNS attacks AI recruiting biz Mercor says it was 'one of thousands' hit in LiteLLM supply-chain attack Mercor says it was 'one of thousands' hit in LiteLLM attack Telnyx package latest hit in PyPI supply-chain compromise Telnyx package latest hit in PyPI supply-chain compromise European Commission admits breach of public web systems European Commission admits breach of public web systems AFC Ajax drops ball as hackers transfer tickets, lift bans AFC Ajax drops ball as hackers transfer tickets, lift bans HackerOne slams supplier for delayed breach notice after staff data exposed HackerOne slams supplier over delayed breach notice Russian initial access broker jailed for 81 months in US Russian initial access broker jailed for 81 months in US Smooth criminals talking their way into cloud environments, Google says Chip tester shrugged off ransomware – then came the leak Chip tester shrugged off ransomware – then came the leak Russians posing as Signal support to launch phishing raids JLR cyber bailout risks dangerous precedent, watchdog warns Unknown attackers exploit yet another critical SharePoint bug Microsoft Intune: Lock it down, warn feds after Stryker Ransomware crims abused Cisco 0-day weeks before disclosure North Korea's 100,000-strong fake IT worker army rake in $500M a year for Kim Jong Un Robotics surgical biz Intuitive discloses phishing attack Cybercrime up 245% since the start of the Iran war AI-driven fraud far more profitable, Interpol warns Credential-stealing crew spoofs Ivanti, Fortinet, Cisco VPNs Interpol sinkholes 45,000 IPs linked to global cybercrime SocksEscort fraud-enabling proxy service taken down CISA warns max-severity n8n bug is being exploited in the wild Iran-linked cyber crew claims hit on US med-tech firm Meta, cops deploy AI and handcuffs in scam crackdown Dutch police collar teen over string of bank card frauds EU law advisor wants cybercrime protections fast-tracked Cybercrime isn't just a cover for Iran's government goons Crooks compromise WordPress sites, spread infostealers Ericsson breach blamed on third party vendor vishing attack Polish cyber police busts gang of alleged teen DDoS peddlers
North Korea targets macOS users in latest heist
Jessica Lyons Jessica Lyons · 2026-04-17 · via The Register - Security: Cyber-crime

Cyber-crime

Social engineering: 'low-cost, hard to patch, and scales well'

North Korean criminals set on stealing Apple users' credentials and cryptocurrency are using a combination of social engineering and a fake Zoom software update to trick people into manually running malware on their own computers, according to Microsoft.

Redmond's threat intelligence team tracks the Pyongyang-backed crew as Sapphire Sleet (aka APT38). The Lazarus Group offshoot has been in business since at least 2020, and primarily targets the finance sector to steal cryptocurrency wallets and intellectual property related to cryptocurrency trading and blockchain platforms.

These attacks begin with social engineering. The crew creates fake recruiter profiles on social media and networking platforms like LinkedIn and then reaches out to finance professionals with phony job opportunities before scheduling a technical interview - that's the delivery mechanism for the malware.

And they follow a rash of other social-engineering-enabled intrusions, including one in which North Korea-linked attackers socially engineered an Axios maintainer, compromised his account, and published malicious versions of the open source JavaScript library containing a remote-access trojan.

"Social engineering lets attackers route around hardened perimeters by convincing users to act on their behalf, turning a human into the vulnerability. It's low-cost, hard to patch, and scales well," Sherrod DeGrippo, Microsoft global threat intelligence GM, told The Register

"Users are conditioned to accept remote support interactions like downloading tools, following instructions, clicking prompts," she added. "Attackers exploit this familiarity to make malicious actions feel routine, lowering victim skepticism at the critical moment of compromise."  

In its latest campaign, Sapphire Sleet sends victims a fake Zoom support meeting invite, and then instructs them to download a file called Zoom SDK Update.scpt. It's a compiled AppleScript that opens in macOS Script Editor by default and looks like a legitimate Zoom SDK update, beginning with a large comment block of update instructions to make it appear to be a real software update.

Bad Apple(Script) commands

Underneath the decoy content, the script inserts thousands of blank lines to push the malicious logic below the scrollable view of the Script Editor window and reduce the chances of the victim noticing it. First, it launches a command that invokes the legitimate macOS softwareupdate binary - but with an invalid parameter. This essentially does nothing but launch a trusted Apple‑signed process to make the software update look legitimate.

Next, the script executes its malicious payload via curl to fetch a new attacker-controlled AppleScript that launches directly within the Script Editor context and ensures that additional payloads are dynamically downloaded and executed.

"When the user opens the Zoom SDK Update.scpt file, macOS launches the file in Script Editor, allowing Sapphire Sleet to transition from a single lure file to a multi-stage, dynamically fetched payload chain," Redmond explained in a Thursday report. 

"From this single process, the entire attack unfolds through a cascading chain of curl commands, each fetching and executing progressively more complex AppleScript payloads. Each stage uses a distinct user-agent string as a campaign tracking identifier."

Each curl user agent fetches a different piece of malware that serves its own purpose in the attack chain, from orchestration and backdooring victims' machines, to reconnaissance and registering the compromised system with Sapphire Sleet's command‑and‑control (C2) infrastructure, to bypassing macOS TCC protections, and ultimately harvesting credentials and exfiltrating sensitive data - wallets, browser history and other info, keychains, Apple Notes, and Telegram login details.

Each stage of the campaign also abuses native Apple tools or mimics Apple naming conventions to disguise the illicit activity. For example: the host monitoring binary is called com.apple.cli to help mask the 5 MB Mach-O executable with an Apple-style naming convention. 

The credential stealer, delivered through an AppleScript payload executed via osascript, drops a malicious macOS application named systemupdate.app that masquerades as a software update utility and, when launched, displays a native macOS password dialog that closely resembles a legitimate system prompt. The dialog prompts the user to enter their password "to complete a software update," and this allows Sapphire Sleet to obtain valid user credentials, exfiltrating them by using the Telegram Bot API.

Additionally, one of the backdoors used in this campaign - icloudz - is named to mimic a legitimate iCloud‑related artifact, and also uses the macOS NSCreateObjectFileImageFromMemory API to load additional payloads directly into memory.

Microsoft disclosed this campaign to Apple, and the mac maker has since implemented "platform-level protections to help detect and block infrastructure and malware associated with this campaign," we're told. Apple did not respond to The Register's inquiries.

According to Redmond, however, Apple deployed Apple Safe Browsing protections in Safari to detect and block malicious infrastructure associated with this campaign, and also deployed XProtect signatures to detect and block the malware families linked to Sapphire Sleet. MacOS devices receive these signature updates automatically, so no need to do anything from a user perspective.

One thing organizations can do to protect their users and themselves from falling victim to this and other social-engineering campaigns is to educate people about threats originating from LinkedIn and other social media sites, especially unsolicited communications asking users to download software or install virtual meeting tools. 

"Users should never run scripts or commands shared through messages, calls, or chats without prior approval from their IT or security teams," Redmond warns. ®