North Korean Hackers Use AppleScript, ClickFix in Fresh macOS Attacks

North Korean hackers have been using various social engineering and evasion techniques in recently observed attacks targeting macOS users within financial organizations. A campaign uncovered by Any.Run has relied on the infamous ClickFix technique to trick macOS users into installing information-stealing malware. The hackers have been mounting the attacks over Telegram, targeting business leaders, often using the compromised accounts of people known to the victim, with fake meeting invitations. The victims have been directed to websites mimicking Zoom, Microsoft Teams, or Google Meet, and prompted to “fix” a fake connection issue by copying and executing a command in the Terminal. This has resulted in the execution of Go-based Mach-O binaries, part of a malware kit dubbed Mach-O Man and designed to collect credentials, system secrets such as Keychain entries, and browser sessions. The data has been exfiltrated over Telegram. Another campaign, attributed by Microsoft to Sapphire Sleet, a state-sponsored group active since at least 2020, has relied on AppleScript for code execution and detection evasion, but has been leading to the same outcome: sensitive data exfiltration. The hackers have been using fake recruiter profiles on online platforms to engage in conversations with the victims and to invite them to technical interviews. During the fake interviews, the victims have been asked to install malware masquerading as a video conferencing tool or software developer kit (SDK) update. The campaign does not involve ClickFix, which relies on the victims’ willingness to copy the commands leading to malware infection. Instead, the downloaded file, a compiled AppleScript, would automatically open in macOS Script Editor to execute embedded arbitrary shell commands. As part of the complex infection chain, multiple AppleScript payloads would be executed, ultimately leading to the deployment of several backdoors. The attack also focuses on achieving persistence and on privilege escalation. The deployed payloads were designed to perform system reconnaissance, enumerate installed applications, and harvest Telegram data, browser profiles and the associated databases, Keychain databases, cryptocurrency wallets, SSH keys, shell history, the Apple Notes database, and system logs. Related: North Korean Hackers Take Over Victims’ Systems Using Zoom Meeting Related: $290 Million Kelp DAO Crypto Heist Blamed on North Korea Related: Two North Korean IT Worker Scheme Facilitators Jailed in the US Related: North Korean Hackers Target High-Profile Node.js Maintainers WRITTEN BY Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Dozens of Malicious Crypto Apps Land in Apple App Store Progress Patches Multiple Vulnerabilities in MOVEit WAF, LoadMaster Organizations Warned of Exploited Cisco, Kentico, Zimbra Vulnerabilities $290 Million Kelp DAO Crypto Heist Blamed on North Korea British Scattered Spider Hacker Pleads Guilty in the US Hackers Abuse QEMU for Defense Evasion Half of the 6 Million Internet-Facing FTP Servers Lack Encryption Hackers Fail to Exploit Flaw in Discontinued TP-Link Routers Latest News After Bluesky, Mastodon Targeted in DDoS Attack Most Serious Cyberattacks Against the UK Now From Russia, Iran and China, Cyber Chief Says New Wiper Malware Targeted Venezuelan Energy Sector Prior to US Intervention  Mirai Botnet Targets Flaw in Discontinued D-Link Routers Are SBOMs Failing? Supply Chain Attacks Rise as Security Teams Struggle With SBOM Data Claude Mythos Finds 271 Firefox Vulnerabilities Google Antigravity in Crosshairs of Security Researchers, Cybercriminals Oracle Patches 450 Vulnerabilities With April 2026 CPU Trending Webinar: A Step-By-Step Approach To AI Governance April 28, 2026 With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment. Register Virtual Event: Threat Detection And Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the Move Anti-ransomware platform Halcyon has named Kirstjen Nielsen and Chris Inglis as Strategic Advisors. ThreatModeler has appointed Kevin Gallagher as Chief Executive Officer. Thomas Bain has been appointed Chief Marketing Officer at Silent Push. More People On The Move Expert Insights Government Can’t Win The Cyber War Without The Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI Of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules Of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons From OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) Flipboard Reddit Whatsapp Email