
Hackers Use Fake Software Update Prompts to Steal Passwords and Crypto Wallet Data From macOS Users





By Tushar Subhra Dutta, June 17, 2026

A dangerous new cyber campaign is putting macOS users at serious risk, and it does not rely on software bugs to do its damage. Instead, the attackers trick people into handing over their own passwords and sensitive data by making everything look completely normal. What appears to be a routine software update turns out to be a carefully crafted trap, and by the time a victim realizes something is wrong, the damage may already be done.

The group behind this activity is known as Sapphire Sleet, a North Korean state-backed threat actor active since at least March 2020. Their targets are not random: they focus almost entirely on people involved in cryptocurrency, venture capital, and blockchain-related businesses. The core goal is to steal digital assets and financial information from high-value individuals and organizations around the world.

Analysts at Microsoft said in a report shared with Cyber Security News (CSN) that the campaign began in early 2026 and introduces macOS-specific attack techniques not previously seen from this actor. According to the report, the attack works entirely through social engineering: the hackers convince users to run malicious files themselves rather than exploiting any flaw in the operating system.

[Figure: Process tree showing cascading execution from Script Editor (Source – Microsoft)]

The attack begins when a target is contacted on social media or professional platforms by someone posing as a job recruiter. After some back-and-forth, the target is directed to download a file disguised as a Zoom SDK update. Once opened, the file launches in macOS Script Editor, a legitimate Apple tool, and quietly begins pulling additional malicious code in the background. The user sees nothing suspicious, only what looks like an ordinary software installation.
Microsoft shared its findings with Apple as part of a responsible disclosure process. Apple has since rolled out platform-level protections, including XProtect signature updates and Safari Safe Browsing blocks, to detect and stop infrastructure tied to this campaign. macOS users are strongly encouraged to keep their devices fully updated to benefit from these protections.

Hackers Use Fake Software Update Prompts

Once the malicious script runs on a victim's machine, it silently deploys a fake application called systemupdate.app. This app presents the user with a native-looking macOS password dialog that is visually indistinguishable from a real system prompt. The user is told their password is required to finish the software update, and most people simply type it in without a second thought. After the password is entered, the malware verifies it against the local macOS authentication database. If the credential checks out, it is immediately forwarded to the attackers via the Telegram messaging service.

[Figure: Password popup given by fake systemupdate.app (Source – Microsoft)]

A second fake app, softwareupdate.app, then shows a convincing update-complete dialog to prevent the victim from growing suspicious. Meanwhile, the malware collects cryptocurrency wallet files, saved browser passwords, Telegram session data, SSH keys, Apple Notes, and browsing history.

Persistent Backdoors and Large-Scale Exfiltration

Beyond stealing credentials, Sapphire Sleet installs multiple backdoors to maintain long-term access. A component named com.apple.cli acts as a host monitoring tool that continuously checks in with the attackers' servers. A more advanced backdoor named icloudz loads code directly into memory, leaving little trace on disk and making it considerably harder for security tools to catch. The malware installs a launch daemon that automatically restarts the backdoor after every system reboot.
All stolen data is compressed into archives and uploaded to attacker-controlled servers over port 8443, while credentials are sent separately via the Telegram Bot API. In June 2026, Microsoft noted that Sapphire Sleet had introduced a Microsoft Teams-themed lure with updated payload names, carrying on the same attack chain under fresh disguises.

[Figure: The AppleScript lure with decoy content and payload execution (Source – Microsoft)]

Microsoft advises users to never run scripts or terminal commands shared through chat messages without approval from a trusted IT team. Organizations should block compiled AppleScript files downloaded from the internet and monitor for unauthorized changes to the macOS TCC database. Anyone managing cryptocurrency assets should rely on hardware wallets and regularly rotate credentials stored in browsers.

Indicators of Compromise (IoCs):

Type       | Indicator                                                  | Description
-----------|------------------------------------------------------------|------------------------------------------------------------------------------
IP Address | 83.136.208[.]246                                           | C2 server used by com.apple.cli host monitoring component (port 6783)
IP Address | 188.227.196[.]252                                          | Sapphire Sleet C2 infrastructure
IP Address | 83.136.209[.]22                                            | Sapphire Sleet C2 infrastructure
IP Address | 83.136.208[.]48                                            | Sapphire Sleet C2 infrastructure
IP Address | 83.136.210[.]180                                           | Sapphire Sleet C2 infrastructure
IP Address | 104.145.210[.]107                                          | Sapphire Sleet C2 infrastructure
IP Address | 188.227.197[.]136                                          | Sapphire Sleet C2 infrastructure
Domain     | uw04webzoom[.]us                                           | Sapphire Sleet attacker-controlled domain
Domain     | uw05webzoom[.]us                                           | Sapphire Sleet attacker-controlled domain
Domain     | uw03webzoom[.]us                                           | Sapphire Sleet attacker-controlled domain
Domain     | ur01webzoom[.]us                                           | Sapphire Sleet attacker-controlled domain
Domain     | uv01webzoom[.]us                                           | Sapphire Sleet attacker-controlled domain
Domain     | uv03webzoom[.]us                                           | Sapphire Sleet attacker-controlled domain
Domain     | uv04webzoom[.]us                                           | Sapphire Sleet attacker-controlled domain
Domain     | ux06webzoom[.]us                                           | Sapphire Sleet attacker-controlled domain
Domain     | check02id[.]com                                            | C2 domain used by com.google.chromes.updaters backdoor (port 5202)
File Name  | Zoom SDK Update.scpt                                       | Initial lure file (compiled AppleScript) delivered via social engineering
File Name  | msteams sdk update.scpt                                    | Teams-themed lure file used in June 2026 updated campaign
File Name  | systemupdate.app                                           | Fake credential harvester disguised as macOS system update
File Name  | softwareupdate.app                                         | Decoy completion app displaying fake update-complete dialog
File Name  | com.apple.cli                                              | Host monitoring Mach-O binary (~5 MB), Apple-style naming camouflage
File Name  | icloudz                                                    | Reflective code loader backdoor stored at ~/Library/Application Support/iCloud/icloudz
File Name  | com.google.chromes.updaters                                | Tertiary backdoor (~7.2 MB) stored at ~/Library/Google/com.google.chromes.updaters
File Name  | com.microsoft.helper                                       | Host monitoring component used in Teams-themed campaign variant
File Name  | .google.docs                                               | Hidden Mach-O backdoor used in Teams-themed campaign variant
File Path  | /Library/LaunchDaemons/com.google.webkit.service.plist     | Persistence launch daemon installed by Sapphire Sleet
File Path  | ~/Library/LaunchAgents/com.apple.identification.plist      | Persistence launch agent in Teams-themed campaign variant
File Path  | ~/Library/Application Support/Authorization/auth.db        | Installation marker file storing path to services backdoor
Token      | fwyan48umt1vimwqcqvhdd9u72a7qysi                           | Exfiltration upload authorization token
UUID       | 82cf5d92-87b5-4144-9a4e-6b58b714d599                       | Campaign machine identifier used in exfiltration headers
User-Agent | mac-cur1 / mac-cur2 / mac-cur3 / mac-cur4 / mac-cur5       | Campaign tracking user-agent strings used in curl-to-osascript chain

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
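To turn the IoC table above into something an analyst can actually run, here is an added Python example (not Microsoft's or Cyber Security News' code). It matches proxy or web-gateway log lines against the listed C2 IPs, domains and campaign user-agent strings, and checks a user's home directory for the listed persistence and payload paths. The indicator values are copied verbatim from the table; the sample log lines and the fake file set used in the test are constructed for illustration.

```python
"""
Hunt script for the Sapphire Sleet macOS campaign indicators listed in the
article. Added example, not Microsoft's or CSN's code. Indicator values are
copied from the IoC table; SAMPLE_PROXY_LOG below is constructed.
"""
import os
import re
from pathlib import Path
from typing import Callable, List, Optional

# Network indicators from the table, stored defanged exactly as published.
DEFANGED_IPS = [
    "83.136.208[.]246", "188.227.196[.]252", "83.136.209[.]22", "83.136.208[.]48",
    "83.136.210[.]180", "104.145.210[.]107", "188.227.197[.]136",
]
DEFANGED_DOMAINS = [
    "uw04webzoom[.]us", "uw05webzoom[.]us", "uw03webzoom[.]us", "ur01webzoom[.]us",
    "uv01webzoom[.]us", "uv03webzoom[.]us", "uv04webzoom[.]us", "ux06webzoom[.]us",
    "check02id[.]com",
]
# User-agent strings the table ties to the curl-to-osascript chain.
CAMPAIGN_USER_AGENTS = {f"mac-cur{i}" for i in range(1, 6)}

# Persistence and payload paths from the table ("~" is expanded per user at runtime).
HOST_ARTIFACT_PATHS = [
    "/Library/LaunchDaemons/com.google.webkit.service.plist",
    "~/Library/LaunchAgents/com.apple.identification.plist",
    "~/Library/Application Support/Authorization/auth.db",
    "~/Library/Application Support/iCloud/icloudz",
    "~/Library/Google/com.google.chromes.updaters",
]


def refang(indicator: str) -> str:
    """Undo the '[.]' defanging so an indicator can be compared with raw log text.
    Only do this inside a controlled TI platform or SIEM, as the article's note says."""
    return indicator.replace("[.]", ".")


def match_log_line(line: str) -> List[str]:
    """Return the campaign IoCs found in one log line (an empty list means clean).
    IPs and domains are matched as whole tokens, so 83.136.208.48 does not fire on
    83.136.208.480 or on a longer host name that merely contains a listed domain."""
    hits = []
    for ip in DEFANGED_IPS:
        if re.search(r"(?<![\d.])" + re.escape(refang(ip)) + r"(?![\d.])", line):
            hits.append("c2-ip:" + ip)
    for dom in DEFANGED_DOMAINS:
        if re.search(r"(?<![\w.-])" + re.escape(refang(dom)) + r"(?![\w-])", line):
            hits.append("c2-domain:" + dom)
    ua = re.search(r'"(mac-cur\d)"', line)
    if ua and ua.group(1) in CAMPAIGN_USER_AGENTS:
        hits.append("user-agent:" + ua.group(1))
    return hits


def scan_logs(lines):
    """Pair each matching log line with its list of hits; clean lines are dropped."""
    results = []
    for line in lines:
        hits = match_log_line(line)
        if hits:
            results.append((line, hits))
    return results


def find_host_artifacts(home: Optional[str] = None,
                        exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return which of the table's persistence/payload paths exist for `home`.
    `exists` is injectable so the logic can be exercised against a constructed
    file set instead of the real disk."""
    home = home or str(Path.home())
    found = []
    for p in HOST_ARTIFACT_PATHS:
        full = home + p[1:] if p.startswith("~") else p
        if exists(full):
            found.append(full)
    return found


# Constructed proxy log lines: timestamp, client, method, target, user-agent.
SAMPLE_PROXY_LOG = [
    '2026-06-17T09:14:02Z 10.0.0.12 CONNECT 83.136.208.246:6783 "mac-cur1"',
    '2026-06-17T09:14:30Z 10.0.0.12 CONNECT uw04webzoom.us:443 "mac-cur2"',
    '2026-06-17T09:15:01Z 10.0.0.33 CONNECT www.apple.com:443 "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line, hits in scan_logs(SAMPLE_PROXY_LOG):
        print("MATCH", hits, "<-", line)
    for path in find_host_artifacts():
        print("ARTIFACT PRESENT", path)
```

Run it as a script on a macOS host to list any of the table's artifacts present for the current user, or import scan_logs into a SIEM export job; the exists parameter is there only so the path check can be tested without touching the real disk. A log hit is a reason to pull the host's launch daemons, launch agents and ~/Library/Application Support for a closer look, not proof of compromise on its own, and the user-agent check in particular will miss any later variant that renames its curl stage.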