A newly reported campaign attributed to North Korean threat actors uses a ClickFix variant adapted for macOS to compromise users and steal credentials, cryptocurrency wallet data and other sensitive information. 

In its latest findings, Microsoft Threat Intelligence has uncovered a cyber campaign focused on macOS systems, linked to the North Korean group Sapphire Sleet. The attack strategy mirrors typical North Korean operations, leveraging social engineering methods, including ClickFix-style tactics. 

Over the past year, ClickFix has emerged as a widely used social engineering tactic. Attackers usually direct victims to a compromised website or a virtual meeting platform like Zoom or Teams, claiming there are technical problems that require action, such as running commands or installing software. These issues are fabricated, and the real objective is to trick users into installing malware or linking their systems to attacker-controlled infrastructure. 

ClickFix is now widely used across the threat landscape, but North Korean actors, including Sapphire Sleet, have shown a particular affinity for it. The group is thought to have links with threat clusters known as UNC1069, APT38, and Stardust Chollima, and its operations are largely driven by efforts to fund the North Korean government via cryptocurrency theft and intellectual property espionage. 

"In this campaign, Sapphire Sleet takes advantage of user‑initiated execution to establish persistence, harvest credentials, and exfiltrate sensitive data while operating outside traditional macOS security enforcement boundaries," Microsoft's blog post read. 

Inside the macOS ClickFix Attack  

According to researchers, Sapphire Sleet initiates its campaigns by setting up fraudulent recruiter accounts on social and professional networking sites, approaching targets with fake job offers, and then scheduling technical interviews to further the attack. 

Next, the fake interviewer directs the victim to download a file named “Zoom SDK Update.scpt”, presented as a Zoom SDK update, and open it. The file is a compiled AppleScript, which macOS opens by default in Script Editor; the interviewer then tells the victim to click “Run Script” to execute it. 

While Windows-focused ClickFix campaigns typically copy a malicious shell command to the user’s clipboard and instruct them to paste and run it themselves, the macOS variant instead delivers a script file that opens in Script Editor and runs attacker-supplied code as soon as the user clicks “Run Script”; the victim never has to type or paste a command. 

Once executed, the fake “SDK update” sets off a multi-stage attack chain that uses curl to fetch and run further AppleScript payloads. The components include a command-and-control beacon, credential harvesters, and a data-stealing module that collects information from cryptocurrency wallets, browsers, keychains, browsing history, Apple Notes, and Telegram. It also installs several backdoors for persistence and finally shows a fake prompt telling the user that the installation has completed. 

Ahead of exfiltration, the attack chain circumvents Apple’s TCC (Transparency, Consent, and Control) framework, which requires user consent before an application can access protected resources such as the keychain or files in protected folders. According to Microsoft, the malware renames the TCC database, moves it to a staging location, and inserts a new row into the database’s access table that records the permission as already granted, so that no consent prompt appears. The tampered database is then moved back to its original folder and given its original name. 
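The tampering described above leaves its trace in the access table of the TCC database. The following script, added here as an example rather than code from Microsoft's report or from the campaign, shows how a responder might audit a copy of that table for grants that should not exist: entries for high-value services whose client is a script interpreter, a path under a user-writable directory, or anything outside an approved list, and rows whose last_modified time falls after a reference point. The table definition is a simplified version of the real one (it carries only the columns the check needs), the allowlist and service selection are hypothetical, the auth_reason mapping is an assumption, and the sample rows are constructed for the example.

```python
import sqlite3

# Constructed, simplified version of the `access` table in TCC.db. The real
# table has more columns; the ones used here carry the names TCC actually uses.
TCC_SCHEMA = """
CREATE TABLE access (
    service       TEXT    NOT NULL,
    client        TEXT    NOT NULL,
    client_type   INTEGER NOT NULL,  -- 0 = bundle identifier, 1 = absolute path
    auth_value    INTEGER NOT NULL,  -- 2 = allowed, 0 = denied
    auth_reason   INTEGER NOT NULL,  -- assumed mapping: 2 = user consent, 3 = user set
    last_modified INTEGER NOT NULL   -- unix time the row was last changed
);
"""

# Fixed reference time so the sample data is deterministic (constructed value).
REFERENCE_TIME = 1_700_000_000

# Services a credential stealer needs most; hypothetical selection.
SENSITIVE_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles",  # Full Disk Access: Notes, Telegram, browser profiles
    "kTCCServiceAppleEvents",           # scripting other apps via AppleScript
    "kTCCServiceAccessibility",
}

# Interpreters that should never hold a grant for the services above (hypothetical policy).
INTERPRETER_CLIENTS = {"/usr/bin/osascript", "/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/python3"}

# Path-based grants from these locations point at something a user (or malware) dropped.
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/")


def find_suspicious_grants(conn, allowlist, since=None):
    """Return allowed rows for sensitive services that are not on the allowlist,
    with the reasons each one was flagged."""
    rows = conn.execute(
        "SELECT service, client, client_type, auth_value, auth_reason, last_modified "
        "FROM access WHERE auth_value = 2"
    ).fetchall()
    findings = []
    for service, client, client_type, _auth_value, _auth_reason, last_modified in rows:
        if service not in SENSITIVE_SERVICES or client in allowlist:
            continue
        reasons = ["client not on the approved list"]
        if client in INTERPRETER_CLIENTS:
            reasons.append("grant to a script interpreter")
        if client_type == 1 and client.startswith(USER_WRITABLE_PREFIXES):
            reasons.append("path-based grant from a user-writable location")
        if since is not None and last_modified >= since:
            reasons.append("modified after the reference time")
        findings.append({"service": service, "client": client, "reasons": reasons})
    return findings


def build_sample_db():
    """Constructed TCC.db contents: legitimate grants plus the kind of rows the
    described tampering would leave behind (all values made up for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(TCC_SCHEMA)
    old, recent = REFERENCE_TIME - 86400 * 30, REFERENCE_TIME - 60
    conn.executemany(
        "INSERT INTO access VALUES (?, ?, ?, ?, ?, ?)",
        [
            ("kTCCServiceSystemPolicyAllFiles", "us.zoom.xos", 0, 2, 2, old),          # approved app
            ("kTCCServiceCamera", "us.zoom.xos", 0, 2, 2, old),                        # not a sensitive service
            ("kTCCServiceAccessibility", "com.apple.Terminal", 0, 0, 3, old),          # denied, ignored
            ("kTCCServiceSystemPolicyAllFiles", "/usr/bin/osascript", 1, 2, 3, recent),  # planted
            ("kTCCServiceAppleEvents", "/Users/victim/Library/Caches/.zoomsdk", 1, 2, 3, recent),  # planted
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for finding in find_suspicious_grants(db, allowlist={"us.zoom.xos"}, since=REFERENCE_TIME - 3600):
        print(finding["service"], finding["client"], "->", "; ".join(finding["reasons"]))
```

To run this against a real machine, point sqlite3.connect at a copy of the per-user database (~/Library/Application Support/com.apple.TCC/TCC.db) or the system one (/Library/Application Support/com.apple.TCC/TCC.db); the process that reads them needs Full Disk Access itself. Because the described technique moves the database out and back rather than editing it in place, the row timestamp may be the only trace inside the file, so pair this check with file-event telemetry on the TCC directory.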

Microsoft recommends several defensive measures against Sapphire Sleet, including educating users about social engineering and the mechanics of ClickFix attacks. Organisations should restrict or block the execution of .scpt files and unsigned Mach-O binaries downloaded from the internet, treat any instruction to copy and paste commands or sensitive data with suspicion, and protect cryptocurrency wallets and credentials stored in browsers. The accompanying blog post also lists indicators of compromise. 

According to Microsoft, the campaign findings were shared with Apple, which has subsequently rolled out updates to identify and prevent the associated malicious infrastructure and malware.