North Korean Hackers Unleash Mac Attack – Your Wallet Isn’t the Only Thing at Risk
Apple's walled garden just got a new intruder. State-sponsored hackers from North Korea are targeting Mac users with a shockingly inventive malware campaign—proving even 'secure' ecosystems aren't bulletproof.
How They're Breaking In
Forget crude phishing attempts. These operatives are weaponizing fake crypto apps and developer tools, exploiting Apple's own ecosystem against its users. The attack chain bypasses traditional defenses by mimicking legitimate software updates.
Why Your Mac Isn't Safe
While Apple touts its security superiority, this campaign exposes critical blind spots. The hackers are leveraging zero-day vulnerabilities in third-party apps—the same ones finance bros insist are 'totally secure' for trading their meme coin portfolios.
Wake-Up Call
This isn't just about stolen passwords. Successful breaches could give Pyongyang access to corporate networks, crypto wallets, and—ironically—the very trading platforms used to launder stolen digital assets. Time to update those security tools before your Bitcoin becomes their Bitcoin.
How The Attack is Executed
The detailed report by SentinelLabs describes a novel and obfuscated approach to breaching Mac devices.
It begins in a now-familiar way: by impersonating a trusted contact to schedule a meeting via Calendly, with the target subsequently receiving an email to update the Zoom application. You can find more information on this particular scam trick in our detailed report here.
The update script ends with three lines of malicious code that retrieve and execute a second-stage script from a controlled server to a legitimate Zoom meeting link.
Clicking on the LINK automatically downloads two Mac binaries, which initiate two independent execution chains: the first scrapes general system information and application-specific data. The second ensures that the attacker will have long-term access to the affected machine.
The attack chain then continues by installing two Bash scripts via a Trojan. One is used to target data from specific browsers: Arc, Brave, Firefox, Chrome, and Edge. The other steals Telegram’s encrypted data and the blob used to decrypt it. The data is then extracted to the controlled server.
What makes this approach unique and challenging for security analysts is the use of multiple malware components and varied techniques employed to inject and spoof malware, making it very difficult to detect.
Similar attacks have also been detected by Huntabil.IT in April and Huntress in June.
Follow The Money
ZachXBT, the pseudonymous blockchain investigator, recently posted on X with his latest findings about substantial payments made to various Democratic People’s Republic of Korea (DPRK) developers working on diverse projects since the beginning of the year.
He has managed to identify eight separate workers working for 12 different companies.
His findings indicate that $2.76 million in USDC was sent out from Circle accounts to addresses associated with the developers per month. These addresses are very close to one that was blacklisted by Tether in 2023, as it’s tied to alleged conspirator Sim Hyon Sop.
Zach continues to monitor similar clusters of addresses, but has not made any information public, as they are still active.
He has issued a warning stating that once these workers take ownership of contracts, the underlying project is at high risk.
“I believe that when a team hires multiple DPRK ITWs (IT workers), it is a decent indicator for determining that the startup will be a failure. Unlike other threats to the industry, these workers have little sophistication, so it’s mainly the result of a team’s own negligence.”
