Sapphire Sleet Deploys Sophisticated macOS Malware Campaign Targeting Enterprise Users
What Happened — A Microsoft‑tracked threat group, dubbed Sapphire Sleet, leveraged a multi‑stage lure (malicious email attachment and a compromised website) to deliver a custom macOS‑only payload. The malware establishes persistence, escalates privileges, and exfiltrates files from high‑value corporate workstations.
Why It Matters for TPRM (Third‑Party Risk Management) —
- macOS devices are increasingly part of enterprise endpoint fleets, and many third‑party vendors rely on them for development and administration.
- The attack chain demonstrates a blend of social engineering and zero‑day exploitation, raising the bar for traditional endpoint defenses.
- Successful compromise can expose confidential data of both the primary organization and its supply‑chain partners.
Who Is Affected — Technology SaaS providers, cloud‑hosted services, MSPs, and any enterprise that permits macOS endpoints for staff or contractors.
Recommended Actions —
- Verify that all macOS endpoints are covered by an up‑to‑date endpoint detection and response (EDR) solution.
- Enforce strict email attachment scanning and URL reputation checks.
- Patch macOS systems promptly; monitor for the specific Indicators of Compromise (IOCs) disclosed by Microsoft.
Technical Notes — The intrusion begins with a phishing email containing a malicious .dmg file. Once executed, the installer drops a signed but malicious binary that exploits CVE‑2025‑XXXX (a privilege‑escalation flaw in macOS). The payload communicates over encrypted channels to a C2 server, harvesting documents, keychains, and authentication tokens.
Source: Microsoft Security Blog