www.securityweek.com 4/22/2026, 11:01:43 AM · via preferred

North Korean hackers use AppleScript, ClickFix on macOS finance

North Korean hackers have been using AppleScript and the ClickFix technique in fresh macOS attacks against financial organisations, including cryptocurrency, venture capital, and blockchain entities, according to SecurityWeek on 22 April 2026.

A campaign uncovered by Any[.]Run relied on ClickFix to coax macOS users into installing information‑stealing malware that exfiltrates data via Telegram. The attackers targeted business leaders through compromised accounts and fake meeting invitations delivered over Telegram.

In a separate AppleScript‑led operation attributed by Microsoft to Sapphire Sleet, the attackers used AppleScript for code execution and evasion, leading to the same outcome of sensitive data exfiltration, while emphasising persistence and privilege escalation.

The phishing-like approach includes fake recruiter profiles on online platforms and fake interviews that prompt victims to install malware masquerading as a video conferencing tool or SDK update. The infections culminate in the execution of Go‑based Mach‑O binaries as part of a malware kit dubbed Mach‑O Man, which harvests credentials, Keychain entries, browser sessions, and related data.

Article by CyberSIXT