For years, Australian IT leaders treated macOS as the “quiet corner” of the fleet. A handful of executives and designers on MacBooks, a sprinkle of engineers, and a general assumption that Apple’s built-in protections were enough.<\/p>\n\n
That assumption no longer holds. In April 2026, Microsoft Threat Intelligence publicly dissected a campaign by Sapphire Sleet \u2014 a North Korean crew aligned with Lazarus Group \u2014 targeting macOS users with a fake Zoom SDK update. A few weeks earlier, Google’s Mandiant team documented UNC1069 dropping seven distinct macOS malware families onto a single victim’s Mac in a coordinated credential and wallet heist.<\/p>\n\n
Two separate DPRK (Democratic People’s Republic of Korea) clusters. Two active macOS intrusion chains. Both relying on social engineering rather than exploits. And both pointing at the same uncomfortable conclusion: Australian organisations running unmanaged or lightly managed Mac fleets are now soft targets for a state-sponsored threat actor.<\/p>\n\n
Our team has been helping mid-market Australian businesses harden their macOS posture through Microsoft Intune, and the recent reporting reinforces why that baseline is no longer optional.<\/p>\n\n
Ten years ago, the Mac threat landscape was dominated by adware and the occasional supply chain surprise. The DPRK campaigns documented through late 2025 and into 2026 look nothing like that.<\/p>\n\n
Sapphire Sleet’s Zoom SDK lure (April 2026).<\/strong> The attackers pose as recruiters or legitimate contacts on LinkedIn, schedule a “technical interview” on Zoom, and deliver a file named UNC1069’s seven-family ClickFix campaign (February 2026).<\/strong> Mandiant responded to an incident at a fintech where a single victim was contacted over Telegram from a compromised executive account. A deepfake Zoom call was used as the pretext. The user was walked through “troubleshooting” commands that kicked off an AppleScript-driven infection chain dropping WAVESHAPER, HYPERCALL, HIDDENCALL, SILENCELIFT, DEEPBREATH, SUGARLOADER, and CHROMEPUSH. Several of these bypass TCC by modifying the TCC database directly.<\/p>\n\n Contagious Interview and malicious VS Code projects (January 2026).<\/strong> Jamf Threat Labs and Microsoft Defender researchers documented developers being sent fake “coding assessment” repositories via Bitbucket, GitHub, and GitLab. The repositories abuse VS Code task configuration files to execute payloads on macOS. Separately, North Korean operators pushed nearly 200 malicious npm packages in late November 2025, merging features from the well-known BeaverTail and OtterCookie malware families.<\/p>\n\n The classic lineage is still active.<\/strong> RustBucket, KandyKorn, ObjCShellz, and BeaverTail remain in circulation, now joined by newer loaders like SUGARLOADER and credential stealers dropped through fake The common thread across all of this is that users \u2014 not unpatched software \u2014 are the initial access vector. And the payloads are increasingly Mach-O binaries, AppleScript chains, and TCC-bypass techniques designed specifically for Apple Silicon fleets.<\/p>\n\n The early DPRK macOS campaigns focused heavily on crypto exchanges and Web3 companies. That is no longer the boundary.<\/p>\n\n In the Mandiant reporting, UNC1069 has pivoted to financial services, payments, brokerage, and wallet infrastructure. Sapphire Sleet’s current lures target anyone with access to financial data or corporate identity. Lazarus was also linked to Medusa ransomware attacks on a healthcare organisation in the U.S. and European defence companies in the past six months.<\/p>\n\n For Australian organisations in the 50\u2013500 employee band \u2014 law firms, accounting practices, super funds, medtech, fintech, professional services \u2014 the attack surface is now:<\/p>\n\n If any of the above runs on a Mac that is not centrally managed, MDM-enrolled, and covered by a hardened baseline, the organisation is essentially betting on user judgement against a well-resourced state-sponsored adversary. The Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC) have been increasingly direct on this point through 2025 and into 2026: the Essential 8 applies to every managed endpoint, not just the Windows ones.<\/p>\n\n Intune has matured significantly as a macOS management plane. The features that matter for the current DPRK threat model are not exotic \u2014 they are the baseline controls every managed Mac fleet should already have in place.<\/p>\n\n 1. Enforced MDM enrolment via Apple Business Manager.<\/strong> Automated Device Enrolment (ADE) ensures every Mac \u2014 company-owned or contractor \u2014 hits the fleet already supervised, with the user unable to remove management. Without this, none of the controls below can be reliably enforced.<\/p>\n\n 2. Compliance policies with FileVault, system integrity, and OS version requirements.<\/strong> Intune compliance policies can require FileVault encryption, minimum macOS version, System Integrity Protection (SIP) enabled, and Gatekeeper set to App Store and identified developers only. Non-compliant devices can then be blocked from Microsoft 365 and other Entra-integrated apps through Conditional Access.<\/p>\n\n 3. Platform Single Sign-On with Entra ID.<\/strong> Platform SSO binds the macOS local account to Entra ID, enforces phishing-resistant authentication, and makes credential theft from the keychain far less valuable. Given that DEEPBREATH and CHROMEPUSH both target keychain and browser credentials, Platform SSO is one of the highest-leverage controls available right now.<\/p>\n\n 4. Microsoft Defender for Endpoint on Mac.<\/strong> Defender for Endpoint provides EDR telemetry, behavioural detection, and integration with Microsoft 365 Defender. It catches the kinds of post-compromise behaviours \u2014 suspicious 5. App allow-listing and script execution controls.<\/strong> Intune shell script deployment combined with configuration profiles can restrict where unsigned scripts execute, enforce notarisation requirements, and disable Script Editor for standard users where business use does not require it. This directly disrupts the 6. Hardened TCC and privacy preference profiles.<\/strong> Intune configuration profiles can pre-approve only the TCC permissions required by sanctioned apps and prevent users from granting Full Disk Access, Accessibility, or Screen Recording privileges to arbitrary binaries. This is the single most effective control against the TCC-bypass techniques used by DEEPBREATH and the Sapphire Sleet payload chain.<\/p>\n\n 7. Developer workstation separation.<\/strong> Macs used by developers should be treated as a distinct device group with stricter controls on VS Code extensions, source control clients, and package manager behaviour. Given the npm and VS Code project lures documented in the Contagious Interview campaigns, this is no longer a theoretical concern.<\/p>\n\n Mapped against the Essential 8, this baseline directly strengthens application control, restrict administrative privileges, patch applications, patch operating systems, and multi-factor authentication on macOS \u2014 which is historically where Essential 8 implementations have been weakest in Australian mid-market environments.<\/p>\n\n The organisations our team works with typically fall into one of three postures on macOS:<\/p>\n\n Moving from posture one or two to a full baseline is not a six-month transformation programme. For a 50\u2013500 person organisation, it is typically a focused engagement of a few weeks to get the core controls in place, followed by ongoing hardening as new Intune capabilities land.<\/p>\n\n The DPRK threat actors are not going to slow down. Social engineering is, as Microsoft’s global threat intelligence GM recently put it, “low-cost, hard to patch, and scales well.”<\/em> Australian organisations that get their macOS baseline in order now are the ones that will not be the next case study.<\/p>\n\n If your organisation runs macOS devices and you are not sure how your current controls map to the Essential 8 or stand up against the current DPRK threat model, we would welcome a conversation. Our team regularly helps Australian mid-market organisations design and deploy Intune for macOS baselines aligned with ACSC guidance and the Essential 8.<\/p>\n\n","protected":false},"excerpt":{"rendered":" For years, Australian IT leaders treated macOS as the “quiet corner” of the fleet. A handful of executives and designers on MacBooks, a sprinkle of engineers, and a general assumption that Apple’s built-in protections were enough. That assumption no longer holds. In April 2026, Microsoft Threat Intelligence publicly dissected a campaign by Sapphire Sleet \u2014 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"Intune for macOS baseline","_yoast_wpseo_title":"Intune for macOS Baseline vs North Korean Threats | CloudProInc","_yoast_wpseo_metadesc":"North Korean threat actors are now targeting macOS fleets. Learn why an Intune for macOS baseline is essential for Australian mid-market organisations in 2026.","_yoast_wpseo_opengraph-title":"Intune for macOS Baseline vs North Korean Threats","_yoast_wpseo_opengraph-description":"DPRK actors like Sapphire Sleet and UNC1069 are targeting macOS. See why an Intune for macOS baseline aligned with Essential 8 matters now.","_yoast_wpseo_twitter-title":"Intune for macOS Baseline vs North Korean Threats","_yoast_wpseo_twitter-description":"DPRK actors like Sapphire Sleet and UNC1069 are targeting macOS. See why an Intune for macOS baseline aligned with Essential 8 matters now.","_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[13,107,103,17,29,12],"tags":[],"class_list":["post-57485","post","type-post","status-publish","format-standard","hentry","category-blog","category-cybersecurity","category-essential-8","category-microsoft-365-security","category-microsoft-defender-xdr","category-microsoft-intune"],"yoast_head":"\nZoom SDK Update.scpt<\/code>. macOS opens it in Script Editor by default. Below thousands of blank lines sits a multi-stage chain of curl<\/code> commands that pull fresh AppleScript payloads, bypass macOS Transparency, Consent and Control (TCC), drop a backdoor named com.apple.cli<\/code>, and exfiltrate keychains, browser data, Apple Notes, Telegram sessions, and cryptocurrency wallets \u2014 all via the Telegram Bot API.<\/p>\n\nsystemupdate.app<\/code> bundles.<\/p>\n\nWhy Australian Mid-Market Organisations Are in Scope<\/h2>\n\n
The Intune for macOS Baseline Our Team Recommends<\/h2>\n\n
osascript<\/code> execution, curl<\/code> fetching Mach-O binaries, TCC database tampering \u2014 that XProtect alone will miss. Apple has pushed XProtect signatures for the Sapphire Sleet families, but signature-based detection is not a substitute for EDR on a business-critical device.<\/p>\n\nZoom SDK Update.scpt<\/code> style lure.<\/p>\n\nPractical Starting Point<\/h2>\n\n
\n\n