Worms in the Apple Orchard: How Sapphire Sleet Turned macOS Into Lunch

The Funny Summary

Think macOS is a shiny, sealed apple? Sapphire Sleet proved it still attracts worms. By pretending to be legit Zoom and system updates, this crew didn’t hack macOS so much as politely ask users to let them in, then helped themselves to passwords, crypto, and data—all while macOS security politely looked away.

The (5) Takeaways

  • Social engineering beats exploits – No zero‑days required; just convincing prompts and user clicks did the job.

  • Fake updates are still deadly – Disguised Zoom SDK and system updates tricked users into running AppleScript payloads.

  • User‑initiated execution is powerful – Once users click “yes,” many macOS protections step aside.

  • Credentials were the prize – Native‑looking password prompts harvested real, validated macOS passwords.

  • Persistence was sneaky and durable – Launch daemons, look‑alike binaries, and trusted paths kept the worms comfy long‑term.
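As an added defender-side illustration of the persistence takeaway (not code from the original post or from Microsoft's write-up), a small Python audit that parses launchd job plists and flags the traits listed above: Apple-looking labels that point outside Apple-owned paths, programs in user-writable or hidden locations, and boot-time respawn settings. The sample plists are constructed and the trusted-path list and heuristics are assumptions, not indicators taken from the report.

```python
import glob
import plistlib

# Constructed sample: an Apple-sounding label whose program lives in a hidden,
# user-writable folder and is set to start at boot and respawn if killed.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdated</string>
  <key>ProgramArguments</key>
  <array><string>/Users/Shared/.update/softwareupdated</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed benign sample: Apple label, Apple-owned path, no respawn.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.example.agent</string>
  <key>Program</key><string>/System/Library/CoreServices/example</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Assumed set of paths a genuine Apple-labelled job is expected to run from.
TRUSTED_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/")
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/")

def audit_launchd_plist(data: bytes) -> list[str]:
    """Return heuristic findings for one launchd job plist (empty list = nothing flagged)."""
    job = plistlib.loads(data)
    label = job.get("Label", "")
    args = job.get("ProgramArguments") or []
    program = job.get("Program") or (args[0] if args else "")
    findings = []
    # Look-alike: Apple-style label, but the binary is not in an Apple-owned path.
    if label.startswith("com.apple.") and not program.startswith(TRUSTED_PREFIXES):
        findings.append(f"apple-style label {label!r} runs non-Apple path {program!r}")
    # Binary placed where an unprivileged user could write it, or in a dotted (hidden) folder.
    if program.startswith(USER_WRITABLE) or "/." in program:
        findings.append(f"program in user-writable or hidden path: {program!r}")
    # Durable persistence: starts at boot and launchd restarts it if it exits.
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        findings.append("RunAtLoad+KeepAlive: starts at boot and respawns if killed")
    return findings

def audit_directory(path: str = "/Library/LaunchDaemons") -> dict[str, list[str]]:
    """Audit every .plist in a launchd directory; returns {file: findings} for flagged jobs."""
    results = {}
    for plist_path in glob.glob(f"{path}/*.plist"):
        with open(plist_path, "rb") as fh:
            found = audit_launchd_plist(fh.read())
        if found:
            results[plist_path] = found
    return results
```

Run `audit_directory()` (and again with `/Library/LaunchAgents`) on a host under review; the findings are triage hints to check against code signing and file ownership, not a verdict on their own.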

The Long Boring Article

Reference:

https://www.microsoft.com/en-us/security/blog/2026/04/16/dissecting-sapphire-sleets-macos-intrusion-from-lure-to-compromise/
