levelblue.2026.sapphire-sleet-macos-fake-zoom-update
Sapphire Sleet macOS fake Zoom SDK update to reflective beacon and C2/exfiltration infrastructure
IIM chain for LevelBlue SpiderLabs research published on 2026-05-28. The report describes a Sapphire Sleet / BlueNoroff / UNC1069 macOS campaign targeting financial, Web3, venture-capital and cryptocurrency environments. Initial access uses social engineering around a fake video meeting and a fake Zoom SDK update component. The user executes Zoom SDK Update.scpt, which opens in macOS Script Editor and drives an osascript/curl/shell chain using task-specific User-Agents mac-cur1 through mac-cur5. Follow-on components include com.apple.cli profiling tooling, a native-looking systemupdate.app Mac Password Popup credential harvester, TCC.db abuse through Finder, a LaunchDaemon plist for persistence, an icloudz backdoor component, and the in-memory com.google.chromes.updaters beacon agent. Exfiltration is staged into /tmp zip archives and uploaded over remote upload/exfil ports. LevelBlue publishes C2 domains, C2 IPs, operational ports, hashes, and strategic forensic paths; exact lure accounts, meeting URLs, and per-domain DNS mappings are not published and are therefore not invented in this chain.
Infrastructure map
Role-based chain map
Chain storyline
ordered IIM positionsfile
Zoom SDK Update.scpt
file
com.apple.cli profiling component
file
systemupdate.app / Mac Password Popup credential harvester
file
/Library/LaunchDaemons/com.google.webkit.service.plist
file
icloudz reflective backdoor component
file
com.google.chromes.updaters in-memory beacon agent
file
/tmp staged zip archives containing collected corporate and crypto assets
domain
check02id.com
domain
uw04webzoom.us
domain
uw05webzoom.us
domain
uw03webzoom.us
domain
uv01webzoom.us
domain
uv03webzoom.us
domain
uv04webzoom.us
domain
ux06webzoom.us
domain
ur01webzoom.us
ip
83.136.208.246
ip
83.136.209.22
ip
104.145.210.107
ip
83.136.208.48
ip
83.136.210.180
Relations
directed infrastructure edgese001dropse002
confirmed
e001dropse003
confirmed
e001dropse004
confirmed
e004executee005
confirmed
e005executee006
confirmed
e006dropse007
confirmed
e006connecte008
confirmed
e006connecte009
confirmed
e006connecte010
confirmed
e006connecte011
confirmed
e006connecte012
confirmed
e006connecte013
confirmed
e006connecte014
confirmed
e006connecte015
confirmed
e006connecte016
confirmed
e006connecte017
confirmed
e006connecte018
confirmed
e006connecte019
confirmed
e006connecte020
confirmed
e006connecte021
confirmed
e007communicates-withe019
confirmed
Entities & evidence
observable inventory| ID | Type | Value | Source / evidence |
|---|---|---|---|
e001 |
file | Zoom SDK Update.scpt |
LevelBlue states initial access relied on targeted social engineering against individuals in crypto/investment/Web3 and that victims were instructed to execute a fake Zoom SDK update component named Zoom SDK Update.scpt. LevelBlue states the user-assisted execution opens the compiled AppleScript in macOS Script Editor and the flow proceeds Script Editor -> osascript -> curl -> shell. LevelBlue IOC table lists /Users/<user>/Downloads/Zoom SDK Update.scpt with SHA-256 2075fd1a1362d188290910a8c55cf30c11ed5955c04af410c481410f538da419. |
e002 |
file | com.apple.cli profiling component |
LevelBlue states the script initiates curl and osascript commands using task-specific User-Agents mac-cur1 through mac-cur5 and drops initial profiling tools such as com.apple.cli. LevelBlue IOC table lists /Users/<user>/com.apple.cli with SHA-256 05e1761b535537287e7b72d103a29c4453742725600f59a34a4831eafc0b8e53. |
e003 |
file | systemupdate.app / Mac Password Popup credential harvester |
LevelBlue states a fake application named systemupdate.app launches a native-looking Objective-C prompt called Mac Password Popup to harvest the user login password. LevelBlue IOC table lists /private/tmp/SystemUpdate/systemupdate.app/Contents/MacOS/Mac Password Popup with SHA-256 8fd5b8db10458ace7e4ed335eb0c66527e1928ad87a3c688595804f72b205e8c. LevelBlue IOC table also lists /private/tmp/SoftwareUpdate/softwareupdate.app/Contents/MacOS/Mac Password Popup with SHA-256 a05400000843fbad6b28d2b76fc201c3d415a72d88d8dc548fafd8bae073c640. |
e004 |
file | /Library/LaunchDaemons/com.google.webkit.service.plist |
LevelBlue states an administrative boot configuration is dropped into /Library/LaunchDaemons/com.google.webkit.service.plist to launch the backdoor component named icloudz at system startup. LevelBlue IOC table lists com.google.webkit.service.plist with SHA-256 95e893e7cdde19d7d16ff5a5074d0b369abd31c1a30962656133caa8153e8d63. |
e005 |
file | icloudz reflective backdoor component |
LevelBlue states the LaunchDaemon starts a backdoor component named icloudz at system startup. LevelBlue states icloudz uses NSCreateObjectFileImageFromMemory to reflectively load the core beacon agent com.google.chromes.updaters directly into memory. LevelBlue IOC table lists /Users/<user>/Library/Services/services / icloudz with SHA-256 5fbbca2d72840feb86b6ef8a1abb4fe2f225d84228a714391673be2719c73ac7. |
e006 |
file | com.google.chromes.updaters in-memory beacon agent |
LevelBlue states icloudz reflectively loads the core beacon agent com.google.chromes.updaters directly into memory. LevelBlue states the beacon communicates outbound every 60 seconds. LevelBlue IOC table lists com.google.chromes.updaters with SHA-256 5e581f22f56883ee13358f73fabab00fcf9313a053210eb12ac18e66098346e5. |
e007 |
file | /tmp staged zip archives containing collected corporate and crypto assets |
LevelBlue states the script profiles, archives into .zip files within the /tmp/ directory, and steals critical corporate data assets. Targeted data described by LevelBlue includes cryptocurrency software wallets such as Exodus and Ledger Live, browser extension storage, Telegram session profiles, local SSH keys, and unencrypted Apple Notes records. LevelBlue states staged archives are uploaded via nohup curl to remote port 8443, while official exfiltration traffic has been reported on 104.145.210.107:6783. |
e008 |
domain | check02id.com |
LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign. LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration). No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge. |
e009 |
domain | uw04webzoom.us |
LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign. LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration). No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge. |
e010 |
domain | uw05webzoom.us |
LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign. LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration). No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge. |
e011 |
domain | uw03webzoom.us |
LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign. LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration). No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge. |
e012 |
domain | uv01webzoom.us |
LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign. LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration). No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge. |
e013 |
domain | uv03webzoom.us |
LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign. LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration). No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge. |
e014 |
domain | uv04webzoom.us |
LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign. LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration). No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge. |
e015 |
domain | ux06webzoom.us |
LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign. LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration). No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge. |
e016 |
domain | ur01webzoom.us |
LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign. LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration). No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge. |
e017 |
ip | 83.136.208.246 |
LevelBlue Network & Infrastructure Channels section lists this value as a C2 IP for the Sapphire Sleet macOS campaign. LevelBlue lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration). The article lists this IP as campaign C2 infrastructure but does not publish a per-domain or per-port mapping for this specific IP. |
e018 |
ip | 83.136.209.22 |
LevelBlue Network & Infrastructure Channels section lists this value as a C2 IP for the Sapphire Sleet macOS campaign. LevelBlue lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration). The article lists this IP as campaign C2 infrastructure but does not publish a per-domain or per-port mapping for this specific IP. |
e019 |
ip | 104.145.210.107 |
LevelBlue Network & Infrastructure Channels section lists this value as a C2 IP for the Sapphire Sleet macOS campaign. LevelBlue lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration). LevelBlue specifically reports official exfiltration traffic on 104.145.210.107:6783; for the other IPs, the article lists them as campaign C2 IPs without per-port mapping. |
e020 |
ip | 83.136.208.48 |
LevelBlue Network & Infrastructure Channels section lists this value as a C2 IP for the Sapphire Sleet macOS campaign. LevelBlue lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration). The article lists this IP as campaign C2 infrastructure but does not publish a per-domain or per-port mapping for this specific IP. |
e021 |
ip | 83.136.210.180 |
LevelBlue Network & Infrastructure Channels section lists this value as a C2 IP for the Sapphire Sleet macOS campaign. LevelBlue lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration). The article lists this IP as campaign C2 infrastructure but does not publish a per-domain or per-port mapping for this specific IP. |
ATT&CK annotations
optional complementary mappingTargeted social engineering via professional platforms such as LinkedIn, Telegram, email, or similar channels.
Victims are instructed to execute the fake Zoom SDK Update.scpt component.
The compiled AppleScript opens in macOS Script Editor and drives osascript/curl/shell execution.
The initial script uses curl to retrieve follow-on payloads/tools.
systemupdate.app launches a native-looking Mac Password Popup to harvest the login password.
TCC.db manipulation injects automation permissions for /usr/bin/osascript.
com.google.webkit.service.plist persists the icloudz backdoor.
Collected assets are archived into /tmp zip files and uploaded via curl.
The campaign uses web protocols and published C2 domains/IPs with operational ports for beaconing/upload/exfiltration.
Raw IIM JSON canonical body from MANTIS expand
{
"iim_version": "1.1",
"chain_id": "levelblue.2026.sapphire-sleet-macos-fake-zoom-update",
"title": "Sapphire Sleet macOS fake Zoom SDK update to reflective beacon and C2/exfiltration infrastructure",
"description": "IIM chain for LevelBlue SpiderLabs research published on 2026-05-28. The report describes a Sapphire Sleet / BlueNoroff / UNC1069 macOS campaign targeting financial, Web3, venture-capital and cryptocurrency environments. Initial access uses social engineering around a fake video meeting and a fake Zoom SDK update component. The user executes Zoom SDK Update.scpt, which opens in macOS Script Editor and drives an osascript/curl/shell chain using task-specific User-Agents mac-cur1 through mac-cur5. Follow-on components include com.apple.cli profiling tooling, a native-looking systemupdate.app Mac Password Popup credential harvester, TCC.db abuse through Finder, a LaunchDaemon plist for persistence, an icloudz backdoor component, and the in-memory com.google.chromes.updaters beacon agent. Exfiltration is staged into /tmp zip archives and uploaded over remote upload/exfil ports. LevelBlue publishes C2 domains, C2 IPs, operational ports, hashes, and strategic forensic paths; exact lure accounts, meeting URLs, and per-domain DNS mappings are not published and are therefore not invented in this chain.",
"actor_id": "BlueNoroff",
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"needs_review": false,
"import_source": "manual-osint-report-to-iim-conversion",
"x_source": {
"title": "Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign",
"publisher": "LevelBlue SpiderLabs",
"author": "Maor Gabay",
"url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
"published_at": "2026-05-28",
"accessed_at": "2026-05-30T00:00:00Z",
"source_type": "original vendor research report",
"source_policy": "Original LevelBlue SpiderLabs source only. Secondary summaries were not used for chain content."
},
"x_source_urls": [
"https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
],
"x_source_title": "Sapphire Sleet macOS fake Zoom SDK update to reflective beacon and C2/exfiltration infrastructure",
"x_source_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
"x_resource_links_verified": [
{
"url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
"status": "opened via web retrieval",
"verified_at": "2026-05-30T00:00:00Z",
"notes": "Verified title, publisher, publication date, author, kill-chain breakdown, file hashes, C2 domains, C2 IPs, operational ports, and forensic paths from the LevelBlue SpiderLabs article."
}
],
"x_iocs": {
"sha256": [
"2075fd1a1362d188290910a8c55cf30c11ed5955c04af410c481410f538da419",
"05e1761b535537287e7b72d103a29c4453742725600f59a34a4831eafc0b8e53",
"5fbbca2d72840feb86b6ef8a1abb4fe2f225d84228a714391673be2719c73ac7",
"5e581f22f56883ee13358f73fabab00fcf9313a053210eb12ac18e66098346e5",
"95e893e7cdde19d7d16ff5a5074d0b369abd31c1a30962656133caa8153e8d63",
"8fd5b8db10458ace7e4ed335eb0c66527e1928ad87a3c688595804f72b205e8c",
"a05400000843fbad6b28d2b76fc201c3d415a72d88d8dc548fafd8bae073c640"
],
"domains": [
"check02id.com",
"uw04webzoom.us",
"uw05webzoom.us",
"uw03webzoom.us",
"uv01webzoom.us",
"uv03webzoom.us",
"uv04webzoom.us",
"ux06webzoom.us",
"ur01webzoom.us"
],
"ips": [
"83.136.208.246",
"83.136.209.22",
"104.145.210.107",
"83.136.208.48",
"83.136.210.180"
],
"files": [
"Zoom SDK Update.scpt",
"com.apple.cli",
"systemupdate.app / Mac Password Popup",
"softwareupdate.app / Mac Password Popup",
"com.google.webkit.service.plist",
"icloudz",
"com.google.chromes.updaters"
],
"ports": {
"443": "Telegram API",
"5202": "beacons",
"6783": "exfiltration",
"8443": "data staging/upload"
}
},
"x_limitations": [
"LevelBlue does not publish the exact recruiter/investor/business-partner account, meeting link, email, Telegram handle, or landing page that delivered the fake Zoom SDK update. The entry is therefore modeled at the fake update component level.",
"The report lists C2 domains and C2 IPs separately but does not publish raw DNS mappings between every domain and every IP. This chain avoids invented resolves-to edges.",
"The report states that uploads occur via nohup curl to remote port 8443 and that official exfiltration traffic has been reported on 104.145.210.107:6783. The 8443 upload destination is therefore modeled at the C2 infrastructure pool level rather than as a fabricated URL.",
"Host tradecraft such as Script Editor abuse, Finder/TCC.db manipulation, LaunchDaemon persistence and credential prompting is preserved as evidence and ATT&CK context. Only infrastructure-relevant artifacts are promoted to IIM nodes.",
"LevelBlue notes that original campaign infrastructure may have been partially mitigated after Microsoft shared findings with Apple. Indicators remain useful for historical/public-feed context, but live status is not asserted."
],
"entities": [
{
"id": "e001",
"type": "file",
"value": "Zoom SDK Update.scpt",
"observed_at": "2026-05-28T00:00:00Z",
"source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
"evidence": [
"LevelBlue states initial access relied on targeted social engineering against individuals in crypto/investment/Web3 and that victims were instructed to execute a fake Zoom SDK update component named Zoom SDK Update.scpt.",
"LevelBlue states the user-assisted execution opens the compiled AppleScript in macOS Script Editor and the flow proceeds Script Editor -> osascript -> curl -> shell.",
"LevelBlue IOC table lists /Users/<user>/Downloads/Zoom SDK Update.scpt with SHA-256 2075fd1a1362d188290910a8c55cf30c11ed5955c04af410c481410f538da419."
],
"x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
"x_sha256": "2075fd1a1362d188290910a8c55cf30c11ed5955c04af410c481410f538da419",
"x_distribution_lure": "fake video meeting / fake Zoom SDK update",
"x_exact_lure_url_published": false,
"x_chain_stage": "user_executed_fake_update"
},
{
"id": "e002",
"type": "file",
"value": "com.apple.cli profiling component",
"observed_at": "2026-05-28T00:00:00Z",
"source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
"evidence": [
"LevelBlue states the script initiates curl and osascript commands using task-specific User-Agents mac-cur1 through mac-cur5 and drops initial profiling tools such as com.apple.cli.",
"LevelBlue IOC table lists /Users/<user>/com.apple.cli with SHA-256 05e1761b535537287e7b72d103a29c4453742725600f59a34a4831eafc0b8e53."
],
"x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
"x_sha256": "05e1761b535537287e7b72d103a29c4453742725600f59a34a4831eafc0b8e53",
"x_user_agents": [
"mac-cur1",
"mac-cur2",
"mac-cur3",
"mac-cur4",
"mac-cur5"
],
"x_chain_stage": "initial_profiling_tool"
},
{
"id": "e003",
"type": "file",
"value": "systemupdate.app / Mac Password Popup credential harvester",
"observed_at": "2026-05-28T00:00:00Z",
"source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
"evidence": [
"LevelBlue states a fake application named systemupdate.app launches a native-looking Objective-C prompt called Mac Password Popup to harvest the user login password.",
"LevelBlue IOC table lists /private/tmp/SystemUpdate/systemupdate.app/Contents/MacOS/Mac Password Popup with SHA-256 8fd5b8db10458ace7e4ed335eb0c66527e1928ad87a3c688595804f72b205e8c.",
"LevelBlue IOC table also lists /private/tmp/SoftwareUpdate/softwareupdate.app/Contents/MacOS/Mac Password Popup with SHA-256 a05400000843fbad6b28d2b76fc201c3d415a72d88d8dc548fafd8bae073c640."
],
"x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
"x_sha256_primary": "8fd5b8db10458ace7e4ed335eb0c66527e1928ad87a3c688595804f72b205e8c",
"x_sha256_alternate": "a05400000843fbad6b28d2b76fc201c3d415a72d88d8dc548fafd8bae073c640",
"x_paths": [
"/private/tmp/SystemUpdate/systemupdate.app/Contents/MacOS/Mac Password Popup",
"/private/tmp/SoftwareUpdate/softwareupdate.app/Contents/MacOS/Mac Password Popup"
],
"x_chain_stage": "credential_harvester_payload"
},
{
"id": "e004",
"type": "file",
"value": "/Library/LaunchDaemons/com.google.webkit.service.plist",
"observed_at": "2026-05-28T00:00:00Z",
"source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
"evidence": [
"LevelBlue states an administrative boot configuration is dropped into /Library/LaunchDaemons/com.google.webkit.service.plist to launch the backdoor component named icloudz at system startup.",
"LevelBlue IOC table lists com.google.webkit.service.plist with SHA-256 95e893e7cdde19d7d16ff5a5074d0b369abd31c1a30962656133caa8153e8d63."
],
"x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
"x_sha256": "95e893e7cdde19d7d16ff5a5074d0b369abd31c1a30962656133caa8153e8d63",
"x_path": "/Library/LaunchDaemons/com.google.webkit.service.plist",
"x_chain_stage": "persistence_staging"
},
{
"id": "e005",
"type": "file",
"value": "icloudz reflective backdoor component",
"observed_at": "2026-05-28T00:00:00Z",
"source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
"evidence": [
"LevelBlue states the LaunchDaemon starts a backdoor component named icloudz at system startup.",
"LevelBlue states icloudz uses NSCreateObjectFileImageFromMemory to reflectively load the core beacon agent com.google.chromes.updaters directly into memory.",
"LevelBlue IOC table lists /Users/<user>/Library/Services/services / icloudz with SHA-256 5fbbca2d72840feb86b6ef8a1abb4fe2f225d84228a714391673be2719c73ac7."
],
"x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
"x_sha256": "5fbbca2d72840feb86b6ef8a1abb4fe2f225d84228a714391673be2719c73ac7",
"x_forensic_path": "~/Library/Application Support/iCloud/icloudz according to LevelBlue strategic forensic paths",
"x_chain_stage": "reflective_loader_backdoor"
},
{
"id": "e006",
"type": "file",
"value": "com.google.chromes.updaters in-memory beacon agent",
"observed_at": "2026-05-28T00:00:00Z",
"source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
"evidence": [
"LevelBlue states icloudz reflectively loads the core beacon agent com.google.chromes.updaters directly into memory.",
"LevelBlue states the beacon communicates outbound every 60 seconds.",
"LevelBlue IOC table lists com.google.chromes.updaters with SHA-256 5e581f22f56883ee13358f73fabab00fcf9313a053210eb12ac18e66098346e5."
],
"x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
"x_sha256": "5e581f22f56883ee13358f73fabab00fcf9313a053210eb12ac18e66098346e5",
"x_beacon_interval_seconds": 60,
"x_chain_stage": "memory_beacon_agent"
},
{
"id": "e007",
"type": "file",
"value": "/tmp staged zip archives containing collected corporate and crypto assets",
"observed_at": "2026-05-28T00:00:00Z",
"source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
"evidence": [
"LevelBlue states the script profiles, archives into .zip files within the /tmp/ directory, and steals critical corporate data assets.",
"Targeted data described by LevelBlue includes cryptocurrency software wallets such as Exodus and Ledger Live, browser extension storage, Telegram session profiles, local SSH keys, and unencrypted Apple Notes records.",
"LevelBlue states staged archives are uploaded via nohup curl to remote port 8443, while official exfiltration traffic has been reported on 104.145.210.107:6783."
],
"x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
"x_local_path": "/tmp/*.zip",
"x_external_infrastructure": false,
"x_data_categories": [
"cryptocurrency wallets",
"browser extension storage",
"Telegram sessions",
"SSH keys",
"Apple Notes"
],
"x_chain_stage": "local_exfiltration_staging"
},
{
"id": "e008",
"type": "domain",
"value": "check02id.com",
"observed_at": "2026-05-28T00:00:00Z",
"source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
"evidence": [
"LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign.",
"LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).",
"No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge."
],
"x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
"x_c2_domain_pool": true,
"x_ports": {
"443": "Telegram API",
"5202": "beacons",
"6783": "exfiltration",
"8443": "data staging/upload"
},
"x_dns_mapping_published": false,
"x_chain_stage": "c2_domain_pool"
},
{
"id": "e009",
"type": "domain",
"value": "uw04webzoom.us",
"observed_at": "2026-05-28T00:00:00Z",
"source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
"evidence": [
"LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign.",
"LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).",
"No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge."
],
"x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
"x_c2_domain_pool": true,
"x_ports": {
"443": "Telegram API",
"5202": "beacons",
"6783": "exfiltration",
"8443": "data staging/upload"
},
"x_dns_mapping_published": false,
"x_chain_stage": "c2_domain_pool"
},
{
"id": "e010",
"type": "domain",
"value": "uw05webzoom.us",
"observed_at": "2026-05-28T00:00:00Z",
"source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
"evidence": [
"LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign.",
"LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).",
"No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge."
],
"x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
"x_c2_domain_pool": true,
"x_ports": {
"443": "Telegram API",
"5202": "beacons",
"6783": "exfiltration",
"8443": "data staging/upload"
},
"x_dns_mapping_published": false,
"x_chain_stage": "c2_domain_pool"
},
{
"id": "e011",
"type": "domain",
"value": "uw03webzoom.us",
"observed_at": "2026-05-28T00:00:00Z",
"source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
"evidence": [
"LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign.",
"LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).",
"No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge."
],
"x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
"x_c2_domain_pool": true,
"x_ports": {
"443": "Telegram API",
"5202": "beacons",
"6783": "exfiltration",
"8443": "data staging/upload"
},
"x_dns_mapping_published": false,
"x_chain_stage": "c2_domain_pool"
},
{
"id": "e012",
"type": "domain",
"value": "uv01webzoom.us",
"observed_at": "2026-05-28T00:00:00Z",
"source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
"evidence": [
"LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign.",
"LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).",
"No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge."
],
"x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
"x_c2_domain_pool": true,
"x_ports": {
"443": "Telegram API",
"5202": "beacons",
"6783": "exfiltration",
"8443": "data staging/upload"
},
"x_dns_mapping_published": false,
"x_chain_stage": "c2_domain_pool"
},
{
"id": "e013",
"type": "domain",
"value": "uv03webzoom.us",
"observed_at": "2026-05-28T00:00:00Z",
"source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
"evidence": [
"LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign.",
"LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).",
"No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge."
],
"x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
"x_c2_domain_pool": true,
"x_ports": {
"443": "Telegram API",
"5202": "beacons",
"6783": "exfiltration",
"8443": "data staging/upload"
},
"x_dns_mapping_published": false,
"x_chain_stage": "c2_domain_pool"
},
{
"id": "e014",
"type": "domain",
"value": "uv04webzoom.us",
"observed_at": "2026-05-28T00:00:00Z",
"source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
"evidence": [
"LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign.",
"LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).",
"No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge."
],
"x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
"x_c2_domain_pool": true,
"x_ports": {
"443": "Telegram API",
"5202": "beacons",
"6783": "exfiltration",
"8443": "data staging/upload"
},
"x_dns_mapping_published": false,
"x_chain_stage": "c2_domain_pool"
},
{
"id": "e015",
"type": "domain",
"value": "ux06webzoom.us",
"observed_at": "2026-05-28T00:00:00Z",
"source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
"evidence": [
"LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign.",
"LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).",
"No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge."
],
"x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
"x_c2_domain_pool": true,
"x_ports": {
"443": "Telegram API",
"5202": "beacons",
"6783": "exfiltration",
"8443": "data staging/upload"
},
"x_dns_mapping_published": false,
"x_chain_stage": "c2_domain_pool"
},
{
"id": "e016",
"type": "domain",
"value": "ur01webzoom.us",
"observed_at": "2026-05-28T00:00:00Z",
"source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
"evidence": [
"LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign.",
"LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).",
"No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge."
],
"x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
"x_c2_domain_pool": true,
"x_ports": {
"443": "Telegram API",
"5202": "beacons",
"6783": "exfiltration",
"8443": "data staging/upload"
},
"x_dns_mapping_published": false,
"x_chain_stage": "c2_domain_pool"
},
{
"id": "e017",
"type": "ip",
"value": "83.136.208.246",
"observed_at": "2026-05-28T00:00:00Z",
"source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
"evidence": [
"LevelBlue Network & Infrastructure Channels section lists this value as a C2 IP for the Sapphire Sleet macOS campaign.",
"LevelBlue lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).",
"The article lists this IP as campaign C2 infrastructure but does not publish a per-domain or per-port mapping for this specific IP."
],
"x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
"x_c2_ip_pool": true,
"x_ports": {
"443": "Telegram API",
"5202": "beacons",
"6783": "exfiltration",
"8443": "data staging/upload"
},
"x_explicit_exfil_endpoint": false,
"x_chain_stage": "c2_ip_pool"
},
{
"id": "e018",
"type": "ip",
"value": "83.136.209.22",
"observed_at": "2026-05-28T00:00:00Z",
"source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
"evidence": [
"LevelBlue Network & Infrastructure Channels section lists this value as a C2 IP for the Sapphire Sleet macOS campaign.",
"LevelBlue lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).",
"The article lists this IP as campaign C2 infrastructure but does not publish a per-domain or per-port mapping for this specific IP."
],
"x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
"x_c2_ip_pool": true,
"x_ports": {
"443": "Telegram API",
"5202": "beacons",
"6783": "exfiltration",
"8443": "data staging/upload"
},
"x_explicit_exfil_endpoint": false,
"x_chain_stage": "c2_ip_pool"
},
{
"id": "e019",
"type": "ip",
"value": "104.145.210.107",
"observed_at": "2026-05-28T00:00:00Z",
"source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
"evidence": [
"LevelBlue Network & Infrastructure Channels section lists this value as a C2 IP for the Sapphire Sleet macOS campaign.",
"LevelBlue lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).",
"LevelBlue specifically reports official exfiltration traffic on 104.145.210.107:6783; for the other IPs, the article lists them as campaign C2 IPs without per-port mapping."
],
"x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
"x_c2_ip_pool": true,
"x_ports": {
"443": "Telegram API",
"5202": "beacons",
"6783": "exfiltration",
"8443": "data staging/upload"
},
"x_explicit_exfil_endpoint": true,
"x_chain_stage": "c2_ip_pool"
},
{
"id": "e020",
"type": "ip",
"value": "83.136.208.48",
"observed_at": "2026-05-28T00:00:00Z",
"source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
"evidence": [
"LevelBlue Network & Infrastructure Channels section lists this value as a C2 IP for the Sapphire Sleet macOS campaign.",
"LevelBlue lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).",
"The article lists this IP as campaign C2 infrastructure but does not publish a per-domain or per-port mapping for this specific IP."
],
"x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
"x_c2_ip_pool": true,
"x_ports": {
"443": "Telegram API",
"5202": "beacons",
"6783": "exfiltration",
"8443": "data staging/upload"
},
"x_explicit_exfil_endpoint": false,
"x_chain_stage": "c2_ip_pool"
},
{
"id": "e021",
"type": "ip",
"value": "83.136.210.180",
"observed_at": "2026-05-28T00:00:00Z",
"source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
"evidence": [
"LevelBlue Network & Infrastructure Channels section lists this value as a C2 IP for the Sapphire Sleet macOS campaign.",
"LevelBlue lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).",
"The article lists this IP as campaign C2 infrastructure but does not publish a per-domain or per-port mapping for this specific IP."
],
"x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
"x_c2_ip_pool": true,
"x_ports": {
"443": "Telegram API",
"5202": "beacons",
"6783": "exfiltration",
"8443": "data staging/upload"
},
"x_explicit_exfil_endpoint": false,
"x_chain_stage": "c2_ip_pool"
}
],
"chain": [
{
"entity_id": "e001",
"role": "entry",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"review_notes": "First public executable artifact. The preceding lure account/link is not published by LevelBlue."
},
{
"entity_id": "e002",
"role": "payload",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"review_notes": "Initial profiling component dropped by the AppleScript/curl chain."
},
{
"entity_id": "e003",
"role": "payload",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"review_notes": "Credential-harvesting payload. Kept as payload because it is executable malware logic, not external infrastructure."
},
{
"entity_id": "e004",
"role": "staging",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"review_notes": "Local persistence staging for the icloudz backdoor."
},
{
"entity_id": "e005",
"role": "payload",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed"
},
{
"entity_id": "e006",
"role": "payload",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed"
},
{
"entity_id": "e007",
"role": "staging",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"review_notes": "Local exfiltration staging in /tmp before upload; not external infrastructure."
},
{
"entity_id": "e008",
"role": "c2",
"techniques": [
"IIM-T011"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"review_notes": "Part of LevelBlue-published C2 domain pool/domain rotation. No DNS mapping edge is invented."
},
{
"entity_id": "e009",
"role": "c2",
"techniques": [
"IIM-T011"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"review_notes": "Part of LevelBlue-published C2 domain pool/domain rotation. No DNS mapping edge is invented."
},
{
"entity_id": "e010",
"role": "c2",
"techniques": [
"IIM-T011"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"review_notes": "Part of LevelBlue-published C2 domain pool/domain rotation. No DNS mapping edge is invented."
},
{
"entity_id": "e011",
"role": "c2",
"techniques": [
"IIM-T011"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"review_notes": "Part of LevelBlue-published C2 domain pool/domain rotation. No DNS mapping edge is invented."
},
{
"entity_id": "e012",
"role": "c2",
"techniques": [
"IIM-T011"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"review_notes": "Part of LevelBlue-published C2 domain pool/domain rotation. No DNS mapping edge is invented."
},
{
"entity_id": "e013",
"role": "c2",
"techniques": [
"IIM-T011"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"review_notes": "Part of LevelBlue-published C2 domain pool/domain rotation. No DNS mapping edge is invented."
},
{
"entity_id": "e014",
"role": "c2",
"techniques": [
"IIM-T011"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"review_notes": "Part of LevelBlue-published C2 domain pool/domain rotation. No DNS mapping edge is invented."
},
{
"entity_id": "e015",
"role": "c2",
"techniques": [
"IIM-T011"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"review_notes": "Part of LevelBlue-published C2 domain pool/domain rotation. No DNS mapping edge is invented."
},
{
"entity_id": "e016",
"role": "c2",
"techniques": [
"IIM-T011"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"review_notes": "Part of LevelBlue-published C2 domain pool/domain rotation. No DNS mapping edge is invented."
},
{
"entity_id": "e017",
"role": "c2",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"review_notes": "Part of LevelBlue-published C2 IP pool. Per-domain mappings are not published."
},
{
"entity_id": "e018",
"role": "c2",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"review_notes": "Part of LevelBlue-published C2 IP pool. Per-domain mappings are not published."
},
{
"entity_id": "e019",
"role": "c2",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"review_notes": "Part of LevelBlue-published C2 IP pool. Per-domain mappings are not published."
},
{
"entity_id": "e020",
"role": "c2",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"review_notes": "Part of LevelBlue-published C2 IP pool. Per-domain mappings are not published."
},
{
"entity_id": "e021",
"role": "c2",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"review_notes": "Part of LevelBlue-published C2 IP pool. Per-domain mappings are not published."
}
],
"relations": [
{
"from": "e001",
"to": "e002",
"type": "drops",
"sequence_order": 1,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"LevelBlue states Zoom SDK Update.scpt drives Script Editor -> osascript -> curl -> shell and drops initial profiling tools such as com.apple.cli.",
"https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
]
},
{
"from": "e001",
"to": "e003",
"type": "drops",
"sequence_order": 2,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"LevelBlue states a fake systemupdate.app launches the Mac Password Popup credential harvester after the fake Zoom update execution chain.",
"https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
]
},
{
"from": "e001",
"to": "e004",
"type": "drops",
"sequence_order": 3,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"LevelBlue states a LaunchDaemon plist is dropped at /Library/LaunchDaemons/com.google.webkit.service.plist for persistence.",
"https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
]
},
{
"from": "e004",
"to": "e005",
"type": "execute",
"sequence_order": 4,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"LevelBlue states the LaunchDaemon launches the icloudz backdoor component at system startup.",
"https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
]
},
{
"from": "e005",
"to": "e006",
"type": "execute",
"sequence_order": 5,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"LevelBlue states icloudz uses NSCreateObjectFileImageFromMemory to reflectively load com.google.chromes.updaters directly into memory.",
"https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
]
},
{
"from": "e006",
"to": "e007",
"type": "drops",
"sequence_order": 6,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"LevelBlue states the script profiles and archives stolen data into .zip files within /tmp before upload.",
"https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
]
},
{
"from": "e006",
"to": "e008",
"type": "connect",
"sequence_order": 7,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"LevelBlue lists check02id.com as a C2 Domain for this campaign and states the in-memory beacon communicates outbound every 60 seconds.",
"https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
]
},
{
"from": "e006",
"to": "e009",
"type": "connect",
"sequence_order": 8,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"LevelBlue lists uw04webzoom.us as a C2 Domain for this campaign and states the in-memory beacon communicates outbound every 60 seconds.",
"https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
]
},
{
"from": "e006",
"to": "e010",
"type": "connect",
"sequence_order": 9,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"LevelBlue lists uw05webzoom.us as a C2 Domain for this campaign and states the in-memory beacon communicates outbound every 60 seconds.",
"https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
]
},
{
"from": "e006",
"to": "e011",
"type": "connect",
"sequence_order": 10,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"LevelBlue lists uw03webzoom.us as a C2 Domain for this campaign and states the in-memory beacon communicates outbound every 60 seconds.",
"https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
]
},
{
"from": "e006",
"to": "e012",
"type": "connect",
"sequence_order": 11,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"LevelBlue lists uv01webzoom.us as a C2 Domain for this campaign and states the in-memory beacon communicates outbound every 60 seconds.",
"https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
]
},
{
"from": "e006",
"to": "e013",
"type": "connect",
"sequence_order": 12,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"LevelBlue lists uv03webzoom.us as a C2 Domain for this campaign and states the in-memory beacon communicates outbound every 60 seconds.",
"https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
]
},
{
"from": "e006",
"to": "e014",
"type": "connect",
"sequence_order": 13,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"LevelBlue lists uv04webzoom.us as a C2 Domain for this campaign and states the in-memory beacon communicates outbound every 60 seconds.",
"https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
]
},
{
"from": "e006",
"to": "e015",
"type": "connect",
"sequence_order": 14,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"LevelBlue lists ux06webzoom.us as a C2 Domain for this campaign and states the in-memory beacon communicates outbound every 60 seconds.",
"https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
]
},
{
"from": "e006",
"to": "e016",
"type": "connect",
"sequence_order": 15,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"LevelBlue lists ur01webzoom.us as a C2 Domain for this campaign and states the in-memory beacon communicates outbound every 60 seconds.",
"https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
]
},
{
"from": "e006",
"to": "e017",
"type": "connect",
"sequence_order": 16,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"LevelBlue lists 83.136.208.246 as a C2 IP for this campaign; operational ports include 5202 for beacons plus upload/exfil ports 8443/6783.",
"https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
]
},
{
"from": "e006",
"to": "e018",
"type": "connect",
"sequence_order": 17,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"LevelBlue lists 83.136.209.22 as a C2 IP for this campaign; operational ports include 5202 for beacons plus upload/exfil ports 8443/6783.",
"https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
]
},
{
"from": "e006",
"to": "e019",
"type": "connect",
"sequence_order": 18,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"LevelBlue lists 104.145.210.107 as a C2 IP for this campaign; operational ports include 5202 for beacons plus upload/exfil ports 8443/6783.",
"https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
]
},
{
"from": "e006",
"to": "e020",
"type": "connect",
"sequence_order": 19,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"LevelBlue lists 83.136.208.48 as a C2 IP for this campaign; operational ports include 5202 for beacons plus upload/exfil ports 8443/6783.",
"https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
]
},
{
"from": "e006",
"to": "e021",
"type": "connect",
"sequence_order": 20,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"LevelBlue lists 83.136.210.180 as a C2 IP for this campaign; operational ports include 5202 for beacons plus upload/exfil ports 8443/6783.",
"https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
]
},
{
"from": "e007",
"to": "e019",
"type": "communicates-with",
"sequence_order": 21,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"LevelBlue states staged /tmp zip archives are uploaded via nohup curl to remote port 8443 and that official exfiltration traffic has been reported on 104.145.210.107:6783.",
"https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
]
}
],
"attack_annotations": [
{
"technique_id": "T1566",
"name": "Phishing",
"tactic": "Initial Access",
"comment": "Targeted social engineering via professional platforms such as LinkedIn, Telegram, email, or similar channels."
},
{
"technique_id": "T1204.002",
"name": "User Execution: Malicious File",
"tactic": "Execution",
"comment": "Victims are instructed to execute the fake Zoom SDK Update.scpt component."
},
{
"technique_id": "T1059.002",
"name": "Command and Scripting Interpreter: AppleScript",
"tactic": "Execution",
"comment": "The compiled AppleScript opens in macOS Script Editor and drives osascript/curl/shell execution."
},
{
"technique_id": "T1105",
"name": "Ingress Tool Transfer",
"tactic": "Command and Control",
"comment": "The initial script uses curl to retrieve follow-on payloads/tools."
},
{
"technique_id": "T1555",
"name": "Credentials from Password Stores",
"tactic": "Credential Access",
"comment": "systemupdate.app launches a native-looking Mac Password Popup to harvest the login password."
},
{
"technique_id": "T1562.001",
"name": "Impair Defenses: Disable or Modify Tools",
"tactic": "Defense Evasion",
"comment": "TCC.db manipulation injects automation permissions for /usr/bin/osascript."
},
{
"technique_id": "T1543.004",
"name": "Create or Modify System Process: Launch Daemon",
"tactic": "Persistence",
"comment": "com.google.webkit.service.plist persists the icloudz backdoor."
},
{
"technique_id": "T1020",
"name": "Automated Exfiltration",
"tactic": "Exfiltration",
"comment": "Collected assets are archived into /tmp zip files and uploaded via curl."
},
{
"technique_id": "T1071.001",
"name": "Application Layer Protocol: Web Protocols",
"tactic": "Command and Control",
"comment": "The campaign uses web protocols and published C2 domains/IPs with operational ports for beaconing/upload/exfiltration."
}
]
}