← feed

levelblue.2026.sapphire-sleet-macos-fake-zoom-update

Sapphire Sleet macOS fake Zoom SDK update to reflective beacon and C2/exfiltration infrastructure

IIM chain for LevelBlue SpiderLabs research published on 2026-05-28. The report describes a Sapphire Sleet / BlueNoroff / UNC1069 macOS campaign targeting financial, Web3, venture-capital and cryptocurrency environments. Initial access uses social engineering around a fake video meeting and a fake Zoom SDK update component. The user executes Zoom SDK Update.scpt, which opens in macOS Script Editor and drives an osascript/curl/shell chain using task-specific User-Agents mac-cur1 through mac-cur5. Follow-on components include com.apple.cli profiling tooling, a native-looking systemupdate.app Mac Password Popup credential harvester, TCC.db abuse through Finder, a LaunchDaemon plist for persistence, an icloudz backdoor component, and the in-memory com.google.chromes.updaters beacon agent. Exfiltration is staged into /tmp zip archives and uploaded over remote upload/exfil ports. LevelBlue publishes C2 domains, C2 IPs, operational ports, hashes, and strategic forensic paths; exact lure accounts, meeting URLs, and per-domain DNS mappings are not published and are therefore not invented in this chain.

confirmed IIM v1.1 BlueNoroff
Raw JSON
entities21
relations21
techniques1
published2026-05-30 11:17:36

Infrastructure map

Role-based chain map

click nodes or numbered relations to inspect the infrastructure path
entryredirectorstagingpayloadc2

Chain storyline

ordered IIM positions
1
entry

file

Zoom SDK Update.scpt

2
payload

file

com.apple.cli profiling component

3
payload

file

systemupdate.app / Mac Password Popup credential harvester

4
staging

file

/Library/LaunchDaemons/com.google.webkit.service.plist

5
payload

file

icloudz reflective backdoor component

6
payload

file

com.google.chromes.updaters in-memory beacon agent

7
staging

file

/tmp staged zip archives containing collected corporate and crypto assets

8
c2

domain

check02id.com

IIM-T011
9
c2

domain

uw04webzoom.us

IIM-T011
10
c2

domain

uw05webzoom.us

IIM-T011
11
c2

domain

uw03webzoom.us

IIM-T011
12
c2

domain

uv01webzoom.us

IIM-T011
13
c2

domain

uv03webzoom.us

IIM-T011
14
c2

domain

uv04webzoom.us

IIM-T011
15
c2

domain

ux06webzoom.us

IIM-T011
16
c2

domain

ur01webzoom.us

IIM-T011
17
c2

ip

83.136.208.246

18
c2

ip

83.136.209.22

19
c2

ip

104.145.210.107

20
c2

ip

83.136.208.48

21
c2

ip

83.136.210.180

Relations

directed infrastructure edges
e001dropse002 confirmed
e001dropse003 confirmed
e001dropse004 confirmed
e004executee005 confirmed
e005executee006 confirmed
e006dropse007 confirmed
e006connecte008 confirmed
e006connecte009 confirmed
e006connecte010 confirmed
e006connecte011 confirmed
e006connecte012 confirmed
e006connecte013 confirmed
e006connecte014 confirmed
e006connecte015 confirmed
e006connecte016 confirmed
e006connecte017 confirmed
e006connecte018 confirmed
e006connecte019 confirmed
e006connecte020 confirmed
e006connecte021 confirmed
e007communicates-withe019 confirmed

Entities & evidence

observable inventory
IDTypeValueSource / evidence
e001 file Zoom SDK Update.scpt
LevelBlue states initial access relied on targeted social engineering against individuals in crypto/investment/Web3 and that victims were instructed to execute a fake Zoom SDK update component named Zoom SDK Update.scpt.
LevelBlue states the user-assisted execution opens the compiled AppleScript in macOS Script Editor and the flow proceeds Script Editor -> osascript -> curl -> shell.
LevelBlue IOC table lists /Users/<user>/Downloads/Zoom SDK Update.scpt with SHA-256 2075fd1a1362d188290910a8c55cf30c11ed5955c04af410c481410f538da419.
e002 file com.apple.cli profiling component
LevelBlue states the script initiates curl and osascript commands using task-specific User-Agents mac-cur1 through mac-cur5 and drops initial profiling tools such as com.apple.cli.
LevelBlue IOC table lists /Users/<user>/com.apple.cli with SHA-256 05e1761b535537287e7b72d103a29c4453742725600f59a34a4831eafc0b8e53.
e003 file systemupdate.app / Mac Password Popup credential harvester
LevelBlue states a fake application named systemupdate.app launches a native-looking Objective-C prompt called Mac Password Popup to harvest the user login password.
LevelBlue IOC table lists /private/tmp/SystemUpdate/systemupdate.app/Contents/MacOS/Mac Password Popup with SHA-256 8fd5b8db10458ace7e4ed335eb0c66527e1928ad87a3c688595804f72b205e8c.
LevelBlue IOC table also lists /private/tmp/SoftwareUpdate/softwareupdate.app/Contents/MacOS/Mac Password Popup with SHA-256 a05400000843fbad6b28d2b76fc201c3d415a72d88d8dc548fafd8bae073c640.
e004 file /Library/LaunchDaemons/com.google.webkit.service.plist
LevelBlue states an administrative boot configuration is dropped into /Library/LaunchDaemons/com.google.webkit.service.plist to launch the backdoor component named icloudz at system startup.
LevelBlue IOC table lists com.google.webkit.service.plist with SHA-256 95e893e7cdde19d7d16ff5a5074d0b369abd31c1a30962656133caa8153e8d63.
e005 file icloudz reflective backdoor component
LevelBlue states the LaunchDaemon starts a backdoor component named icloudz at system startup.
LevelBlue states icloudz uses NSCreateObjectFileImageFromMemory to reflectively load the core beacon agent com.google.chromes.updaters directly into memory.
LevelBlue IOC table lists /Users/<user>/Library/Services/services / icloudz with SHA-256 5fbbca2d72840feb86b6ef8a1abb4fe2f225d84228a714391673be2719c73ac7.
e006 file com.google.chromes.updaters in-memory beacon agent
LevelBlue states icloudz reflectively loads the core beacon agent com.google.chromes.updaters directly into memory.
LevelBlue states the beacon communicates outbound every 60 seconds.
LevelBlue IOC table lists com.google.chromes.updaters with SHA-256 5e581f22f56883ee13358f73fabab00fcf9313a053210eb12ac18e66098346e5.
e007 file /tmp staged zip archives containing collected corporate and crypto assets
LevelBlue states the script profiles, archives into .zip files within the /tmp/ directory, and steals critical corporate data assets.
Targeted data described by LevelBlue includes cryptocurrency software wallets such as Exodus and Ledger Live, browser extension storage, Telegram session profiles, local SSH keys, and unencrypted Apple Notes records.
LevelBlue states staged archives are uploaded via nohup curl to remote port 8443, while official exfiltration traffic has been reported on 104.145.210.107:6783.
e008 domain check02id.com
LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign.
LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).
No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge.
e009 domain uw04webzoom.us
LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign.
LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).
No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge.
e010 domain uw05webzoom.us
LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign.
LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).
No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge.
e011 domain uw03webzoom.us
LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign.
LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).
No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge.
e012 domain uv01webzoom.us
LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign.
LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).
No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge.
e013 domain uv03webzoom.us
LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign.
LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).
No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge.
e014 domain uv04webzoom.us
LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign.
LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).
No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge.
e015 domain ux06webzoom.us
LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign.
LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).
No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge.
e016 domain ur01webzoom.us
LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign.
LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).
No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge.
e017 ip 83.136.208.246
LevelBlue Network & Infrastructure Channels section lists this value as a C2 IP for the Sapphire Sleet macOS campaign.
LevelBlue lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).
The article lists this IP as campaign C2 infrastructure but does not publish a per-domain or per-port mapping for this specific IP.
e018 ip 83.136.209.22
LevelBlue Network & Infrastructure Channels section lists this value as a C2 IP for the Sapphire Sleet macOS campaign.
LevelBlue lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).
The article lists this IP as campaign C2 infrastructure but does not publish a per-domain or per-port mapping for this specific IP.
e019 ip 104.145.210.107
LevelBlue Network & Infrastructure Channels section lists this value as a C2 IP for the Sapphire Sleet macOS campaign.
LevelBlue lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).
LevelBlue specifically reports official exfiltration traffic on 104.145.210.107:6783; for the other IPs, the article lists them as campaign C2 IPs without per-port mapping.
e020 ip 83.136.208.48
LevelBlue Network & Infrastructure Channels section lists this value as a C2 IP for the Sapphire Sleet macOS campaign.
LevelBlue lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).
The article lists this IP as campaign C2 infrastructure but does not publish a per-domain or per-port mapping for this specific IP.
e021 ip 83.136.210.180
LevelBlue Network & Infrastructure Channels section lists this value as a C2 IP for the Sapphire Sleet macOS campaign.
LevelBlue lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).
The article lists this IP as campaign C2 infrastructure but does not publish a per-domain or per-port mapping for this specific IP.

ATT&CK annotations

optional complementary mapping
T1566Phishing

Targeted social engineering via professional platforms such as LinkedIn, Telegram, email, or similar channels.

T1204.002User Execution: Malicious File

Victims are instructed to execute the fake Zoom SDK Update.scpt component.

T1059.002Command and Scripting Interpreter: AppleScript

The compiled AppleScript opens in macOS Script Editor and drives osascript/curl/shell execution.

T1105Ingress Tool Transfer

The initial script uses curl to retrieve follow-on payloads/tools.

T1555Credentials from Password Stores

systemupdate.app launches a native-looking Mac Password Popup to harvest the login password.

T1562.001Impair Defenses: Disable or Modify Tools

TCC.db manipulation injects automation permissions for /usr/bin/osascript.

T1543.004Create or Modify System Process: Launch Daemon

com.google.webkit.service.plist persists the icloudz backdoor.

T1020Automated Exfiltration

Collected assets are archived into /tmp zip files and uploaded via curl.

T1071.001Application Layer Protocol: Web Protocols

The campaign uses web protocols and published C2 domains/IPs with operational ports for beaconing/upload/exfiltration.

Raw IIM JSON canonical body from MANTIS expand
{
  "iim_version": "1.1",
  "chain_id": "levelblue.2026.sapphire-sleet-macos-fake-zoom-update",
  "title": "Sapphire Sleet macOS fake Zoom SDK update to reflective beacon and C2/exfiltration infrastructure",
  "description": "IIM chain for LevelBlue SpiderLabs research published on 2026-05-28. The report describes a Sapphire Sleet / BlueNoroff / UNC1069 macOS campaign targeting financial, Web3, venture-capital and cryptocurrency environments. Initial access uses social engineering around a fake video meeting and a fake Zoom SDK update component. The user executes Zoom SDK Update.scpt, which opens in macOS Script Editor and drives an osascript/curl/shell chain using task-specific User-Agents mac-cur1 through mac-cur5. Follow-on components include com.apple.cli profiling tooling, a native-looking systemupdate.app Mac Password Popup credential harvester, TCC.db abuse through Finder, a LaunchDaemon plist for persistence, an icloudz backdoor component, and the in-memory com.google.chromes.updaters beacon agent. Exfiltration is staged into /tmp zip archives and uploaded over remote upload/exfil ports. LevelBlue publishes C2 domains, C2 IPs, operational ports, hashes, and strategic forensic paths; exact lure accounts, meeting URLs, and per-domain DNS mappings are not published and are therefore not invented in this chain.",
  "actor_id": "BlueNoroff",
  "observed_at": "2026-05-28T00:00:00Z",
  "confidence": "confirmed",
  "needs_review": false,
  "import_source": "manual-osint-report-to-iim-conversion",
  "x_source": {
    "title": "Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign",
    "publisher": "LevelBlue SpiderLabs",
    "author": "Maor Gabay",
    "url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
    "published_at": "2026-05-28",
    "accessed_at": "2026-05-30T00:00:00Z",
    "source_type": "original vendor research report",
    "source_policy": "Original LevelBlue SpiderLabs source only. Secondary summaries were not used for chain content."
  },
  "x_source_urls": [
    "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
  ],
  "x_source_title": "Sapphire Sleet macOS fake Zoom SDK update to reflective beacon and C2/exfiltration infrastructure",
  "x_source_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
  "x_resource_links_verified": [
    {
      "url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
      "status": "opened via web retrieval",
      "verified_at": "2026-05-30T00:00:00Z",
      "notes": "Verified title, publisher, publication date, author, kill-chain breakdown, file hashes, C2 domains, C2 IPs, operational ports, and forensic paths from the LevelBlue SpiderLabs article."
    }
  ],
  "x_iocs": {
    "sha256": [
      "2075fd1a1362d188290910a8c55cf30c11ed5955c04af410c481410f538da419",
      "05e1761b535537287e7b72d103a29c4453742725600f59a34a4831eafc0b8e53",
      "5fbbca2d72840feb86b6ef8a1abb4fe2f225d84228a714391673be2719c73ac7",
      "5e581f22f56883ee13358f73fabab00fcf9313a053210eb12ac18e66098346e5",
      "95e893e7cdde19d7d16ff5a5074d0b369abd31c1a30962656133caa8153e8d63",
      "8fd5b8db10458ace7e4ed335eb0c66527e1928ad87a3c688595804f72b205e8c",
      "a05400000843fbad6b28d2b76fc201c3d415a72d88d8dc548fafd8bae073c640"
    ],
    "domains": [
      "check02id.com",
      "uw04webzoom.us",
      "uw05webzoom.us",
      "uw03webzoom.us",
      "uv01webzoom.us",
      "uv03webzoom.us",
      "uv04webzoom.us",
      "ux06webzoom.us",
      "ur01webzoom.us"
    ],
    "ips": [
      "83.136.208.246",
      "83.136.209.22",
      "104.145.210.107",
      "83.136.208.48",
      "83.136.210.180"
    ],
    "files": [
      "Zoom SDK Update.scpt",
      "com.apple.cli",
      "systemupdate.app / Mac Password Popup",
      "softwareupdate.app / Mac Password Popup",
      "com.google.webkit.service.plist",
      "icloudz",
      "com.google.chromes.updaters"
    ],
    "ports": {
      "443": "Telegram API",
      "5202": "beacons",
      "6783": "exfiltration",
      "8443": "data staging/upload"
    }
  },
  "x_limitations": [
    "LevelBlue does not publish the exact recruiter/investor/business-partner account, meeting link, email, Telegram handle, or landing page that delivered the fake Zoom SDK update. The entry is therefore modeled at the fake update component level.",
    "The report lists C2 domains and C2 IPs separately but does not publish raw DNS mappings between every domain and every IP. This chain avoids invented resolves-to edges.",
    "The report states that uploads occur via nohup curl to remote port 8443 and that official exfiltration traffic has been reported on 104.145.210.107:6783. The 8443 upload destination is therefore modeled at the C2 infrastructure pool level rather than as a fabricated URL.",
    "Host tradecraft such as Script Editor abuse, Finder/TCC.db manipulation, LaunchDaemon persistence and credential prompting is preserved as evidence and ATT&CK context. Only infrastructure-relevant artifacts are promoted to IIM nodes.",
    "LevelBlue notes that original campaign infrastructure may have been partially mitigated after Microsoft shared findings with Apple. Indicators remain useful for historical/public-feed context, but live status is not asserted."
  ],
  "entities": [
    {
      "id": "e001",
      "type": "file",
      "value": "Zoom SDK Update.scpt",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
      "evidence": [
        "LevelBlue states initial access relied on targeted social engineering against individuals in crypto/investment/Web3 and that victims were instructed to execute a fake Zoom SDK update component named Zoom SDK Update.scpt.",
        "LevelBlue states the user-assisted execution opens the compiled AppleScript in macOS Script Editor and the flow proceeds Script Editor -> osascript -> curl -> shell.",
        "LevelBlue IOC table lists /Users/<user>/Downloads/Zoom SDK Update.scpt with SHA-256 2075fd1a1362d188290910a8c55cf30c11ed5955c04af410c481410f538da419."
      ],
      "x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
      "x_sha256": "2075fd1a1362d188290910a8c55cf30c11ed5955c04af410c481410f538da419",
      "x_distribution_lure": "fake video meeting / fake Zoom SDK update",
      "x_exact_lure_url_published": false,
      "x_chain_stage": "user_executed_fake_update"
    },
    {
      "id": "e002",
      "type": "file",
      "value": "com.apple.cli profiling component",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
      "evidence": [
        "LevelBlue states the script initiates curl and osascript commands using task-specific User-Agents mac-cur1 through mac-cur5 and drops initial profiling tools such as com.apple.cli.",
        "LevelBlue IOC table lists /Users/<user>/com.apple.cli with SHA-256 05e1761b535537287e7b72d103a29c4453742725600f59a34a4831eafc0b8e53."
      ],
      "x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
      "x_sha256": "05e1761b535537287e7b72d103a29c4453742725600f59a34a4831eafc0b8e53",
      "x_user_agents": [
        "mac-cur1",
        "mac-cur2",
        "mac-cur3",
        "mac-cur4",
        "mac-cur5"
      ],
      "x_chain_stage": "initial_profiling_tool"
    },
    {
      "id": "e003",
      "type": "file",
      "value": "systemupdate.app / Mac Password Popup credential harvester",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
      "evidence": [
        "LevelBlue states a fake application named systemupdate.app launches a native-looking Objective-C prompt called Mac Password Popup to harvest the user login password.",
        "LevelBlue IOC table lists /private/tmp/SystemUpdate/systemupdate.app/Contents/MacOS/Mac Password Popup with SHA-256 8fd5b8db10458ace7e4ed335eb0c66527e1928ad87a3c688595804f72b205e8c.",
        "LevelBlue IOC table also lists /private/tmp/SoftwareUpdate/softwareupdate.app/Contents/MacOS/Mac Password Popup with SHA-256 a05400000843fbad6b28d2b76fc201c3d415a72d88d8dc548fafd8bae073c640."
      ],
      "x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
      "x_sha256_primary": "8fd5b8db10458ace7e4ed335eb0c66527e1928ad87a3c688595804f72b205e8c",
      "x_sha256_alternate": "a05400000843fbad6b28d2b76fc201c3d415a72d88d8dc548fafd8bae073c640",
      "x_paths": [
        "/private/tmp/SystemUpdate/systemupdate.app/Contents/MacOS/Mac Password Popup",
        "/private/tmp/SoftwareUpdate/softwareupdate.app/Contents/MacOS/Mac Password Popup"
      ],
      "x_chain_stage": "credential_harvester_payload"
    },
    {
      "id": "e004",
      "type": "file",
      "value": "/Library/LaunchDaemons/com.google.webkit.service.plist",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
      "evidence": [
        "LevelBlue states an administrative boot configuration is dropped into /Library/LaunchDaemons/com.google.webkit.service.plist to launch the backdoor component named icloudz at system startup.",
        "LevelBlue IOC table lists com.google.webkit.service.plist with SHA-256 95e893e7cdde19d7d16ff5a5074d0b369abd31c1a30962656133caa8153e8d63."
      ],
      "x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
      "x_sha256": "95e893e7cdde19d7d16ff5a5074d0b369abd31c1a30962656133caa8153e8d63",
      "x_path": "/Library/LaunchDaemons/com.google.webkit.service.plist",
      "x_chain_stage": "persistence_staging"
    },
    {
      "id": "e005",
      "type": "file",
      "value": "icloudz reflective backdoor component",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
      "evidence": [
        "LevelBlue states the LaunchDaemon starts a backdoor component named icloudz at system startup.",
        "LevelBlue states icloudz uses NSCreateObjectFileImageFromMemory to reflectively load the core beacon agent com.google.chromes.updaters directly into memory.",
        "LevelBlue IOC table lists /Users/<user>/Library/Services/services / icloudz with SHA-256 5fbbca2d72840feb86b6ef8a1abb4fe2f225d84228a714391673be2719c73ac7."
      ],
      "x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
      "x_sha256": "5fbbca2d72840feb86b6ef8a1abb4fe2f225d84228a714391673be2719c73ac7",
      "x_forensic_path": "~/Library/Application Support/iCloud/icloudz according to LevelBlue strategic forensic paths",
      "x_chain_stage": "reflective_loader_backdoor"
    },
    {
      "id": "e006",
      "type": "file",
      "value": "com.google.chromes.updaters in-memory beacon agent",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
      "evidence": [
        "LevelBlue states icloudz reflectively loads the core beacon agent com.google.chromes.updaters directly into memory.",
        "LevelBlue states the beacon communicates outbound every 60 seconds.",
        "LevelBlue IOC table lists com.google.chromes.updaters with SHA-256 5e581f22f56883ee13358f73fabab00fcf9313a053210eb12ac18e66098346e5."
      ],
      "x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
      "x_sha256": "5e581f22f56883ee13358f73fabab00fcf9313a053210eb12ac18e66098346e5",
      "x_beacon_interval_seconds": 60,
      "x_chain_stage": "memory_beacon_agent"
    },
    {
      "id": "e007",
      "type": "file",
      "value": "/tmp staged zip archives containing collected corporate and crypto assets",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
      "evidence": [
        "LevelBlue states the script profiles, archives into .zip files within the /tmp/ directory, and steals critical corporate data assets.",
        "Targeted data described by LevelBlue includes cryptocurrency software wallets such as Exodus and Ledger Live, browser extension storage, Telegram session profiles, local SSH keys, and unencrypted Apple Notes records.",
        "LevelBlue states staged archives are uploaded via nohup curl to remote port 8443, while official exfiltration traffic has been reported on 104.145.210.107:6783."
      ],
      "x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
      "x_local_path": "/tmp/*.zip",
      "x_external_infrastructure": false,
      "x_data_categories": [
        "cryptocurrency wallets",
        "browser extension storage",
        "Telegram sessions",
        "SSH keys",
        "Apple Notes"
      ],
      "x_chain_stage": "local_exfiltration_staging"
    },
    {
      "id": "e008",
      "type": "domain",
      "value": "check02id.com",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
      "evidence": [
        "LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign.",
        "LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).",
        "No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge."
      ],
      "x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
      "x_c2_domain_pool": true,
      "x_ports": {
        "443": "Telegram API",
        "5202": "beacons",
        "6783": "exfiltration",
        "8443": "data staging/upload"
      },
      "x_dns_mapping_published": false,
      "x_chain_stage": "c2_domain_pool"
    },
    {
      "id": "e009",
      "type": "domain",
      "value": "uw04webzoom.us",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
      "evidence": [
        "LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign.",
        "LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).",
        "No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge."
      ],
      "x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
      "x_c2_domain_pool": true,
      "x_ports": {
        "443": "Telegram API",
        "5202": "beacons",
        "6783": "exfiltration",
        "8443": "data staging/upload"
      },
      "x_dns_mapping_published": false,
      "x_chain_stage": "c2_domain_pool"
    },
    {
      "id": "e010",
      "type": "domain",
      "value": "uw05webzoom.us",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
      "evidence": [
        "LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign.",
        "LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).",
        "No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge."
      ],
      "x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
      "x_c2_domain_pool": true,
      "x_ports": {
        "443": "Telegram API",
        "5202": "beacons",
        "6783": "exfiltration",
        "8443": "data staging/upload"
      },
      "x_dns_mapping_published": false,
      "x_chain_stage": "c2_domain_pool"
    },
    {
      "id": "e011",
      "type": "domain",
      "value": "uw03webzoom.us",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
      "evidence": [
        "LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign.",
        "LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).",
        "No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge."
      ],
      "x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
      "x_c2_domain_pool": true,
      "x_ports": {
        "443": "Telegram API",
        "5202": "beacons",
        "6783": "exfiltration",
        "8443": "data staging/upload"
      },
      "x_dns_mapping_published": false,
      "x_chain_stage": "c2_domain_pool"
    },
    {
      "id": "e012",
      "type": "domain",
      "value": "uv01webzoom.us",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
      "evidence": [
        "LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign.",
        "LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).",
        "No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge."
      ],
      "x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
      "x_c2_domain_pool": true,
      "x_ports": {
        "443": "Telegram API",
        "5202": "beacons",
        "6783": "exfiltration",
        "8443": "data staging/upload"
      },
      "x_dns_mapping_published": false,
      "x_chain_stage": "c2_domain_pool"
    },
    {
      "id": "e013",
      "type": "domain",
      "value": "uv03webzoom.us",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
      "evidence": [
        "LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign.",
        "LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).",
        "No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge."
      ],
      "x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
      "x_c2_domain_pool": true,
      "x_ports": {
        "443": "Telegram API",
        "5202": "beacons",
        "6783": "exfiltration",
        "8443": "data staging/upload"
      },
      "x_dns_mapping_published": false,
      "x_chain_stage": "c2_domain_pool"
    },
    {
      "id": "e014",
      "type": "domain",
      "value": "uv04webzoom.us",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
      "evidence": [
        "LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign.",
        "LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).",
        "No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge."
      ],
      "x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
      "x_c2_domain_pool": true,
      "x_ports": {
        "443": "Telegram API",
        "5202": "beacons",
        "6783": "exfiltration",
        "8443": "data staging/upload"
      },
      "x_dns_mapping_published": false,
      "x_chain_stage": "c2_domain_pool"
    },
    {
      "id": "e015",
      "type": "domain",
      "value": "ux06webzoom.us",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
      "evidence": [
        "LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign.",
        "LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).",
        "No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge."
      ],
      "x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
      "x_c2_domain_pool": true,
      "x_ports": {
        "443": "Telegram API",
        "5202": "beacons",
        "6783": "exfiltration",
        "8443": "data staging/upload"
      },
      "x_dns_mapping_published": false,
      "x_chain_stage": "c2_domain_pool"
    },
    {
      "id": "e016",
      "type": "domain",
      "value": "ur01webzoom.us",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
      "evidence": [
        "LevelBlue Network & Infrastructure Channels section lists this value as a C2 Domain for the Sapphire Sleet macOS campaign.",
        "LevelBlue also lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).",
        "No per-domain DNS-to-IP mapping is published in the article, so this domain is modeled without a fabricated resolves-to edge."
      ],
      "x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
      "x_c2_domain_pool": true,
      "x_ports": {
        "443": "Telegram API",
        "5202": "beacons",
        "6783": "exfiltration",
        "8443": "data staging/upload"
      },
      "x_dns_mapping_published": false,
      "x_chain_stage": "c2_domain_pool"
    },
    {
      "id": "e017",
      "type": "ip",
      "value": "83.136.208.246",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
      "evidence": [
        "LevelBlue Network & Infrastructure Channels section lists this value as a C2 IP for the Sapphire Sleet macOS campaign.",
        "LevelBlue lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).",
        "The article lists this IP as campaign C2 infrastructure but does not publish a per-domain or per-port mapping for this specific IP."
      ],
      "x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
      "x_c2_ip_pool": true,
      "x_ports": {
        "443": "Telegram API",
        "5202": "beacons",
        "6783": "exfiltration",
        "8443": "data staging/upload"
      },
      "x_explicit_exfil_endpoint": false,
      "x_chain_stage": "c2_ip_pool"
    },
    {
      "id": "e018",
      "type": "ip",
      "value": "83.136.209.22",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
      "evidence": [
        "LevelBlue Network & Infrastructure Channels section lists this value as a C2 IP for the Sapphire Sleet macOS campaign.",
        "LevelBlue lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).",
        "The article lists this IP as campaign C2 infrastructure but does not publish a per-domain or per-port mapping for this specific IP."
      ],
      "x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
      "x_c2_ip_pool": true,
      "x_ports": {
        "443": "Telegram API",
        "5202": "beacons",
        "6783": "exfiltration",
        "8443": "data staging/upload"
      },
      "x_explicit_exfil_endpoint": false,
      "x_chain_stage": "c2_ip_pool"
    },
    {
      "id": "e019",
      "type": "ip",
      "value": "104.145.210.107",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
      "evidence": [
        "LevelBlue Network & Infrastructure Channels section lists this value as a C2 IP for the Sapphire Sleet macOS campaign.",
        "LevelBlue lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).",
        "LevelBlue specifically reports official exfiltration traffic on 104.145.210.107:6783; for the other IPs, the article lists them as campaign C2 IPs without per-port mapping."
      ],
      "x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
      "x_c2_ip_pool": true,
      "x_ports": {
        "443": "Telegram API",
        "5202": "beacons",
        "6783": "exfiltration",
        "8443": "data staging/upload"
      },
      "x_explicit_exfil_endpoint": true,
      "x_chain_stage": "c2_ip_pool"
    },
    {
      "id": "e020",
      "type": "ip",
      "value": "83.136.208.48",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
      "evidence": [
        "LevelBlue Network & Infrastructure Channels section lists this value as a C2 IP for the Sapphire Sleet macOS campaign.",
        "LevelBlue lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).",
        "The article lists this IP as campaign C2 infrastructure but does not publish a per-domain or per-port mapping for this specific IP."
      ],
      "x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
      "x_c2_ip_pool": true,
      "x_ports": {
        "443": "Telegram API",
        "5202": "beacons",
        "6783": "exfiltration",
        "8443": "data staging/upload"
      },
      "x_explicit_exfil_endpoint": false,
      "x_chain_stage": "c2_ip_pool"
    },
    {
      "id": "e021",
      "type": "ip",
      "value": "83.136.210.180",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "LevelBlue SpiderLabs: Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (2026-05-28)",
      "evidence": [
        "LevelBlue Network & Infrastructure Channels section lists this value as a C2 IP for the Sapphire Sleet macOS campaign.",
        "LevelBlue lists operational ports 443 (Telegram API), 5202 (Beacons), 8443 (Data Staging/Upload), and 6783 (Exfiltration).",
        "The article lists this IP as campaign C2 infrastructure but does not publish a per-domain or per-port mapping for this specific IP."
      ],
      "x_reference_url": "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign",
      "x_c2_ip_pool": true,
      "x_ports": {
        "443": "Telegram API",
        "5202": "beacons",
        "6783": "exfiltration",
        "8443": "data staging/upload"
      },
      "x_explicit_exfil_endpoint": false,
      "x_chain_stage": "c2_ip_pool"
    }
  ],
  "chain": [
    {
      "entity_id": "e001",
      "role": "entry",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "First public executable artifact. The preceding lure account/link is not published by LevelBlue."
    },
    {
      "entity_id": "e002",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Initial profiling component dropped by the AppleScript/curl chain."
    },
    {
      "entity_id": "e003",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Credential-harvesting payload. Kept as payload because it is executable malware logic, not external infrastructure."
    },
    {
      "entity_id": "e004",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Local persistence staging for the icloudz backdoor."
    },
    {
      "entity_id": "e005",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e006",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e007",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Local exfiltration staging in /tmp before upload; not external infrastructure."
    },
    {
      "entity_id": "e008",
      "role": "c2",
      "techniques": [
        "IIM-T011"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Part of LevelBlue-published C2 domain pool/domain rotation. No DNS mapping edge is invented."
    },
    {
      "entity_id": "e009",
      "role": "c2",
      "techniques": [
        "IIM-T011"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Part of LevelBlue-published C2 domain pool/domain rotation. No DNS mapping edge is invented."
    },
    {
      "entity_id": "e010",
      "role": "c2",
      "techniques": [
        "IIM-T011"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Part of LevelBlue-published C2 domain pool/domain rotation. No DNS mapping edge is invented."
    },
    {
      "entity_id": "e011",
      "role": "c2",
      "techniques": [
        "IIM-T011"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Part of LevelBlue-published C2 domain pool/domain rotation. No DNS mapping edge is invented."
    },
    {
      "entity_id": "e012",
      "role": "c2",
      "techniques": [
        "IIM-T011"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Part of LevelBlue-published C2 domain pool/domain rotation. No DNS mapping edge is invented."
    },
    {
      "entity_id": "e013",
      "role": "c2",
      "techniques": [
        "IIM-T011"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Part of LevelBlue-published C2 domain pool/domain rotation. No DNS mapping edge is invented."
    },
    {
      "entity_id": "e014",
      "role": "c2",
      "techniques": [
        "IIM-T011"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Part of LevelBlue-published C2 domain pool/domain rotation. No DNS mapping edge is invented."
    },
    {
      "entity_id": "e015",
      "role": "c2",
      "techniques": [
        "IIM-T011"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Part of LevelBlue-published C2 domain pool/domain rotation. No DNS mapping edge is invented."
    },
    {
      "entity_id": "e016",
      "role": "c2",
      "techniques": [
        "IIM-T011"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Part of LevelBlue-published C2 domain pool/domain rotation. No DNS mapping edge is invented."
    },
    {
      "entity_id": "e017",
      "role": "c2",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Part of LevelBlue-published C2 IP pool. Per-domain mappings are not published."
    },
    {
      "entity_id": "e018",
      "role": "c2",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Part of LevelBlue-published C2 IP pool. Per-domain mappings are not published."
    },
    {
      "entity_id": "e019",
      "role": "c2",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Part of LevelBlue-published C2 IP pool. Per-domain mappings are not published."
    },
    {
      "entity_id": "e020",
      "role": "c2",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Part of LevelBlue-published C2 IP pool. Per-domain mappings are not published."
    },
    {
      "entity_id": "e021",
      "role": "c2",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Part of LevelBlue-published C2 IP pool. Per-domain mappings are not published."
    }
  ],
  "relations": [
    {
      "from": "e001",
      "to": "e002",
      "type": "drops",
      "sequence_order": 1,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "LevelBlue states Zoom SDK Update.scpt drives Script Editor -> osascript -> curl -> shell and drops initial profiling tools such as com.apple.cli.",
        "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
      ]
    },
    {
      "from": "e001",
      "to": "e003",
      "type": "drops",
      "sequence_order": 2,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "LevelBlue states a fake systemupdate.app launches the Mac Password Popup credential harvester after the fake Zoom update execution chain.",
        "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
      ]
    },
    {
      "from": "e001",
      "to": "e004",
      "type": "drops",
      "sequence_order": 3,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "LevelBlue states a LaunchDaemon plist is dropped at /Library/LaunchDaemons/com.google.webkit.service.plist for persistence.",
        "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
      ]
    },
    {
      "from": "e004",
      "to": "e005",
      "type": "execute",
      "sequence_order": 4,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "LevelBlue states the LaunchDaemon launches the icloudz backdoor component at system startup.",
        "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
      ]
    },
    {
      "from": "e005",
      "to": "e006",
      "type": "execute",
      "sequence_order": 5,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "LevelBlue states icloudz uses NSCreateObjectFileImageFromMemory to reflectively load com.google.chromes.updaters directly into memory.",
        "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
      ]
    },
    {
      "from": "e006",
      "to": "e007",
      "type": "drops",
      "sequence_order": 6,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "LevelBlue states the script profiles and archives stolen data into .zip files within /tmp before upload.",
        "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
      ]
    },
    {
      "from": "e006",
      "to": "e008",
      "type": "connect",
      "sequence_order": 7,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "LevelBlue lists check02id.com as a C2 Domain for this campaign and states the in-memory beacon communicates outbound every 60 seconds.",
        "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
      ]
    },
    {
      "from": "e006",
      "to": "e009",
      "type": "connect",
      "sequence_order": 8,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "LevelBlue lists uw04webzoom.us as a C2 Domain for this campaign and states the in-memory beacon communicates outbound every 60 seconds.",
        "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
      ]
    },
    {
      "from": "e006",
      "to": "e010",
      "type": "connect",
      "sequence_order": 9,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "LevelBlue lists uw05webzoom.us as a C2 Domain for this campaign and states the in-memory beacon communicates outbound every 60 seconds.",
        "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
      ]
    },
    {
      "from": "e006",
      "to": "e011",
      "type": "connect",
      "sequence_order": 10,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "LevelBlue lists uw03webzoom.us as a C2 Domain for this campaign and states the in-memory beacon communicates outbound every 60 seconds.",
        "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
      ]
    },
    {
      "from": "e006",
      "to": "e012",
      "type": "connect",
      "sequence_order": 11,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "LevelBlue lists uv01webzoom.us as a C2 Domain for this campaign and states the in-memory beacon communicates outbound every 60 seconds.",
        "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
      ]
    },
    {
      "from": "e006",
      "to": "e013",
      "type": "connect",
      "sequence_order": 12,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "LevelBlue lists uv03webzoom.us as a C2 Domain for this campaign and states the in-memory beacon communicates outbound every 60 seconds.",
        "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
      ]
    },
    {
      "from": "e006",
      "to": "e014",
      "type": "connect",
      "sequence_order": 13,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "LevelBlue lists uv04webzoom.us as a C2 Domain for this campaign and states the in-memory beacon communicates outbound every 60 seconds.",
        "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
      ]
    },
    {
      "from": "e006",
      "to": "e015",
      "type": "connect",
      "sequence_order": 14,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "LevelBlue lists ux06webzoom.us as a C2 Domain for this campaign and states the in-memory beacon communicates outbound every 60 seconds.",
        "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
      ]
    },
    {
      "from": "e006",
      "to": "e016",
      "type": "connect",
      "sequence_order": 15,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "LevelBlue lists ur01webzoom.us as a C2 Domain for this campaign and states the in-memory beacon communicates outbound every 60 seconds.",
        "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
      ]
    },
    {
      "from": "e006",
      "to": "e017",
      "type": "connect",
      "sequence_order": 16,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "LevelBlue lists 83.136.208.246 as a C2 IP for this campaign; operational ports include 5202 for beacons plus upload/exfil ports 8443/6783.",
        "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
      ]
    },
    {
      "from": "e006",
      "to": "e018",
      "type": "connect",
      "sequence_order": 17,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "LevelBlue lists 83.136.209.22 as a C2 IP for this campaign; operational ports include 5202 for beacons plus upload/exfil ports 8443/6783.",
        "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
      ]
    },
    {
      "from": "e006",
      "to": "e019",
      "type": "connect",
      "sequence_order": 18,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "LevelBlue lists 104.145.210.107 as a C2 IP for this campaign; operational ports include 5202 for beacons plus upload/exfil ports 8443/6783.",
        "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
      ]
    },
    {
      "from": "e006",
      "to": "e020",
      "type": "connect",
      "sequence_order": 19,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "LevelBlue lists 83.136.208.48 as a C2 IP for this campaign; operational ports include 5202 for beacons plus upload/exfil ports 8443/6783.",
        "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
      ]
    },
    {
      "from": "e006",
      "to": "e021",
      "type": "connect",
      "sequence_order": 20,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "LevelBlue lists 83.136.210.180 as a C2 IP for this campaign; operational ports include 5202 for beacons plus upload/exfil ports 8443/6783.",
        "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
      ]
    },
    {
      "from": "e007",
      "to": "e019",
      "type": "communicates-with",
      "sequence_order": 21,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "LevelBlue states staged /tmp zip archives are uploaded via nohup curl to remote port 8443 and that official exfiltration traffic has been reported on 104.145.210.107:6783.",
        "https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"
      ]
    }
  ],
  "attack_annotations": [
    {
      "technique_id": "T1566",
      "name": "Phishing",
      "tactic": "Initial Access",
      "comment": "Targeted social engineering via professional platforms such as LinkedIn, Telegram, email, or similar channels."
    },
    {
      "technique_id": "T1204.002",
      "name": "User Execution: Malicious File",
      "tactic": "Execution",
      "comment": "Victims are instructed to execute the fake Zoom SDK Update.scpt component."
    },
    {
      "technique_id": "T1059.002",
      "name": "Command and Scripting Interpreter: AppleScript",
      "tactic": "Execution",
      "comment": "The compiled AppleScript opens in macOS Script Editor and drives osascript/curl/shell execution."
    },
    {
      "technique_id": "T1105",
      "name": "Ingress Tool Transfer",
      "tactic": "Command and Control",
      "comment": "The initial script uses curl to retrieve follow-on payloads/tools."
    },
    {
      "technique_id": "T1555",
      "name": "Credentials from Password Stores",
      "tactic": "Credential Access",
      "comment": "systemupdate.app launches a native-looking Mac Password Popup to harvest the login password."
    },
    {
      "technique_id": "T1562.001",
      "name": "Impair Defenses: Disable or Modify Tools",
      "tactic": "Defense Evasion",
      "comment": "TCC.db manipulation injects automation permissions for /usr/bin/osascript."
    },
    {
      "technique_id": "T1543.004",
      "name": "Create or Modify System Process: Launch Daemon",
      "tactic": "Persistence",
      "comment": "com.google.webkit.service.plist persists the icloudz backdoor."
    },
    {
      "technique_id": "T1020",
      "name": "Automated Exfiltration",
      "tactic": "Exfiltration",
      "comment": "Collected assets are archived into /tmp zip files and uploaded via curl."
    },
    {
      "technique_id": "T1071.001",
      "name": "Application Layer Protocol: Web Protocols",
      "tactic": "Command and Control",
      "comment": "The campaign uses web protocols and published C2 domains/IPs with operational ports for beaconing/upload/exfiltration."
    }
  ]
}