North Korea Deploys ClickFix Malware to Harvest macOS Credentials

ClickFix malware, traced to a North Korean hacking outfit, is now targeting macOS workstations through a blend of bogus employment ads and counterfeit Zoom update prompts.

How ClickFix infiltrates Mac devices

Victims receive a polished email promising a high‑pay job or urging them to install a “critical” Zoom security patch. The attached installer carries the ClickFix payload, which silently harvests saved passwords, corporate VPN tokens, and other sensitive files.

“The sophistication of the lure rivals commercial phishing kits,” says a senior analyst at Reuters.

Security researchers note that fewer than ↓ 40% of Mac users apply updates from unofficial sources, amplifying the threat’s reach.

Attribution to Sapphire Sleet

The campaign bears the hallmark of the group known as Sapphire Sleet, long suspected of operating under North Korean direction. Recent findings published by Bloomberg link the fake job listings to servers in Pyongyang.

Enterprises are urged to enforce strict code‑signing policies and to educate staff about the perils of unsolicited software bundles.