icloudz
icloudz is a macOS backdoor used in a social-engineering campaign that Microsoft attributes to the North Korean threat actor Sapphire Sleet, also tracked as APT38 and described in the reporting as linked to Lazarus. The campaign targeted macOS users, particularly in finance, cryptocurrency, venture capital and blockchain contexts, using fake recruiter personas and counterfeit Zoom interview/support lures to convince victims to open a malicious AppleScript file named "Zoom SDK Update.scpt".

Within this intrusion chain, icloudz was deployed as a backdoor whose name mimics a legitimate iCloud-related artifact. Its key documented capability is loading additional payloads directly into memory via the macOS NSCreateObjectFileImageFromMemory API, enabling further in-memory delivery and execution of attacker-controlled code. Reporting also states that icloudz was a renamed copy of the previously deployed "services" backdoor and shared the same SHA-256 hash, so the two files are byte-for-byte identical and a hash match on either name covers both.

In the broader campaign, associated malware and payload stages performed orchestration, persistence, reconnaissance, TCC bypass, credential theft, and exfiltration of sensitive data including credentials, cryptocurrency wallet data, browser data, keychains, Apple Notes, Telegram data, SSH keys, and system information. High-confidence related artifacts and behaviors mentioned alongside icloudz include the lure file "Zoom SDK Update.scpt", abuse of legitimate macOS utilities such as softwareupdate, curl, and osascript, and Apple-like naming conventions used to disguise malicious components.
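Two checks a responder can run against the facts above, written here as an added example rather than code from the reporting: a byte-level triage that flags Mach-O files referencing the dyld in-memory loader APIs (NSCreateObjectFileImageFromMemory and the NSLinkModule family it is normally paired with), and a SHA-256 grouping that surfaces renamed copies the way icloudz and "services" collided. The Mach-O magic values and API names are real; the sample byte strings are constructed stand-ins, not malware.

```python
"""Added triage helper: flag Mach-O files that reference the in-memory loader
APIs used by icloudz, and group files that are renamed copies of one another."""
import hashlib
from collections import defaultdict

# Runtime-loader symbols a reflective loader resolves. In a dynamically linked
# Mach-O these names survive in the string table, which is what the byte search
# relies on; a stripped or dlsym-obfuscated loader evades it (see usage note).
LOADER_SYMBOLS = (
    b"_NSCreateObjectFileImageFromMemory",
    b"_NSLinkModule",
    b"_NSLookupSymbolInModule",
    b"_NSAddressOfSymbol",
)

# Mach-O and fat/universal magic numbers as they appear in the first 4 bytes.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "mach-o 32-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "mach-o 32-bit (little-endian)",
    b"\xfe\xed\xfa\xcf": "mach-o 64-bit (big-endian)",
    b"\xcf\xfa\xed\xfe": "mach-o 64-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "fat/universal",
    b"\xbe\xba\xfe\xca": "fat/universal (byte-swapped)",
}


def macho_kind(data: bytes):
    """Describe the Mach-O flavour from the magic, or None if not Mach-O."""
    return MACHO_MAGICS.get(data[:4])


def find_loader_symbols(data: bytes) -> list:
    """Names from LOADER_SYMBOLS that appear verbatim in the file bytes."""
    return [sym.decode() for sym in LOADER_SYMBOLS if sym in data]


def triage(data: bytes) -> dict:
    """Triage one file image: is it Mach-O, and does it reference loader APIs?"""
    kind = macho_kind(data)
    hits = find_loader_symbols(data) if kind else []
    return {
        "is_macho": kind is not None,
        "kind": kind,
        "sha256": hashlib.sha256(data).hexdigest(),
        "loader_apis": hits,
        "suspicious": bool(hits),
    }


def triage_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return triage(fh.read())


def find_renamed_copies(samples: dict) -> list:
    """Group sample names that share a SHA-256, as icloudz and services do.

    samples maps file name -> bytes; returns sorted groups of names that have
    more than one member."""
    by_hash = defaultdict(list)
    for name, data in samples.items():
        by_hash[hashlib.sha256(data).hexdigest()].append(name)
    return sorted(sorted(names) for names in by_hash.values() if len(names) > 1)


# Constructed samples (not real binaries): a 64-bit Mach-O magic, zero padding
# where the header would be, then a fake string table carrying symbol names.
_HEADER = b"\xcf\xfa\xed\xfe" + b"\x00" * 28
SAMPLE_LOADER = _HEADER + b"\x00_NSCreateObjectFileImageFromMemory\x00_NSLinkModule\x00"
SAMPLE_BENIGN = _HEADER + b"\x00_dlopen\x00_printf\x00"
SAMPLE_SCRIPT = b"#!/bin/sh\necho hello\n"  # a shell script, not Mach-O

if __name__ == "__main__":
    corpus = {"icloudz": SAMPLE_LOADER, "services": SAMPLE_LOADER,
              "benign": SAMPLE_BENIGN, "script.sh": SAMPLE_SCRIPT}
    for name, data in corpus.items():
        print(name, triage(data))
    print("renamed copies:", find_renamed_copies(corpus))
```

The symbol search is a triage heuristic, not a verdict: it is the equivalent of `strings | grep`, so a loader that is stripped of its symbol table or that builds the API name at runtime and resolves it through dlsym will not match, and a legitimate plugin host may. Treat a hit as a reason to pull the file into a sandbox or disassembler, and treat the hash grouping as the cheap win it is: the reporting says the two backdoor names share one SHA-256, so a single hash rule already covers both names.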
Groups observed using it
2 distinct threat actors attributed by public researchers. The excerpts below name Sapphire Sleet; APT38 and Lazarus appear in the reporting as an alias of, or a group linked to, the same actor.
Aside from deploying a credential stealer that exfiltrates data via the Telegram Bot API, the campaign also involved the icloudz backdoor that enabled further in-memory delivery of additional payloads.
Additionally, one of the backdoors used in this campaign - icloudz - is named to mimic a legitimate iCloud‑related artifact, and also uses the macOS NSCreateObjectFileImageFromMemory API to load additional payloads directly into memory.
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic.
Persistence
1 technique. To ensure continued execution across reboots, a launch daemon configuration file named com.google.webkit.service.plist is installed under /Library/LaunchDaemons. This configuration causes icloudz to launch automatically at system startup, even if no user is signed in.
Privilege Escalation
1 technique. The same launch daemon (com.google.webkit.service.plist under /Library/LaunchDaemons) is counted here because of what it implies about privilege: launchd runs items in /Library/LaunchDaemons as root unless the plist sets a UserName key, so icloudz starts with root privileges at boot even when no user is signed in. Writing into that directory already requires root, so the daemon's presence is itself evidence that the actor had elevated privileges on the host.
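A hunt over /Library/LaunchDaemons that covers both tactics above, written here as an added example and not code from the reporting: it flags the named label as a direct indicator and, more generally, any root daemon that runs from a user-writable path, wraps one of the native tools the campaign abuses, or pairs an Apple-style label with a non-Apple program. The label com.google.webkit.service comes from the reporting; the program path /Users/Shared/.icloudz in the constructed sample is an assumption, since the reporting does not say where the binary was placed, and the other two plists are constructed too.

```python
"""Added hunt helper: triage launchd plists for the icloudz persistence artifact
and for generic signs of a masquerading daemon."""
import os
import plistlib
import tempfile

# Label named in the reporting.
KNOWN_BAD_LABELS = {"com.google.webkit.service"}

# Locations an unprivileged user can write to; a root daemon executing from
# here (or passing a script from here to an interpreter) is a strong signal.
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")

# Native tools the campaign abuses; a daemon whose program is one of these is
# usually a downloader/launcher wrapper rather than a real service.
LOLBINS = {"osascript", "curl", "softwareupdate", "sh", "bash", "zsh"}

# Where a daemon carrying a com.apple.* label is expected to run from.
APPLE_EXEC_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/", "/Library/Apple/")


def daemon_args(plist: dict) -> list:
    """ProgramArguments if present, else [Program], else []."""
    args = plist.get("ProgramArguments")
    if args:
        return list(args)
    return [plist["Program"]] if "Program" in plist else []


def assess_launch_daemon(label: str, plist: dict) -> list:
    """Findings for one launchd plist; an empty list means nothing was seen."""
    findings = []
    args = daemon_args(plist)
    exe = args[0] if args else ""
    base = os.path.basename(exe)
    if label in KNOWN_BAD_LABELS:
        findings.append("label matches icloudz persistence IOC: " + label)
    if plist.get("RunAtLoad") and any(a.startswith(USER_WRITABLE) for a in args):
        findings.append("RunAtLoad daemon references a user-writable path: " + " ".join(args))
    if base in LOLBINS:
        findings.append("daemon program is a native tool abused in the campaign: " + base)
    if label.startswith("com.apple.") and not exe.startswith(APPLE_EXEC_PREFIXES):
        findings.append("Apple-namespaced label with non-Apple program path: " + exe)
    return findings


def scan_launch_daemons(directory: str) -> dict:
    """Map plist file name -> findings for every plist in directory that has any."""
    results = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        try:
            with open(path, "rb") as fh:
                plist = plistlib.load(fh)
        except Exception as exc:  # a malformed plist in this directory is itself worth a look
            results[name] = ["unparseable plist: %s" % exc]
            continue
        label = plist.get("Label", name[: -len(".plist")])
        findings = assess_launch_daemon(label, plist)
        if findings:
            results[name] = findings
    return results


def scan_sample_dir() -> dict:
    """Write constructed plists into a temp dir and scan them (demonstration only)."""
    directory = tempfile.mkdtemp(prefix="launchdaemons-")
    samples = {
        # Constructed: label from the reporting; the program path is an assumption.
        "com.google.webkit.service.plist": {
            "Label": "com.google.webkit.service",
            "ProgramArguments": ["/Users/Shared/.icloudz"],
            "RunAtLoad": True,
            "KeepAlive": True,
        },
        # Constructed: a plausible legitimate third-party daemon.
        "com.example.backup.plist": {
            "Label": "com.example.backup",
            "ProgramArguments": ["/usr/local/bin/backupd", "--daemon"],
            "RunAtLoad": True,
        },
        # Constructed: Apple-like label wrapping osascript on a script in /tmp.
        "com.apple.updater.plist": {
            "Label": "com.apple.updater",
            "ProgramArguments": ["/usr/bin/osascript", "/tmp/update.scpt"],
            "RunAtLoad": True,
        },
    }
    for fname, content in samples.items():
        with open(os.path.join(directory, fname), "wb") as fh:
            plistlib.dump(content, fh)
    return scan_launch_daemons(directory)


if __name__ == "__main__":
    for fname, findings in scan_sample_dir().items():
        print(fname)
        for finding in findings:
            print("  -", finding)
```

On a live host, call scan_launch_daemons("/Library/LaunchDaemons") and, for the per-user variant of the same technique, each ~/Library/LaunchAgents. The generic checks are deliberately loose: a third-party daemon that legitimately runs a shell script will trip the LOLBINS rule, so use the output as a review list, and reserve automatic alerting for the label match.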
Defense Evasion
2 techniques. Masquerading via the lure: "It's a compiled AppleScript that opens in macOS Script Editor by default and looks like a legitimate Zoom SDK update... Each stage of the campaign also abuses native Apple tools or mimics Apple naming conventions to disguise the illicit activity."
Masquerading and in-memory execution via icloudz itself: the backdoor is named to mimic a legitimate iCloud-related artifact, and it uses the macOS NSCreateObjectFileImageFromMemory API to load additional payloads directly into memory rather than dropping them as ordinary executables.
Command and Control
3 techniques. "Each curl user agent fetches a different piece of malware that serves its own purpose in the attack chain, from orchestration and backdooring victims' machines, to reconnaissance and registering the compromised system with Sapphire Sleet's command-and-control (C2) infrastructure."
During execution, com.apple.cli performs host reconnaissance while maintaining repeated outbound connectivity to the threat actor-controlled C2 endpoint 83.136.208[.]246:6783.
The lure script then uses curl to retrieve and run another attacker-controlled script.
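A connection-level hunt for the C2 behaviour described above, written as an added example and not as code from the reporting: it parses lsof-style output, matches the published endpoint (kept defanged in the indicator set and refanged only for comparison), and separately flags the native download tools named on this page when they hold several connections to the same non-web port, which is the "repeated outbound connectivity" pattern in the com.apple.cli note. The lsof text is constructed; the non-IOC addresses in it are documentation ranges.

```python
"""Added hunt helper: match lsof connection listings against the Sapphire Sleet
C2 indicator and flag repeated beacons from abused native tools."""
import re
from collections import Counter

# C2 endpoint named in the reporting, stored defanged.
C2_IOCS = {"83.136.208[.]246:6783"}

# Native tools the campaign abuses for download and execution.
LOLBINS = {"curl", "osascript", "softwareupdate"}

# lsof +c 0 -nP -iTCP -sTCP:ESTABLISHED prints NAME as src:port->dst:port
# (+c 0 keeps full command names, -n/-P keep numeric hosts and ports).
CONN_RE = re.compile(r"(\S+):(\d+)->(\S+):(\d+)")


def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def defang(endpoint: str) -> str:
    """Defang host:port in the page's style (last dot only): 1.2.3[.]4:80."""
    host, _, port = endpoint.rpartition(":")
    i = host.rfind(".")
    if i != -1:
        host = host[:i] + "[.]" + host[i + 1:]
    return host + ":" + port


def parse_lsof(text: str) -> list:
    """Extract (command, pid, user, dst) for every established TCP line."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue  # header or non-connection line
        parts = line.split()
        conns.append({
            "command": parts[0],
            "pid": int(parts[1]),
            "user": parts[2],
            "dst": m.group(3) + ":" + m.group(4),
        })
    return conns


def hunt(conns: list) -> list:
    """Findings: direct IOC hits first, then repeated LOLBIN beacons."""
    refanged = {refang(ioc) for ioc in C2_IOCS}
    findings = []
    for c in conns:
        if c["dst"] in refanged:
            findings.append("%s (pid %d) connected to known C2 %s"
                            % (c["command"], c["pid"], defang(c["dst"])))
    # Concatenate several lsof snapshots to see repetition over time.
    counts = Counter((c["command"], c["dst"]) for c in conns if c["command"] in LOLBINS)
    for (cmd, dst), n in sorted(counts.items()):
        port = int(dst.rsplit(":", 1)[1])
        if n >= 2 and port not in (80, 443):
            findings.append("%s made %d connections to %s on non-web port %d"
                            % (cmd, n, defang(dst), port))
    return findings


# Constructed lsof output: the first line carries the published C2 endpoint;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.
SAMPLE_LSOF = """\
COMMAND       PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
com.apple.cli 5123 user   7u  IPv4 0x1a2b3c4d5e6f7081      0t0  TCP 10.0.0.5:51522->83.136.208.246:6783 (ESTABLISHED)
Safari         402 user  33u  IPv4 0x1a2b3c4d5e6f7082      0t0  TCP 10.0.0.5:51600->203.0.113.10:443 (ESTABLISHED)
curl          5130 user   5u  IPv4 0x1a2b3c4d5e6f7083      0t0  TCP 10.0.0.5:51611->198.51.100.7:8443 (ESTABLISHED)
curl          5131 user   5u  IPv4 0x1a2b3c4d5e6f7084      0t0  TCP 10.0.0.5:51612->198.51.100.7:8443 (ESTABLISHED)
curl          5132 user   5u  IPv4 0x1a2b3c4d5e6f7085      0t0  TCP 10.0.0.5:51613->203.0.113.10:443 (ESTABLISHED)
"""

if __name__ == "__main__":
    for finding in hunt(parse_lsof(SAMPLE_LSOF)):
        print(finding)
```

Run it against real output with `lsof +c 0 -nP -iTCP -sTCP:ESTABLISHED` piped into parse_lsof, ideally sampled every minute or so and concatenated, since a single snapshot cannot show repetition. The IOC match is the only finding worth paging on; the LOLBIN rule exists to catch the same actor after the C2 address changes, and it will also light up legitimate curl-based updaters, so keep its threshold and port list tuned to the fleet.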
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
A backdoor used in the campaign to provide further in-memory delivery of additional payloads on macOS systems.
A renamed copy of services used as an in-memory reflective loader. It receives payloads from C2 and loads them directly into memory using NSCreateObjectFileImageFromMemory, then helps deploy further backdoor components.
A macOS backdoor used in Sapphire Sleet's campaign, disguised with an iCloud-like name and capable of loading additional payloads directly into memory.