TLP:WHITE15 IOCs

Dissecting Sapphire Sleet’s macOS intrusion from lure to compromise

Microsoft Threat Intelligence

Published April 16, 2026Original Report

Diamond Model

Adversary

Infrastructure(6)

Capability(1)

Victim

Initial AccessTA0001·T1566

1/7

Phishing

ActionTrick users with fake update

Threat actors impersonate a legitimate software update to trick users into manually running malicious files.

Analysis unavailable

Type	Indicator	Confidence	Score	First Seen
Domain	check02id.com c2intel-blogmalware	High	58	Jun 2, 26
IP	83.136.210.180 intel-blogmalwarenetwork	High	58	Jun 2, 26
SHA256	5fbbca2d72840feb86b6ef8a1abb4fe2f225d84228a714391673be2719c73ac7 file-hashintel-blogmalware	Medium	53	Jun 2, 26
SHA256	2075fd1a1362d188290910a8c55cf30c11ed5955c04af410c481410f538da419 file-hashintel-blogmalware	Medium	53	Jun 2, 26
SHA256	05e1761b535537287e7b72d103a29c4453742725600f59a34a4831eafc0b8e53 file-hashintel-blogmalware	Medium	53	Jun 2, 26
SHA256	5e581f22f56883ee13358f73fabab00fcf9313a053210eb12ac18e66098346e5 file-hashintel-blogmalware	Medium	53	Jun 2, 26
IP	83.136.209.22 intel-blogmalwarenetwork	High	58	Jun 2, 26
IP	188.227.196.252 intel-blogmalwarenetwork	High	58	Jun 2, 26
SHA256	8fd5b8db10458ace7e4ed335eb0c66527e1928ad87a3c688595804f72b205e8c file-hashintel-blogmalware	Medium	53	Jun 2, 26
SHA256	a05400000843fbad6b28d2b76fc201c3d415a72d88d8dc548fafd8bae073c640 file-hashintel-blogmalware	Medium	53	Jun 2, 26
IP	83.136.208.246 exfiltrationexploitintel-blog	High	58	Jun 2, 26
IP	104.145.210.107 intel-blogmalwarenetwork	High	58	Jun 2, 26
IP	83.136.208.48 intel-blogmalwarenetwork	High	58	Jun 2, 26
Domain	uw04webzoom.us intel-blogmalwarenetwork	High	58	Jun 2, 26
SHA256	95e893e7cdde19d7d16ff5a5074d0b369abd31c1a30962656133caa8153e8d63 file-hashintel-blogmalware	Medium	53	Jun 2, 26

IOC Relationship Graph15 total IOCs

DomainIPSHA256

scroll to zoom · drag to pan · click IOC to open