Introduction

Darktrace’s Threat Research team is publishing this analysis to help defenders understand an active pattern of macOS tradecraft observed in multiple customer environments. This post summarizes the behaviors observed, how they were assessed, and what defenders can do now.

Across multiple environments, Darktrace observed a consistent MacOS intrusion pattern beginning with ClickFix-style user-assisted “update” execution and transitioning into AppleScript-driven post-compromise activity and sustained outbound signaling.

While individual indicators were low-confidence, the repeated convergence of weak behavioral signals — including HTTP POST beaconing, rare or IP-only destinations, SSL anomalies, and abnormal client characteristics — provided a defensible indication of command-and-control establishment Darktrace detection and response in these cases was driven by behavior over artifacts. In the highest-confidence instances, automated containment disrupted outbound signaling before sustained tasking could occur.

Background

ClickFix-style activity typically relies on user-assisted execution and plausible “update” pretexting, followed by post-execution use of native tools to keep the footprint light. In MacOS environments, AppleScript and other built-in scripting mechanisms enable flexible post-compromise workflows while minimizing stable file-based indicators.

Following execution, affected devices exhibited a consistent behavioral pattern. AppleScript or equivalent native scripting activity was observed initiating follow-on workflows, after which outbound communications began to establish a structured rhythm.

These communications were characterized by repeated HTTP POST requests to low-prevalence or IP-only endpoints, often combined with unusual SSL properties and client identifiers that diverged from baseline device behavior. Individually, these signals were weak. When correlated across time and devices, they formed a pattern consistent with control establishment rather than benign software activity.

In higher-confidence cases, Autonomous Response actions were able to reduce or halt outbound signaling, interrupting the attacker’s ability to maintain control.

Detection Timeline

In representative cases, the sequence unfolded as follows:

Stage 1 – Initial Execution

Initial activity began with suspicious or masqueraded execution on a MacOS endpoint, consistent with ClickFix-style user deception.

Stage 2 – Post-Execution Scripting

This was followed closely by native scripting activity, most commonly AppleScript, indicating the transition into post-execution workflow.

Stage 3 – Outbound Communications

Outbound communications then emerged, initially sporadic but quickly forming a consistent cadence of HTTP POST requests to rare external endpoints.

Stage 4 – Anomaly Convergence

As activity persisted, additional anomalies became visible — unusual SSL characteristics, abnormal user agents, and connections to infrastructure with no prior network prevalence.

Stage 5 – Autonomous Response

In the most mature stages of the activity, automated containment actions disrupted outbound communications on affected devices, limiting the attacker’s ability to continue tasking while investigations progressed.

Darktrace coverage and detections

The following use-case highlights systems likely affected by malicious macOS intrusion activity linked by Microsoft to the Democratic People’s Republic of Korea (DPRK) [1], with indications of suspicious behavior observed between March 1 and May 3, 2026. The activity overlaps with patterns described in recent reporting on DPRK-nexus MacOS intrusions [1], though attribution confidence in this case remains moderate and based on behavioral alignment rather than solely infrastructure linkage.

Analyst confidence emerged through the correlation of multiple weak signals across time and devices. This included model coverage for rare external communications, sustained beaconing patterns, repeated HTTP POSTs, and anomalous client characteristics. Where enabled, Autonomous Response actions disrupted the most active outbound paths to reduce the attacker’s ability to maintain control while Darktrace’s investigation continued.

Notably, this highly anomalous behavior included:

• Outbound connections to the rare external endpoint, zoom[.]uswebob[.]us associated with IP address, 148.72.73[.]98 [2][3] over port 443
• Outbound connections to the rare external endpoint, check02id[.]com associated with IP address, 83.136.210[.]180 [4] over port 7365
• Outbound connections to the rare external endpoints, 104.145.210[.]107 [5] over port 8443 and 83.136.208[.]48 [6] over port 443
• Outbound connections to the rare external endpoint, 83.136.208[.]246 [7] over port 6783 with observed URI `/api/daemon` and a PowerShell user agent

Darktrace’s detection initially highlighted a desktop device (running MacOS) engaging in anomalous behavior as early as March 12, 2026. Starting on March 12, the source device triggered a ‘Possible Doppelganger Attack’ alert including connectivity to the hostname "zoom[.]uswebob[.]us · 148.72.73[.]98" over port 443 (TCP, HTTPS, H2). This model highlights a device connecting to a location that is rare but masquerades as legitimate software, such as Zoom in this case, a commonly used technique to blend into expected traffic [2] [3].

This was followed roughly seven later by a connection to 104.145.210[.]107 over port 8443, during which approximately 250 KiB of data of inbound data and 30 MiB of outbound data was observed, triggering the ‘Unusual Activity / Unusual External Data to New Endpoint’ in Darktrace.

Quickly after this connection, Darktrace’s Autonomous Response intervened, blocking the device’s access to the unusual external location and halting the data exfiltration attempt.

The device continued to consistently trigger model alerts relating to unusual external connectivity, including 'Posting HTTP to IP Without Hostname', 'Anomalous Connection / Rare External SSL Self-Signed' alerts, until well after 3 PM that day.

From March 13 to March 28, the device continued exhibit unusual connectivity to various endpoints (e.g., 83.136.208[.]48, 83.136.208[.]246, check02id[.]com · 83.136.210[.]180), with the 'Multiple HTTP POSTs to Rare Hostname' model consistently triggering.

Windows OS Case

Pivoting over to an additional device, this time running Windows OS, anomalous behavior was also observed between March 30 and April 20. Notably, on March 30, the device was observed making a large number of suspicious external connection attempts to 83.136.208[.]246 over port 6783, all of which failed.

A further indicator was observed on April 1 with PowerShell connectivity to the same rare endpoint (83.136.208[.]246, port 6783), using the URI '/api/daemon' and the user agent 'Mozilla/5.0 (Windows NT; Windows NT 10.0; fr-FR) WindowsPowerShell/5.1.26100.7920'.  Additional alerts included 'New User Agent to IP Without Hostname' and 'Anomalous Github Download', alongside activity involving the same endpoint.

The device continued triggering 'Posting HTTP to IP Without Hostname' & 'PowerShell to External Rare' alerts between April 4 and April 20 across multiple related endpoints (i.e., 83.136.208[.]48, 83.136.208[.]246, check02id[.]com · 83.136.210[.]180).

Darktrace’s Autonomous Response capability was able to block suspicious PowerShell attempts to unusual external locations, as shown below in an example from April 20.

Cyber AI Analyst investigations

In higher-confidence instances, Darktrace’s Cyber AI Analyst investigations helped connect otherwise separate model alerts into a single incident narrative, highlighting the attacker’s progression from post-execution scripting into sustained outbound signaling. This contextual stitching is particularly valuable in macOS scenarios where static artefacts are limited, and behavioral sequencing defines the intrusion.

Cyber AI Analyst investigations highlighted alerts on March 12, including unusual repeated connections and possible SSL command-and-control (C2) to multiple endpoints:

Autonomous Response

In addition to the containment actions detailed earlier, Autonomous Response implemented multiple additional measures to contain suspicious activity throughout the course of this attack. Whenever unusual external connectivity was detected, Darktrace blocked it, closing down potential C2 channels. Likewise, when data exfiltration attempts were identified, these connections were stopped to prevent the potential loss of sensitive data.

Furthermore, in cases where a device was deemed to have carried out a significant number of anomalous activities, Darktrace enforced a “pattern of life” on the device, preventing it from deviating from its expected behavior while allowing legitimate business operations to continue uninterrupted.

Conclusion

macOS intrusion tradecraft continues to shift toward native tooling and lightweight control channels designed to evade signature-led controls.

The repeated convergence of rare destinations, POST-based signaling, and anomalous client behavior — observed across time and across devices — provided sufficient evidence to act early and with confidence.

As macOS tradecraft continues to evolve, the defender advantage increasingly lies not in signatures, but in the ability to reason from behavior.

‍

Credit to Justin Torres (Senior Cyber Analyst), Nathaniel Jones (VP, Security & AI Strategy, FCISO)

Edited by Ryan Traill (Content Manager)

Appendices

Darktrace Model Alert Coverage:

/ NETWORK-based model alerts:

·       Anomalous Connection::Multiple HTTP POSTs to Rare Hostname

·       Anomalous Connection::Rare External SSL Self-Signed

·       Anomalous Connection::Powershell to Rare External

·       Anomalous Connection::New User Agent to IP Without Hostname

·       Anomalous Connection::Posting HTTP to IP Without Hostname

·       Compromise::Fast Beaconing to DGA

·       Compromise::Large Number of Suspicious Failed Connections

·       Device::Anomalous Github Download

·       Device::New PowerShell User Agent

·       Unusual Activity::Unusual External Data to New Endpoint

/ NETWORK-based Autonomous Response model alerts:

·       Antigena / Network::Significant Anomaly::Antigena Significant Anomaly from Client Block

·       Antigena / Network::Significant Anomaly::Antigena Controlled and Model Breach

·       Antigena / Network::Significant Anomaly::Antigena Breaches Over Time Block

Indicators of Compromise (IoCs)

IP/Hostname:

·       zoom[.]uswebob[.]us · 148.72.73[.]98

·       83.136.208[.]246

·       check02id[.]com · 83.136.210[.]180

·       83.136.208[.]48

·       104.145.210[.]107

URIs:

·       /api/daemon

Destination Port Usage:

·       6783

·       5202

·       443

·       7365

·       8443

ASN:

·       AS400897 PETROSKY

·       AS398256 AS-ULTAHOST

User agents:

·       Mozilla/5.0 (Windows NT; Windows NT 10.0; fr-FR) WindowsPowerShell/5.1.26100.7920

·       Go-http-client/1.1

·       curl/8.7.1

MITRE ATT&CK Mapping

(Technique Name - Tactic - ID - Sub-Technique of)

·       Browser Session Hijacking - COLLECTION - T1185

·       Web Protocols - COMMAND AND CONTROL - T1071.001 - T1071

·       Install Digital Certificate - RESOURCE DEVELOPMENT - T1608.003 - T1608

·       PowerShell - EXECUTION - T1059.001 - T1059

·       Domain Generation Algorithms - COMMAND AND CONTROL - T1568.002 - T1568

·       Non-Standard Port - COMMAND AND CONTROL - T1571

·       Malware - RESOURCE DEVELOPMENT - T1588.001 - T1588

·       Web Service - COMMAND AND CONTROL - T1102

·       Code Repositories - COLLECTION - T1213.003 - T1213

·       Exploitation of Remote Services - LATERAL MOVEMENT - T1210

·       Exfiltration Over C2 Channel - EXFILTRATION - T1041

·       Exfiltration to Cloud Storage - EXFILTRATION - T1567.002 - T1567

References:

[1] https://www.microsoft.com/en-us/security/blog/2026/04/16/dissecting-sapphire-sleets-macos-intrusion-from-lure-to-compromise/

[2] https://radar.securityalliance.org/advisory-on-dprk-unc1069-fake-microsoft-teams-and-zoom-calls/

[3] https://www.virustotal.com/gui/domain/uswebob.us

[4] https://www.virustotal.com/gui/ip-address/83.136.210.180/community

[5] https://www.virustotal.com/gui/ip-address/104.145.210.107/community

[6] https://www.virustotal.com/gui/ip-address/83.136.208.48/community

[7] https://www.virustotal.com/gui/ip-address/83.136.208.246/community

[8] https://www.darktrace.com/blog/applescript-abuse-unpacking-a-macos-phishing-campaign

Darktrace joins the OpenAI Daybreak Cyber Partner Program

Today, we announced that Darktrace is joining the OpenAI Daybreak Cyber Partner Program. We’ll be partnering with OpenAI to explore how their cyber capabilities can be integrated within Darktrace products and services to bring new capabilities to our customers.

This partnership is an exciting opportunity to bring together Darktrace’s behavioral AI modelling of the organization with OpenAI’s advanced contextual capabilities to create a new level of understanding for security teams. To understand the impact, it’s helpful to start with how we think about the problem.  

At Darktrace, we built our AI in support of the core belief that cybersecurity needs to understand the business it is defending. That's why our Self-Learning AI is designed to help organizations understand normal and abnormal behavior for each organization across their digital environment, including users and identities, networks and cloud, email and collaboration tools, and now AI systems and agents with the rollout of Darktrace / SECURE AI™.  

Our goal was never simply to spot known attacks faster. It was to help defenders understand how their organization behaves, potential risks and impact, and where disruption could take hold so they could prepare for the unknown threats that they may not have seen or even imagined before.  

That’s exactly what is happening across the threat landscape today. Attacks keep changing; techniques shift, infrastructure evolves, and attackers move with more speed, precision, and context. And now they have even more AI and automation on their side. Attackers are exploiting identities, trusted services, SaaS applications, and business workflows. They are not always breaking in; often, the threat may come from within the organization in the form of insider threat or even rogue agents.  

In this reality, defenders need a combination of deep AI modelling of the organization and AI that can connect identified threats to concrete business context, translating this information into real world value, and allow action before risk becomes disruption.

That is the opportunity we see in partnering with OpenAI.  ‍

What is the OpenAI Daybreak Cyber Partner Program and why is Darktrace joining

The OpenAI Daybreak Cyber Partner Program is focused on advancing the safe use of AI for cybersecurity. As part of the program’s next phase, OpenAI is working with a select group of trusted partners including Darktrace on scoped product integrations, managed services, and partner-delivered defensive capabilities. We’ll be exploring how OpenAI’s advanced frontier AI capabilities can support defenders in the tools and workflows they already use each day.

For Darktrace, this is a natural extension of our expertise and the work we have been doing for a decade: safely and securely applying the most effective AI techniques in combination to understand organizations, detecting malicious activity at the earliest indicators, and helping cyber defenders act faster.  

By using the advanced models and more precise safeguards available in the OpenAI Daybreak Cyber Partner Program, Darktrace and OpenAI will combine Darktrace’s real-time behavioral understanding of an organization's digital estate with OpenAI's ability to interpret wider business context.  

This is a unique and powerful combination of insights that could give organizations deeper context on technical risk and help them prioritize workloads and investigations based on potential impact to revenue, operations, and resilience. It can also provide security teams and executives with intelligence into which events matter most to the business, why they matter, and what action to take. Not just finding, for instance, that an agent is compromised, but highlighting that the compromised agent could shut down order fulfilment within the next three hours.  

Why the Darktrace and OpenAI partnership matters for defenders

Security teams today have more attack surface, more complex environments to protect, and an increasing volume of threats. The ability to act quickly is critical, but they also need to be able to focus on the risks that could have the greatest business impact.

That is especially important as attackers use AI to scale phishing, automate reconnaissance, find weaknesses, and blend into normal business activity. At the same time, organizations and their employees are using AI to innovate, which introduces an even broader attack surface and new set of risks. Defenders need AI that can operate across the same complexity, but safely, transparently, and in service of building more resilience. And they need a way to safely adopt, govern, and defend AI across their organizations.

Joining the OpenAI Daybreak Cyber Partner Program is another step in that direction. We are still early in this work, and we will take a careful, disciplined approach. But the direction is clear: protecting organizations requires AI that understands the business, not just the attack.

At Darktrace, that is exactly where we remain focused and why we are so excited about this partnership with OpenAI.  

‍

‍

[related-resource]

‍