Introduction

Darktrace’s Threat Research team is publishing this analysis to help defenders understand an active pattern of macOS tradecraft observed in multiple customer environments. This post summarizes the behaviors observed, how they were assessed, and what defenders can do now.

Across multiple environments, Darktrace observed a consistent MacOS intrusion pattern beginning with ClickFix-style user-assisted “update” execution and transitioning into AppleScript-driven post-compromise activity and sustained outbound signaling.

While individual indicators were low-confidence, the repeated convergence of weak behavioral signals — including HTTP POST beaconing, rare or IP-only destinations, SSL anomalies, and abnormal client characteristics — provided a defensible indication of command-and-control establishment Darktrace detection and response in these cases was driven by behavior over artifacts. In the highest-confidence instances, automated containment disrupted outbound signaling before sustained tasking could occur.

Background

ClickFix-style activity typically relies on user-assisted execution and plausible “update” pretexting, followed by post-execution use of native tools to keep the footprint light. In MacOS environments, AppleScript and other built-in scripting mechanisms enable flexible post-compromise workflows while minimizing stable file-based indicators.

Following execution, affected devices exhibited a consistent behavioral pattern. AppleScript or equivalent native scripting activity was observed initiating follow-on workflows, after which outbound communications began to establish a structured rhythm.

These communications were characterized by repeated HTTP POST requests to low-prevalence or IP-only endpoints, often combined with unusual SSL properties and client identifiers that diverged from baseline device behavior. Individually, these signals were weak. When correlated across time and devices, they formed a pattern consistent with control establishment rather than benign software activity.

In higher-confidence cases, Autonomous Response actions were able to reduce or halt outbound signaling, interrupting the attacker’s ability to maintain control.

Detection Timeline

In representative cases, the sequence unfolded as follows:

Stage 1 – Initial Execution

Initial activity began with suspicious or masqueraded execution on a MacOS endpoint, consistent with ClickFix-style user deception.

Stage 2 – Post-Execution Scripting

This was followed closely by native scripting activity, most commonly AppleScript, indicating the transition into post-execution workflow.

Stage 3 – Outbound Communications

Outbound communications then emerged, initially sporadic but quickly forming a consistent cadence of HTTP POST requests to rare external endpoints.

Stage 4 – Anomaly Convergence

As activity persisted, additional anomalies became visible — unusual SSL characteristics, abnormal user agents, and connections to infrastructure with no prior network prevalence.

Stage 5 – Autonomous Response

In the most mature stages of the activity, automated containment actions disrupted outbound communications on affected devices, limiting the attacker’s ability to continue tasking while investigations progressed.

Darktrace coverage and detections

The following use-case highlights systems likely affected by malicious macOS intrusion activity linked by Microsoft to the Democratic People’s Republic of Korea (DPRK) [1], with indications of suspicious behavior observed between March 1 and May 3, 2026. The activity overlaps with patterns described in recent reporting on DPRK-nexus MacOS intrusions [1], though attribution confidence in this case remains moderate and based on behavioral alignment rather than solely infrastructure linkage.

Analyst confidence emerged through the correlation of multiple weak signals across time and devices. This included model coverage for rare external communications, sustained beaconing patterns, repeated HTTP POSTs, and anomalous client characteristics. Where enabled, Autonomous Response actions disrupted the most active outbound paths to reduce the attacker’s ability to maintain control while Darktrace’s investigation continued.

Notably, this highly anomalous behavior included:

• Outbound connections to the rare external endpoint, zoom[.]uswebob[.]us associated with IP address, 148.72.73[.]98 [2][3] over port 443
• Outbound connections to the rare external endpoint, check02id[.]com associated with IP address, 83.136.210[.]180 [4] over port 7365
• Outbound connections to the rare external endpoints, 104.145.210[.]107 [5] over port 8443 and 83.136.208[.]48 [6] over port 443
• Outbound connections to the rare external endpoint, 83.136.208[.]246 [7] over port 6783 with observed URI `/api/daemon` and a PowerShell user agent

Darktrace’s detection initially highlighted a desktop device (running MacOS) engaging in anomalous behavior as early as March 12, 2026. Starting on March 12, the source device triggered a ‘Possible Doppelganger Attack’ alert including connectivity to the hostname "zoom[.]uswebob[.]us · 148.72.73[.]98" over port 443 (TCP, HTTPS, H2). This model highlights a device connecting to a location that is rare but masquerades as legitimate software, such as Zoom in this case, a commonly used technique to blend into expected traffic [2] [3].

This was followed roughly seven later by a connection to 104.145.210[.]107 over port 8443, during which approximately 250 KiB of data of inbound data and 30 MiB of outbound data was observed, triggering the ‘Unusual Activity / Unusual External Data to New Endpoint’ in Darktrace.

Quickly after this connection, Darktrace’s Autonomous Response intervened, blocking the device’s access to the unusual external location and halting the data exfiltration attempt.

The device continued to consistently trigger model alerts relating to unusual external connectivity, including 'Posting HTTP to IP Without Hostname', 'Anomalous Connection / Rare External SSL Self-Signed' alerts, until well after 3 PM that day.

From March 13 to March 28, the device continued exhibit unusual connectivity to various endpoints (e.g., 83.136.208[.]48, 83.136.208[.]246, check02id[.]com · 83.136.210[.]180), with the 'Multiple HTTP POSTs to Rare Hostname' model consistently triggering.

Windows OS Case

Pivoting over to an additional device, this time running Windows OS, anomalous behavior was also observed between March 30 and April 20. Notably, on March 30, the device was observed making a large number of suspicious external connection attempts to 83.136.208[.]246 over port 6783, all of which failed.

A further indicator was observed on April 1 with PowerShell connectivity to the same rare endpoint (83.136.208[.]246, port 6783), using the URI '/api/daemon' and the user agent 'Mozilla/5.0 (Windows NT; Windows NT 10.0; fr-FR) WindowsPowerShell/5.1.26100.7920'.  Additional alerts included 'New User Agent to IP Without Hostname' and 'Anomalous Github Download', alongside activity involving the same endpoint.

The device continued triggering 'Posting HTTP to IP Without Hostname' & 'PowerShell to External Rare' alerts between April 4 and April 20 across multiple related endpoints (i.e., 83.136.208[.]48, 83.136.208[.]246, check02id[.]com · 83.136.210[.]180).

Darktrace’s Autonomous Response capability was able to block suspicious PowerShell attempts to unusual external locations, as shown below in an example from April 20.

Cyber AI Analyst investigations

In higher-confidence instances, Darktrace’s Cyber AI Analyst investigations helped connect otherwise separate model alerts into a single incident narrative, highlighting the attacker’s progression from post-execution scripting into sustained outbound signaling. This contextual stitching is particularly valuable in macOS scenarios where static artefacts are limited, and behavioral sequencing defines the intrusion.

Cyber AI Analyst investigations highlighted alerts on March 12, including unusual repeated connections and possible SSL command-and-control (C2) to multiple endpoints:

Autonomous Response

In addition to the containment actions detailed earlier, Autonomous Response implemented multiple additional measures to contain suspicious activity throughout the course of this attack. Whenever unusual external connectivity was detected, Darktrace blocked it, closing down potential C2 channels. Likewise, when data exfiltration attempts were identified, these connections were stopped to prevent the potential loss of sensitive data.

Furthermore, in cases where a device was deemed to have carried out a significant number of anomalous activities, Darktrace enforced a “pattern of life” on the device, preventing it from deviating from its expected behavior while allowing legitimate business operations to continue uninterrupted.

Conclusion

macOS intrusion tradecraft continues to shift toward native tooling and lightweight control channels designed to evade signature-led controls.

The repeated convergence of rare destinations, POST-based signaling, and anomalous client behavior — observed across time and across devices — provided sufficient evidence to act early and with confidence.

As macOS tradecraft continues to evolve, the defender advantage increasingly lies not in signatures, but in the ability to reason from behavior.

‍

Credit to Justin Torres (Senior Cyber Analyst), Nathaniel Jones (VP, Security & AI Strategy, FCISO)

Edited by Ryan Traill (Content Manager)

Appendices

Darktrace Model Alert Coverage:

/ NETWORK-based model alerts:

·       Anomalous Connection::Multiple HTTP POSTs to Rare Hostname

·       Anomalous Connection::Rare External SSL Self-Signed

·       Anomalous Connection::Powershell to Rare External

·       Anomalous Connection::New User Agent to IP Without Hostname

·       Anomalous Connection::Posting HTTP to IP Without Hostname

·       Compromise::Fast Beaconing to DGA

·       Compromise::Large Number of Suspicious Failed Connections

·       Device::Anomalous Github Download

·       Device::New PowerShell User Agent

·       Unusual Activity::Unusual External Data to New Endpoint

/ NETWORK-based Autonomous Response model alerts:

·       Antigena / Network::Significant Anomaly::Antigena Significant Anomaly from Client Block

·       Antigena / Network::Significant Anomaly::Antigena Controlled and Model Breach

·       Antigena / Network::Significant Anomaly::Antigena Breaches Over Time Block

Indicators of Compromise (IoCs)

IP/Hostname:

·       zoom[.]uswebob[.]us · 148.72.73[.]98

·       83.136.208[.]246

·       check02id[.]com · 83.136.210[.]180

·       83.136.208[.]48

·       104.145.210[.]107

URIs:

·       /api/daemon

Destination Port Usage:

·       6783

·       5202

·       443

·       7365

·       8443

ASN:

·       AS400897 PETROSKY

·       AS398256 AS-ULTAHOST

User agents:

·       Mozilla/5.0 (Windows NT; Windows NT 10.0; fr-FR) WindowsPowerShell/5.1.26100.7920

·       Go-http-client/1.1

·       curl/8.7.1

MITRE ATT&CK Mapping

(Technique Name - Tactic - ID - Sub-Technique of)

·       Browser Session Hijacking - COLLECTION - T1185

·       Web Protocols - COMMAND AND CONTROL - T1071.001 - T1071

·       Install Digital Certificate - RESOURCE DEVELOPMENT - T1608.003 - T1608

·       PowerShell - EXECUTION - T1059.001 - T1059

·       Domain Generation Algorithms - COMMAND AND CONTROL - T1568.002 - T1568

·       Non-Standard Port - COMMAND AND CONTROL - T1571

·       Malware - RESOURCE DEVELOPMENT - T1588.001 - T1588

·       Web Service - COMMAND AND CONTROL - T1102

·       Code Repositories - COLLECTION - T1213.003 - T1213

·       Exploitation of Remote Services - LATERAL MOVEMENT - T1210

·       Exfiltration Over C2 Channel - EXFILTRATION - T1041

·       Exfiltration to Cloud Storage - EXFILTRATION - T1567.002 - T1567

References:

[1] https://www.microsoft.com/en-us/security/blog/2026/04/16/dissecting-sapphire-sleets-macos-intrusion-from-lure-to-compromise/

[2] https://radar.securityalliance.org/advisory-on-dprk-unc1069-fake-microsoft-teams-and-zoom-calls/

[3] https://www.virustotal.com/gui/domain/uswebob.us

[4] https://www.virustotal.com/gui/ip-address/83.136.210.180/community

[5] https://www.virustotal.com/gui/ip-address/104.145.210.107/community

[6] https://www.virustotal.com/gui/ip-address/83.136.208.48/community

[7] https://www.virustotal.com/gui/ip-address/83.136.208.246/community

[8] https://www.darktrace.com/blog/applescript-abuse-unpacking-a-macos-phishing-campaign

Why prompt analysis is emerging as a key AI security challenge

If securing AI has been one of the defining cybersecurity conversations of the past year, prompt analysis is quickly becoming one of its most interesting frontiers.

Security leaders are under pressure to understand how AI is being used across the business. In some organizations, that means governing employee use of chatbots. In others, it means overseeing copilots embedded into SaaS platforms, monitoring coding assistants, or assessing the growing footprint of autonomous agents. However different these use cases may appear on the surface, they share a common factor: humans and machines are usually interacting with enterprise systems through language.  

How prompt language differs from traditional security telemetry

For years, defenders have become used to working with familiar forms of telemetry: email traffic, network connections, API calls, endpoint processes, authentication events. Prompt language is different. It is not simply another log source. It is an expression of intent, instruction, curiosity, urgency, and sometimes manipulation. It reflects the end-goal of a user or agent, but not always with enough surrounding context to interpret the risk correctly.

Why existing security approaches only partially explain prompt risk

A growing number of vendors are approaching the task of securing AI from the angle they know best. Perimeter vendors are extending web or browser controls into AI usage. Identity vendors are emphasizing agent permissions and access governance. Data security and DLP providers are focusing on content inspection and exfiltration risk. All of these perspectives matter, but individually can’t fully explain the problem.

The challenge with securing AI is not just that a new application category has emerged. It is that language has become a new operating layer in the enterprise.

Employees now use prompts to summarize documents, generate code, analyze spreadsheets, query internal knowledge, and trigger multi-step actions through agents. In each case, prompt language acts as the interface between human intent and machine execution. That makes prompts incredibly valuable from a security perspective as they can hint at misuse, policy violations, data exposure, or attempts to circumvent controls. However, they can also be deeply ambiguous when viewed in isolation. That ambiguity is the heart of the issue.

Prompts as behavioral signals, not just text to classify

A prompt by itself tells you what was asked. It does not necessarily tell you whether the request is expected, risky, accidental, or entirely legitimate in context. Two nearly identical prompts can carry very different meanings depending on the role and function of who issued them, what systems they can access, and what actions followed. In other words, prompts are not just text to classify. They are behavioral signals to interpret.

Example: How context changes prompt risk entirely

Consider a common enterprise scenario. An employee is pulled into a new project with an aggressive deadline. Almost overnight, their use of AI tools spikes. They begin prompting more frequently, working across unfamiliar documents, querying new data sources, and interacting with more systems than usual to accelerate delivery. Viewed narrowly, this may look suspicious. Prompt volume increases, file access patterns change, API and SaaS activity rise. From some vantage points, it may resemble insider risk or unmanaged AI usage.

But now add context. Imagine that, earlier that day, the employee received instructions from a senior leader asking them to support a time-sensitive initiative. Their communication history shows that this leader is a legitimate reporting-line superior. Their recent collaboration patterns align with the new project team. Their subsequent activity, while unusual for that individual’s baseline, is consistent with the business task they were assigned.

What initially looked like a risk event may actually be a normal response to business pressure. Without the surrounding context of communication, organizational relationships, and broader behavioral patterns, prompt activity alone could generate more noise than insight.

The reverse is also true. A prompt may appear benign on the surface while the context around it suggests elevated risk. A request that seems routine could originate from a compromised user, a newly connected external agent, a shadow AI workflow, or a user acting outside their normal role. The language itself may not contain anything obviously malicious, but the surrounding conditions may tell a very different story.

What security teams need to analyze prompts effectively

The future of prompt analysis is not just about understanding language. It is about understanding language in context.

To do that well, security teams need more than prompt inspection. They need to understand:

• Who is issuing the prompt, whether human or agent

• How that identity normally behaves across the enterprise

• What systems, data, and workflows are connected to the interaction

• Which relationships and communications explain the surrounding activity

• Whether the downstream actions align with expected business behavior

When those layers are absent, prompt analysis can become another isolated control surface: useful in theory, but limited in practice. Security teams may detect unusual wording but miss the operational function behind it, overreact to benign changes in behavior, or miss subtle misuse because the prompt itself did not appear dangerous.

How organizations should think about prompt analysis going forward

Security teams have seen this pattern before. In the cloud, posture without runtime context left important gaps. In identity, access control without behavioral understanding missed misuse that looked legitimate on paper. In data security, content inspection without business context often created friction without resolving risk. AI is exposing the same lesson again: controls are strongest when they are coordinated, not isolated. As organizations work to secure AI and identify gaps across their security operations, prompt analysis will become an increasingly important source of insight, but only as part of a broader strategy.

Prompt analysis will undoubtedly become more common, as prompts are one of the clearest windows into how people and agents are using AI systems. However, what matters most is not simply collecting prompts or filtering dangerous phrases, but being able to place that language inside a wider behavioral and operational picture.

Organizations that already have a broader understanding of how work gets done across the enterprise will be better positioned to make sense of prompt language as this category matures. They will be better able to distinguish urgency from abuse, experimentation from exfiltration, and productive AI adoption from hidden risk.

At Darktrace, this is the key lesson emerging from the market: prompt language does matter, but it does not stand alone. It is most valuable when treated as a new behavioral input that can enrich understanding across the enterprise, not as a self-contained source of truth.

Why prompts become less useful when analyzed in isolation

The curious case of prompt language analysis, then, is this: the more important prompts become, the less useful they are in a vacuum.

The real opportunity is not just to see what was asked. It is to understand why it was asked, what it meant in that moment, and what happened next.

For a deeper look at how organizations are approaching this challenge from the strengths of prompt analysis to its limitations in isolation see Prompt Security in Enterprise AI: Strengths, Weaknesses, and Common Approaches, which expands on the role prompt-level controls play within a broader, context-driven security strategy.