AI Incident Database
Report 5359

Associated Incidents

Incident 11171 Report
North Korea-Linked Actors Allegedly Use AI Executive Deepfakes in Zoom Phishing Targeting Web3 Employee

Incident 111841 Report
Ongoing Purported AI-Assisted Identity Fraud Enables Unauthorized Access to Western Companies by North Korean IT Workers

Tricked on Zoom: Deepfake Scam Leads to macOS Breach
the420.in · 2025

A new cyber attack campaign by North Korea-linked group BlueNoroff has come to light, targeting a Web3 industry employee through deepfake Zoom calls and macOS malware. Security researchers say the incident reflects growing sophistication in nation-state phishing operations.

Fake Executives on Zoom, Real Malware on Mac

According to a cybersecurity firm, the attack began with a Telegram message asking to schedule a meeting. A Calendly invite appeared legitimate, but redirected to a malicious Zoom lookalike site controlled by attackers.

Weeks later, the employee joined a fake Zoom meeting populated by AI-generated deepfakes of their own company's executives. When they reported audio issues, the attackers shared a so-called "Zoom extension" via Telegram. This file, actually a malicious AppleScript, triggered a stealthy malware chain.

The script downloaded further payloads from fake Zoom domains, including a backdoor disguised as a support tool. It bypassed user logs, checked for Apple's Rosetta translation layer, and prompted for the system password to install additional malware.

Backdoor Arsenal Includes Keylogger and Crypto Stealer

Huntress found eight unique malware components on the infected Mac:

  • A Nim-based binary to launch the backdoor
  • Root Troy V4, a Go-based implant that executes AppleScripts and commands
  • InjectWithDyld, a loader that drops further implants and a Swift app
  • XScreen, an Objective-C keylogger that also captures clipboard and screen data
  • CryptoBot, which hunts for and exfiltrates crypto wallet data
  • NetChk, a decoy app generating endless random numbers

All traffic was routed through C2 infrastructure mimicking Zoom domains.

BlueNoroff, also tracked as APT38, TA444, and TraderTraitor, is part of the North Korean Lazarus Group and is known for financially motivated attacks. Past campaigns include the Axie Infinity hack (2022) and the Bybit breach (2025).

Fake Job Offers Fuel Cross-Platform Attacks

The campaign mirrors tactics used in the Contagious Interview and ClickFake Interview scams. In those cases, attackers posed as recruiters and tricked victims into running malicious scripts under the guise of fixing webcam or microphone issues.

Cisco Talos reported that newer versions use a Python variant of GolangGhost, now known as PylangGhost. These trojans target Windows and macOS users, harvesting credentials and cookies from over 80 browser extensions and password managers. Victims in India were reportedly among the top targets.

Fake sites impersonated major crypto brands like Coinbase, Robinhood, and Uniswap to lure job-seekers into running malware as part of a bogus hiring assessment.

Security researchers believe the threat actor Famous Chollima, possibly an umbrella group, is behind these attacks.
