The North Korea-aligned threat actor known as BlueNoroff has been observed targeting an employee in the Web3 sector with deceptive Zoom calls featuring deepfaked company executives to trick them into installing malware on their Apple macOS devices.
Huntress, which revealed details of the cyber intrusion, said the attack targeted an unnamed cryptocurrency foundation employee, who received a message from an external contact on Telegram.
"The message requested time to speak to the employee, and the attacker sent a Calendly link to set up meeting time," security researchers Alden Schmidt, Stuart Ashenbrenner, and Jonathan Semon said. "The Calendly link was for a Google Meet event, but when clicked, the URL redirects the end user to a fake Zoom domain controlled by the threat actor."
After several weeks, the employee is said to have joined a group Zoom meeting that included several deepfakes of known members of the senior leadership of their company, along with other external contacts.
However, when the employee said they were unable to use their microphone, the synthetic personas urged them to download and install a Zoom extension to address the supposed issue. The link to the extension, shared via Telegram, downloaded an AppleScript that went by the name "zoom_sdk_support.scpt."
This AppleScript first opens a legitimate webpage for the Zoom software development kit (SDK), but is also configured to stealthily download a next-stage payload from a remote server ("support[.]us05web-zoom[.]biz") and executes a shell script.
The script begins by disabling bash history logging and then checks if Rosetta 2 is installed on the compromised Mac, and if not, installs it. Rosetta is a software that enables Macs running Apple silicon to run apps that were built for a Mac with an Intel processor (x86_64).
The script then proceeds to create a hidden file called ".pwd," and downloads a binary from the malicious Zoom web page ("web071zoom[.lus/fix/audio-fv/7217417464") to the "/tmp/icloud_helper" directory. It also performs another request to "web071zoom[.]us/fix/audio-tr/7217417464" to fetch another unspecified payload.
The shell script also prompts the user to provide their system password and wipes the history of executed commands to avoid leaving a forensic trail. Huntress said its investigation led to the discovery of eight distinct malicious binaries on the victim host -
- Telegram 2, a Nim-based binary responsible for starting the primary backdoor
- Root Troy V4, a fully-featured Go backdoor that's used to run remote AppleScript payloads, shell commands, and download additional malware and execute them
- InjectWithDyld, a C++ binary loader downloaded by Root Troy V4, which, in turn, drops two more payloads: A benign Swift application to facilitate process injection and a different Nim implant that enables the operator to issue commands and receive responses asynchronously
- XScreen, an Objective-C keylogger with features to monitor the victim's keystrokes, clipboard, and the screen, and send the information to a command-and-control (C2) server
- CryptoBot, a Go-based information stealer that can collect cryptocurrency related files from the host
- NetChk, an almost empty binary that's designed to generate random numbers forever
BlueNoroff, also tracked under the names Alluring Pisces, APT38, Black Alicanto, Copernicium, Nickel Gladstone, Stardust Chollima, and TA444, is a sub-cluster within the Lazarus Group that has a history of striking financial institutions, cryptocurrency businesses, and ATMs for monetary gain and generate revenue for the Democratic People's Republic of Korea (DPRK).
The group is best known for orchestrating a series of cryptocurrency heists known as TraderTraitor to target employees of organizations engaged in blockchain research with malicious cryptocurrency trading applications. Some of the significant cases include the hacks of Bybit in February 2025 and Axie Infinity in March 2022.
"Remote workers, especially in high-risk areas of work, are often the ideal targets for groups like TA444," Huntress said. "It is important to train employees to identify common attacks that start off with social engineering related to remote meeting software."
According to DTEX's latest assessment of North Korea's cyber structure, the APT38 mission likely no longer exists and has fractured into TraderTraitor (aka Jade Sleet and UNC4899) and CryptoCore (aka CageyChameleon, CryptoMimic, DangerousPassword, LeeryTurtle, and Sapphire Sleet), with the two clusters becoming the new faces of financial theft for the regime.
"TraderTraitor is arguably the most prolific of any of the DPRK APT groups when it comes to cryptocurrency theft and seems to have housed the most talent from the original APT38 effort," DTEX said. "CryptoCore has been active since at least 2018, likely splitting out of APT38 with TraderTraitor."
What's more, the use of audio issue-themed lures to trick prospective victims into compromising their own machines with malware has its echoes in an evolution of another North Korea-linked campaign dubbed Contagious Interview, which involves using ClickFix-style alerts to deliver a Go-based malware named GolangGhost.
The new iteration, referred to as ClickFake Interview, revolves around creating fake job advertisements and duping job applicants into copying and running a malicious command under the pretext of addressing an issue with access camera and microphone on a fake website set up by the threat actors to complete their hiring assessment.
These cross-platform attacks, per Cisco Talos, have since evolved further, employing a Python version of GolangGhost that has been codenamed PylangGhost. The bogus assessment sites impersonate well-known financial entities such as Archblock, Coinbase, Robinhood, and Uniswap, and have been found to target a small set of users mainly located in India.
"In recent campaigns, the threat actor Famous Chollima — potentially made up of multiple groups — has been using a Python-based version of their trojan to target Windows systems, while continuing to deploy a Golang-based version for MacOS users," security researcher Vanja Svajcer said. "Linux users are not targeted in these latest campaigns."
PylangGhost, like its Golang counterpart, establishes contact with a C2 server to receive commands that enable the attackers to remotely control the infected machine, download/upload files, as well as steal cookies and credentials from over 80 browser extensions, including password managers and cryptocurrency wallets.
"It is not clear [...] why the threat actors decided to create two variants using a different programming language, or which was created first," Talos remarked. "The structure, the naming conventions and the function names are very similar, which indicates that the developers of the different versions either worked closely together or are the same person."
