
Visualization of attack chain | Image: Huntress
Huntress exposes a sophisticated intrusion by North Korean threat actor TA444, using a fake Zoom extension, AppleScript abuse, and a custom macOS malware suite to steal crypto from a foundation employee.
On June 11, 2025, a routine alert turned into a full-blown incident response when Huntress investigated what was initially thought to be a suspicious Zoom plugin. It quickly escalated into a disturbing example of social engineering and macOS exploitation orchestrated by BlueNoroff (a subgroup of North Korea’s Lazarus Group, tracked as TA444).
It started weeks earlier, when an employee at a cryptocurrency foundation received a Telegram message. The attacker, posing as a professional contact, invited them to a meeting via Calendly.
The invite pointed to a Google Meet, but the link redirected to a fake Zoom domain: support[.]us05web-zoom[.]biz.
When the victim joined the meeting, they were greeted by deepfake impersonations of their company’s leadership — a tactic BlueNoroff has used before. The “attendees” claimed the victim’s microphone wasn’t working and insisted they install a Zoom extension.

“During the meeting, the employee was unable to use their microphone, and the deepfakes told them that there was a Zoom extension they needed to download,” the report explains.
The so-called extension was a disguised AppleScript named zoom_sdk_support.scpt. While it launched a legitimate Zoom SDK page to appear authentic, it secretly downloaded a second-stage payload from the attacker-controlled site and ran malicious scripts — all while hiding over 10,500 blank lines above the payload.
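The blank-line padding described above is a simple artifact defenders can look for. The following is an added detection heuristic, not code from Huntress or from the report: it flags plain-text AppleScript files whose content only begins after hundreds of empty lines and that then invoke a shell command or a URL. The threshold, the indicator patterns and the two sample scripts are constructed assumptions for illustration.

```python
"""Heuristic check for AppleScript files padded with leading blank lines (added example)."""
import re

# Assumed threshold: legitimate scripts rarely start with more than a handful of blank lines.
BLANK_LINE_THRESHOLD = 500

# Indicators that the script body reaches out to the network or runs shell commands.
SUSPICIOUS_PATTERNS = [
    re.compile(r"do shell script", re.IGNORECASE),
    re.compile(r"\bcurl\b", re.IGNORECASE),
    re.compile(r"https?://", re.IGNORECASE),
]


def leading_blank_lines(text: str) -> int:
    """Return the number of empty (whitespace-only) lines before the first real line."""
    count = 0
    for line in text.splitlines():
        if line.strip():
            break
        count += 1
    return count


def analyze_script(text: str) -> dict:
    """Report padding depth, matched indicators, and a combined verdict."""
    blanks = leading_blank_lines(text)
    body = "\n".join(text.splitlines()[blanks:])
    hits = [p.pattern for p in SUSPICIOUS_PATTERNS if p.search(body)]
    return {
        "leading_blank_lines": blanks,
        "indicators": hits,
        "suspicious": blanks >= BLANK_LINE_THRESHOLD and bool(hits),
    }


def scan_file(path: str) -> dict:
    """Analyze an on-disk text script; compiled binary .scpt files are not parsed here."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return analyze_script(fh.read())


# Constructed samples (not real malware): a benign one-liner and a padded script
# that mimics the pattern of a visible decoy URL followed by a shell command.
BENIGN_SCRIPT = 'display dialog "Hello"\n'
PADDED_SCRIPT = ("\n" * 10500
                 + 'open location "https://example.invalid/zoom-sdk"\n'
                 + 'do shell script "/bin/sh /tmp/stage2.sh"\n')
```

Point `scan_file` at anything a user downloaded as a "meeting extension" and treat a verdict of `suspicious` as a reason to escalate rather than as proof on its own.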
From there, a modular malware suite took over the system, featuring:
- Telegram 2 (written in Nim): The persistent implant, triggered hourly via LaunchDaemons.
- Root Troy V4 (Go): A powerful backdoor executing AppleScripts and payload loaders.
- InjectWithDyld (C++): A clever binary loader using AES-CFB to decrypt embedded implants and inject them into trusted processes.
- XScreen (keyboardd): A full keylogger and screen recorder, monitoring clipboard, active apps, and sending periodic screenshots.
- CryptoBot (airmond): A Go-based infostealer laser-focused on cryptocurrency wallet data, extracting credentials from over 25 browser-based wallets including MetaMask, Phantom, Tron, and Ronin.
The campaign used advanced macOS-specific techniques rarely seen outside of nation-state attacks:
- AppleScript abuse for execution and persistence
- Rosetta 2 installation check to ensure payload compatibility
- Process injection into legitimate Swift apps via task_for_pid and mach_vm APIs
- Use of macOS entitlements like com.apple.security.cs.debugger to bypass memory protections
- Zero-wipe anti-forensics, nulling payloads post-execution
The intrusion tied back to BlueNoroff/TA444, previously known for using fake job offers, LinkedIn lures, and cryptocurrency-themed attacks.
Huntress analysts recovered build artifacts pointing to four developer personas (e.g., dominic, chris, pooh), linking specific implants to compiler usernames — rare breadcrumbs for attribution.
Organizations, especially in crypto, fintech, and high-profile sectors, must be vigilant. Huntress advises:
- Be cautious of last-minute platform switches, unfamiliar Zoom/Meet/Teams links, and unusual TLDs like .biz, .site, or .click
- Never install browser extensions or meeting add-ons on request
- Report suspicious meeting setups or deepfake video behavior immediately