{"id":3625,"date":"2025-06-19T12:04:17","date_gmt":"2025-06-19T12:04:17","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3625"},"modified":"2025-06-19T12:04:17","modified_gmt":"2025-06-19T12:04:17","slug":"north-koreas-bluenoroff-uses-ai-deepfakes-to-push-mac-malware-in-fake-zoom-calls","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3625","title":{"rendered":"North Korea\u2019s BlueNoroff uses AI deepfakes to push Mac malware in fake Zoom calls"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>In a novel social engineering campaign, North Korea\u2019s BlueNoroff is tricking company executives into downloading fake Zoom extensions that install a custom-built Mac malware suite.<\/p>\n<p>According to the findings by cybersecurity outfit Huntress, the infamous APT group (aka TA444, Sapphire Sleet, and COPERNICIUM) is using deep fakes of the victims\u2019 own leadership to sell the ruse.<\/p>\n<p>\u201cThis attack is a powerful example of how threat actors are evolving,\u201d said Randolph Barr, CISO at Cequence. 
\u201cThe use of AI-generated deepfakes in real-time video calls, combined with personalized social engineering, represents a major shift in the sophistication of cyberattacks.\u201d<\/p>\n<p>The attack delivered a range of macOS malware, including info-stealers, keyloggers, and backdoors, showing unusually advanced tradecraft like clipboard monitoring and sleep-aware command execution, according to Huntress.<\/p>\n<h2 class=\"wp-block-heading\">Lured by a fake Google Meet invite<\/h2>\n<p>In a blog post describing <a href=\"https:\/\/www.huntress.com\/blog\/inside-bluenoroff-web3-intrusion-analysis\">BlueNoroff<\/a>\u2018s attack, Huntress said it learned about the intrusion on June 11 after a partner (a cryptocurrency foundation) reported that an end user had downloaded a suspicious Zoom extension. When Huntress deployed its <a href=\"https:\/\/www.csoonline.com\/article\/568045\/what-is-edr-endpoint-detection-and-response.html?utm=hybrid_search\">EDR<\/a> agent, it found that the infection had actually occurred weeks before.<\/p>\n<p>Initial access came via Telegram, where the victim received a seemingly benign meeting request. The attacker shared a Google Meet invite hosted on Calendly, but clicking it took the user to a fake Zoom site controlled by the threat actor. When the meeting started, the employee was met by AI-generated deep fakes of their bosses, asking them to install a \u2018Zoom extension\u2019 to fix a microphone issue.<\/p>\n<p>Barr believes the attackers have significantly stepped up their game, making detection harder than ever. \u201cFor years, the industry has leaned on the phrase \u2018users are the weakest link\u2019, but in cases like this, that narrative is both outdated and unfair,\u201d he said. 
\u201cWhen attackers are leveraging AI to convincingly mimic real people and applications appear properly signed and notarized, we can\u2019t reasonably expect even well-trained users to make the right call every time.\u201d<\/p>\n<p>North Korean threat groups are well known for using social engineering, such as <a href=\"https:\/\/www.csoonline.com\/article\/3818521\/lazarus-group-tricks-job-seekers-on-linkedin-with-crypto-stealer.html?utm=hybrid_search\">tricking job seekers<\/a>, to gain access to targets. One of their most notable campaigns, \u201c<a href=\"https:\/\/www.csoonline.com\/article\/3817394\/macos-ferret-operators-add-a-deceptive-bite-to-their-malware-family.html\">Contagious Interview<\/a>,\u201d saw attackers (the <a href=\"https:\/\/www.csoonline.com\/article\/2066558\/north-korean-kimsuky-groups-attack-chain-blends-with-legitimate-traffic.html\">Kimsuky group<\/a>) pose as recruiters offering fake job interviews to professionals. During these calls, they shared malware-laced files disguised as assessments, allowing them to steal credentials and establish long-term access.<\/p>\n<p>\u201cWe attribute with high confidence that this intrusion was conducted by the North Korean (DPRK) APT subgroup tracked as TA444 aka BlueNoroff, a state-sponsored threat actor known for <a href=\"https:\/\/www.proofpoint.com\/us\/blog\/threat-insight\/ta444-apt-startup-aimed-at-your-funds\" target=\"_blank\" rel=\"noopener\">targeting cryptocurrencies<\/a> stemming back to at least 2017,\u201d Huntress researchers said.<\/p>\n<h2 class=\"wp-block-heading\">Campaign delivers modular, persistent, Mac-specific malware<\/h2>\n<p>Huntress recovered a total of eight distinct malicious binaries, each with specific tasks. The primary implant, \u201cTelegram 2\u201d, was written in Nim and installed itself as a macOS LaunchDaemon to maintain persistence. 
It acted as a launcher for the heavier tooling, including the Go-based \u201cRoot Troy V4\u201d backdoor and \u201cCryptoBot\u201d, a dedicated cryptocurrency stealer that hunted for wallet data across more than 20 Web3 plugins.<\/p>\n<p>The attack\u2019s highlight, though, is \u201cInjectWithDyld,\u201d a C++ loader capable of process injection on macOS, a technique rarely seen at this depth in the wild, the researchers added. It decrypted embedded payloads with AES-CFB and injected them into benign processes such as the Swift-based \u201cBase App.\u201d To avoid tipping off the user, it also gated its commands behind display-sleep checks, executing only while the screen was off.<\/p>\n<p>Other significant payloads included XScreen, a keylogger that also captured the screen and clipboard, and NetChk, a decoy binary that ran infinite loops to clutter the system\u2019s process list. Each implant was signed and disguised just enough to quietly exfiltrate data to fake Zoom, MetaMask, and other crypto-themed C2 servers.<\/p>\n<p>To stay ahead of the threat, Barr recommended leaning on existing technical controls: MDM platforms that enforce least privilege and block local admin access and unapproved installs, and EDR tooling that provides real-time visibility into endpoint activity and alerts on suspicious behavior.<\/p>\n<p>\u201cLayered defenses that combine user training with strong endpoint controls, policy enforcement, and behavioral analytics are not optional \u2014 they\u2019re essential,\u201d he said.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>In a novel social engineering campaign, North Korea\u2019s BlueNoroff is tricking company executives into downloading fake Zoom extensions that install a custom-built Mac malware suite. 
According to the findings by cybersecurity outfit Huntress, the infamous APT group (aka TA444, Sapphire Sleet, and COPERNICIUM) is using deep fakes of the victims\u2019 own leadership to sell the [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3614,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3625","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3625"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3625"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3625\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3614"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3625"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3625"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3625"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
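The article describes the primary implant installing itself as a macOS LaunchDaemon under a borrowed brand name ("Telegram 2"). The script below is an added example of the hunt a responder would run for that persistence mechanism; it is not code from the article, from Huntress, or from the malware. It parses launchd property lists, works out which binary each job runs, and flags jobs whose program lives outside the paths Apple and mainstream installers use, jobs that pair an Apple-style label with a non-Apple binary, jobs that borrow an impersonated brand name outside /Applications, and jobs set to start at boot and relaunch if killed. The trusted-path list, brand-word list, labels and file paths are assumptions of the example, and the sample plists are constructed for the demo.

```python
"""Triage launchd persistence on macOS (added example, not the article's code)."""
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Path prefixes treated as ordinary for a launchd job's binary. This list is an
# assumption of the example, tuned for low noise rather than completeness.
TRUSTED_PREFIXES = (
    "/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/",
    "/Applications/", "/Library/Apple/", "/Library/PrivilegedHelperTools/",
)
# Brands the campaign impersonated; one of these running from outside
# /Applications is worth a closer look. Assumed list, extend as needed.
BRAND_WORDS = ("zoom", "telegram", "metamask")

# Constructed samples: a plausible Apple helper and a job modelled on the
# "Telegram 2" daemon. Labels and paths are invented for illustration.
SAMPLE_PLISTS = {
    "com.apple.example.plist": {
        "Label": "com.apple.example",
        "ProgramArguments": ["/usr/libexec/example-helper", "--daemon"],
        "RunAtLoad": True,
    },
    "com.telegram.update.plist": {
        "Label": "com.telegram.update",
        "ProgramArguments": ["/Users/victim/Library/Telegram 2/Telegram 2", "-silent"],
        "RunAtLoad": True,
        "KeepAlive": True,
    },
}


def program_of(job: dict) -> str:
    """Return the executable a launchd job runs ('Program' wins over argv[0])."""
    if isinstance(job.get("Program"), str):
        return job["Program"]
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return ""


def triage_job(label: str, job: dict) -> list:
    """Return human-readable reasons a launchd job deserves a closer look."""
    reasons = []
    prog = program_of(job)
    if not prog:
        reasons.append("no Program/ProgramArguments")
    elif not prog.startswith(TRUSTED_PREFIXES):
        reasons.append(f"binary outside trusted paths: {prog}")
    if prog and label.lower().startswith("com.apple.") and not prog.startswith(("/System/", "/usr/")):
        reasons.append(f"Apple-style label but non-Apple binary: {prog}")
    haystack = f"{label} {prog}".lower()
    if any(word in haystack for word in BRAND_WORDS) and not prog.startswith("/Applications/"):
        reasons.append("trusted brand name used outside /Applications")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad+KeepAlive: starts at boot and is relaunched if killed")
    return reasons


def triage_dir(directory: Path) -> dict:
    """Map each *.plist in a launchd directory to its list of reasons."""
    findings = {}
    for path in sorted(directory.glob("*.plist")):
        try:
            with path.open("rb") as fh:
                job = plistlib.load(fh)  # handles both XML and binary plists
        except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
            findings[path.name] = [f"unparseable plist ({type(exc).__name__})"]
            continue
        if not isinstance(job, dict):
            findings[path.name] = ["plist root is not a dictionary"]
            continue
        label = job.get("Label") if isinstance(job.get("Label"), str) else path.stem
        findings[path.name] = triage_job(label, job)
    return findings


def write_samples(directory: Path) -> None:
    """Write the constructed sample plists into directory."""
    for name, job in SAMPLE_PLISTS.items():
        with (directory / name).open("wb") as fh:
            plistlib.dump(job, fh)


def demo() -> dict:
    """Scan a temporary directory holding the samples plus one corrupt file."""
    with tempfile.TemporaryDirectory() as tmp:
        directory = Path(tmp)
        write_samples(directory)
        (directory / "broken.plist").write_bytes(b"not a plist")
        return triage_dir(directory)


if __name__ == "__main__":
    # On a real host, point triage_dir at /Library/LaunchDaemons,
    # /Library/LaunchAgents and ~/Library/LaunchAgents instead.
    for name, reasons in demo().items():
        print(name, "->", reasons or "ok")
```

A hit from this script is a lead, not a verdict: legitimate third-party daemons also live in unusual places, so follow up by checking the binary's code signature (`codesign -dv --verbose=4 <path>`) and whether it is notarized, which is exactly the property the article notes the attackers took care to fake.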