
BlueNoroff Deepfake Zoom Call Deploys macOS Malware – Active IOCs

Severity

High

Analysis Summary

In a sophisticated cyber operation linked to North Korea-aligned threat actor BlueNoroff (a sub-cluster of the Lazarus Group), a targeted campaign was launched against an employee of a cryptocurrency foundation within the Web3 sector. The attack began with social engineering over Telegram, where the victim was lured into a meeting through a Calendly link. Though the invitation appeared to be for a Google Meet call, it redirected to a fake Zoom domain controlled by the threat actor. Over time, the victim joined a deceptive group Zoom meeting populated by deepfaked versions of their company’s leadership. Exploiting trust and urgency, the threat actors manipulated the victim into installing a malicious Zoom extension via AppleScript (“zoom_sdk_support.scpt”) under the pretense of resolving audio issues.

According to the researchers, this AppleScript initially opened a legitimate Zoom SDK page but covertly downloaded additional payloads from attacker-controlled infrastructure. The script disabled bash logging, installed Rosetta 2 (if needed), and pulled in malware from fake Zoom subdomains. The shell script prompted the user for their system password and cleaned up command history to evade detection. The malware arsenal deployed was extensive, with eight distinct binaries identified: a Nim-based loader ("Telegram 2"), a Go backdoor ("Root Troy V4"), a C++ injector ("InjectWithDyld"), a Swift-based injector helper, a Nim-based asynchronous implant, a keylogger ("XScreen"), a Go-based infostealer ("CryptoBot"), and a decoy binary ("NetChk").

This campaign underscores BlueNoroff’s ongoing focus on cryptocurrency theft, using advanced social engineering and macOS-specific payloads to target remote workers. The use of deepfakes in Zoom calls marks a concerning escalation in attack sophistication. BlueNoroff, known for the TraderTraitor series of heists, including the Axie Infinity (2022) and Bybit (2025) hacks, continues to evolve its toolkit and delivery techniques. Researchers highlight that remote workers in crypto and finance remain high-priority targets due to their elevated access and financial relevance.

Further analysis links this activity to broader DPRK cyber-ops trends. According to DTEX, APT38 has split into TraderTraitor (aka Jade Sleet/UNC4899) and CryptoCore (aka CageyChameleon), with TraderTraitor leading DPRK’s cryptocurrency theft efforts. Additionally, related campaigns like “ClickFake Interview” mimic hiring processes using fake job portals impersonating companies such as Coinbase or Robinhood. These lure victims into executing Python-based malware ("PylangGhost") or its Go counterpart ("GolangGhost"), which enable full system compromise, data theft, and credential exfiltration. These multi-platform intrusions reveal a persistent, highly coordinated effort by North Korean actors to fund their regime through cybercrime.

Impact

  • Sensitive Data Theft
  • Gain Access
  • Crypto Theft
  • Financial Loss

Indicators of Compromise

Domain Name

  • safefor.xyz
  • readysafe.xyz
  • support.us05web-zoom.biz
  • web071zoom.us

MD5

  • 01d3ed1c228f09d8e56bfbc5f5622a6c
  • 0af11f610da1f691e43173d44643283f
  • 13c07ccb4117bfba9921e45c39b10339

SHA-256

  • ad01beb19f5b8c7155ee5415781761d4c7d85a31bb90b618c3f5d9f737f2d320
  • 14e9bb6df4906691fc7754cf7906c3470a54475c663bd2514446afad41fa1527
  • 469fd8a280e89a6edd0d704d0be4c7e0e0d8d753e314e9ce205d7006b573865f

SHA-1

  • df9894ceaf81945a771b4c230fc730b5b72c5ea2
  • a4933676e28dd47d685edeb8dd5be4533cd0f77d
  • 2d746dda85805c79b5f6ea376f97d9b2f547da5d

Remediation

  • Block all threat indicators at your respective controls.
  • Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
  • Encourage employees to cross-check meeting invites (e.g., Zoom, Google Meet) through verified internal channels before clicking any links.
  • Restrict the execution of AppleScript and shell scripts, especially for non-admin users, and use MDM (Mobile Device Management) tools to enforce those restrictions.
  • Deploy EDR solutions that support macOS to detect unusual behaviors like bash history tampering, hidden file creation, and unauthorized binary execution.
  • Regularly scan endpoints for suspicious files in directories like /tmp/, hidden files (e.g., .pwd), or unknown binaries like “Telegram 2” and “Root Troy V4”.
  • Use configuration profiles to prevent automatic installation of Rosetta 2 unless explicitly needed and approved.
  • Inspect use of external messaging apps and calendaring services for unverified contacts or malicious meeting requests.
  • Reset system passwords on compromised machines, audit access logs, and revoke any potentially exposed credentials.
  • Only allow approved applications to run on macOS systems to block unknown and unsigned scripts or binaries.
  • Look for indicators of compromise (IOCs) like dropped files, specific domains, or C2 connections in logs and telemetry.
  • Notify national CERTs, industry ISACs, and law enforcement if North Korean APT activity is suspected.
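As an added example (not Rewterz tooling), the Python sweep below applies the hunting steps from the remediation list: it flags files on a host by the dropped-file names and SHA-256 hashes this advisory lists, including hidden files in a tmp directory, and checks DNS or proxy log lines for the campaign domains and their subdomains. The sample log lines and the hit labels are constructed for illustration.

```python
import hashlib
import re
from pathlib import Path
# Indicators taken from the advisory above (SHA-256 set only; MD5/SHA-1 omitted here).
IOC_DOMAINS = {"safefor.xyz", "readysafe.xyz", "support.us05web-zoom.biz", "web071zoom.us"}
IOC_SHA256 = {
    "ad01beb19f5b8c7155ee5415781761d4c7d85a31bb90b618c3f5d9f737f2d320",
    "14e9bb6df4906691fc7754cf7906c3470a54475c663bd2514446afad41fa1527",
    "469fd8a280e89a6edd0d704d0be4c7e0e0d8d753e314e9ce205d7006b573865f",
}
# Dropped-file names called out in the analysis and remediation sections.
IOC_NAMES = {"zoom_sdk_support.scpt", "Telegram 2", "Root Troy V4", "InjectWithDyld", "XScreen", "CryptoBot", "NetChk", ".pwd"}
HOST_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def sweep_filesystem(root):
    """Return (reason, path) for files matching a known name, a known SHA-256, or the
    hidden-file-in-a-tmp-directory pattern the remediation guidance points at."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        if p.name in IOC_NAMES:
            hits.append(("name", str(p)))
        elif p.name.startswith(".") and p.parent.name == "tmp":
            hits.append(("hidden-in-tmp", str(p)))
        try:  # unreadable files are skipped rather than aborting the sweep
            if hashlib.sha256(p.read_bytes()).hexdigest() in IOC_SHA256:
                hits.append(("sha256", str(p)))
        except OSError:
            pass
    return hits

def match_domains(log_lines):
    """Return (line_no, host) for hosts equal to, or subdomains of, a campaign domain.
    Suffix matching avoids flagging look-alikes such as notsafefor.xyz."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        for host in HOST_RE.findall(line):
            host = host.lower().rstrip(".")
            if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
                findings.append((n, host))
    return findings

SAMPLE_DNS_LOG = [  # constructed sample DNS log lines, not from a real incident
    "2025-06-20T10:01:02Z mac-042 query A zoom.us",
    "2025-06-20T10:01:09Z mac-042 query A support.us05web-zoom.biz",
    "2025-06-20T10:03:44Z mac-042 query A cdn.web071zoom.us",
    "2025-06-20T10:05:00Z mac-042 query A notsafefor.xyz",
]
```

Run `sweep_filesystem("/")` on a suspect Mac (as an account that can read user homes and /tmp) and feed exported resolver or proxy logs to `match_domains`; the hash set can be extended with the MD5 and SHA-1 values above by switching the digest.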