June 23, 2025
Severity
High
Analysis Summary
In a sophisticated cyber operation attributed to the North Korea-aligned threat actor BlueNoroff (a sub-cluster of the Lazarus Group), a targeted campaign was launched against an employee of a cryptocurrency foundation in the Web3 sector. The attack began with social engineering over Telegram, where the victim was lured into a meeting through a Calendly link. Although the invitation appeared to be for a Google Meet call, it redirected to a fake Zoom domain controlled by the threat actor. The victim was subsequently brought into a deceptive group Zoom meeting populated by deepfaked versions of their company’s leadership. Exploiting trust and urgency, the threat actors manipulated the victim into installing a malicious Zoom extension via AppleScript (“zoom_sdk_support.scpt”) under the pretense of resolving audio issues.
According to the researchers, this AppleScript initially opened a legitimate Zoom SDK page but covertly downloaded additional payloads from attacker-controlled infrastructure. The script disabled bash logging, installed Rosetta 2 (if needed), and pulled in malware from fake Zoom subdomains. The accompanying shell script prompted the user for their system password and cleaned up the command history to evade detection. The malware arsenal deployed was extensive, with eight distinct binaries identified: a Nim-based loader ("Telegram 2"), a Go backdoor ("Root Troy V4"), a C++ injector ("InjectWithDyld"), a Swift-based injector helper, a Nim-based asynchronous implant, a keylogger ("XScreen"), a Go-based infostealer ("CryptoBot"), and a decoy binary ("NetChk").
This campaign underscores BlueNoroff’s ongoing focus on cryptocurrency theft, using advanced social engineering and macOS-specific payloads to target remote workers. The use of deepfakes in Zoom calls marks a concerning escalation in attack sophistication. BlueNoroff, known for the TraderTraitor series of heists, including the Axie Infinity (2022) and Bybit (2025) hacks, continues to evolve its toolkit and delivery techniques. Researchers highlight that remote workers in crypto and finance remain high-priority targets due to their elevated access and financial relevance.
Further analysis links this activity to broader DPRK cyber-ops trends. According to DTEX, APT38 has split into TraderTraitor (aka Jade Sleet/UNC4899) and CryptoCore (aka CageyChameleon), with TraderTraitor leading DPRK’s cryptocurrency theft efforts. Additionally, related campaigns like “ClickFake Interview” mimic hiring processes using fake job portals impersonating companies such as Coinbase or Robinhood. These lure victims into executing Python-based malware ("PylangGhost") or its Go counterpart ("GolangGhost"), which enable full system compromise, data theft, and credential exfiltration. These multi-platform intrusions reveal a persistent, highly coordinated effort by North Korean actors to fund their regime through cybercrime.
Impact
- Sensitive Data Theft
- Gain Access
- Crypto Theft
- Financial Loss
Indicators of Compromise
Domain Name
- safefor.xyz
- readysafe.xyz
- support.us05web-zoom.biz
- web071zoom.us
MD5
- 01d3ed1c228f09d8e56bfbc5f5622a6c
- 0af11f610da1f691e43173d44643283f
- 13c07ccb4117bfba9921e45c39b10339
SHA-256
- ad01beb19f5b8c7155ee5415781761d4c7d85a31bb90b618c3f5d9f737f2d320
- 14e9bb6df4906691fc7754cf7906c3470a54475c663bd2514446afad41fa1527
- 469fd8a280e89a6edd0d704d0be4c7e0e0d8d753e314e9ce205d7006b573865f
SHA-1
- df9894ceaf81945a771b4c230fc730b5b72c5ea2
- a4933676e28dd47d685edeb8dd5be4533cd0f77d
- 2d746dda85805c79b5f6ea376f97d9b2f547da5d
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Encourage employees to cross-check meeting invites (e.g., Zoom, Google Meet) through verified internal channels before clicking any links.
- Restrict the execution of AppleScript and shell scripts, especially for non-admin users, and use MDM (Mobile Device Management) tools to enforce those restrictions.
- Deploy EDR solutions that support macOS to detect unusual behaviors like bash history tampering, hidden file creation, and unauthorized binary execution.
- Regularly scan endpoints for suspicious files in directories like /tmp/, hidden files (e.g., .pwd), or unknown binaries like “Telegram 2” and “Root Troy V4”.
- Use configuration profiles to prevent automatic installation of Rosetta 2 unless explicitly needed and approved.
- Inspect use of external messaging apps and calendaring services for unverified contacts or malicious meeting requests.
- Reset system passwords on compromised machines, audit access logs, and revoke any potentially exposed credentials.
- Only allow approved applications to run on macOS systems to block unknown and unsigned scripts or binaries.
- Look for indicators of compromise (IOCs) like dropped files, specific domains, or C2 connections in logs and telemetry.
- Notify national CERTs, industry ISACs, and law enforcement if North Korean APT activity is suspected.
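The indicator list and the remediation steps above can be turned into one repeatable endpoint sweep. The script below is an added example, not part of the original advisory or any vendor tool: the hashes, domains and file names it carries are exactly the ones published on this page; the log format it reads (free text, one event per line) and the shell rc-file patterns it looks for are assumptions, and those rc-file patterns are a generic signal that history logging was disabled rather than a signature of this particular campaign. It is written in POSIX sh so it runs unchanged on macOS (shasum/md5) and Linux (sha256sum/md5sum).

```shell
#!/bin/sh
# Added example: defender-side IOC sweep for the BlueNoroff macOS campaign described above.
# Hashes, domains and file names below are the ones published in this advisory.
# POSIX sh so it runs on macOS (shasum/md5) and Linux (sha256sum/md5sum) alike.

IOC_SHA256="ad01beb19f5b8c7155ee5415781761d4c7d85a31bb90b618c3f5d9f737f2d320
14e9bb6df4906691fc7754cf7906c3470a54475c663bd2514446afad41fa1527
469fd8a280e89a6edd0d704d0be4c7e0e0d8d753e314e9ce205d7006b573865f"
IOC_SHA1="df9894ceaf81945a771b4c230fc730b5b72c5ea2
a4933676e28dd47d685edeb8dd5be4533cd0f77d
2d746dda85805c79b5f6ea376f97d9b2f547da5d"
IOC_MD5="01d3ed1c228f09d8e56bfbc5f5622a6c
0af11f610da1f691e43173d44643283f
13c07ccb4117bfba9921e45c39b10339"
IOC_DOMAINS="safefor.xyz
readysafe.xyz
support.us05web-zoom.biz
web071zoom.us"
# File names called out in the advisory; a weaker, name-only signal that needs triage.
IOC_NAMES="zoom_sdk_support.scpt
Telegram 2
Root Troy V4
InjectWithDyld
XScreen
CryptoBot
NetChk
.pwd"

# Print the hex digest of file $2 using algorithm $1 (sha256 | sha1 | md5).
file_digest() {
  case "$1" in
    sha256) if command -v sha256sum >/dev/null 2>&1; then sha256sum "$2"; else shasum -a 256 "$2"; fi ;;
    sha1)   if command -v sha1sum   >/dev/null 2>&1; then sha1sum "$2";   else shasum -a 1 "$2";   fi ;;
    md5)    if command -v md5sum    >/dev/null 2>&1; then md5sum "$2";    else md5 -q "$2";        fi ;;
  esac | awk '{ print $1 }'
}

# Succeed when $1 equals one line of the newline-separated list $2 (case-insensitive, whole line).
in_list() {
  [ -n "$1" ] || return 1          # an empty pattern would match everything
  printf '%s\n' "$2" | grep -qixF -- "$1"
}

# Report one file: "MATCH <algo> <digest> <path>" per hash hit, "NAME <path>" for a listed file name.
# Succeeds if anything matched, fails otherwise.
check_file() {
  f="$1"; hit=1
  [ -f "$f" ] || return 1
  if in_list "$(basename -- "$f")" "$IOC_NAMES"; then printf 'NAME %s\n' "$f"; hit=0; fi
  for algo in sha256 sha1 md5; do
    case "$algo" in sha256) list=$IOC_SHA256 ;; sha1) list=$IOC_SHA1 ;; md5) list=$IOC_MD5 ;; esac
    d=$(file_digest "$algo" "$f")
    if in_list "$d" "$list"; then printf 'MATCH %s %s %s\n' "$algo" "$d" "$f"; hit=0; fi
  done
  return $hit
}

# Walk every directory given (hidden files included) and print the hits; succeeds only if there were any.
ioc_sweep() {
  out=$(for root in "$@"; do
          find "$root" -type f 2>/dev/null | while IFS= read -r f; do check_file "$f" || true; done
        done)
  if [ -n "$out" ]; then printf '%s\n' "$out"; return 0; fi
  return 1
}

# Print (with line numbers) every line of a DNS/proxy log $1 that mentions an advisory domain.
# Assumed log format: free text, one event per line.
scan_log_for_domains() {
  pat=$(printf '%s\n' "$IOC_DOMAINS" | sed 's/\./\\./g' | paste -s -d '|' -)
  grep -inE -- "$pat" "$1"
}

# Print lines of a shell rc/profile file $1 that disable or truncate command history: a generic
# signal for the "bash logging disabled / history cleaned" behaviour the advisory describes.
check_history_tampering() {
  grep -nE 'unset[[:space:]]+HISTFILE|HISTFILE=/dev/null|HISTSIZE=0|set[[:space:]]+[+]o[[:space:]]+history' "$1"
}

# Usage: sh ioc_sweep.sh /tmp "$HOME/Downloads" "$HOME/Library/Application Support"
if [ "$#" -gt 0 ]; then
  ioc_sweep "$@" || echo "no file IOC matches under: $*"
fi
```

Hash hits are the strong signal; a NAME hit only says that a file with one of the advisory's names exists and should be pulled for hashing and triage. The domain scan and the rc-file check are meant to be pointed at exported DNS/proxy logs and at each user's ~/.bash_profile, ~/.bashrc or ~/.zshrc, which is where a script that silences history would have to leave its trace if it wanted the change to persist.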