In a novel social engineering campaign, North Korea’s BlueNoroff is tricking company executives into downloading fake Zoom extensions that install a custom-built Mac malware suite.

According to the findings by cybersecurity outfit Huntress, the infamous APT group (aka TA444, Sapphire Sleet, and COPERNICIUM) is using deep fakes of the victims’ own leadership to sell the ruse.

“This attack is a powerful example of how threat actors are evolving,” said Randolf Barr, CISO at Cequence. “The use of AI-generated deepfakes in real-time video calls, combined with personalized social engineering, represents a major shift in the sophistication of cyberattacks.”

The attack delivered a range of macOS malware, including info-stealers, keyloggers, and backdoors, showing unusually advanced tradecraft like clipboard monitoring and sleep-aware command execution, according to Huntress.

Lured by a fake Google Meet invite

In a blog post describing BlueNoroff’s attack, Huntress said it learned about the intrusion on June 11 after a partner (a cryptocurrency foundation) reported that an end user had downloaded a suspicious Zoom extension. When Huntress deployed its EDR agent, it found that the infection had actually occurred weeks before.

Initial access came via Telegram, where the victim received a seemingly benign meeting request. The attacker shared a Google Meet invite hosted on Calendly, but clicking it took the user to a fake Zoom site controlled by the threat actor. When the meeting started, the employee was met by AI-generated deep fakes of their bosses, asking them to install a ‘Zoom extension’ to fix a microphone issue.

Barr believes the attackers have significantly stepped up their game, making detection harder than ever. “For years, the industry has leaned on the phrase ‘users are the weakest link’, but in cases like this, that narrative is both outdated and unfair,” he said. “When attackers are leveraging AI to convincingly mimic real people and applications appear properly signed and notarized, we can’t reasonably expect even well-trained users to make the right call every time.”

North Korean threat groups are well known for using social engineering, such as tricking job seekers in order to gain access to targets. One of their most notable campaigns, “Contagious Interviews,” saw attackers (the Kimsuky group) pose as recruiters offering fake job interviews to professionals. During these calls, they shared malware-laced files disguised as assessments, allowing them to steal credentials and establish long-term access.

“We attribute with high confidence that this intrusion was conducted by the North Korean (DPRK) APT subgroup tracked as TA444 aka BlueNoroff, a state-sponsored threat actor known for targeting cryptocurrencies stemming back to at least 2017,” Huntress researchers said.

Campaign delivers modular, persistent, Mac-specific malware

Huntress recovered a total of eight distinct malicious binaries, each with specific tasks. The primary implant, “Telegram 2”, was written in Nim and embedded itself as a macOS LaunchDaemon to maintain persistence. It acted as a launchpad for the real power tools, including the Go-based “Root Troy V4” backdoor and “CryptoBot”, a dedicated crypto stealer that hunted for wallet data across 20+ Web3 plugins.
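Huntress reports that the primary implant persisted as a macOS LaunchDaemon. The script below is an added example of my own (not Huntress’ tooling and not code from the article) showing how a responder can triage launchd plists for the traces that kind of persistence leaves: a program executing from a user-writable or hidden path, a vendor-sounding label that does not point at the vendor’s app bundle, or a shell interpreter smuggled into the arguments. The two sample plists, the label names and the path prefixes are constructed for the example and are not indicators from the campaign.

```python
"""Triage macOS launchd plists for persistence indicators (added example)."""
import plistlib
from dataclasses import dataclass, field

# Where legitimately installed daemons normally live; an assumption for this example.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/", "/Applications/")
# User-writable locations a LaunchDaemon should never need to execute from.
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/", "/private/var/folders/")
# Product names malware labels tend to borrow (the article mentions a 'Telegram 2' implant and Zoom lures).
MIMICKED_NAMES = ("zoom", "telegram", "metamask", "apple", "google")
# Interpreters/downloaders a daemon rarely has a legitimate reason to invoke.
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "curl", "python3"}


@dataclass
class Finding:
    label: str
    program: str
    indicators: list = field(default_factory=list)  # strong signals worth an analyst's time
    context: list = field(default_factory=list)     # weak signals, reported but not scored

    @property
    def suspicious(self) -> bool:
        return bool(self.indicators)


def triage_plist(data: bytes) -> Finding:
    """Parse one launchd plist (XML or binary) and collect persistence indicators."""
    d = plistlib.loads(data)
    label = str(d.get("Label", "<no label>"))
    args = [str(a) for a in d.get("ProgramArguments", [])]
    program = str(d.get("Program") or (args[0] if args else ""))
    f = Finding(label, program)

    if not program:
        f.indicators.append("no Program or ProgramArguments")
    elif program.startswith(USER_WRITABLE_PREFIXES):
        f.indicators.append(f"executes from user-writable path: {program}")
    elif not program.startswith(TRUSTED_PREFIXES):
        f.indicators.append(f"executes outside expected install paths: {program}")

    # A hidden directory anywhere in the path is a common hiding spot.
    if any(part.startswith(".") for part in program.split("/") if part):
        f.indicators.append("hidden path component in program path")

    # Vendor-looking label that does not actually run the vendor's app bundle.
    if any(n in label.lower() for n in MIMICKED_NAMES) and not program.startswith("/Applications/"):
        f.indicators.append(f"label '{label}' mimics a known vendor but runs {program or '<nothing>'}")

    # Shell or downloader invoked through the argument list.
    if any(a == "-c" or a.rsplit("/", 1)[-1] in INTERPRETERS for a in args[1:]):
        f.indicators.append("shell or downloader in ProgramArguments")

    # Legitimate daemons use these too, so they are context, not a verdict.
    if d.get("RunAtLoad"):
        f.context.append("RunAtLoad")
    if d.get("KeepAlive"):
        f.context.append("KeepAlive")
    return f


def report(f: Finding) -> str:
    verdict = "SUSPICIOUS" if f.suspicious else "ok"
    lines = [f"[{verdict}] {f.label} -> {f.program or '<none>'}"]
    lines += [f"    ! {i}" for i in f.indicators]
    lines += [f"    - {c}" for c in f.context]
    return "\n".join(lines)


# Constructed sample modelled on the persistence the article describes; not a real IoC.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.telegram.update</string>
  <key>ProgramArguments</key><array><string>/Users/Shared/.tg/Telegram 2</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed benign counterpart: a daemon under /usr/libexec with an ordinary argument.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backupd</string>
  <key>ProgramArguments</key><array><string>/usr/libexec/backupd</string><string>--daemon</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for blob in (SUSPICIOUS_PLIST, BENIGN_PLIST):
        print(report(triage_plist(blob)))
```

On a live Mac the same function can be applied to every file under /Library/LaunchDaemons, /Library/LaunchAgents and each user’s ~/Library/LaunchAgents; the path and label heuristics are deliberately coarse, so treat a hit as a reason to pull the binary and check its signature, not as a verdict on its own.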

The attack’s highlight, though, is “InjectWithDyId,” a C++ loader capable of process injection on macOS, an area rarely breached at this depth, researchers added. It decrypted embedded payloads using AES-CFB and injected them into benign apps like the Swift-based “Base App.” Additionally, to avoid user detection, it wrapped commands in display sleep checks, executing only when the screen was off.

Other significant payloads included XScreen, a keylogger with screen and clipboard capture capabilities, and NetChk, a decoy binary that ran infinite loops to muddy the system’s process list. Each implant was signed and disguised just enough to quietly exfiltrate data to fake Zoom, MetaMask, and crypto-themed C2 servers.

To stay ahead of the threat, Barr recommended leaning on existing technical capabilities such as MDM platforms that enforce least privilege and prevent local admin access or unapproved installs, and EDR solutions that offer real-time visibility into endpoint activity and alert on suspicious behavior.

“Layered defenses that combine user training with strong endpoint controls, policy enforcement, and behavioral analytics are not optional — they’re essential,” he said.
