North Korean hackers deepfake execs in Zoom call to spread Mac malware

The North Korean BlueNoroff hacking group is deepfaking company executives during Zoom calls to trick employees into installing custom malware on their macOS devices.

BlueNoroff (aka Sapphire Sleet or TA444) is a North Korean advanced persistent threat (APT) group known for conducting cryptocurrency theft attacks using Windows and Mac malware.

Huntress researchers uncovered a new BlueNoroff attack on June 11, 2025, when they were called to investigate a potential intrusion on a partner’s network.

Like previous attacks, the primary goal was most likely cryptocurrency theft, which aligns with other recent reports about the threat actors from SentinelLabs, Microsoft, Jamf, and Kaspersky.

Zoom attacks

The target, an employee at a tech firm, was contacted by the attackers on Telegram, who posed as external professionals requesting a meeting.

The attacker sent a message containing a Calendly link for what appeared to be a Google Meet session, but the invite link was actually a fake Zoom domain controlled by the attackers.

This tactic is similar to a campaign discovered by Trail of Bits in April, who attributed it to the North Korean activity cluster ‘Elusive Comet.’

When the employee attended the meeting, which was actually a Zoom meeting, it included deepfake videos of recognizable senior leadership from the employee’s company and various external participants to add credibility.

During the meeting, the victim encountered issues with their microphone, which didn’t work, seemingly due to technical problems. The deepfakes advised the victim to download a supposed Zoom extension that would fix the problem.

The link provided via Telegram led the victim to download an AppleScript file (zoom_sdk_support.scpt).

Upon execution, the file opens a legitimate Zoom SDK webpage, but after parsing 10,500 blank lines, it executes a malicious command that downloads a secondary payload from an external source (https[://]support[.]us05webzoom[.]biz) and executes it.

By the time Huntress was called to investigate, the final payload had been pulled from the attacker-controlled domain. However, they were able to find a version on VirusTotal that provided some insight.

“The script begins by disabling bash history logging and then checks if Rosetta 2, which allows Apple Silicon Macs to run x86_64 binaries, is installed,” explains Huntress’ report.

“If it isn’t, it silently installs it to ensurex86_64 payloads can run. It then creates a file called .pwd, which is hidden from the user’s view due to the period prepending it and downloads the payload from the malicious, fake Zoom page to /tmp/icloud_helper.”

Overall, the reseachers found eight distinct malicious binaries on the host compromised in this attack.

Excluding minor tools used in process injection and implant decryption, the Mac malware used in the campaign were:

• Telegram 2 – Nim-based persistence implant disguised as a legitimate Telegram updater. It runs on a schedule and acts as the entry point for the rest of the malware chain. The binary is signed with a valid Telegram developer certificate, helping it evade scrutiny and remain undetected.
• Root Troy V4 – Go-based backdoor that enables remote code execution, command queuing during sleep states, and downloading of additional payloads. It serves as the central controller for post-infection operations and maintains the malware’s configuration and state.
• a (InjectWithDyld) – A second-stage loader that decrypts encrypted implants using a password-derived AES key and injects them into memory. It uses macOS-specific APIs for process injection and includes antiforensic functionality to wipe traces of itself after use.
• XScreen (keyboardd) – Surveillance component that logs keystrokes, records the screen, and monitors the clipboard. It operates continuously in the background and sends collected data to a command-and-control server.
• CryptoBot (airmond) – Cryptocurrency-focused infostealer written in Go. It targets over 20 wallet platforms, extracting sensitive data and storing it in a local encrypted cache for exfiltration.

The intrusion discovered by Huntress reflects the growing sophistication of BlueNoroff, who now leverages AI deepfakes for social engineering and custom macOS malware.

Huntress warns that many Mac users have been lulled into thinking they’re less likely to be targeted by malware.

However, as macOS gains broader adoption in the enterprise, threat actors increasingly develop malware that targets the operating system.

Recent campaigns, ranging from widespread infostealers and drainers aimed at crypto theft to advanced, targeted attacks on organizations like this, make it clear that macOS users must be better prepared and protected.