Saturday, June 28, 2025


N. Korean Group BlueNoroff Uses Deepfake Zoom Calls in Crypto Scams

The notorious North Korean hacking group BlueNoroff is using deepfakes and deceptive Zoom calls in a sophisticated social engineering campaign designed to steal cryptocurrency by convincing company employees to unknowingly download malware onto their macOS devices.

Reports by threat researchers with cybersecurity companies Huntress and Field Effect found that, in at least two instances, threat actors associated with the North Korean-linked advanced persistent threat (APT) group, posing as known external contacts, contacted the employees and asked to set up a Zoom call. In both cases, the executives agreed.

In one instance, during a call in late May, an executive with a Canadian online gambling provider saw multiple pop-ups and experienced audio trouble, according to Field Effect researchers. The other person prompted the executive to run what they said was an audio repair tool from Zoom. Instead, the script allowed the hacker to gain control of the system and install information-stealing malware.

In the other incident, the hacker who had contacted the employee of a crypto foundation sent a Calendly link to set up a time for a Google Meet event. However, when the link was clicked, it redirected the user to a fake Zoom domain that the attacker controlled.

“Several weeks later, when the employee joined what ended up being a group Zoom meeting, it contained several deepfakes of known senior leadership within their company, along with external contacts,” Huntress researchers wrote. “During the meeting, the employee was unable to use their microphone, and the deepfakes told them that there was a Zoom extension they needed to download.”

The link eventually led to the download of a payload from a malicious website that included macOS malware, according to the researchers.

MacOS Devices Targeted

According to Field Effect researchers, the impersonation of a known contact falls in line with what BlueNoroff has done in the past, including “credential compromise or impersonation tactics to gain trust and facilitate engagement.”

For Huntress analysts, the attack is also only the latest example of the trend of bad actors targeting Apple macOS devices rather than relying solely on systems running Microsoft Windows.

“Over the last few years, we have seen macOS become a larger target for threat actors, especially with regard to highly sophisticated, state-sponsored attackers,” they wrote. “In this instance, we saw BlueNoroff utilizing Mac-specific techniques in a very targeted attack. They leveraged AppleScript, which is unique to macOS, multiple implants, keyloggers, and screen captures.”

In addition, the hackers captured the contents of the clipboard, erased their session history, and searched for an array of crypto wallets, which highlighted their interest in macOS.

“As these attacks and the frequency in which they occur continue to rise, it will be ever more important to protect your Macs,” the Huntress researchers wrote. “As we saw here, the attackers didn’t just use common, cross-platform attack techniques, but instead leveraged Mac-specific binaries, APIs, and functionality.”

Stealing Crypto for the Regime

BlueNoroff – also known as APT38, Stardust Chollima, and BeagleBoyz – is a subgroup of the larger state-sponsored Lazarus Group, a key tool in the North Korean regime’s cybercrime operations to steal crypto that is used to support its weapons programs and bypass international sanctions. It’s been active since at least 2010.

“Focused on financial gain, the group has a consistent pattern of targeting financial institutions, the cryptocurrency ecosystem, gaming and entertainment industry, and fintech companies with primary targets in South Korea, Japan, North America, and Europe,” the Field Effect researchers wrote.

Deepfake Scams Proliferating

Deepfake video calls like the ones by BlueNoroff outlined by Field Effect and Huntress have rapidly become popular scams, certainly in the wake of the now-infamous case from early last year when scammers tricked a finance worker at a multinational firm into believing the person on a video call was the company’s chief financial officer and duped them into sending $25 million to an account controlled by the fraudster.

“Deepfake scams are no longer rare – they’ve become a routine threat in 2025,” cybersecurity vendor Brightside AI wrote in a blog post. “From fake video calls to AI-generated voice messages, attackers are using increasingly sophisticated techniques that are faster and harder to detect. The consequences? Companies are losing money, leaking sensitive data, and falling victim to threats they’re unprepared to defend against.”

More on the Way

Resemble AI, a company with a generative voice AI platform that also offers deepfake detection and similar tools, found in its first-quarter 2025 Deepfake Incident Report that businesses lost more than $200 million through deepfake-enabled fraud between January and April.

“The increasing accessibility of deepfake technology, combined with its growing sophistication, creates urgent challenges requiring coordinated responses from technology companies, policymakers, and individuals,” the researchers wrote in the 20-page report. “Without proactive measures, we anticipate continued escalation in both the volume and impact of deepfake incidents throughout 2025, with particular concerns about upcoming electoral processes, financial systems, and vulnerable populations, including children and marginalized communities.”
