Posts with label: North Korea cyberattack

North Korean Malware Targets Mac Users in Crypto Sector via Calendly and Telegram

 

Cybersecurity researchers have identified a sophisticated malware campaign targeting Mac users involved in blockchain technologies. According to SentinelLabs, the attack has been linked to North Korean threat actors, based on an investigation conducted by Huntabil.IT. 

The attack method is designed to appear as a legitimate interaction. Victims are contacted via Telegram, where the attacker impersonates a known associate or business contact. They are then sent a meeting invite using Calendly, a widely-used scheduling platform. The Calendly message includes a link that falsely claims to be a “Zoom SDK update script.” Instead, this link downloads malware specifically designed to infiltrate macOS systems. 

The malware uses a combination of AppleScript, C++, and the Nim programming language to evade detection. This mix is relatively novel, especially the use of Nim in macOS attacks. Once installed, the malware gathers a broad range of data from the infected device. This includes system information, browser activity, and chat logs from Telegram. It also attempts to extract login credentials, macOS Keychain passwords, and data stored in browsers like Arc, Brave, Firefox, Chrome, and Microsoft Edge. Interestingly, Safari does not appear to be among the targeted applications. 

While the campaign focuses primarily on a niche audience—Mac users engaged in crypto-related work who use Calendly and Telegram—SentinelLabs warns that the tactics employed could signal broader threats on the horizon. The use of obscure programming combinations to bypass security measures is a red flag for potential future campaigns targeting a wider user base. 

To reduce exposure to malware of this kind, avoid installing software from unofficial websites or from code repositories you have not vetted. The Mac App Store is generally the safest source for macOS applications, and software downloaded directly from a reputable developer's own website is usually safe, provided Gatekeeper's checks on the download are not bypassed. Treat any "update script" that arrives through a chat message or a calendar invite as suspect: legitimate software updates itself through the application or the developer's site, not through a link a contact sends you. Users who run pirated or cracked applications remain at significantly higher risk of infection. 

Basic cyber hygiene still matters. Do not click links received by email, text, or messaging platforms from unknown or unverified senders, and stay cautious even with known contacts, since the Telegram approach described above relied on impersonating one. Check where a link really goes before visiting it: hover over it to see the destination, or copy the link address (not the displayed text) and read it carefully, because the visible text of a link can name one site while the underlying href points to another. Install macOS security updates promptly, as those patches close known vulnerabilities.  
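A concrete form of that link check, added here as an example and not code from the original post, SentinelLabs or Huntabil.IT: parse the HTML of an invite or message and flag every link whose visible text names a different host than its href, that is not served over HTTPS, or whose host falls outside a short allow-list of services the recipient actually uses. The invite HTML and the example.net / example.com hosts are constructed for the demonstration; the contents of `trusted_hosts` are the caller's assumption.

```python
"""Flag hyperlinks whose visible text, scheme or host does not match expectations.

Added example: not code from the original post, SentinelLabs or Huntabil.IT.
The invite HTML and the example.net/example.com hosts below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(url_or_domain):
    """Lowercase hostname of a URL or bare domain, or None if unparseable."""
    s = url_or_domain.strip()
    if "://" not in s:
        s = "https://" + s
    host = urlparse(s).hostname
    return host.lower() if host else None


# Anything in link text that looks like a URL or a bare domain.
_URLISH = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


def suspicious_links(html, trusted_hosts=()):
    """Return findings for links that deserve a second look before clicking.

    trusted_hosts: hosts (and their subdomains) the reader expects, such as the
    scheduling service actually in use; any other host is reported.
    """
    findings = []
    for href, text in extract_links(html):
        reasons = []
        href_host = host_of(href)
        if href_host is None:
            reasons.append("no parseable host")
        else:
            if not href.lower().startswith("https://"):
                reasons.append("not https")
            m = _URLISH.search(text)
            if m:
                text_host = host_of(m.group(0))
                if text_host and text_host != href_host:
                    reasons.append(f"text shows {text_host}, href goes to {href_host}")
            if trusted_hosts and not any(
                href_host == t or href_host.endswith("." + t) for t in trusted_hosts
            ):
                reasons.append("host not in trusted list")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed invite mimicking the lure described above (hosts are placeholders).
SAMPLE_INVITE = """
<p>Before our call, please run the
   <a href="https://zoom-sdk-update.example.net/update.sh">Zoom SDK update script</a>.</p>
<p>Meeting link: <a href="https://calendly.example.com/meet/abc">https://calendly.example.com/meet/abc</a></p>
<p>Docs: <a href="http://zoom.us.example.net/docs">https://zoom.us/docs</a></p>
"""

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_INVITE, trusted_hosts=("calendly.example.com", "zoom.us")):
        print(f["href"], "->", "; ".join(f["reasons"]))
```

The first link in the sample is the one that matters for this campaign: its text is plain prose, it is HTTPS, and nothing about it looks wrong until it is compared with the hosts the recipient actually expects a meeting invite to use. That is why the allow-list check is worth keeping even when the text-versus-href check passes.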

For additional protection, consider using trusted antivirus software. Guides from Macworld suggest that while macOS has built-in security, third-party tools like Intego can offer enhanced protection. As malware campaigns evolve in complexity and scope, staying vigilant is the best defense.

North Korea’s Lazarus Group Launches Global Supply Chain Attack Targeting Developers

 

North Korea’s notorious hacking collective, Lazarus Group, has orchestrated a large-scale supply chain attack, compromising hundreds of victims worldwide, according to cybersecurity researchers. The operation, named Phantom Circuit, remains active as of this month.

The group injected malicious backdoors into cloned versions of legitimate open-source software and developer tools, primarily targeting professionals in the cryptocurrency industry. These tampered projects were then distributed via platforms like GitLab, leading unsuspecting developers to download and execute the compromised code, effectively exposing their systems.

According to SecurityScorecard, which uncovered and analyzed the attack, the campaign has unfolded in multiple waves:
  • November 2024: 181 developers, mostly in the European tech sector, were targeted.
  • December 2024: The attack expanded to 1,225 victims, including 284 in India and 21 in Brazil.
  • January 2025: An additional 233 individuals were affected, with 110 in India’s technology sector alone.
The stolen data includes credentials, authentication tokens, passwords, and system information, posing severe security risks for organizations and individuals alike.

The hackers leveraged open-source repositories, particularly forking existing projects to insert malicious code. SecurityScorecard’s senior VP of research and threat intelligence, Ryan Sherstobitoff, noted:

"These are examples of code repos they host on GitLab, for example, which are clones of legit software into which they embed an obfuscated Node.js backdoor. The scary thing is that these developers will clone this code from git directly onto corporate laptops; we have seen this directly with two devs already. Basically, they can do it for almost any package."

Among the compromised repositories were:
  • Codementor
  • CoinProperty
  • Web3 E-Store
  • A Python-based password manager
  • Other cryptocurrency-related applications, authentication tools, and Web3 technologies
Once a developer unknowingly downloads the infected repository, the malware installs a backdoor, granting Lazarus Group remote access to the compromised device. The attackers then exfiltrate sensitive data and route it to North Korean command-and-control (C2) servers. This method of embedding malware into legitimate-looking software marks a tactical shift for Lazarus Group.

"This approach allows widespread impact and long-term access while evading detection," Sherstobitoff explained.
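One triage step a developer can run on a freshly cloned repository before `npm install` or `node .` executes anything, added here as an illustration; it is not SecurityScorecard's tooling and not code from the campaign. It flags npm lifecycle hooks (which run automatically at install time) and the common obfuscated-loader shape: a long base64 or hex literal that is decoded and handed to `eval` or `Function`, alongside `child_process` and network modules. The indicator names, regexes and thresholds are this example's own choices, and the sample repository it writes to a temp directory is constructed to mimic the shape described above, not taken from any real compromised project.

```python
"""Triage a cloned Node.js repository before `npm install` or `node .` runs anything.

Added example: not SecurityScorecard's tooling and not code from the campaign.
Indicator names, regexes and thresholds are this example's own choices; the
sample repository written by build_sample_repo() is constructed.
"""
import json
import os
import re
import tempfile

# npm runs these automatically during `npm install`; a backdoor here executes
# before the developer has read a single line of application code.
RISKY_LIFECYCLE = ("preinstall", "install", "postinstall", "prepare", "prepublish")

INDICATORS = {
    "dynamic-eval": re.compile(r"\b(?:eval|new\s+Function)\s*\("),
    "base64-decode": re.compile(r"Buffer\.from\(\s*[^)]*,\s*['\"]base64['\"]\s*\)"),
    "long-base64-literal": re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]"),
    "hex-escape-run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
    "child-process": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "network-module": re.compile(r"require\(\s*['\"](?:https?|net|dgram|dns)['\"]\s*\)"),
}


def scan_package_json(path):
    """Report lifecycle hooks that would run code at install time."""
    with open(path, encoding="utf-8") as fh:
        pkg = json.load(fh)
    return [
        {"file": path, "indicator": "lifecycle-script", "detail": f"{hook}: {cmd}"}
        for hook, cmd in pkg.get("scripts", {}).items()
        if hook in RISKY_LIFECYCLE
    ]


def scan_js_file(path):
    """Report obfuscation and loader indicators in one JavaScript source file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    findings = []
    for name, rx in INDICATORS.items():
        m = rx.search(src)
        if m:
            findings.append({"file": path, "indicator": name, "detail": m.group(0)[:60]})
    # Decoding a blob and handing it to eval/Function in the same file is the
    # classic obfuscated-loader shape; report it explicitly so it ranks above single hits.
    names = {f["indicator"] for f in findings}
    if "dynamic-eval" in names and names & {"base64-decode", "long-base64-literal", "hex-escape-run"}:
        findings.append({"file": path, "indicator": "obfuscated-loader",
                         "detail": "decoded literal reaches eval/Function"})
    return findings


def scan_repo(root):
    """Walk a checkout (skipping node_modules and .git) and collect all findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in ("node_modules", ".git")]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if fn == "package.json":
                findings.extend(scan_package_json(full))
            elif fn.endswith((".js", ".cjs", ".mjs")):
                findings.extend(scan_js_file(full))
    return findings


def build_sample_repo():
    """Write a constructed, harmless clone that mimics the shape described above."""
    root = tempfile.mkdtemp(prefix="cloned-repo-sample-")
    os.makedirs(os.path.join(root, "scripts"))
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "web3-store-demo", "version": "1.0.0",
                   "scripts": {"test": "node test.js",
                               "postinstall": "node scripts/setup.js"}}, fh)
    # Base64 of a harmless console.log, repeated to make a long literal; the scanner never decodes it.
    blob = "Y29uc29sZS5sb2coJ2hpJyk7" * 6
    with open(os.path.join(root, "scripts", "setup.js"), "w", encoding="utf-8") as fh:
        fh.write("const cp = require('child_process');\n"
                 f"const payload = Buffer.from('{blob}', 'base64').toString();\n"
                 "eval(payload);\n")
    with open(os.path.join(root, "index.js"), "w", encoding="utf-8") as fh:
        fh.write("module.exports = () => 'clean application code';\n")
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_repo()
    for f in scan_repo(target):
        print(f"{f['indicator']:20} {os.path.relpath(f['file'], target)}  {f['detail']}")
```

Run it with the path of a checkout as the first argument; with no argument it scans the constructed sample. Regex indicators of this kind produce false positives on legitimate build tooling, so the useful signal is the combination: an install hook pointing at a script that decodes a literal and evaluates it, in a repository that claims to be a fork of something well known, is the shape worth stopping on.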

SecurityScorecard also linked this campaign to an earlier fake job offer scam, Operation 99, through which the group’s C2 servers, active since September 2024, were identified. These same servers were later repurposed for Phantom Circuit, facilitating malware deployment and data theft.

Despite these discoveries, key questions remain regarding how the stolen data is processed and the infrastructure supporting these attacks. The investigation is ongoing.