{"id":127233,"date":"2025-06-20T22:25:38","date_gmt":"2025-06-20T16:55:38","guid":{"rendered":"https:\/\/www.techworm.net\/?p=127233"},"modified":"2025-06-22T12:41:22","modified_gmt":"2025-06-22T07:11:22","slug":"north-korean-hackers-target-crypto-with-mac-malware","status":"publish","type":"post","link":"https:\/\/www.techworm.net\/2025\/06\/north-korean-hackers-target-crypto-with-mac-malware.html","title":{"rendered":"North Korean Hackers Target Crypto With Mac Malware"},"content":{"rendered":"

Cybersecurity firm Huntress has uncovered a highly sophisticated hacking campaign targeting Mac users in the cryptocurrency sector, which utilized deepfake Zoom calls, clever social engineering, and Mac-specific malware in an unusually sophisticated operation.<\/p>\n

Huntress began investigating the intrusion on June 11, 2025, after a partner reported suspicious activity. The attack was ultimately attributed to the North Korean hacking group BlueNoroff (also known as Sapphire Sleet or TA444), which has been targeting the cryptocurrency sector with financially driven campaigns since at least 2017.<\/p>\n

The hackers specifically target macOS users by using deepfake technology to impersonate company executives in fake Zoom meetings to steal cryptocurrency.<\/p>\n

How Does The Scam Work
\n<\/strong><\/p>\n

It all started when an employee (target) at a cryptocurrency foundation received a seemingly innocuous message from an external contact on their Telegram requesting a meeting. The attacker shared a Calendly link that appeared to schedule a Google Meet call, but clicking it redirected the user to a fake Zoom domain controlled by the threat actor.<\/p>\n

Several weeks later, the employee joined a “Zoom meeting” populated by deepfakes mimicking senior leadership within their company, along with external contacts. During the meeting,\u00a0the employee was unable to use their microphone, and the deepfakes instructed them to download a \u201cZoom extension\u201d. The link to this extension sent to them via Telegram turned out to be a malicious AppleScript file \u00a0(zoom_sdk_support.scpt) disguised as a troubleshooting tool.<\/p>\n

Once downloaded, the AppleScript first opened a legitimate webpage for Zoom SDKs, but after over 10,500 blank lines, it downloaded a payload from a malicious website, https[:\/\/]support[.]us05web-zoom[.]biz, and executed it.<\/p>\n

By the time Huntress began their investigation, the final payload had already been removed from the attacker\u2019s server. However, they were\u00a0able to find a version on VirusTotal that offered valuable insight into what the malware was designed to do.<\/p>\n

“The script begins by disabling bash history logging and then checks if Rosetta 2, which allows Apple Silicon Macs to run x86_64 binaries, is installed,” the Huntress researchers explained<\/a> in a blog post on Wednesday.<\/p>\n

“If it isn\u2019t, it silently installs it to ensurex86_64 payloads can run. It then creates a file called .pwd, which is hidden from the user\u2019s view due to the period prepending it and downloads the payload from the malicious, fake Zoom page to \/tmp\/icloud_helper.”<\/p>\n

A Tailored, Mac-Specific Malware<\/strong><\/p>\n

\u00a0<\/strong>Unlike standard off-the-shelf malware, this attack involved a custom-built toolkit with at least eight separate components, all specifically tailored for macOS. They were:<\/p>\n