{"id":4828,"date":"2025-06-23T10:03:38","date_gmt":"2025-06-23T10:03:38","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/06\/23\/bluenoroff-hackers-weaponize-zoom-app-to-attack-system-using-infostealer-malware\/"},"modified":"2025-06-23T10:03:38","modified_gmt":"2025-06-23T10:03:38","slug":"bluenoroff-hackers-weaponize-zoom-app-to-attack-system-using-infostealer-malware","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/06\/23\/bluenoroff-hackers-weaponize-zoom-app-to-attack-system-using-infostealer-malware\/","title":{"rendered":"BlueNoroff Hackers Weaponize Zoom App to Attack System Using Infostealer Malware"},"content":{"rendered":"<p>BlueNoroff Hackers Weaponize Zoom App to Attack System Using Infostealer Malware<\/p>\n<div>\n<p>A sophisticated social engineering campaign leveraging the trusted Zoom platform has emerged as the latest weapon in the arsenal of North Korean state-sponsored hackers.<\/p>\n<p>The BlueNoroff group, a financially motivated subgroup of the notorious Lazarus Group, has been orchestrating targeted attacks against cryptocurrency and financial sector organizations through convincingly spoofed Zoom-related infrastructure and impersonation tactics.<\/p>\n<p>The <a href=\"https:\/\/cybersecuritynews.com\/new-phishing-campaign-attacking-investors\/\" target=\"_blank\" rel=\"noreferrer noopener\">campaign<\/a>, which has been active since at least March 2025, represents a significant evolution in cybercriminal tradecraft, exploiting the ubiquity of video conferencing platforms in modern business operations.<\/p>\n<p>Threat actors have successfully compromised victims by impersonating known business contacts during scheduled Zoom meetings, then manipulating targets into executing malicious scripts disguised as legitimate audio repair tools.<\/p>\n<p>This approach capitalizes on the operational urgency 
and routine nature of technical troubleshooting in remote work environments.<\/p>\n<p>Field Effect analysts <a href=\"https:\/\/fieldeffect.com\/blog\/zoom-doom-bluenoroff-call-opens-the-door\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">identified<\/a> a distinct incident involving a Canadian online gambling provider on May 28, 2025, where the threat actor employed advanced social engineering techniques to gain initial access to the victim\u2019s system.<\/p>\n<p>The attack demonstrates the group\u2019s operational maturity and their continued focus on cryptocurrency-related targets, aligning with BlueNoroff\u2019s historical mission to generate revenue for the North Korean regime through cybercrime activities.<\/p>\n<p>The financial and operational impact of these attacks extends beyond immediate data theft, as the malware specifically targets <a href=\"https:\/\/cybersecuritynews.com\/cryptocore-cryptocurrency-scam-draining-wallets\/\" target=\"_blank\" rel=\"noreferrer noopener\">cryptocurrency wallet<\/a> extensions, browser credentials, and authentication keys.<\/p>\n<p>Organizations in the gaming, entertainment, and fintech sectors across North America, Europe, and Asia-Pacific regions have been identified as primary targets, with the campaign\u2019s scope indicating a coordinated effort to compromise high-value cryptocurrency assets and sensitive financial data.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Sophisticated Infection Mechanism and Multi-Stage Deployment<\/strong><\/h2>\n<p>The attack chain begins with a meticulously crafted AppleScript that initially appears to perform legitimate Zoom SDK updates and maintenance tasks.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" 
src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi1i9RiYZDqL5EEApRF5oTMrTM0iGkpkCDYSPnzkazioyjFtSD_GTOKkC_heU8YzzNEXwQAW8YIx8RwyIL-JSVA7rlpqgFXskSz7HyzO1gdcXE1Ybf9PgImU-3NjkPOnb1X5rC3aFkHNNfqEVdriU_l1lPvfdc8raO5jl0uoAnFAv2cqhrWrvIh8v4v0cU\/s16000\/Zoom%2520SDK%2520Update%2520script%2520%28Source%2520-%2520Field%2520Effect%29.webp?ssl=1\" alt=\"\"><figcaption class=\"wp-element-caption\">Zoom SDK Update script (Source \u2013 Field Effect)<\/figcaption><\/figure>\n<\/div>\n<p>However, analysis of the malicious script reveals approximately 10,000 blank lines designed to obscure the true payload.<\/p>\n<p>The concealed commands execute on lines 10,017 and 10,018, where a curl request downloads and executes the primary <a href=\"https:\/\/cybersecuritynews.com\/raccoon-infostealer-admin-arrested\/\" target=\"_blank\" rel=\"noreferrer noopener\">infostealer<\/a> component from the fraudulent domain zoom-tech[.]us.<\/p>\n<p>The malware establishes persistence through multiple mechanisms, including LaunchDaemon configurations that ensure execution at boot time with <a href=\"https:\/\/cybersecuritynews.com\/windows-active-directory-domain-vulnerability-let-attackers-escalate-privileges\/\" target=\"_blank\" rel=\"noreferrer noopener\">administrator privileges<\/a>.<\/p>\n<p>The infection process involves downloading additional payloads from compromised infrastructure, including components masquerading as legitimate system utilities like \u201cicloud_helper\u201d and \u201cWi-Fi Updater.\u201d<\/p>\n<p>These components employ sophisticated anti-forensics techniques, automatically removing temporary files and staging directories to minimize their forensic footprint while maintaining operational capabilities for data exfiltration and command execution.<\/p>\n
<p>The post <a href=\"https:\/\/cybersecuritynews.com\/bluenoroff-hackers-weaponize-zoom-app\/\">BlueNoroff Hackers Weaponize Zoom App to Attack System Using Infostealer Malware<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<\/p>\n","protected":false},"excerpt":{"rendered":"<p>BlueNoroff Hackers Weaponize Zoom App to Attack System Using Infostealer Malware A sophisticated social engineering campaign leveraging the trusted Zoom platform has emerged as the latest weapon in the arsenal of North Korean state-sponsored hackers. 
The BlueNoroff group, a financially motivated subgroup of the notorious Lazarus Group, has been orchestrating targeted attacks against cryptocurrency and [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-4828","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/4828"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=4828"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/4828\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=4828"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=4828"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=4828"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}