North Korean Hackers Use Weaponized Calendly and Google Meet Links to Deliver Malware

A recent in-depth technical investigation has uncovered a sophisticated campaign by the North Korean state-sponsored threat group TA444 (aka BlueNoroff, Sapphire Sleet, COPERNICIUM, STARDUST CHOLLIMA, or CageyChameleon) targeting the cryptocurrency industry using weaponized meeting links and advanced macOS malware.

The operation demonstrates the evolving tactics, techniques, and procedures (TTPs) of North Korean APTs, with a notable shift towards macOS-specific payloads and social engineering that exploits remote work culture.

Social Engineering via Calendly and Google Meet

Initial access was achieved when a cryptocurrency foundation employee was contacted on Telegram by an external actor, who invited the victim to a Google Meet via a Calendly link.

However, rather than launching a true Google Meet session, the link redirected the user to a malicious spoofed Zoom domain under adversary control.

[Figure: Visualization of attack chain]

According to the Huntress report, this domain later delivered a .ics meeting invitation file masquerading as a legitimate Google Meet invitation, a classic social engineering tactic designed to build trust.

Subsequently, the victim joined a group Zoom session populated by convincing deepfake avatars of the company’s senior leadership.

During the call, the victim was told to download a “Zoom extension” to fix microphone errors.

The provided download link led to an AppleScript file (zoom_sdk_support.scpt), marking the start of a complex, multi-stage malware deployment chain.

Multi-Stage Malware Suite

The initial AppleScript file appeared benign, opening a legitimate Zoom SDK page, but buried beneath thousands of blank lines was obfuscated logic that downloaded and executed a second-stage payload.

Notably, the script checked for and installed Rosetta 2 to guarantee execution of x86_64 binaries on Apple Silicon Macs, demonstrating a high level of technical sophistication.

Analysis revealed a full suite of custom malware implants, including:

  • Persistent loader (“Telegram 2”): A Nim-based implant ensuring hourly persistence via macOS LaunchDaemons.
  • Modular backdoor (“Root Troy V4” or “remoted”): Written in Go, supporting remote code execution, sleep-aware execution, and payload deployment.
  • Process injection loader (“InjectWithDyld”): Facilitates injection of malicious code into system processes by abusing macOS debug entitlements.
  • Nim and Swift payloads: Supporting command execution and persistence.
  • Keylogger/screen recorder (“XScreen”/keyboardd): Written in Objective-C, supporting keystroke, clipboard, and screen capture exfiltration.
  • Cryptocurrency-focused infostealer (“CryptoBot”/airmond): Harvests wallet credentials from browsers/extensions, aggressively targeting crypto assets.
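A defender-side triage of LaunchDaemon plists for the hourly persistence pattern described above, added here as an example; it is not code from the Huntress report or from the malware itself. The sample plist, its label and its program path are constructed placeholders, and the trusted-directory list is an assumption about a typical macOS install.

```python
import os
import plistlib

# Constructed sample LaunchDaemon plist for this demo: it mimics the hourly
# persistence cadence described for the "Telegram 2" loader. Label and path
# are invented placeholders, not indicators from the report.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/victim/Library/Application Support/Telegram 2</string></array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>
"""

# Assumed: where Apple's own and vendor-installed daemon binaries normally live.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Library/Apple/", "/Applications/")

def triage_launchdaemon(plist_bytes: bytes) -> dict:
    """Parse one LaunchDaemon plist; return its label, program and any findings."""
    p = plistlib.loads(plist_bytes)
    program = p.get("Program") or (p.get("ProgramArguments") or [None])[0]
    findings = []
    # An hourly StartInterval matches the persistence cadence in the report.
    if p.get("StartInterval") == 3600:
        findings.append("hourly StartInterval (3600s)")
    # LaunchDaemons run as root at boot; their binaries rarely sit outside the
    # system/application trees and should never live in a user's home folder.
    if program and not program.startswith(TRUSTED_PREFIXES):
        findings.append(f"program outside trusted directories: {program}")
    if program and program.startswith("/Users/"):
        findings.append("daemon program located in a user home directory")
    return {"label": p.get("Label"), "program": program, "findings": findings}

def scan_launchdaemons(directory: str = "/Library/LaunchDaemons") -> list:
    """Triage every .plist in a LaunchDaemons directory; return only suspicious ones."""
    hits = []
    if not os.path.isdir(directory):
        return hits
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            with open(os.path.join(directory, name), "rb") as fh:
                result = triage_launchdaemon(fh.read())
            if result["findings"]:
                hits.append((name, result))
    return hits

if __name__ == "__main__":
    print(triage_launchdaemon(SAMPLE_PLIST)["findings"], scan_launchdaemons())
```

Run on a live Mac, scan_launchdaemons() also covers the user-writable ~/Library/LaunchAgents path if you pass it explicitly, which is where a non-root installer would have to fall back.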

The malware infrastructure maintained encrypted configurations, dynamic payload delivery, and anti-forensics routines, including log and shell history deletion.

[Figure: Creating the config directory]

Network communications leveraged multiple command and control (C2) domains, many masquerading as legitimate services or leveraging uncommon TLDs (.biz, .online, .xyz).

This campaign highlights a growing trend where macOS is specifically targeted in high-value sectors, debunking the myth of macOS immunity to advanced cyber threats.

The adversaries’ use of process injection, AppleScript, and deepfake-driven social engineering reflects a significant escalation in both technical and psychological operations.

Organizations are urged to increase vigilance against unexpected meeting invitations, requests to install plugins/extensions outside of official app stores, and abrupt platform switches involving suspicious domains.

Proactive endpoint detection and response (EDR), user education, and rigorous verification procedures are vital defenses, especially for sectors handling digital assets.

Indicators of Compromise (IOCs)

Type     Indicator                                               Notes
File     a (SHA256: 4cd5df82e1d4…b5cb438c)                       C++ Dropper
File     remoted (SHA256: ad01beb19f5b8…37f2d320)                Go Backdoor (Root Troy V4)
File     airmond (SHA256: ad21af758af2…2e18f42ff)                Go Infostealer (CryptoBot)
File     keyboardd (SHA256: 432c720a9ada…51bb249)                Objective-C Keylogger/Screen recorder
File     zoom_sdk_support.scpt (SHA256: 1ddef717bf82…6da5ce05)   Initial AppleScript payload
File     Telegram 2 (SHA256: 14e9bb6df490…41fa1527)              Persistent Nim implant
File     cloudkit (SHA256: 2e30c9e3f032…89392af23d)              Process injection candidate
Domain   support[.]us05web-zoom[.]biz                            Malicious Zoom spoofing/phishing domain
Domain   metamask[.]awaitingfor[.]site                           C2 for keylogger
Domain   productnews[.]online                                    C2 for CryptoBot
Domain   firstfromsep[.]online                                   C2 for Nim payload
Domain   safefor[.]xyz, readysafe[.]xyz                          C2 for Root Troy V4


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
