The North Korean BlueNoroff hacking group is deepfaking company executives during Zoom calls to trick employees into installing custom malware on their macOS devices.
BlueNoroff (aka Sapphire Sleet or TA444) is a North Korean advanced persistent threat (APT) group known for conducting cryptocurrency theft attacks using Windows and Mac malware.
Huntress researchers uncovered a new BlueNoroff attack on June 11, 2025, when they were called to investigate a potential intrusion on a partner's network.
Like previous attacks, the primary goal was most likely cryptocurrency theft, which aligns with other recent reports about the threat actors from SentinelLabs, Microsoft, Jamf, and Kaspersky.
Zoom attacks
The target, an employee at a tech firm, was contacted by the attackers on Telegram, who posed as external professionals requesting a meeting.
The attacker sent a message containing a Calendly link for what appeared to be a Google Meet session, but the invite link was actually a fake Zoom domain controlled by the attackers.
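The lure here hinges on an invite whose host only looks like Zoom's. A simple pre-join check that would flag it is shown below as an added example (not code from Huntress or the article): parse the meeting URL and verify that its host is zoom.us or a subdomain of it, which also defeats the usual lookalike tricks (zoom.us as a subdomain of another domain, zoom.us placed in the userinfo part, hyphenated or homoglyph variants). The accepted-suffix list, the sample invite links and the function names are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption (not from the article): genuine Zoom meeting links are served
# from zoom.us or one of its subdomains (e.g. us02web.zoom.us). A tenant
# with a vanity subdomain still lands under this suffix.
LEGIT_ZOOM_SUFFIXES = ("zoom.us",)


def is_legit_zoom_link(url: str) -> bool:
    """Return True only if the URL is an HTTPS link whose host is zoom.us
    or a subdomain of zoom.us. Everything else (lookalike domains, a
    zoom.us string hidden in the userinfo part, plain http, or something
    that is not a URL at all) is rejected."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:          # e.g. malformed IPv6 literal
        return False
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname       # lower-cased; userinfo and port stripped
    if not host:
        return False
    host = host.rstrip(".")     # tolerate a trailing dot in the FQDN
    # Homoglyph hosts (e.g. Cyrillic letters) never equal the ASCII suffix,
    # so they fall through to False without special handling.
    return any(host == s or host.endswith("." + s) for s in LEGIT_ZOOM_SUFFIXES)


def triage_invites(urls):
    """Map each invite URL to a verdict so a helpdesk script or mail
    filter can annotate them before the user clicks."""
    return {u: is_legit_zoom_link(u) for u in urls}


# Constructed sample invites (hypothetical domains, not indicators from
# the Huntress report): one real-looking link and several lookalikes.
SAMPLE_INVITES = [
    "https://us02web.zoom.us/j/123456789",            # genuine host
    "https://zoom.us.meet-invite.example/j/123456789", # zoom.us as subdomain
    "https://zoom.us@meet-invite.example/j/123456789", # zoom.us in userinfo
    "https://zoom-us.example/j/123456789",             # hyphenated lookalike
    "http://zoom.us/j/123456789",                      # plain http, reject
]

if __name__ == "__main__":
    for url, ok in triage_invites(SAMPLE_INVITES).items():
        print(("OK      " if ok else "SUSPECT ") + url)
```

Because a Calendly event can carry an arbitrary "location" URL, the check belongs on the link the calendar entry actually opens, not on the Calendly page itself; a suspect verdict should route the invite to the security team rather than silently block it, since the targeting described here is deliberate and worth investigating.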
This tactic resembles a campaign that Trail of Bits disclosed in April and attributed to the North Korean activity cluster 'Elusive Comet.'
The employee joined what turned out to be a Zoom meeting populated with deepfake videos of recognizable senior leaders from their own company, plus assorted external participants to add credibility.
During the meeting the victim's microphone did not work, which was presented as a technical problem. The deepfaked executives then advised the victim to download a supposed Zoom extension that would fix it.