The cybersecurity vendor Huntress says the malicious video conferencing call was all a ruse to trick the victim into installing a fake Zoom extension that was actually macOS malware. https://t.co/211zRlaynp
North Korean Hackers Deploy Python-Based Trojan Targeting Crypto https://t.co/YhmeginM5J
N. Korean Hackers Use PylangGhost Malware in Fake Crypto Job Scam https://t.co/bd3BRIqK3X
Cyber-security firm Huntress says a North Korea-aligned hacking team known as BlueNoroff used AI-generated deepfakes of company executives during a video call to compromise a remote employee at an unnamed cryptocurrency foundation. The attackers contacted the victim over Telegram, steered them to a fake Zoom domain and persuaded them to install what appeared to be a Zoom extension. The download instead planted eight malicious binaries, giving the intruders full remote control of the macOS system, logging keystrokes and searching for crypto-related files. BlueNoroff’s toolkit included AppleScript, Go, Nim and Objective-C components collectively capable of installing backdoors, capturing screens, harvesting credentials and exfiltrating digital-wallet data. The incident underscores the group’s continued focus on the crypto sector as a source of hard-currency revenue for Pyongyang, following earlier thefts such as the Bybit breach in February 2025 and Axie Infinity in 2022.

Separately, research from Cisco Talos links another North Korean cluster, Famous Chollima, to a parallel campaign that distributes a Python-based remote-access Trojan dubbed “PylangGhost” through fake job-interview sites impersonating companies such as Coinbase and Uniswap.

Both operations highlight the regime’s expanding use of social-engineering lures and cross-platform malware to penetrate organisations handling digital assets.