- Attackers used staged video calls and a fake Zoom “audio fix” to trick macOS users into installing Malware.
- The approach matches a previously documented technique tied to the North Korea-linked group BlueNoroff/Lazarus Group.
- Compromised Telegram accounts and AI-generated video were used to impersonate trusted contacts during calls on Zoom or Teams.
- The macOS infection chain installs persistent backdoors, keyloggers, clipboard stealers, and wallet-stealing tools and seeks elevated privileges via repeated password prompts and Rosetta 2 checks.
- AI-driven impersonation scams contributed to a record $17 billion in crypto losses in 2025, according to data from Chainalysis.
North Korea-linked Hackers used staged video calls and a bogus Zoom “audio fix” to deliver macOS malware to cryptocurrency workers, disclosed this week by BTC Prague co-founder Martin Kuchař (Kuchař’s post). Attackers contacted victims via a compromised Telegram account, held a live call, then used an AI-generated video to impersonate a known contact and persuade the victim to install an “audio fix.”
The method mirrors a technique first documented by Huntress in which attackers lure targets into a staged meeting, often using a spoofed Zoom domain and a fake meeting link (Huntress analysis). The supposed fix is actually an AppleScript that begins a multi-stage macOS infection.
Once executed, the script disables shell history, checks for or installs Rosetta 2 on Apple Silicon devices, and repeatedly prompts the user for their system password to gain elevated privileges. The malware chain installs multiple payloads including persistent backdoors, keylogging and clipboard tools, and crypto wallet stealers, then can steal funds and take over accounts.
Kuchař later said his own Telegram account was compromised and used to target others in the same way. Security researchers attribute these intrusions with high confidence to the threat actor tracked as TA444 or BlueNoroff, which operates under the Lazarus Group umbrella and has focused on crypto theft since at least 2017.
Security experts noted the broader risk from AI impersonation. “The latest attack on Kuchař is ‘possibly’ connected to broader campaigns,” said Shān Zhang of Slowmist. David Liberman added that images and video “can no longer be treated as reliable proof of authenticity,” and urged stronger digital signing and multi-factor authorization. Data shows AI-driven impersonation scams helped push crypto-related losses to about $17 billion in 2025, according to Chainalysis.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
