North Korea's BlueNoroff Uses AI Deepfakes for Mac Malware Scam

Edward Zhou
Edward Zhou

CEO & Co-Founder

 
July 17, 2025 3 min read

North Korea’s BlueNoroff Uses AI Deepfakes for Mac Malware

In a sophisticated new campaign, North Korea's BlueNoroff is employing AI-generated video calls to trick executives into installing malware on their Mac systems. This targeted attack specifically aims at cryptocurrency firms, delivering a custom-built malware suite.

Business woman female team leader manager executive having hybrid office business group meeting, remote workers discussing work plans by video digital conference call on laptop. Over shoulder view

Image courtesy of CSO Online

Attack Methodology

BlueNoroff is utilizing deep fakes of company leadership to persuade employees to download fake Zoom extensions, which then install a suite of macOS malware. According to Huntress, the intrusion was reported by a cryptocurrency foundation after an employee installed a suspicious Zoom extension. Initial access to the victim’s system was achieved through a Telegram message that contained a seemingly harmless meeting request.

The victim received a Google Meet invite that redirected them to a fake Zoom site controlled by the attackers. During the meeting, AI-generated deep fakes of their bosses instructed the employee to install a ‘Zoom extension’ to resolve a microphone issue.

Randolph Barr, CISO at Cequence, noted, “This attack is a powerful example of how threat actors are evolving.” The use of AI-generated deepfakes combined with personalized social engineering represents a significant shift in cyberattack sophistication.

Malware Characteristics

The malware delivered includes a variety of macOS threats, such as info-stealers, keyloggers, and backdoors. Key features of the malware include:

  • Advanced Tradecraft: Techniques like clipboard monitoring and sleep-aware command execution were observed.
  • Distinct Binaries: Huntress identified eight malicious binaries, including:
    • Telegram 2: A Nim-based binary acting as the primary backdoor.
    • Root Troy V4: A fully-featured Go backdoor for executing payloads.
    • InjectWithDyId: A C++ loader capable of process injection, utilizing AES-CFB for payload decryption.
    • XScreen: A keylogger for monitoring keystrokes and clipboard data.
    • CryptoBot: A stealer targeting cryptocurrency data.

Each implant was cleverly disguised to avoid detection and was signed to appear legitimate.

Defense Recommendations

To mitigate the risk posed by such sophisticated threats, Barr recommends employing robust technical solutions. Utilizing Mobile Device Management (MDM) platforms can enforce strict access controls, while Endpoint Detection and Response (EDR) solutions provide real-time visibility into endpoint activities.

“Layered defenses that combine user training with strong endpoint controls, policy enforcement, and behavioral analytics are not optional — they’re essential,” Barr emphasized.

Ongoing Threat Landscape

BlueNoroff is a subgroup of the Lazarus Group, known for targeting cryptocurrencies since at least 2017. The group's history includes orchestrating financial crimes and leveraging social engineering tactics to gain access to sensitive information.

In particular, the campaign mirrors previous tactics used in the "Contagious Interviews" scheme, where attackers posed as recruiters to deliver malware-laden files as part of fake job assessments. This evolution in attack methods continues to pose significant risks to organizations, especially those in high-stakes financial sectors.

For further insights, refer to the assessments by DTEX on North Korea's cyber structure and the evolution of their threat groups.

Edward Zhou
Edward Zhou

CEO & Co-Founder

 

CEO & Co-Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions.

Related News

Instagram Vulnerability Exposes Private Data of Millions
Instagram security

Instagram Vulnerability Exposes Private Data of Millions

Instagram's private posts exposed, millions affected by data breaches, and new location features pose risks. Discover how Gopher Security's AI-powered Zero-Trust architecture protects your data. Learn more!

By Brandon Woo January 27, 2026 4 min read
common.read_full_article
Closing the Cloud Complexity Gap: Insights from 2026 Security Reports
cloud security

Closing the Cloud Complexity Gap: Insights from 2026 Security Reports

Navigate the escalating complexity of cloud security. Discover how AI, Zero-Trust, and unified ecosystems are essential to combatting modern threats. Learn more!

By Divyansh Ingle January 26, 2026 6 min read
common.read_full_article
AI-Driven Cybersecurity Innovations: The Future of Threat Prevention
AI agents security

AI-Driven Cybersecurity Innovations: The Future of Threat Prevention

AI agents are prime targets for cyberattacks. Discover evolving threats like prompt injection & AI-powered exploits, and learn how to fortify your defenses. Read now!

By Brandon Woo January 22, 2026 5 min read
common.read_full_article
GootLoader Malware Evades Detection Using Nested ZIP Archives
GootLoader

GootLoader Malware Evades Detection Using Nested ZIP Archives

GootLoader is back with advanced tricks, using malformed ZIPs to bypass security & target businesses. Learn how to detect and defend against this threat. Protect your assets!

By Edward Zhou January 21, 2026 3 min read
common.read_full_article