North Korea's BlueNoroff Uses AI Deepfakes for Mac Malware Scam

Edward Zhou
Edward Zhou

CEO & Founder

 
July 16, 2025 3 min read

North Korea’s BlueNoroff Uses AI Deepfakes for Mac Malware

In a sophisticated new campaign, North Korea's BlueNoroff is employing AI-generated video calls to trick executives into installing malware on their Mac systems. This targeted attack specifically aims at cryptocurrency firms, delivering a custom-built malware suite.

Business woman female team leader manager executive having hybrid office business group meeting, remote workers discussing work plans by video digital conference call on laptop. Over shoulder view

Image courtesy of CSO Online

Attack Methodology

BlueNoroff is utilizing deep fakes of company leadership to persuade employees to download fake Zoom extensions, which then install a suite of macOS malware. According to Huntress, the intrusion was reported by a cryptocurrency foundation after an employee installed a suspicious Zoom extension. Initial access to the victim’s system was achieved through a Telegram message that contained a seemingly harmless meeting request.

The victim received a Google Meet invite that redirected them to a fake Zoom site controlled by the attackers. During the meeting, AI-generated deep fakes of their bosses instructed the employee to install a ‘Zoom extension’ to resolve a microphone issue.

Randolph Barr, CISO at Cequence, noted, “This attack is a powerful example of how threat actors are evolving.” The use of AI-generated deepfakes combined with personalized social engineering represents a significant shift in cyberattack sophistication.

Malware Characteristics

The malware delivered includes a variety of macOS threats, such as info-stealers, keyloggers, and backdoors. Key features of the malware include:

  • Advanced Tradecraft: Techniques like clipboard monitoring and sleep-aware command execution were observed.
  • Distinct Binaries: Huntress identified eight malicious binaries, including:
    • Telegram 2: A Nim-based binary acting as the primary backdoor.
    • Root Troy V4: A fully-featured Go backdoor for executing payloads.
    • InjectWithDyId: A C++ loader capable of process injection, utilizing AES-CFB for payload decryption.
    • XScreen: A keylogger for monitoring keystrokes and clipboard data.
    • CryptoBot: A stealer targeting cryptocurrency data.

Each implant was cleverly disguised to avoid detection and was signed to appear legitimate.

Defense Recommendations

To mitigate the risk posed by such sophisticated threats, Barr recommends employing robust technical solutions. Utilizing Mobile Device Management (MDM) platforms can enforce strict access controls, while Endpoint Detection and Response (EDR) solutions provide real-time visibility into endpoint activities.

“Layered defenses that combine user training with strong endpoint controls, policy enforcement, and behavioral analytics are not optional — they’re essential,” Barr emphasized.

Ongoing Threat Landscape

BlueNoroff is a subgroup of the Lazarus Group, known for targeting cryptocurrencies since at least 2017. The group's history includes orchestrating financial crimes and leveraging social engineering tactics to gain access to sensitive information.

In particular, the campaign mirrors previous tactics used in the "Contagious Interviews" scheme, where attackers posed as recruiters to deliver malware-laden files as part of fake job assessments. This evolution in attack methods continues to pose significant risks to organizations, especially those in high-stakes financial sectors.

For further insights, refer to the assessments by DTEX on North Korea's cyber structure and the evolution of their threat groups.

Edward Zhou
Edward Zhou

CEO & Founder

 

CEO & Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions..

Related Articles

Ransomware Attacks Target Russian Vodka and Healthcare Sectors

The Novabev Group, parent company of the Beluga vodka brand, experienced a ransomware attack on July 14, 2025, causing significant disruptions. The attack affected WineLab, the company's liquor store chain, leading to a three-day closure of over 2,000 locations in Russia. The company reported that the attack crippled its IT infrastructure, particularly point-of-sale systems and online services. Novabev Group stated, "The company maintains a principled position of rejecting any interaction with cybercriminals and refuses to fulfill their demands."

By Alan V Gutnov July 19, 2025 3 min read
Read full article

Retail Sector Faces Surge in Ransomware Attacks: A 2025 Analysis

Publicly disclosed ransomware attacks on the retail sector globally surged by 58% in Q2 2025 compared to Q1, with UK-based firms being particularly targeted, according to a report by BlackFog. This spike in attacks follows high-profile breaches affecting retailers like Marks & Spencer (M&S), The Co-op, and Harrods, attributed to the threat actor known as Scattered Spider.

By Alan V Gutnov July 19, 2025 2 min read
Read full article

AI-Driven Lcryx Ransomware Emerges in Cryptomining Botnet

A cryptomining botnet active since 2019 has incorporated a likely AI-generated ransomware known as Lcryx into its operations. Recent analysis by the FortiCNAPP team at FortiGuard Labs identified the first documented incident linking H2miner and Lcryx ransomware. This investigation focused on a cluster of virtual private servers (VPS) utilized for mining Monero.

By Edward Zhou July 19, 2025 3 min read
Read full article

Preventing ClickFix Attacks: Safeguarding Against Human Error

ClickFix is an emerging social engineering technique utilized by threat actors to exploit human error. This technique involves misleading users into executing malicious commands under the guise of providing "quick fixes" for common computer issues. Threat actors use familiar platforms and deceptive prompts to encourage victims to paste and run harmful scripts.

By Alan V Gutnov July 19, 2025 3 min read
Read full article