Sackrider IT Solutions

STS Tech Blog 

North Korean Hackers Use Deepfake Zoom Calls to Target Mac Users

6/20/2025

In a troubling new development, cybersecurity researchers have uncovered a sophisticated scheme by North Korean hackers that uses fake Zoom calls to install malware on Mac computers. The attackers used deepfake video technology—AI-generated visuals of real company executives—to build trust during meetings and trick employees into downloading malicious files.

The Setup
The attack begins with an invitation to a Zoom call, often shared through scheduling tools like Calendly. The link leads to a seemingly legitimate Zoom meeting where the participant is greeted by what appears to be a company executive. In reality, the “executive” is a deepfake—an AI-generated video designed to look and sound like a real person.
During the call, the fake executive claims they are having microphone issues and asks the participant to download a Zoom "support" extension to fix the problem. The download is actually an AppleScript file designed to silently install malware on macOS systems.

What the Malware Does
Once the victim runs the file, several malicious tools are installed:
  • Telegram 2: A disguised backdoor pretending to be a Telegram updater.
  • Root Troy V4: A remote-access tool that gives attackers control of the infected Mac.
  • InjectWithDyld: A loader that decrypts and launches other hidden malware.
  • XScreen (keyboardd): A spying tool that records keystrokes, screenshots, and clipboard content.
  • CryptoBot (airmond): A program designed to steal cryptocurrency wallet data from over 20 wallet types.
This package of tools enables the hackers to monitor activity, steal information, and ultimately gain access to cryptocurrency accounts.
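As an added, defender-side example (not code from this post or from any named vendor), the script below does two quick triage checks that follow from the description above: it flags a downloaded "Zoom support" file that is really an AppleScript, and it lists running processes whose names match the two component names the post gives in parentheses (keyboardd and airmond). It assumes the standard `FasdUAS` magic of compiled AppleScript files and that the post's names are the on-disk process names; the sample file bytes and process list are constructed for illustration, not real campaign artifacts.

```python
"""Triage helpers for a "Zoom support extension" lure that is really an AppleScript.

Added example, not from the blog post. Sample inputs at the bottom are constructed.
"""
import subprocess

# Magic bytes at the start of every compiled AppleScript (.scpt) file.
COMPILED_APPLESCRIPT_MAGIC = b"FasdUAS"

# Markers of a plain-text AppleScript or an osascript runner script.
APPLESCRIPT_TEXT_MARKERS = (b"#!/usr/bin/osascript", b"tell application", b"do shell script")

# Process names the post gives for two of the implants (XScreen, CryptoBot).
# A name match alone is a weak indicator: treat a hit as a prompt to investigate.
SUSPECT_PROCESS_NAMES = {"keyboardd", "airmond"}


def classify_download(filename: str, data: bytes) -> dict:
    """Judge a file offered as a Zoom "fix". Genuine Zoom components ship as a
    signed .pkg or .app bundle, never as a script, so AppleScript content behind
    a Zoom-themed name is treated as a lure."""
    head = data[:4096]
    is_compiled = head.startswith(COMPILED_APPLESCRIPT_MAGIC)
    is_text_script = any(marker in head for marker in APPLESCRIPT_TEXT_MARKERS)
    zoom_themed = "zoom" in filename.lower()
    script_ext = filename.lower().endswith((".scpt", ".applescript"))

    reasons = []
    if is_compiled:
        reasons.append("compiled AppleScript magic (FasdUAS)")
    if is_text_script:
        reasons.append("AppleScript source markers")
    if zoom_themed and (is_compiled or is_text_script or script_ext):
        reasons.append("AppleScript delivered under a Zoom-themed name")
    return {"suspicious": bool(reasons), "reasons": reasons}


def suspicious_processes(process_names) -> list:
    """Return the sorted set of process names (basename of a full path is fine)
    that match the component names from the post."""
    hits = {name.rsplit("/", 1)[-1] for name in process_names}
    return sorted(hits & SUSPECT_PROCESS_NAMES)


def running_process_names() -> list:
    """Live process list on macOS via `ps -axo comm=`; empty list on other
    platforms or if ps fails, so callers can fall back to sample data."""
    try:
        result = subprocess.run(["ps", "-axo", "comm="],
                                capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return []
    return [line.strip() for line in result.stdout.splitlines() if line.strip()]


# Constructed sample inputs (hypothetical names and bytes, not real samples).
SAMPLE_LURE = ("zoom_sdk_support.scpt", b"FasdUAS 1.101.10\x0e\x00\x00\x00" + b"\x00" * 16)
SAMPLE_UPDATE = ("ZoomInstaller.pkg", b"xar!\x00\x1c\x00\x01" + b"\x00" * 16)
SAMPLE_PROCESSES = ["/sbin/launchd", "keyboardd", "airmond", "zoom.us"]

if __name__ == "__main__":
    for name, blob in (SAMPLE_LURE, SAMPLE_UPDATE):
        print(name, classify_download(name, blob))
    live = running_process_names() or SAMPLE_PROCESSES
    print("suspect processes:", suspicious_processes(live))
```

Run it on a Mac and the process check uses the live process table; elsewhere it falls back to the constructed list. The file check looks only at content and naming, so it catches the "script dressed up as a Zoom fix" pattern regardless of where it was downloaded from, while the process-name check should be paired with the endpoint protection tooling the post recommends rather than relied on alone.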

Who’s Behind It?
The hacking group, known as BlueNoroff (also called Sapphire Sleet or TA444), is linked to the North Korean government. They are known for targeting financial institutions and cryptocurrency users to raise funds for the regime. This particular campaign appears to continue that trend, using a combination of technical malware and psychological manipulation to reach their goals.

Why It Matters
This attack is a clear reminder that macOS is no longer immune to malware. Cybercriminals are increasingly targeting Apple devices with advanced tactics. It also shows how artificial intelligence can be used in dangerous ways—deepfakes are no longer just a novelty but a serious cybersecurity risk.

How to Protect Yourself
  • Be skeptical of unexpected Zoom invites or meetings from unknown contacts.
  • Never download software or “fixes” from unofficial sources.
  • Keep your Mac and all software up to date.
  • Use a trusted antivirus or endpoint protection tool that monitors for suspicious activity.
  • Enable two-factor authentication, especially on cryptocurrency accounts.

Final Thoughts
The blending of AI-powered deception and targeted malware marks a turning point in cybersecurity threats. Individuals and businesses must be more vigilant than ever, especially when handling sensitive data or financial assets. If something feels off in a virtual meeting, it probably is—trust your instincts and verify before you click.