- Fake Zoom scripts launch malware hidden beneath thousands of lines of code and whitespace
- LaunchDaemons ensure the malware runs at boot with admin rights once installed
- Malicious components disguise themselves as legitimate tools like “icloud_helper” and “Wi-Fi Updater”
A new cyber campaign using fake Zoom applications is targeting organizations across North America, Europe, and the Asia-Pacific, experts have warned.
This cyber campaign, linked to North Korean hackers, is attributed to the BlueNoroff Group, a known affiliate of the infamous Lazarus Group, and spoofs legitimate video conferencing services from Zoom to fool victims.
Primarily focused on the gaming, entertainment, and fintech sectors, this operation appears carefully coordinated and aims to compromise cryptocurrency wallets and other sensitive financial data.
How the attack works
The operation begins with a deceptive AppleScript, designed to look like it is performing routine Zoom SDK maintenance.
Analysts have found the script padded with around 10,000 blank lines to hide the malicious commands buried deep within.
These commands, found on lines 10,017 and 10,018, use a curl request to silently download malware from a spoofed domain: zoom-tech[.]us.
Once installed, the malware embeds itself into the system using LaunchDaemon configurations that execute the malicious payload at startup with elevated privileges.
Additional components are then retrieved from compromised infrastructure and disguised as normal macOS tools such as “icloud_helper” and “Wi-Fi Updater.”
These components erase traces of temporary files and staging folders, using anti-forensics methods to avoid detection while maintaining backdoor access for remote commands and data theft.
This method takes advantage of the common work-from-home scenario where technical glitches are resolved quickly and often with minimal scrutiny.
The malware goes beyond simple credential theft. It actively looks for cryptocurrency wallet extensions, browser logins, and authentication keys, confirming BlueNoroff’s ongoing focus on financial gain.
In one documented case, a Canadian online gambling company was targeted on May 28, when attackers used fake Zoom troubleshooting scripts to plant the malware.
To stay safe, verify Zoom meeting participants independently, block suspicious domains, and use endpoint protection because attackers now use trusted platforms and familiar workflows to slip past basic protection.
It is also important to choose the best antivirus and ransomware protection software, especially for organizations with digital assets or crypto holdings.
Businesses should adopt identity theft protection to monitor exposed data and credentials, train staff on social engineering risks, and secure cryptocurrency tools with hardware wallets.
Leave a comment