Crypto Heist Alert: How BlueNoroff APT Uses AI Deepfakes and Fake Zoom Malware to Hit Web3 Firms on macOS
Imagine getting a Zoom invite from your boss or a top crypto exec. You join, see their face and hear their voice. They ask you to install a quick “Zoom update” for better meeting quality. Minutes later, your crypto wallets are drained. This is not a movie plot—it’s the real
The
In this post, we break down the full attack step by step. We cover how it works, who gets hit, and simple ways to fight back. If you work in crypto or Web3, read on—this could save your funds.
Who Are the Hackers?
These hackers love financial targets. They hit banks, crypto exchanges, and fintech apps. They build custom malware for Windows, macOS, and Linux. What makes them scary? They adapt fast to new tech like AI and deepfakes.
Past hits include big crypto thefts. Now, they focus on Web3—think DeFi, NFTs, and blockchain projects. Their attacks mix spy tricks with theft, making them hard to spot.
The Step-by-Step Attack Chain
Step 1: Spearphishing Lures
Hackers send fake messages on Telegram or email. They pretend to be crypto big shots—like CEOs or partners. The message invites you to an “urgent meeting” about a deal or investment.
Step 2: Fake Meeting Links
Links look like real Calendly, Google Meet, Zoom, or Teams invites. But they lead to fake sites—like typosquatted domains controlled by hackers. Example: something like support[.]us05web-zoom[.]biz.
Step 3: Deepfakes in Action
You join the “meeting.” A deepfake video and voice of a real exec greets you. AI makes it look and sound perfect. They build trust fast, then say: “Download this Zoom extension for HD video.”
Step 4: Malware Drop
Victims download files like zoom_sdk_support.scpt for macOS. This is an AppleScript loader. It covers its tracks (disables bash history), checks whether the Mac is Apple Silicon, installs Rosetta 2 if needed, and pulls more malware.
From there, it sets up backdoors, steals data, and phones home to hackers.
Inside the Malware: What It Does
The malware is modular—like Lego blocks for crime. Key parts:
- Persistence: Uses Launch Daemons to stay on your Mac forever. Tweaks system services too.
- Steals Credentials: Grabs passwords, cookies, and private keys from wallets like MetaMask, Binance, Phantom, Trust, OKX, and more. Hits browser extensions hard.
- Clipboard Hijack: Watches your clipboard. When you copy a wallet address, it swaps it with the hackers’ address. Called “ClickFix” style—pure evil for crypto transfers.
- Spy Tools: Takes screenshots, logs keystrokes, even grabs webcam video.
- C2 Communication: Talks to over 80 fake domains via HTTPS, WebSockets, or Telegram bots. Domains registered late 2025 to March 2026. Examples: metamask[.]awaitingfor[.]site, productnews[.]online, firstfromsep[.]online, safefor[.]xyz, readysafe[.]xyz.
This setup lets hackers move sideways, stay hidden, and steal big.
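The clipboard-swap module described above is the part a defender can watch for directly: an address-shaped value on the pasteboard is replaced by a different address of the same kind moments after the user copied it. The Python below is an added example for this post, not code from the article or from any vendor report it draws on. The poll samples are constructed; the only macOS-specific piece is the optional pbpaste helper, and the 2-second window is an assumed tuning value.

```python
import re
import subprocess
import time
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Loose address shapes for the wallet families the post names (EVM for MetaMask,
# Solana for Phantom) plus Bitcoin. A monitor only needs "looks like an address".
ADDRESS_PATTERNS = {
    "evm": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "btc": re.compile(r"^(bc1[02-9ac-hj-np-z]{11,71}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "sol": re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),
}


def classify(text: str) -> Optional[str]:
    """Return which chain family a clipboard value resembles, or None for ordinary text."""
    s = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():  # btc is tried before sol on purpose
        if pattern.match(s):
            return chain
    return None


@dataclass
class Sample:
    t: float       # seconds since the monitor started
    content: str   # clipboard text observed at that instant


@dataclass
class Alert:
    t: float
    chain: str
    before: str
    after: str


def detect_swaps(samples: Iterable[Sample], window: float = 2.0) -> List[Alert]:
    """Flag an address replaced by a *different* same-family address within `window` seconds.

    A person rarely copies two different receiving addresses back to back within a
    couple of seconds; a clipper rewriting the pasteboard right after the user's copy
    produces exactly that pattern. Repeated identical polls are collapsed so the clock
    runs from the moment the address first appeared, not from the last poll.
    """
    alerts: List[Alert] = []
    last: Optional[Tuple[float, str, str]] = None  # (time first seen, chain, content)
    for s in samples:
        chain = classify(s.content)
        if chain is None:
            last = None           # non-address content resets the state
            continue
        if last is not None and last[2] == s.content:
            continue              # same address still on the clipboard
        if last is not None and last[1] == chain and s.t - last[0] <= window:
            alerts.append(Alert(s.t, chain, last[2], s.content))
        last = (s.t, chain, s.content)
    return alerts


def poll_pasteboard(duration: float, interval: float = 0.25) -> List[Sample]:
    """Read the real macOS pasteboard via pbpaste (macOS only; not exercised offline)."""
    start = time.monotonic()
    out: List[Sample] = []
    while time.monotonic() - start < duration:
        text = subprocess.run(["pbpaste"], capture_output=True, text=True).stdout
        out.append(Sample(time.monotonic() - start, text))
        time.sleep(interval)
    return out


# Constructed poll sequence: the user copies their own EVM address and a clipper
# overwrites it three quarters of a second later. The unrelated copy at t=30 is a
# legitimate second address and must not fire.
USER_ADDRESS = "0x" + "a1" * 20
CLIPPER_ADDRESS = "0x" + "7b" * 20
CONSTRUCTED_SAMPLES = [
    Sample(0.0, "meeting notes"),
    Sample(0.5, USER_ADDRESS),
    Sample(1.0, USER_ADDRESS),
    Sample(1.25, CLIPPER_ADDRESS),
    Sample(2.0, CLIPPER_ADDRESS),
    Sample(30.0, "0x" + "c3" * 20),
    Sample(40.0, "some text"),
]


def demo() -> List[Alert]:
    return detect_swaps(CONSTRUCTED_SAMPLES)


if __name__ == "__main__":
    for a in demo():
        print(f"t={a.t}s {a.chain} address replaced: {a.before} -> {a.after}")
```

On a real host, `detect_swaps(poll_pasteboard(60))` runs the same logic over live pasteboard reads; an alert is a cue to compare what was pasted into the wallet against what was copied, not proof of infection on its own.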
MITRE ATT&CK: The Hacker Playbook
Security pros map this to the MITRE ATT&CK framework. Key moves:
- T1566.002: Spearphishing via service (Telegram/email).
- T1059.002: AppleScript execution.
- T1547.001: Launch Daemon persistence.
- T1555: Credentials from password stores.
- T1113: Screen capture.
- T1056.001: Keylogging.
- T1041: Exfiltration over C2 channel.
Knowing these helps your tools detect it.
Who Gets Hit and How Bad Is It?
Over 100 crypto orgs in 20+ countries. Hot spots: US, Singapore, UK. 80% in crypto finance, 45% C-level execs or founders.
Attack speed? Initial contact to compromise: under 5 minutes. Some infections last 66 days. Losses? Direct crypto theft via clipboard swaps, plus spread to contacts via hijacked Telegram.
Smart Tricks: Recursive Deepfakes
Here’s the scary part. Hackers grab your webcam during infection. Mix it with AI to make new deepfakes. Use them to trick your contacts. It’s a chain reaction—one hit leads to more.
They scout targets via LinkedIn, Twitter, websites. Focus on CEOs, CTOs, wallet admins in North America, SE Asia, Europe.
How to Stop Attacks
Don’t panic—fight back with these steps:
- Block IOCs: Add domains like support[.]us05web-zoom[.]biz to your blocklists. Watch for odd AppleScripts or Launch Daemons.
- Check Downloads: Never install Zoom plugins from emails or links. Verify sender first.
- Spot Deepfakes: Train teams. Look for glitches in video/voice. Always call back on known numbers.
- Monitor Clipboard & Wallets: Use tools to detect swaps. Lock down browser extensions.
- Strong Security: Least privilege access. Multi-factor auth (MFA). Endpoint detection for macOS.
- Train & Respond: Teach phishing/deepfake signs. Have incident plans ready.
Run audits often. Tools like EDR can flag
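The first defensive bullet above combines two checks: blocking the listed domains and looking for odd AppleScripts or Launch Daemons. The Python below is an added example for this post, not the article's own tooling, that does both in one audit pass: it refangs the defanged domains as the post prints them, and it scores a LaunchDaemon/LaunchAgent plist on indicators such as AppleScript or shell one-liners on the command line, boot-time persistence that restarts itself, a label imitating Apple while running files outside Apple paths, and any listed C2 domain in its arguments. The two plists it runs against are constructed, and the indicator list is an assumption to tune locally.

```python
import glob
import os
import plistlib
import re
from typing import Dict, List

# The defanged domains named in the post; a real deployment would feed a fuller
# threat-intel list here.
DEFANGED_IOCS = [
    "support[.]us05web-zoom[.]biz",
    "metamask[.]awaitingfor[.]site",
    "productnews[.]online",
    "firstfromsep[.]online",
    "safefor[.]xyz",
    "readysafe[.]xyz",
]


def refang(domain: str) -> str:
    """Turn the 'support[.]example' notation used in reports back into a real hostname."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.IGNORECASE)
# Things a legitimate daemon rarely needs: AppleScript, shell one-liners, downloaders,
# temp locations, or anything named after the "Zoom SDK" lure from the post.
SUSPICIOUS_ARG = re.compile(
    r"(osascript|\.scpt\b|curl\s|bash\s+-c|zsh\s+-c|/tmp/|/private/tmp/|/var/folders/|zoom_sdk|\.zoom/)",
    re.IGNORECASE,
)
APPLE_PATHS = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")


def matches_ioc(hostname: str) -> bool:
    """True when hostname is an IOC domain or a subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in IOC_DOMAINS)


def audit_launch_plist(plist_bytes: bytes) -> List[str]:
    """Return the reasons a LaunchDaemon/LaunchAgent plist deserves a look; [] means nothing odd."""
    p = plistlib.loads(plist_bytes)
    reasons: List[str] = []
    label = str(p.get("Label", ""))
    args = list(p.get("ProgramArguments") or ([p["Program"]] if "Program" in p else []))
    cmdline = " ".join(args)
    if SUSPICIOUS_ARG.search(cmdline):
        reasons.append(f"command line uses scripting/download/temp indicators: {cmdline!r}")
    if p.get("RunAtLoad") and p.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive: starts at boot and is restarted if killed")
    if label.lower().startswith("com.apple."):
        paths = [a for a in args if a.startswith("/")]
        if any(not a.startswith(APPLE_PATHS) for a in paths):
            reasons.append(f"label {label!r} imitates Apple but runs files outside Apple locations")
    hits = sorted({h for h in HOST_RE.findall(cmdline) if matches_ioc(h)})
    if hits:
        reasons.append(f"references known C2 domain(s): {hits}")
    return reasons


def audit_directory(path: str = "/Library/LaunchDaemons") -> Dict[str, List[str]]:
    """Run audit_launch_plist over every plist in a directory (for real hosts; nothing to read offline)."""
    findings: Dict[str, List[str]] = {}
    for f in glob.glob(os.path.join(path, "*.plist")):
        with open(f, "rb") as fh:
            try:
                reasons = audit_launch_plist(fh.read())
            except Exception as exc:  # a malformed plist is itself worth a look
                reasons = [f"unparseable plist: {exc}"]
        if reasons:
            findings[f] = reasons
    return findings


# Constructed plists for the offline run: an ordinary nightly job, and one shaped like
# the persistence the post describes (AppleScript loader, fake Apple label, listed C2 domain).
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key>
  <array><string>/usr/local/bin/backup</string><string>--nightly</string></array>
  <key>StartInterval</key><integer>86400</integer>
</dict></plist>"""

SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.zoomupdate</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/bin/osascript</string>
    <string>/Users/Shared/.zoom/zoom_sdk_support.scpt</string>
    <string>https://support.us05web-zoom.biz/update</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_PLIST), ("suspicious", SUSPICIOUS_PLIST)):
        print(name, audit_launch_plist(blob) or "clean")
```

Run `audit_directory()` for /Library/LaunchDaemons, /Library/LaunchAgents and each user's ~/Library/LaunchAgents; every returned entry is a triage lead, and the same `matches_ioc` check can be pointed at DNS or proxy logs to catch the domains before a plist ever lands.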
Stay Safe in the Crypto Wild West
The
Share this post if it helps. Stay vigilant—your next meeting might not be what it seems.