BlueNoroff Hacks Zoom Calls to Steal Crypto Data

North Korea-linked hackers from BlueNoroff are exploiting the popularity of Zoom in a new wave of cyberattacks targeting cryptocurrency and financial firms. The group, known for its ties to the Lazarus Group, uses deceptive Zoom-related infrastructure to impersonate trusted contacts and trick victims into launching malicious scripts. The campaign, active since March 2025, marks a calculated shift in tactics, with BlueNoroff abusing Zoom calls to deliver infostealer malware.

One confirmed incident on May 28, 2025, targeted a Canadian online gambling company. Attackers posed as legitimate business contacts and used AppleScript disguised as Zoom SDK updates to gain access. The malware deployed in the campaign steals browser credentials, crypto wallet data, and authentication keys.

The malware uses launch daemons for persistence and downloads additional payloads disguised as system tools. Analysts found that it removes evidence of its activity to evade detection. The full report and indicators of compromise are available at:

BlueNoroff Hackers Weaponize Zoom App to Attack System Using Infostealer Malware
