North Korean Hackers Try to Steal Crypto Via Deepfake Zoom Call


North Korean hackers recently used deepfake technology in an attempt to impersonate executives from a cryptocurrency foundation, staging a convincing Zoom meeting to deceive an unsuspecting employee, according to cybersecurity firm Huntress.

Although it’s unclear whether the hack succeeded, investigators believe the group’s goal was to access and steal cryptocurrency linked to the victim’s organization. That the attack targeted a system running macOS only highlights the increasing sophistication of AI-driven attacks around the globe.

“Over the last few years, we have seen macOS become a larger target for threat actors, especially with regard to highly sophisticated, state-sponsored attackers,” a spokesperson for Huntress said in a recent interview.


Understanding how it happened

The breach reportedly began when the employee received an unnamed Calendly invitation for an upcoming meeting with company executives. However, the link redirected the user to a fake Zoom domain controlled by the attackers, Huntress said.
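The redirect to a look-alike Zoom domain is the first point at which this attack could have been caught. The following is an added example (not from the Huntress report or TechRepublic’s article) of how a security team might triage meeting links pulled from calendar invitations before anyone clicks them. The allowlist, the sample links, and the verdict labels are constructed assumptions; the only real fact it relies on is that legitimate Zoom meeting links live under the `zoom.us` domain.

```python
from urllib.parse import urlparse

# Constructed allowlist (assumption): hosts under these registrable domains
# are treated as genuine Zoom endpoints. Subdomains such as us02web.zoom.us
# match; anything else that merely contains the word "zoom" does not.
LEGIT_ZOOM_SUFFIXES = ("zoom.us",)


def host_is_allowed(host, suffixes=LEGIT_ZOOM_SUFFIXES):
    """True only if host equals an allowlisted domain or is a subdomain of one.

    Suffix matching is done on a label boundary, so "evilzoom.us" and
    "zoom.us.attacker.example" are both rejected.
    """
    host = host.lower().rstrip(".")
    for suffix in suffixes:
        if host == suffix or host.endswith("." + suffix):
            return True
    return False


def classify_meeting_link(url):
    """Return (verdict, reason) for a meeting URL found in a calendar invite.

    Verdicts: "ok" (under an allowlisted domain), "suspicious" (shows a
    known impersonation pattern), "unknown" (neither; needs a human look).
    """
    parsed = urlparse(url)

    if parsed.scheme != "https":
        return ("suspicious", "meeting link does not use https")

    # "https://zoom.us@attacker.example/..." puts the trusted name in the
    # userinfo part; the real host is whatever follows the "@".
    if parsed.username is not None or parsed.password is not None:
        return ("suspicious", "credentials embedded before the real host")

    host = parsed.hostname or ""
    if not host:
        return ("suspicious", "no host in link")

    # Internationalised (punycode) labels can render as visually identical
    # look-alikes of the real brand; a genuine zoom.us subdomain never needs one.
    if host.startswith("xn--") or ".xn--" in host:
        return ("suspicious", "punycode label in host (possible homoglyph)")

    if host_is_allowed(host):
        return ("ok", "host is under an allowlisted Zoom domain")

    if "zoom" in host:
        return ("suspicious", "host contains 'zoom' but is not under zoom.us")

    return ("unknown", "host not allowlisted; verify out of band")


def triage(urls):
    """Classify a batch of links and return a list of (url, verdict, reason)."""
    return [(u, *classify_meeting_link(u)) for u in urls]


if __name__ == "__main__":
    # Constructed sample links for demonstration (not real indicators).
    SAMPLE_LINKS = [
        "https://us02web.zoom.us/j/1234567890",
        "https://zoom.us.meeting-join.example/j/1234567890",
        "https://zoom-us.example/launch",
        "http://zoom.us/j/1234567890",
        "https://zoom.us@attacker.example/j/1234567890",
        "https://xn--zm-xka.us/j/1234567890",
        "https://calendly.example/team/sync",
    ]
    for url, verdict, reason in triage(SAMPLE_LINKS):
        print(f"{verdict:10s} {url:50s} {reason}")
```

Anything that comes back `suspicious` or `unknown` is a candidate for the out-of-band confirmation the article recommends later: call a known contact rather than joining the meeting. The check is deliberately conservative; it cannot prove a link is genuine, only that it is not under an unexpected domain.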

The second phase unfolded weeks later when the scheduled Zoom call took place. The employee joined the meeting and was greeted by what appeared to be members of the company’s leadership — their identities were later revealed to be deepfakes created by AI.

When the user encountered audio issues, they were encouraged to install a Zoom extension to fix the problem. In reality, the file was a malicious AppleScript designed to compromise macOS systems.

Huntress was made aware of the incident in June 2025. After dissecting the original AppleScript file, they found that it contained several malicious commands, remote code, keyloggers, and backdoors. They also managed to trace the hack to a North Korean group known as TA444, aka BlueNoroff, Sapphire Sleet, COPERNICIUM, STARDUST CHOLLIMA, and CageyChameleon.

Once activated, the malware was designed to search the user’s hard drive for any accessible cryptocurrency wallets, which it would then attempt to hijack. It was also written to capture the contents of the user’s clipboard history and to clean up after itself when it was done.

Avoiding similar attacks in the future

In their report covering the incident, Huntress provided useful recommendations on how users can avoid similar attacks in the future. Many of their recommendations are geared toward remote workers — as they’re the most likely to be targeted — but apply more broadly across hybrid work environments.

  • Never trust a calendar invitation from someone you don’t know, someone you haven’t communicated with recently, or from people who don’t normally attend company meetings.
  • Any sudden or unexpected changes, such as switching to another platform, installing extensions or plugins, visiting suspicious domain names, or allowing remote access to your device, should be taken as immediate red flags.

If you notice any of these indicators, disconnect from the meeting immediately and report the incident to your company’s HR or cybersecurity team.

Recognizing hacks, cyberattacks, and deepfakes before it’s too late

While this was a highly sophisticated and technical attack targeting an operating system that doesn’t see much malicious activity, there were several red flags during the multi-week ordeal that would have been concerning to any tech-savvy employee. When the legitimacy of a message or meeting request is in question, it’s best to contact a verified member of the organization through an alternate channel, preferably by phone, to confirm its authenticity. Taking this extra step can help prevent costly breaches and reputational harm.

Want deeper insights into how state-backed actors are reshaping the global threat landscape? Read TechRepublic’s coverage on the rising tide of cyberattacks and how organizations are responding.

