Sunday, January 18, 2026

Crypto Startups Targeted by North Korean Hackers Through Phony Zoom Invitations

North Korean state-backed hackers have intensified a long-running cyber-espionage campaign targeting Web3 and cryptocurrency firms by using fake job interviews and Zoom invitation lures.

According to a new report by cybersecurity firm SentinelOne, the social engineering tactics are unchanged, but the hackers have begun writing their tooling in lesser-known programming languages, including Nim, to evade detection and complicate reverse engineering.

Deceptive Zoom Updates and Multi-Language Malware

The attack begins with spear-phishing messages targeting job seekers in the crypto and blockchain sector. Victims are lured into fake Zoom interviews where hackers offer them roles at fabricated companies.

The attackers then send a malicious script posing as a required “Zoom SDK update”; once the victim runs it on macOS, it installs malware capable of data exfiltration and surveillance.

The latest twist in this campaign is the use of Nim, a relatively obscure programming language, to compile malware binaries.

SentinelOne highlighted that these binaries, combined with AppleScript and C++ components, let the malware slip past traditional antivirus and scanning technology.

Nim compiles through a C backend and links its own runtime, so the resulting Mach-O binaries carry code patterns and library artifacts that signature-based scanners and analyst playbooks tuned to mainstream toolchains do not recognize. The edge this gives attackers is against static detection and analyst familiarity, not against behavioral monitoring: the malware still has to read keychains, spawn shells, and open network connections, and those actions look the same whatever language produced them.

“Analysis revealed an attack chain consisting of an eclectic mix of scripts and binaries written in AppleScript, C++, and Nim,” the firm stated.

This multi-language approach significantly complicates detection and analysis, making life harder for incident response teams and reverse engineers.

Targeting Credentials, Wallets, and Telegram Data

Once installed, the malware extracts credentials stored by the Chrome, Brave, Edge, Firefox, and Arc browsers. It also targets the macOS Keychain to reach saved crypto wallet passwords and exchange logins.

Furthermore, Telegram data, including encrypted local databases, message history, and associated wallet addresses, is actively harvested.

Communication between the infected device and the attacker’s server runs over WebSocket connections wrapped in TLS (wss://), giving the operators a real-time backdoor channel for shell command execution, process inspection, and selective file exfiltration. Because the traffic is encrypted and WebSocket is common in legitimate web applications, network inspection sees little more than the destination hostname and TLS metadata, which makes the spoofed domains the most useful network indicator.

SentinelOne identified several malicious domains spoofing Zoom’s official URLs, such as support.us05web-zoom[.]forum and support.us05web-zoom[.]cloud, which were used to host and distribute the malware payloads. The hosts borrow the “us05web” token from Zoom’s genuine regional web hosts (for example us05web.zoom.us) but sit under unrelated top-level domains, so a check on the registrable domain rather than the visible prefix is enough to tell them apart.
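As an added example, not part of the SentinelOne report or of this article, the following Python flags Zoom-lookalike destinations in proxy logs of the kind described above: it undoes defanged IOC notation ([.] and hxxps), handles wss:// URLs as well as https://, and treats any host that reuses the “usNNweb” token or the word “zoom” outside Zoom’s own registrable domains as suspicious. The log format, the sample lines, the request paths, and the allowlist entries beyond zoom.us are constructed assumptions for illustration.

```python
"""Flag Zoom-lookalike hostnames in proxy or DNS logs (illustrative)."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Registrable domains Zoom genuinely serves from. zoom.us is certain; the
# other entries are an assumed, defender-maintained allowlist.
ZOOM_ALLOWLIST = {"zoom.us", "zoom.com", "zoomgov.com"}

# A few two-label public suffixes so "zoom.example.co.uk" resolves to
# "example.co.uk" rather than "co.uk". Production code should use the PSL.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

# Zoom's regional web hosts look like us05web.zoom.us; the spoofed domains
# quoted in the article reuse that "usNNweb" token on an unrelated TLD.
REGIONAL_TOKEN = re.compile(r"us\d{2}web")

# Constructed proxy-log format: timestamp client method url status.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d{3})"
)


def normalize(raw: str) -> str:
    """Lowercase and undo common IOC defanging ([.], (.), hxxp)."""
    text = raw.strip().lower().replace("[.]", ".").replace("(.)", ".")
    return text.replace("hxxp", "http").rstrip(".")


def registrable_domain(host: str) -> str:
    """eTLD+1 approximation using the small suffix table above."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_host(raw_host: str) -> Optional[str]:
    """Return why a host looks like a Zoom impersonation, or None if benign."""
    host = normalize(raw_host)
    if registrable_domain(host) in ZOOM_ALLOWLIST:
        return None  # genuine Zoom infrastructure, whatever the subdomain
    if "zoom" not in host:
        return None  # not pretending to be Zoom
    if REGIONAL_TOKEN.search(host):
        return "mimics Zoom regional host (usNNweb) outside zoom.us"
    return "contains 'zoom' outside Zoom's registrable domains"


def host_from_url(url: str) -> Optional[str]:
    """Extract the hostname from http(s) or ws(s) URLs; None if absent."""
    return urlsplit(normalize(url)).hostname


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, host, reason) for every suspicious destination."""
    hits = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # malformed or unrelated line
        host = host_from_url(match["url"])
        if host is None:
            continue
        reason = classify_host(host)
        if reason:
            hits.append((match["ts"], host, reason))
    return hits


# Constructed sample: one genuine Zoom meeting join, the two spoofed hosts
# named in the article (one fetching the fake "SDK update", one opening the
# wss:// backdoor channel), and unrelated browsing.
SAMPLE_LOG = [
    "2026-01-12T09:58:01Z 10.0.0.21 GET https://us05web.zoom.us/j/123456789 200",
    "2026-01-12T10:01:44Z 10.0.0.21 GET hxxps://support.us05web-zoom[.]forum/update/zoom-sdk.sh 200",
    "2026-01-12T10:02:03Z 10.0.0.21 GET wss://support.us05web-zoom[.]cloud/ws 101",
    "2026-01-12T10:05:10Z 10.0.0.33 GET https://www.example.com/ 200",
]

if __name__ == "__main__":
    for ts, host, reason in scan_log(SAMPLE_LOG):
        print(f"{ts} {host}: {reason}")
```

The “contains zoom” rule will also catch unrelated hosts that happen to include the word, so treat the output as a triage signal rather than a block list; the “usNNweb” rule is the higher-confidence one. Because the backdoor traffic is TLS-wrapped, the same classifier is best run over DNS or TLS SNI logs, where the hostname is the only thing visible.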

North Korean hackers are impersonating the legitimate Zoom site. Zoom is a trademark of Zoom Video Communications, Inc. Image: Screenshot, Moonlock.

Countermeasures and Awareness

Despite the sophisticated programming techniques, the campaign still hinges on successful social engineering.

Users in the crypto space, especially job seekers, are advised to verify job-related communications through an independent channel and to refuse any “update” a contact sends them during or after a call; Zoom distributes client updates through the application itself and from zoom.us, not as a script handed over by an interviewer.

As attackers evolve by integrating obscure programming languages and leveraging AI-assisted development, defenders must adapt accordingly, strengthening behavioral detection, which does not depend on the language a binary was written in, and expanding reverse-engineering expertise in emerging languages like Nim.

For organizations in the crypto industry, awareness and targeted employee training remain the most effective frontline defense, because the chain still depends on a victim voluntarily running an unsigned script.
