North Korean hackers affiliated with the BlueNoroff group have escalated their cyberattack methodology by deploying artificial intelligence-powered deepfakes to impersonate company executives during video conference calls, according to recent findings from multiple cybersecurity firms including SentinelLabs, Microsoft, Jamf, and Kaspersky.
The group, additionally tracked as Sapphire Sleet and TA444, uses deepfake technology in this campaign to build credibility and manipulate targets into installing macOS malware under the guise of legitimate business activities.
The attackers distribute phishing lures through seemingly authentic Calendly links, crafting invitations as press pitches, venture capital investment offers, or podcast appearances while posing as investors or producers.
These deceptive meeting requests primarily target cryptocurrency traders, venture investors, and technology company executives, with meeting logistics often withheld until the last minute to create urgency and reduce victim diligence.
Additional attack vectors include fake interview invitations, purportedly from Bloomberg producers, delivered via social platforms like X.
During scheduled Zoom meetings, the deepfaked executives exploit the platform’s remote collaboration features to request control of victims’ computers.
The attackers prompt targets to share their screens, and targets may then inadvertently grant remote access; the attackers operate from consumer-grade Zoom accounts to avoid detection by security systems.
This technique requires no code-level vulnerability in Zoom; it abuses legitimate collaboration workflows, which makes detection and prevention more challenging.
Once remote access is established, attackers deploy information-stealing malware targeting sensitive data and cryptocurrency assets.
The malware payloads include infostealers designed to exfiltrate account secrets, private keys, and credentials immediately after compromise, in addition to Remote Access Trojans for longer-term access and delayed exfiltration.
These payloads are tailored to both Windows and macOS platforms, broadening the range of potential victims.
The primary intent behind these deepfake impersonation attacks is cryptocurrency theft, particularly targeting organizations with digital asset holdings.
The real-time delivery of attack payloads during meetings makes detection more challenging and shortens response windows, while the deepfake technology engenders trust and authenticity, increasing the efficacy of the deception and lowering suspicion among victims.
Victims may notice unauthorized password changes and suspicious login attempts from unfamiliar locations as early warning signs of compromise.