North Korean Hackers Using Fake Zoom Invites to Attack Crypto Startups
North Korean threat actors have escalated their sophisticated cyber operations against cryptocurrency startups, deploying an evolved malware campaign that leverages fraudulent Zoom meeting invitations to infiltrate target organizations.
The campaign, which has been active for over a year, specifically targets individuals and businesses operating within the Web3, cryptocurrency, and blockchain sectors through carefully orchestrated social engineering attacks.
The attack methodology remains consistent with previous North Korean operations, beginning with spear-phishing campaigns that lure victims with promises of lucrative job opportunities.
Threat actors establish contact with potential targets, typically professionals in the crypto industry seeking employment, and arrange fake interviews conducted via Zoom.
Once victims agree to participate, they receive malicious emails containing what appears to be legitimate Zoom meeting links alongside instructions to execute a “Zoom SDK update script.”
Moonlock analysts identified significant technical evolution in this campaign, noting that attackers have dramatically increased the complexity of their malware through the integration of multiple programming languages.
This strategic shift represents a deliberate attempt to evade detection systems and confuse cybersecurity researchers who may lack familiarity with newer, niche programming languages.
The malware deployment process demonstrates remarkable technical sophistication, with threat actors now employing what security researchers describe as an “eclectic mix of scripts and binaries.”
"Having audio issues on your Zoom call? That's not a VC, it's North Korean hackers.
Fortunately, this founder realized what was going on.
The call starts with a few "VCs" on the call. They send messages in the chat saying they can't hear your audio, or suggesting there's an… pic.twitter.com/ZnW8Mtof4F"
— Nick Bax.eth (@bax1337), March 11, 2025
According to SentinelOne’s comprehensive analysis released on July 2, 2025, the attack chain incorporates AppleScript for native macOS environment manipulation, C++ for core functionality, and Nim-compiled binaries for enhanced evasion capabilities.
This multi-language approach creates what researchers characterize as a cryptographic puzzle, where each programming language serves a specific purpose in the overall attack infrastructure.
The most significant technical advancement in this campaign involves the strategic implementation of Nim, a relatively obscure programming language that provides substantial advantages for malicious actors.
Nim’s compilation capabilities allow the creation of native binaries that can effectively bypass traditional signature-based detection systems.
The language’s syntax and behavior patterns differ significantly from commonly analyzed malware languages, creating blind spots in automated security analysis tools.
When executed, the malware establishes persistent communication channels through secure WebSocket connections, enabling real-time command execution and data exfiltration.
The malicious code specifically targets browser-stored credentials from Chrome, Brave, Edge, Firefox, and Arc browsers, focusing on saved passwords and session cookies associated with cryptocurrency exchanges and digital wallets.
The malware further compromises macOS Keychain databases to extract stored authentication credentials, while simultaneously harvesting Telegram user data including encrypted message databases and potentially two-factor authentication codes.
This comprehensive data collection strategy enables threat actors to gain complete access to victims’ cryptocurrency assets and associated financial accounts.
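A defender-side detection example for the collection behaviour described above, added here and not taken from the Moonlock or SentinelOne analyses: it flags any process that reads several unrelated credential stores that are not its own. The store paths are default macOS locations; the allow-listed process names, the event format and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# (category, path glob, process names expected to read it). Paths are the
# default macOS locations; the allow-lists are assumptions to tune per fleet.
APP = "*/Library/Application Support/"
RULES = [
    ("browser", APP + "Google/Chrome/*", {"Google Chrome"}),
    ("browser", APP + "BraveSoftware/Brave-Browser/*", {"Brave Browser"}),
    ("browser", APP + "Microsoft Edge/*", {"Microsoft Edge"}),
    ("browser", APP + "Firefox/Profiles/*", {"firefox"}),
    ("browser", APP + "Arc/User Data/*", {"Arc"}),
    ("keychain", "*/Library/Keychains/*.keychain-db", {"securityd", "secd"}),
    ("telegram", APP + "Telegram Desktop/tdata/*", {"Telegram"}),
]

def classify(proc, path):
    """Return the store category if `proc` is not an expected reader of `path`."""
    for category, glob, allowed in RULES:
        if fnmatchcase(path, glob):
            return None if proc in allowed else category
    return None

def find_stealers(events, min_categories=2):
    """Flag processes that read several unrelated credential stores."""
    seen = defaultdict(set)
    for ev in events:
        category = classify(ev["proc"], ev["path"])
        if category:
            seen[(ev["pid"], ev["proc"])].add(category)
    return {k: sorted(c) for k, c in seen.items() if len(c) >= min_categories}

# Constructed file-open telemetry; process names are hypothetical, not IoCs.
H = "/Users/alice/Library/"
SAMPLE_EVENTS = [
    {"pid": 410, "proc": "Google Chrome", "path": H + "Application Support/Google/Chrome/Default/Login Data"},
    {"pid": 733, "proc": "example_updater", "path": H + "Application Support/Google/Chrome/Default/Cookies"},
    {"pid": 733, "proc": "example_updater", "path": H + "Keychains/login.keychain-db"},
    {"pid": 733, "proc": "example_updater", "path": H + "Application Support/Telegram Desktop/tdata/key_datas"},
    {"pid": 901, "proc": "backupd", "path": H + "Application Support/Arc/User Data/Default/Cookies"},
]

if __name__ == "__main__":
    for (pid, proc), cats in find_stealers(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} proc={proc} read: {', '.join(cats)}")
```

Requiring at least two store categories keeps single-store readers such as backup agents out of the alert stream while still catching a process that sweeps browsers, the Keychain and Telegram together.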