Inside the BlueNoroff Web3 macOS Intrusion Analysis

2025-06-18 Huntress

https://www.huntress.com/blog/inside-bluenoroff-web3-intrusion-analysis

Huntress attributes a macOS intrusion against a cryptocurrency foundation employee to TA444/BlueNoroff, a DPRK subgroup also tracked as Sapphire Sleet, COPERNICIUM, STARDUST CHOLLIMA, or CageyChameleon. The attacker used Telegram contact, Calendly and Google Meet pretexts, a fake Zoom support domain, and deepfaked company leadership to persuade the victim to install a malicious AppleScript presented as a Zoom extension. The chain disabled shell history, checked for Rosetta 2, attempted to collect the user password, and deployed multiple macOS implants including Telegram 2 for persistence, the Go-based Root Troy V4/remoted backdoor, InjectWithDyld, a Nim command-execution payload, XScreen, and CryptoBot. The tooling supported command execution, interactive shells, payload deployment, keylogging, clipboard and screen monitoring, and collection of cryptocurrency-related files, making the intrusion directly relevant to DPRK cryptocurrency theft tracking.

Indicators of Compromise

