New North Korean malware targets crypto startups
2025-07-11 • Moonlock
Moonlock summarizes SentinelOne research on North Korean fake-interview malware targeting Web3, crypto, and blockchain businesses through Zoom-themed social engineering. Victims are lured into interviews and instructed to run a fake Zoom SDK update script, which in turn executes macOS scripts and payloads. The attack chain uses an unusual mix of AppleScript, C++, and Nim-compiled binaries, a shift intended to complicate analysis and detection while preserving the familiar fake-update infection path. The malware collects browser-stored credentials and sessions from Chrome, Brave, Edge, Firefox, and Arc, macOS Keychain passwords, Telegram data, and system information; a backdoor component takes commands over secure WebSocket. The report highlights malicious Zoom impersonation domains such as support.us05web-zoom[.]forum, support.us05web-zoom[.]pro, support.us05web-zoom[.]cloud, and support.us06web-zoom[.]online.
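The impersonation domains above are the most directly actionable part of the summary for a defender. The script below is an added example, not code from Moonlock or SentinelOne: it refangs the defanged indicators, scans constructed DNS query log lines for exact or subdomain matches, and additionally flags hostnames that follow the same `us0Nweb-zoom.<tld>` lookalike shape. The log format and the lookalike regex are assumptions made for this example; the regex is a heuristic for the pattern visible in the reported domains (real Zoom web hosts use `us05web.zoom.us`, a dot rather than a hyphen and the zoom.us domain), not a detection rule from the report.

```python
import re
from typing import List, NamedTuple, Optional

# Defanged domains exactly as listed in the report summary.
REPORTED_DOMAINS = [
    "support.us05web-zoom[.]forum",
    "support.us05web-zoom[.]pro",
    "support.us05web-zoom[.]cloud",
    "support.us06web-zoom[.]online",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'a[.]b' into a matchable hostname."""
    return domain.replace("[.]", ".").lower().strip(".")


REFANGED = {refang(d) for d in REPORTED_DOMAINS}

# Heuristic (an assumption for this example, not from the report): the
# impersonation domains fuse the Zoom web-host prefix and "zoom" into one
# hyphenated label followed by a non-Zoom TLD, e.g. "us05web-zoom.forum".
LOOKALIKE = re.compile(r"(^|\.)us0\d{1,2}web-zoom\.", re.IGNORECASE)


class Hit(NamedTuple):
    line_no: int
    hostname: str
    reason: str


def extract_hostname(line: str) -> Optional[str]:
    """Parse the constructed log format: '<ts> <client-ip> query <hostname> <qtype>'."""
    parts = line.split()
    if len(parts) >= 4 and parts[2] == "query":
        return parts[3].lower().rstrip(".")
    return None


def scan(lines: List[str]) -> List[Hit]:
    """Return one Hit per log line whose queried hostname matches an indicator."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, start=1):
        host = extract_hostname(line)
        if host is None:
            continue
        if host in REFANGED or any(host.endswith("." + d) for d in REFANGED):
            hits.append(Hit(n, host, "reported-ioc"))
        elif LOOKALIKE.search(host):
            hits.append(Hit(n, host, "zoom-lookalike-pattern"))
    return hits


# Constructed sample DNS log. Line 1 and 4 are legitimate Zoom hosts; line 3
# uses the reserved .example TLD and exists only to exercise the heuristic.
SAMPLE_LOG = """\
2025-07-11T09:14:02Z 10.0.0.21 query us05web.zoom.us A
2025-07-11T09:14:05Z 10.0.0.21 query support.us05web-zoom.forum A
2025-07-11T09:15:11Z 10.0.0.33 query files.us05web-zoom.example A
2025-07-11T09:16:40Z 10.0.0.33 query zoom.us AAAA
2025-07-11T09:17:00Z 10.0.0.45 query support.us06web-zoom.online A
""".splitlines()


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.hostname} ({hit.reason})")
```

The exact-match branch is the one to trust; the lookalike branch is there to surface hosts that share the naming shape and should be reviewed, since attackers rotate TLDs faster than indicator lists update.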