In a striking escalation of cyberespionage tactics, North Korean hackers are now using AI-generated deepfake videos of corporate executives to trick employees into installing malicious software, researchers said Thursday.

The campaign, attributed to the Pyongyang-linked group BlueNoroff, targets cryptocurrency firms with highly personalized social engineering, deploying custom-built spyware designed to steal sensitive financial data.

According to cybersecurity firm Huntress, the attackers pose as company leaders in fake video calls, instructing employees to download what appears to be a Zoom extension to resolve technical issues. Instead, the software installs a suite of sophisticated malware capable of monitoring keystrokes, capturing clipboard data, and maintaining long-term access to infected Macs.

“This attack represents a major shift in the sophistication of cyberattacks,” said Randolph Barr, chief information security officer at Cequence. “When attackers leverage AI to convincingly mimic real people, even well-trained users can be fooled.”

The operation begins with a seemingly legitimate Google Meet invitation sent via Telegram. Clicking the link redirects victims to a fake Zoom site, where deepfake versions of their superiors—generated in real time—urge them to install the malicious extension.
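The delivery step depends on the victim treating a link that merely mentions Zoom as a link to Zoom. The following is an added example, not code from the article or from Huntress: a Python check that vets every link in a meeting invite against an allowlist of vendor domains and rejects the usual lookalike tricks (a vendor name in the userinfo part of the URL, the vendor domain as a subdomain of an attacker-controlled domain, raw IP literals, non-HTTPS schemes, and punycode homoglyph hosts). The allowlist, the helper names and the sample Telegram message are assumptions constructed for illustration.

```python
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Assumption: the only registrable domains from which meeting links and
# client downloads are accepted. A host matches on exact equality or as a
# subdomain (e.g. us05web.zoom.us), never as a prefix of another domain.
ALLOWED_DOMAINS = {"zoom.us", "meet.google.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_of(url: str) -> Optional[str]:
    """Return the ASCII host of an https URL, or None if it cannot be trusted."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return None                      # plain http can be tampered in transit
    host = parts.hostname               # lowercased; userinfo and port removed
    if not host:
        return None
    try:
        # IDNA encoding turns a homoglyph label (Cyrillic 'о' in "zооm")
        # into an xn-- label, so it can no longer pass as the ASCII domain.
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def is_trusted_link(url: str) -> bool:
    """True only if the link's host is an allowlisted vendor domain or a subdomain of one."""
    host = host_of(url)
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return False                     # a raw IP is never a vendor domain
    except ValueError:
        pass
    if "xn--" in host:
        return False                     # punycode: homoglyph of an allowed name
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def vet_message(text: str) -> List[Tuple[str, bool]]:
    """Extract every URL in a message and label it trusted or not."""
    return [(u, is_trusted_link(u)) for u in URL_RE.findall(text)]


# Constructed sample invite: a real Google Meet link followed by a
# "Zoom fix" download whose host only looks like zoom.us.
SAMPLE_INVITE = (
    "Hi, quick sync about the wallet migration. Join here: "
    "https://meet.google.com/abc-defg-hij "
    "If audio fails, install the Zoom fix first: "
    "https://zoom.us.support-session.example/zoomfix.pkg"
)

if __name__ == "__main__":
    for url, ok in vet_message(SAMPLE_INVITE):
        print("TRUSTED " if ok else "SUSPECT ", url)
```

The check is deliberately strict: a download that is genuinely from Zoom resolves to zoom.us or a subdomain of it, so anything else in an invite is routed to the help desk instead of the user. It does not inspect the downloaded file, so it complements rather than replaces endpoint monitoring.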

Huntress identified eight distinct malware components, including a persistent backdoor written in the obscure programming language Nim and a crypto-focused stealer that scans for digital wallet data. One payload, dubbed “InjectWithDyld” (the name refers to dyld, the macOS dynamic linker), injects malicious code into trusted, already-running macOS applications, a technique still rare in Mac-focused espionage tools.

BlueNoroff, a subgroup of North Korea’s Lazarus hacking collective, has long targeted financial institutions and cryptocurrency platforms to fund the regime’s operations. This latest campaign underscores Pyongyang’s growing reliance on AI and social engineering to bypass traditional defenses.

“Layered defenses combining user training, endpoint monitoring, and strict access controls are no longer optional—they’re essential,” Barr said.

As deepfake technology becomes more accessible, experts warn that such attacks will only increase in scale and realism, posing new challenges for businesses already grappling with an evolving threat landscape.
