Feeling Blue(Noroff): Inside a Sophisticated North Korean Web3 Intrusion

  • June 11, 2025 Incident: Huntress received contact about an end user potentially downloading a malicious Zoom extension. Installing the Huntress EDR agent revealed the intrusion. It was attributed to North Korean (DPRK) APT subgroup TA444.

    • Initial access: An employee at a cryptocurrency foundation received a Telegram message containing a Calendly link that pointed to a fake Zoom domain. During the resulting Zoom call, in which the other participants were deepfakes, the employee was told to download a Zoom extension. The downloaded file was an AppleScript named zoom_sdk_support.scpt.
    • Technical analysis: Recovered 8 malicious binaries. Telegram 2 (Nim) was the persistent implant. Root Troy V4 (Go) was a backdoor used to download and execute other implants. InjectWithDyld (C++) was a binary loader. Other binaries included a keylogger (XScreen), an infostealer (CryptoBot), and more.
    • Decrypted payloads: Nim Implant (Trojan 1) for command interaction and a base app.
    • Keylogger: XScreen (keyboardd) collected keystrokes, clipboard, and screen.
    • Infostealer: CryptoBot focused on cryptocurrency theft.
  • Meeting application social engineering: Train employees to identify common attacks starting with social engineering related to remote meeting software.
  • Conclusion: macOS is becoming a larger target for threat actors. BlueNoroff used Mac-specific techniques in this targeted attack.
  • IOCs:

    • Files: SHA256 hashes and names of various malicious files.
    • Infrastructure: IP addresses and malicious domains such as safeupload.online, metamask.awaitingfor.site/update, etc.
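As an added hunting example (not code from the Huntress report), the Python below correlates the two early artefacts the summary describes: a lookup of a look-alike Zoom host or a listed domain, followed shortly by osascript running a .scpt from Downloads. The log lines and their format are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Domains named in the report, plus a heuristic for look-alike Zoom hosts.
IOC_DOMAINS = {"safeupload.online", "metamask.awaitingfor.site"}
LEGIT_ZOOM = re.compile(r"(^|\.)zoom\.us$")

# Constructed sample events (not from the report): "<ts> <type> <user> <detail>"
SAMPLE_LOG = """\
2025-06-11T09:58:02 dns user1 us05web.zoom.us
2025-06-11T10:01:14 dns user1 zoom-support-update.example
2025-06-11T10:03:40 exec user1 /usr/bin/osascript /Users/user1/Downloads/zoom_sdk_support.scpt
2025-06-11T10:04:02 dns user1 safeupload.online
2025-06-11T11:30:00 exec user2 /usr/bin/osascript /Library/Scripts/backup.scpt
"""

def suspicious_domain(host):
    """True for a listed IOC domain or a host that mentions Zoom but is not under zoom.us."""
    host = host.lower()
    if host in IOC_DOMAINS:
        return True
    return "zoom" in host and not LEGIT_ZOOM.search(host)

def suspicious_script_exec(cmd):
    """osascript running a .scpt from Downloads: the shape of the report's initial access."""
    return "osascript" in cmd and ".scpt" in cmd and "/Downloads/" in cmd

def hunt(log_text, window=timedelta(minutes=10)):
    """Return (user, rule, detail) alerts. A suspicious lookup followed within
    `window` by a Downloads AppleScript execution is the highest-signal pairing."""
    recent = {}   # user -> timestamp of the last suspicious lookup
    alerts = []
    for line in log_text.splitlines():
        ts_s, kind, user, detail = line.split(" ", 3)
        ts = datetime.fromisoformat(ts_s)
        if kind == "dns":
            if detail.lower() in IOC_DOMAINS:
                alerts.append((user, "ioc_domain", detail))
            if suspicious_domain(detail):
                recent[user] = ts
        elif kind == "exec" and suspicious_script_exec(detail):
            last = recent.get(user)
            if last is not None and ts - last <= window:
                alerts.append((user, "lure_then_applescript", detail))
            else:
                alerts.append((user, "applescript_from_downloads", detail))
    return alerts
```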