North Korean cybercriminals are using fake Zoom calls and updates to steal personal data, according to a new warning from Microsoft. The group, known as Sapphire Sleet, targets Apple computer users by posing as job recruiters on LinkedIn, creating fake companies, job ads, and social media content to make the scam appear legitimate.
How the Scam Works
The attackers use social engineering to gain the trust of unsuspecting financial professionals, often offering high-salary jobs. When the victim is asked to join a Zoom call for an interview, no one is on the other end. Instead, joining the call infects their MacBook or iMac with malware that allows the hackers to steal personal data.
Microsoft notes that the scam is not just about the victim's data but also serves as a way to test the security of macOS. 'The actor is likely simply conducting espionage or opportunistic data collection from any successfully compromised system,' the tech giant stated. 'Personal data may not even matter in that context.'
Data Targeted by Hackers
- Telegram messaging data
- Browser data
- macOS keychain
- Cryptocurrency wallets
- Apple Notes
- System logs
Apple and Zoom Respond
Microsoft revealed that it contacted Apple, which added 'platform-level protections' to detect and block the malware. These updates were sent automatically, so users do not need to take manual action. Microsoft thanked the Apple security team for their collaboration and encouraged macOS users to keep their devices updated.
Zoom directed inquiries to its Safety Center and Trust Center, which detail the app's privacy and security tools.
Who Is Sapphire Sleet?
Sapphire Sleet, also known as APT38, is a state-sponsored threat actor, meaning it is directly or indirectly funded by a government. These criminals operate like spies, spending weeks on reconnaissance before striking. Since 2014, they have targeted banks, casinos, and cryptocurrency exchanges across 38 countries. In 2016, they stole nearly £60 million from Bangladesh's central bank. The group is affiliated with the Lazarus Group, which was responsible for the 2014 Sony Pictures hack.
Microsoft emphasizes that as organizations improve technical controls, attackers often exploit human weaknesses. 'Many of the traditional social engineering techniques have remained surprisingly effective,' the company said, citing phishing emails, helpdesk calls, and fake login pages.
Advanced Cyber-Scams
More sophisticated scams include ClickFix, where clicking a fake pop-up installs malware, and 'Adversary-in-the-Middle' attacks, where hackers intercept the traffic between a victim and a web application to steal passwords or credit card information. These attacks often rely on compromised Wi-Fi hotspots or on tricking users into clicking malicious links.
Microsoft warns that the goal is not a specific piece of data but access. 'Once they're in, they take as much as they can and sort out how to use it later,' the company stated. Despite their complexity, these attacks often appear routine and unsuspicious, making them effective. 'At the end of the day, this is about scale. If a technique works even a small percentage of the time, actors will keep using it and refining it until it works better,' Microsoft added.