Barr believes the attackers have significantly stepped up their game, making detection harder than ever. “For years, the industry has leaned on the phrase ‘users are the weakest link’, but in cases like this, that narrative is both outdated and unfair,” he said. “When attackers are leveraging AI to convincingly mimic real people and applications appear properly signed and notarized, we can’t reasonably expect even well-trained users to make the right call every time.”
North Korean threat groups are well known for using social engineering, such as tricking job seekers to gain access to targets. One of their most notable campaigns, “Contagious Interviews,” saw attackers (the Kimsuky group) pose as recruiters offering fake job interviews to professionals. During these calls, they shared malware-laced files disguised as assessments, allowing them to steal credentials and establish long-term access.
“WE attribute with high confidence that this intrusion was conducted by the North Korean (DPRK) APT subgroup tracked as TA444 aka BlueNoroff, a state-sponsored threat actor known for targeting cryptocurrencies stemming back to at least 2017,” Huntress researchers said.
Campaign delivers modular, persistent, Mac-specific malware
Huntress recovered a total of eight distinct malicious binaries, each with specific tasks. The primary implant, ‘Telegram 2’, was written in Nim and embedded itself as a macOS LaunchDaemon to maintain persistence. It acted as a launchpad for the real power tools, including Go-based ‘Root Troy V4’ backdoor and “CryptoBot”, a dedicated crypto stealer that hunted for wallet data across 20+ Web3 plugins.
