CRYSTALPROXY | 08 Apr 2026 | Asia

Phantoms in the Waiting Room: North Korean Hackers Host Fake Zoom and Teams Calls to Breach Crypto Defenses

Cybercriminals impersonate trusted contacts and weaponize browser-based meetings to silently hijack digital assets and developer tools.

It starts with a friendly ping on LinkedIn or a casual message on Slack. Maybe it’s a familiar face - or at least, someone who looks like one. You’re invited to a business call about a new partnership or open-source project. The meeting link looks ordinary enough, perhaps even scheduled weeks in advance. But when you join, you’re not just dialing into a video chat - you’re stepping into a carefully laid trap set by one of the world’s most dangerous cybercrime syndicates.

The Anatomy of a Browser-Based Heist

The Security Alliance (SEAL) has uncovered a chilling new evolution in cybercrime: North Korean hackers, operating under the banner of UNC1069 (also known as BlueNoroff), have abandoned clumsy phishing emails and instead orchestrate browser-based ambushes. Their targets? Cryptocurrency firms and open-source developers, whose digital assets are both lucrative and just a click away.

SEAL’s investigation reveals a sophisticated playbook. Hackers first scout their victims on platforms like Telegram, LinkedIn, and Slack, often hijacking real accounts to weave themselves seamlessly into ongoing conversations. By reading previous messages, they can mimic trusted contacts, making their requests appear routine.

Unlike traditional attacks that rely on urgent download prompts, these actors play the long game. They schedule “business meetings” using tools like Calendly, sometimes weeks in advance. This calculated patience allays suspicion and lowers defenses. When the meeting finally arrives, the victim is asked - casually - to download a tiny script or run a command in their terminal. Unbeknownst to them, this simple action triggers a hidden download from a malicious domain, unleashing malware designed to harvest everything from saved browser passwords to cryptocurrency wallet files.

SEAL reports that once the malware is installed, it can record keystrokes, steal cloud service passwords, and even replace safe browser extensions with malicious clones. The attackers also snatch session tokens for messaging apps like Telegram, allowing them to hijack more accounts and expand their reach. In a recent breach, they used stolen credentials to compromise “axios” - a widely used open-source package - threatening software supply chains worldwide.

The group’s infrastructure is sprawling. SEAL blocked 164 domains - including lookalikes like “micrusoft[.]us” and “teamsync[.]live” - hosted by popular providers, making them difficult to proactively filter. Their tools work across macOS, Windows, and Linux, showing a level of technical proficiency that blurs the line between state-sponsored espionage and high-stakes cybercrime.
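The article names two lookalike domains but not how a defender would catch them. As an added illustration (my own code, not SEAL's tooling or anything from the report), the Python checker below refangs a defanged indicator, extracts the host of a meeting link, and scores it against an allowlist of approved meeting services, flagging near-miss spellings like "micrusoft" and brand words embedded in unapproved hosts like "teamsync". The allowlist, the brand-token list and the sample links are constructed assumptions for this example; the registrable-domain logic is deliberately crude (last two labels) and would need a public-suffix list for domains such as co.uk.

```python
from urllib.parse import urlparse

# Assumption for this example: the meeting services your organisation actually approves.
LEGIT_MEETING_HOSTS = {"zoom.us", "teams.microsoft.com", "meet.google.com", "calendly.com"}

# Assumption: brand words an impostor domain is likely to imitate (tuple keeps order deterministic).
BRAND_TOKENS = ("microsoft", "zoom", "teams", "google", "calendly")


def refang(indicator):
    """Turn defanged notation such as 'micrusoft[.]us' or 'hxxps://' back into a parsable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def host_of(url_or_host):
    """Return the lowercase hostname of a URL or bare hostname ('' if unparsable)."""
    s = refang(url_or_host.strip().lower())
    if "://" not in s:
        s = "http://" + s  # urlparse needs a scheme to populate .hostname
    return urlparse(s).hostname or ""


def registrable(host):
    """Crude registrable domain: last two labels (fine for .us/.live/.com, not for co.uk)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def levenshtein(a, b):
    """Edit distance between two strings, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(url):
    """Classify a meeting link as ('allow' | 'block' | 'review', reason)."""
    host = host_of(url)
    base = registrable(host)
    if host in LEGIT_MEETING_HOSTS or base in LEGIT_MEETING_HOSTS:
        return ("allow", f"'{host}' is an approved meeting host")
    sld = base.split(".")[0]
    # 1) Near-miss on a brand word in the registrable domain, e.g. micrusoft vs microsoft.
    for tok in BRAND_TOKENS:
        d = levenshtein(sld, tok)
        if 0 < d <= 2:
            return ("block", f"'{sld}' is {d} edit(s) away from brand '{tok}'")
    # 2) Brand word embedded anywhere in an unapproved host, e.g. teamsync.live or zoom.us.example.
    for tok in BRAND_TOKENS:
        if tok in host:
            return ("review", f"brand '{tok}' appears in unapproved host '{host}'")
    return ("review", f"'{host}' is not an approved meeting host")


if __name__ == "__main__":
    # Constructed sample links: the two lookalikes quoted in the article plus benign and subdomain cases.
    for link in ("hxxps://micrusoft[.]us/join", "teamsync[.]live",
                 "https://zoom.us/j/123", "https://zoom.us.evil-example.com/"):
        print(link, "->", assess(link))
```

Run it on a list of invite URLs pulled from calendar entries or chat exports; anything that comes back "block" or "review" is worth confirming with the supposed organiser over a channel other than the one the invite arrived on.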

A New Era of Social Engineering

This campaign signals a dangerous shift: browser-based meeting lures are now a frontline threat. No longer content with crude phishing, groups like UNC1069 are blending into the fabric of business operations, exploiting both technology and trust. As open-source software and cryptocurrency become more entwined with daily commerce, the consequences of such breaches grow ever more severe. For now, vigilance, skepticism, and technical safeguards remain the best defense against these digital phantoms lurking in our calendars.

WIKICROOK

  • Social Engineering: Social engineering is the use of deception by hackers to trick people into revealing confidential information or providing unauthorized system access.
  • Session Token: A session token is a unique digital code that keeps users logged in to websites or apps. If stolen, attackers can access accounts without a password.
  • Script File: A script file contains commands to automate tasks or execute programs, often used in system administration or, if misused, for cyberattacks.
  • Supply Chain Attack: A supply chain attack is a cyberattack that compromises trusted software or hardware providers, spreading malware or vulnerabilities to many organizations at once.
  • Browser Extension: A browser extension is a small add-on that enhances browser features but can also be misused by hackers to steal data or spy on users.
Tags: North Korean Hackers, Cybercrime, Cryptocurrency

CRYSTALPROXY, Secure Routing Analyst