CyberSecurity news

FlagThis - #deepfake

@www.huntress.com //

BlueNoroff Uses Deepfakes to Deploy MacOS Backdoor - BlueNoroff APT group employs indicator removal techniques to evade detection after compromising systems, using deepfake Zoom calls to trick victims into installing malware on their macOS devices.
The North Korea-aligned threat actor known as BlueNoroff, also tracked as TA444, Sapphire Sleet, COPERNICIUM, STARDUST CHOLLIMA, or CageyChameleon, has been observed targeting an employee in the Web3 sector with deceptive tactics. According to research shared by Huntress, these tactics include the use of deepfake Zoom calls featuring synthetic personas of company executives to trick victims into installing malware on their Apple macOS devices. This sophisticated social engineering campaign highlights the evolving techniques employed by threat actors to compromise systems and gain access to sensitive information.

Huntress researchers Alden Schmidt, Stuart Ashenbrenner, and Jonathan Semon provided detailed analysis of a recent BlueNoroff intrusion targeting a cryptocurrency foundation employee. The employee was initially contacted via Telegram and enticed to schedule a meeting through a Calendly link. This link redirected the user to a fake Zoom domain controlled by the attackers. During the deepfake Zoom meeting, the employee was prompted to download a malicious Zoom extension, delivered via Telegram, under the guise of a microphone issue fix. This extension, named "zoom_sdk_support.scpt," initiated the malware installation process.

The AppleScript downloaded a payload from a malicious website, disabling bash history logging and checking for Rosetta 2 installation on the compromised Mac. It then proceeded to create a hidden file and download binaries to the "/tmp/icloud_helper" directory, prompting the user for their system password and wiping the history of executed commands to cover their tracks. This intrusion led to the discovery of eight distinct malicious binaries on the victim host, including Telegram 2, Root Troy V4, and InjectWithDyld. The Field Effect Analysis team has also been investigating similar activity related to BlueNoroff.

Recommended read:
References :
  • Know Your Adversary: Huntress has shared the of analysis of a recent BlueNoroff attack involving a macOS device, a fake Zoom extension and even deepfakes!
  • The Hacker News: BlueNoroff Deepfake Zoom Scam Hits Crypto Employee with macOS Backdoor Malware
  • Blog: Zoom & doom: BlueNoroff call opens the door
  • www.huntress.com: Inside BlueNoroff Web3 Intrusion Analysis
  • www.csoonline.com: North Korea’s BlueNoroff uses AI deepfakes to push Mac malware in fake Zoom calls. In a novel social engineering campaign, North Korea’s BlueNoroff is tricking company executives into downloading fake Zoom extensions that install a custom-built Mac malware suite.
  • Virus Bulletin: New Mocha Manakin Malware Deploys NodeInitRAT via Clickfix Attack
  • securityonline.info: North Korean BlueNoroff Uses Deepfakes in Zoom Scams to Install macOS Malware for Crypto Theft
  • cyberpress.org: The Field Effect Analysis team has uncovered a highly sophisticated cyberattack campaign tied to the North Korea-aligned BlueNoroff advanced persistent threat (APT) group, where actors weaponize the Zoom videoconferencing platform as a vector for delivering infostealer malware.
  • gbhackers.com: The Field Effect Analysis team has uncovered a targeted social engineering campaign orchestrated by the North Korean state-sponsored threat actor BlueNoroff, a financially motivated subgroup of the notorious Lazarus Group.
Nicole Kobie@itpro.com //

FBI Warns of AI-Powered Impersonation Scams - The FBI warns of AI-driven impersonation scams using voice clones to impersonate US government officials, employing smishing and vishing to steal sensitive information.
The FBI has issued a warning regarding a major fraud campaign where cybercriminals are using AI-generated audio deepfakes and text messages to impersonate senior U.S. government officials. This scheme, which has been active since April 2025, targets current and former federal and state officials, along with their contacts, aiming to gain access to their personal accounts. The attackers are employing tactics known as smishing (SMS phishing) and vishing (voice phishing) to establish rapport before attempting to compromise accounts, potentially leading to the theft of sensitive information or funds.

The FBI advises that if individuals receive a message claiming to be from a senior U.S. official, they should not assume it is authentic. The agency suggests verifying the communication through official channels, such as calling back using the official number of the relevant department, rather than the number provided in the suspicious message. Additionally, recipients should be wary of unusual verbal tics or word choices that could indicate a deepfake in operation.

This warning comes amidst a surge in social engineering attacks leveraging AI-based voice cloning. A recent report indicated a 442% increase in the use of AI voice cloning between the first and second halves of 2024. Experts caution that the stolen credentials or information obtained through these schemes could be used to further impersonate officials, spread disinformation, or commit financial fraud, highlighting the increasing sophistication and potential damage of AI-enhanced fraud.

Recommended read:
References :
  • Threats | CyberScoop: FBI warns of fake texts, deepfake calls impersonating senior U.S. officials
  • Talkback Resources: Deepfake voices of senior US officials used in scams: FBI [social]
  • thecyberexpress.com: The Federal Bureau of Investigation (FBI) has released a public service announcement to warn individuals about a growing involving text and voice messaging scams. Since April 2025, malicious actors have been impersonating senior U.S. government officials to target individuals, especially current or former senior federal and state officials, as well as their contacts. The FBI is urging the public to remain vigilant and take steps to protect themselves from these schemes. So let's understand what exactly is happening? The FBI has disclosed a coordinated campaign involving smishing and vishing—two cyber techniques used to deceive people into revealing sensitive information or giving unauthorized access to their personal accounts.
  • www.itpro.com: The FBI says hackers are using AI voice clones to impersonate US government officials
  • The Register - Software: The FBI has warned that fraudsters are impersonating "senior US officials" using deepfakes as part of a major fraud campaign.
  • www.cybersecuritydive.com: Hackers are increasingly using vishing and smishing for state-backed espionage campaigns and major ransomware attacks.
  • Tech Monitor: FBI warns of AI-generated audio deepfakes targeting US officials
  • cyberinsider.com: Senior U.S. Officials Impersonated in AI-Powered Vishing Campaign
  • cyberscoop.com: FBI warns of fake texts, deepfake calls impersonating senior U.S. officials
  • thecyberexpress.com: The Federal Bureau of Investigation (FBI) has released a public service announcement to warn individuals about a growing involving text and voice messaging scams. Since April 2025, malicious actors have been impersonating senior U.S. government officials to target individuals, especially current or former senior federal and state officials, as well as their contacts.
  • BleepingComputer: FBI: US officials targeted in voice deepfake attacks since April
  • securityaffairs.com: US Government officials targeted with texts and AI-generated deepfake voice messages impersonating senior U.S. officials
  • www.techradar.com: The FBI is warning about ongoing smishing and vishing attacks impersonating senior US officials.
  • hackread.com: FBI warns of AI Voice Scams Impersonating US Govt Officials
  • Security Affairs: US Government officials targeted with texts and AI-generated deepfake voice messages impersonating senior U.S. officials Shields up US
  • iHLS: The FBI has flagged a concerning wave of cyber activity involving AI-generated content used to impersonate high-ranking U.S. government officials.
Nicole Kobie@itpro.com //

FBI Warns of Deepfake Scams Targeting US Officials - The FBI warns of increasing scams using AI-generated deepfake voice messages and texts to impersonate senior U.S. government officials, tricking victims into revealing sensitive information.
The FBI has issued a warning about a rise in scams targeting U.S. government officials. Cybercriminals are using AI-generated voice clones and text messages to impersonate senior officials. This campaign, which started in April 2025, aims to trick current and former federal and state officials, as well as their contacts, into divulging sensitive information or granting unauthorized access to accounts. These tactics are referred to as "smishing" (malicious SMS messages) and "vishing" (fraudulent voice calls). The FBI is advising the public that if you receive a message claiming to be from a senior U.S. official, do not assume it is authentic.

The attackers use AI to create realistic voice deepfakes, making it difficult to distinguish between real and fake messages. They also leverage publicly available data to make their messages more convincing, exploiting human trust to infiltrate broader networks. The FBI has found that one method attackers use to gain access is by sending targeted individuals a malicious link under the guise of transitioning to a separate messaging platform. The use of AI-generated audio has increased sharply, as large language models have proliferated and improved their abilities to create lifelike audio.

Once an account is compromised, it can be used in future attacks to target other government officials, their associates, and contacts by using trusted contact information they obtain. Stolen contact information acquired through social engineering schemes could also be used to impersonate contacts to elicit information or funds. The FBI advises that the scammers are using software to generate phone numbers that are not attributed to specific phones, making them more difficult to trace. Individuals should be vigilant and follow standard security advice, such as not trusting unsolicited messages and verifying requests through official channels.

Recommended read:
References :
  • Threats | CyberScoop: Texts or deepfaked audio messages impersonate high-level government officials and were sent to current or former senior federal or state government officials and their contacts, the bureau says.
  • Talkback Resources: FBI warns of deepfake technology being used in a major fraud campaign targeting government officials, advising recipients to verify authenticity through official channels.
  • www.techradar.com: The FBI is warning about ongoing smishing and vishing attacks impersonating senior US officials.
  • securityaffairs.com: US Government officials targeted with texts and AI-generated deepfake voice messages impersonating senior U.S. officials
  • thecyberexpress.com: TheCyberExpress reports FBI Warns of AI Voice Scam
  • www.itpro.com: The FBI says hackers are using AI voice clones to impersonate US government officials
  • BleepingComputer: FBI: US officials targeted in voice deepfake attacks since April
  • The Register - Software: Scammers are deepfaking voices of senior US government officials, warns FBI
  • cyberinsider.com: Senior U.S. Officials Impersonated in AI-Powered Vishing Campaign
  • Tech Monitor: FBI warns of AI-generated audio deepfakes targeting US officials
  • The DefendOps Diaries: The Rising Threat of Voice Deepfake Attacks: Understanding and Mitigating the Risks
  • PCWorld: Fake AI voice scammers are now impersonating government officials
  • hackread.com: FBI Warns of AI Voice Scams Impersonating US Govt Officials
  • iHLS: The FBI has flagged a concerning wave of cyber activity involving AI-generated content used to impersonate high-ranking U.S. government officials.
  • cyberscoop.com: Texts or deepfaked audio messages impersonate high-level government officials and were sent to current or former senior federal or state government officials and their contacts, the bureau says.
  • arstechnica.com: FBI warns of ongoing that uses audio to government officials
  • Popular Science: That weird call or text from a senator is probably an AI scam
@cyberscoop.com //

North Korean Operatives Using AI to Steal Tech Jobs - North Korean operatives are using AI to infiltrate Western companies as IT workers, using AI to cheat on tests and deepfakes to bypass ID checks, posing a significant threat to IT infrastructure and data.
North Korean operatives have infiltrated hundreds of Fortune 500 companies, posing a significant and growing threat to IT infrastructure and sensitive data. Security leaders at Mandiant and Google Cloud have indicated that nearly every major company has either hired or received applications from North Korean nationals working on behalf of the regime. These individuals primarily aim to earn salaries that are then sent back to Pyongyang, contributing to the country's revenue stream. Cybersecurity experts warn that this issue is more pervasive than previously understood, with organizations often unaware of the extent of the infiltration.

Hundreds of Fortune 500 organizations have unknowingly hired these North Korean IT workers, and nearly every CISO interviewed has admitted to hiring at least one, if not several, of these individuals. Google has also detected North Korean technical workers within its talent pipeline, though the company states that none have been hired to date. The risk of North Korean nationals working for large organizations has become so prevalent that security professionals now assume it is happening unless actively detected. Security analysts continue to raise alarms and highlight the expansive ecosystem of tools, infrastructure, and specialized talent North Korea has developed to support this illicit activity.

The FBI and cybersecurity experts are actively working to identify and remove these remote workers. According to Adam Meyers, Head of Country Adversary Operations at CrowdStrike, there have been over 90 incidents in the past 90 days, resulting in millions of dollars flowing to the North Korean regime through high-paying developer jobs. Microsoft is tracking thousands of personas and identities used by these North Korean IT workers, indicating a high-volume operation. Uncovering one North Korean IT worker scam often leads to the discovery of many others, as demonstrated by CrowdStrike's investigation that revealed 30 victim organizations.

Recommended read:
References :
  • blog.knowbe4.com: Hundreds of Fortune 500 companies have hired North Korean operatives.
  • Threats | CyberScoop: North Korean operatives have infiltrated hundreds of Fortune 500 companies
  • PCMag UK security: North Koreans Still Working Hard to Take Your IT Job: 'Any Organization Is a Target'
  • cyberscoop.com: North Korean operatives have infiltrated hundreds of Fortune 500 companies
  • WIRED: For years, North Korea has been secretly placing young IT workers inside Western companies. With AI, their schemes are now more devious—and effective—than ever.
  • gbhackers.com: Hundreds of Fortune 500 Companies Have Unknowingly Employed North Korean IT Operatives
  • www.scworld.com: Widespread Fortune 500 firm infiltration conducted by North Koreans

Posts

Blogs

Research Tools