
North Korean Hackers Exploit Zoom Feature to Steal Cryptocurrency

North Korean hackers are exploiting a legitimate Zoom feature to deploy infostealer and remote access trojan (RAT) malware on the devices of cryptocurrency investors and traders.


A recently uncovered cyber campaign, dubbed Elusive Comet, reveals that North Korean hackers are exploiting a legitimate Zoom feature to deploy infostealer and remote access trojan (RAT) malware on the devices of cryptocurrency investors and traders.

According to separate advisories from Security Alliance (SEAL) and cybersecurity firm Trail of Bits, the attackers are posing as venture capitalists or media professionals to lure victims into seemingly innocuous Zoom calls. Once in the meeting, they deploy a sophisticated social engineering technique to quietly gain control of the victim’s computer.

A Deceptive Entry Point: Fake Podcast and Investment Invitations

The attack chain typically begins with a phishing outreach. Victims receive messages via email or social media, often disguised as invitations to appear on a podcast or pitch to investors affiliated with a fabricated firm called Aureon Capital.

If the target engages, they are sent a Calendly link to schedule a Zoom meeting. The attackers often delay sending complete meeting details until the last minute to induce urgency and lower suspicion.

Once the victim joins the Zoom call, they are asked to share their screen—a common step during business presentations. During this screen sharing, the attacker sends a request to remotely control the victim’s computer, exploiting Zoom's Remote Control feature.

Zoom Remote Control: A Tool Turned Weapon

The Zoom Remote Control feature allows meeting participants to share control of their screens with others—intended for collaborative tasks, not remote system administration.

In the observed attacks, hackers rename themselves to “Zoom” in the meeting participant list. This makes their request for remote access appear as a legitimate system notification, blending seamlessly with other familiar Zoom prompts.

“One careless click is all it takes,” SEAL warned. “Users who are accustomed to approving Zoom notifications may inadvertently grant full mouse and keyboard control to the attacker.”

Once control is granted, malware is silently installed. SEAL identified multiple types of malware, including data-dumping loaders and full-featured RATs capable of exfiltrating browser session tokens, saved passwords, and cryptocurrency wallet seed phrases.

Millions in Losses and Dozens of Fake Personas

SEAL's investigation has linked this campaign to millions of dollars in financial losses. Nearly 30 fake social media accounts and multiple professional-grade websites have been traced back to the group to give the Aureon Capital identity a veneer of legitimacy.

Trail of Bits encountered the tactic firsthand when two fake X (formerly Twitter) accounts posing as Bloomberg producers attempted to lure their CEO into a Zoom meeting for a supposed "crypto segment." The attackers insisted on Zoom communication, refused to switch to email, and used consumer-grade Zoom links, further indicating foul play.

The Real Risk: Familiarity Breeds Vulnerability

Trail of Bits outlined the four-step process used in these attacks:

  1. The attacker schedules a seemingly legitimate Zoom meeting.

  2. During screen sharing, they request remote control access.

  3. They disguise their identity by renaming themselves to “Zoom.”

  4. Upon approval, they install malware and exfiltrate data.

Critically, Zoom’s remote control dialog lacks clear visual indicators to help users differentiate between legitimate system notifications and third-party requests. According to Trail of Bits, this UI ambiguity is the true danger.

“The interface design creates a false sense of trust,” Trail of Bits said. “Users habituated to clicking ‘Approve’ on Zoom prompts may not realize they’re granting full access to a threat actor.”

Organizational Controls and Mitigation

While Zoom documentation states that the Remote Control feature should be used only under supervised conditions, it is enabled by default in many enterprise accounts. Few organizations take steps to restrict or monitor its use.

Trail of Bits recommends that companies:

  • Disable Zoom Remote Control at the admin level

  • Lock down clipboard-sharing functionality, a method used to move wallet keys

  • Implement technical controls to block Zoom from initiating remote access via OS-level accessibility permissions

“We now consider Zoom’s remote control functionality an unnecessary risk,” the company stated. “By disabling the accessibility layer that supports it, we neutralize the threat without compromising collaboration.”
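The third recommendation above, denying Zoom the macOS Accessibility permission that its remote control depends on, is normally delivered as a PPPC (Privacy Preferences Policy Control) configuration profile through MDM. The script below is an added example, not Trail of Bits' or Zoom's own tooling: it generates such a profile and includes a small audit function that confirms the profile explicitly denies Accessibility. The Zoom bundle ID and the code requirement string are assumptions; replace the placeholder requirement with the output of `codesign -d -r - /Applications/zoom.us.app` on a managed host.

```python
"""Build a macOS PPPC profile that denies the Accessibility service to Zoom.
Added example (not Zoom's or Trail of Bits' code); bundle ID and the code
requirement are assumptions to be verified on a managed host."""
import plistlib
import uuid

ZOOM_BUNDLE_ID = "us.zoom.xos"  # assumed bundle ID of the Zoom desktop client
# PLACEHOLDER: use the designated requirement printed by
#   codesign -d -r - /Applications/zoom.us.app
ZOOM_CODE_REQUIREMENT = 'identifier "us.zoom.xos" and anchor apple generic'


def build_pppc_profile(bundle_id: str, code_req: str, org: str = "example.org") -> dict:
    """Return a profile dict with one TCC rule: Accessibility denied for bundle_id."""
    rule = {
        "Identifier": bundle_id,
        "IdentifierType": "bundleID",
        "CodeRequirement": code_req,
        "Allowed": False,  # explicit deny; an MDM deny cannot be overridden by the user
        "Comment": "Removes the accessibility layer Zoom Remote Control relies on",
    }
    policy = {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadIdentifier": f"{org}.pppc.zoom-deny-accessibility",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Deny Zoom Accessibility",
        "Services": {"Accessibility": [rule]},
    }
    return {
        "PayloadType": "Configuration",
        "PayloadScope": "System",  # PPPC payloads only take effect at system scope via MDM
        "PayloadIdentifier": f"{org}.pppc.zoom",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Zoom remote-control lockdown",
        "PayloadContent": [policy],
    }


def to_mobileconfig(profile: dict) -> bytes:
    """Serialise the profile as an XML plist, the .mobileconfig format MDMs accept."""
    return plistlib.dumps(profile)


def accessibility_denied(mobileconfig: bytes, bundle_id: str) -> bool:
    """Audit helper: True only if some TCC payload explicitly denies Accessibility to bundle_id."""
    for payload in plistlib.loads(mobileconfig).get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.TCC.configuration-profile-policy":
            continue
        for r in payload.get("Services", {}).get("Accessibility", []):
            if r.get("Identifier") == bundle_id and r.get("Allowed") is False:
                return True
    return False


if __name__ == "__main__":
    data = to_mobileconfig(build_pppc_profile(ZOOM_BUNDLE_ID, ZOOM_CODE_REQUIREMENT))
    open("zoom-deny-accessibility.mobileconfig", "wb").write(data)
```

The profile only prevents future grants; an Accessibility permission Zoom already holds is revoked immediately with `tccutil reset Accessibility us.zoom.xos` (bundle ID assumed as above).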

The Bigger Picture: A Shift in Cyberattack Strategies

The Elusive Comet campaign underscores a broader trend: attackers are increasingly targeting human behavior and interface weaknesses rather than exploiting code-based vulnerabilities. This mirrors high-profile attacks such as the $1.5 billion Bybit hack, where operational workflows were manipulated instead of software.

As SEAL and Trail of Bits emphasize, protecting against these attacks requires not only strong technical defenses but also user education and awareness. Organizations must evolve to meet this new era of human-centric cybersecurity threats.