Cybercriminals Use Fake Zoom, Teams Calls to Deliver Malware

Hackers are increasinglyusing fake Zoom and Microsoft Teams meetings to trick victims into infecting their own systems with malware.

SEAL says it has blocked 164 malicious domains tied to this operation using MetaMask’s eth-phishing-detect system.

The campaign primarily targets cryptocurrency professionals, Web3 developers, and investors, but its tactics are now expanding toward open-source communities.

Unlike typical phishing attacks, UNC1069 relies on patience and trust. Attackers often gain access to legitimate accounts on platforms like Telegram, LinkedIn, or Slack, then resume real conversations with targets using existing chat history. This makes the outreach appear authentic and highly convincing.

From February 6th, 2026, to April 7th, 2026, the Security Alliance (SEAL) has tracked and implemented a wallet-level block via eth-phishing-detect for 164 domains associated with the Democratic People’s Republic of Korea (DPRK) threat actor group.

Once contact is established, the attacker suggests scheduling a meeting, often using legitimate tools like Calendly. These meetings are intentionally set days or weeks in advance to reduce suspicion and create a sense of normalcy.

Slack workspaces (Source : Security Alliance).
Slack workspaces (Source : Security Alliance).

If compromised accounts are not available, attackers impersonate credible companies or create fake professional environments. They may even build staged Slack workspaces or LinkedIn personas to support their story.

Fake Meetings, Real Deception

At the scheduled time, victims receive a link to what appears to be a Zoom or Microsoft Teams meeting. However, the link points to a lookalike domain controlled by the attackers.

The meeting interface runs entirely in the browser and closely mimics real Zoom or Teams sessions using legitimate SDKs.

On-Call Execution (Source : Security Alliance).
On-Call Execution (Source : Security Alliance).

Victims may even see video feeds of familiar individuals, often taken from public recordings like conference talks or podcasts.

The trick comes when the victim cannot hear the audio. The interface prompts them to fix the issue, while the attacker simultaneously messages them with instructions, such as updating software or running a command.

This real-time interaction is key. The attacker reassures the victim, answers questions, and removes doubt, making the process feel like normal troubleshooting rather than an attack.

Instead of traditional malware downloads, victims are asked to either download a small AppleScript (.scpt) file or paste a command into their terminal.

The visible code appears harmless, but it contains a hidden instruction that retrieves the actual malware from attacker-controlled servers.

This approach avoids triggering common security warnings since no obvious executable is installed initially.

Once executed, the malware assigns a unique ID to the victim’s system, establishes persistence, and begins communicating with command-and-control (C2) servers roughly every 60 seconds.

Powerful Post-Exploitation

After gaining access, attackers can deploy a range of modular tools depending on the target’s value. Observed capabilities include:

  • Credential theft from browsers, crypto wallets, and API keys.
  • Keylogging and session token harvesting, especially for Telegram.
  • Extraction of password manager data, like Keychain or Bitwarden.
  • Replacement of browser extensions with malicious versions.
  • Theft of SSH keys, cloud credentials, and sensitive files.

The malware supports macOS, Windows, and Linux, though macOS remains the primary target due to its popularity in crypto environments.

UNC1069 operators often delay active exploitation after initial infection. Victims may believe the meeting simply failed and continue normal activity, unaware their system is compromised.

The group’s recent link to a supply chain attack involving the npm package “axios” highlights a broader shift toward higher-impact targets, including software maintainers.

Meanwhile, attackers use stolen credentials and sessions to move laterally, targeting the victim’s contacts and expanding the attack through trusted networks.

Security experts warn that verifying meeting links, avoiding terminal commands from untrusted sources, and using endpoint protection tools are critical defenses against this evolving threat.

Related Articles

Back to top button