Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign
A cryptocurrency foundation employee was targeted via deepfake Zoom calls to install malware, highlighting the increasing sophistication of North Korean-linked cyberattacks.
- Incident date: May 2026
- Target: unnamed cryptocurrency foundation employee
In May 2026, an employee at an unnamed cryptocurrency foundation was targeted in a sophisticated cyberattack leveraging AI deepfakes. The attack, attributed to BlueNoroff, a threat actor linked to North Korea, involved deceptive Zoom calls designed to trick the employee into installing malware on their macOS device.
What happened
The employee received a message on Telegram from an external contact requesting a meeting. The attacker sent a Calendly link redirecting to a fake Zoom domain. The employee later joined a group Zoom meeting that included deepfakes of senior leadership, along with other external contacts. When the employee reported microphone issues, the synthetic personas urged them to download and install a malicious Zoom extension, shared via Telegram. This extension led to the installation of a Python-based backdoor and other malware, ultimately compromising the employee's system.