North Korean cryptocurrency thieves are quietly repurposing a little‑known Zoom Remote Control collaboration feature to plant infostealer malware on the workstations of cryptocurrency traders and venture investors.
According to separate advisories from the non‑profit Security Alliance (SEAL) and cybersecurity research firm Trail of Bits, Pyongyang hackers posing as VC investors have been caught sending phishing lures with Calendly links to Zoom meetings.
The campaign, tracked by SEAL as Elusive Comet, begins with a standard press‑relations pitch or a direct message inviting the target to appear on a podcast run by Aureon Capital.
If the victim takes the podcast appearance bait, the hackers schedule a call over Zoom to learn more about the potential victim’s work, sometimes withholding meeting details until the very last minute in order to induce additional urgency.
“Once the potential victim has joined the call, they are prompted to share their screen to present their work. At this point, [the hackers] will use Zoom to request control over the potential victim’s computer. If the potential victim is not paying close attention, they may accidentally grant remote access, which allows Elusive Comet to install their malware to the victim’s device,” according to the SEAL alert.
The alliance said the malware is capable of acting as an infostealer that immediately exfiltrates relevant secrets, or a RAT (remote access trojan) that allows for exfiltration at a later time.
The Zoom Remote Control feature allows one computer user to take control of another participant’s screen in a meeting when they’ve given explicit permission.
In the observed attacks, the hackers change their display name to “Zoom”, so the permission dialog that asks the victim to approve remote control from another participant reads like an innocuous system pop‑up rather than a request from a stranger on the call.
One hasty click gives the intruder full mouse‑and‑keyboard access, after which a malware installer (SEAL has spotted both data‑dumping loaders and full remote‑access Trojans) lands and begins trawling browser sessions, password managers and seed phrases.
SEAL’s incident log attributes “millions of dollars” in losses to the operation and lists nearly thirty sock‑puppet social‑media accounts and a handful of slick corporate websites used to give the fake Aureon Capital an air of legitimacy.
Cybersecurity consulting firm Trail of Bits said it encountered the ruse first-hand when two X social media profiles posing as Bloomberg producers tried to book the company’s chief executive for a “Crypto” segment.
Trail of Bits said the threat actor refused to switch to email, pushed late‑breaking meeting links and supplied Zoom URLs that, on inspection, belonged to consumer‑grade accounts rather than Bloomberg’s enterprise tenant.
In a blog post documenting the case, Trail of Bits said a successful exploit hinges on Zoom’s reliance on macOS “accessibility” permissions and on a “simple yet effective social engineering” ploy that unfolds in four steps:
The attacker schedules a seemingly legitimate business call.
During screen sharing, they request remote control access.
They change their display name to “Zoom” to make the request appear as a system notification.
If granted access, they can install malware, exfiltrate data, or conduct
Zoom’s documentation makes clear that Remote Control was never meant for unsupervised administration; it is an “in‑meeting” convenience that account administrators can disable at the account or group level and that users can switch off in their own settings. Administrators can also lock the setting and remove the clipboard‑sharing option that attackers exploit to shuttle private keys between machines.
However, in practice, the toggle remains on by default for many corporate tenants, and the permission dialog offers no visual cue that the request is anything other than a routine Zoom process.
Trail of Bits argues this interface ambiguity is the exploit’s real power: security‑savvy professionals who would balk at a traditional remote‑desktop prompt seldom recognize the risk in a familiar collaboration tool.
“What makes this attack particularly dangerous is the permission dialog’s similarity to other harmless Zoom notifications. Users habituated to clicking ‘Approve’ on Zoom prompts may grant complete control of their computer without realizing the implications,” Trail of Bits warned.
The company said the observed methodology mirrors the techniques behind the recent $1.5 billion Bybit hack in February, where attackers manipulated legitimate workflows rather than exploiting code vulnerabilities.
“This reinforces our perspective that the blockchain industry has entered the era of operational security failures, where human-centric attacks now pose greater risks than technical vulnerabilities,” the company added.
Trail of Bits said its security team has marked the Zoom remote control feature as “an unnecessary risk” and deployed technical controls to prevent it from functioning on its computer systems.
“By specifically targeting the accessibility permissions that enable remote control, we close the attack vector that Elusive Comet exploits without disrupting legitimate videoconferencing functionality,” Trail of Bits said.
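The following script is an added example of the kind of endpoint control described above; it is not Trail of Bits’ tooling or Zoom’s code. It revokes Zoom’s macOS Accessibility grant, the permission the client needs before in‑meeting Remote Control can drive the mouse and keyboard, so that a victim who clicks “Approve” during a call still hands over nothing. It assumes Zoom’s bundle identifier is `us.zoom.xos`, that Accessibility grants are recorded in the system TCC database at `/Library/Application Support/com.apple.TCC/TCC.db` with `auth_value` 2 meaning “allowed”, and that `tccutil reset` is available; the decision logic is kept in a pure function so it can be exercised on any system, while the parts that touch macOS only run when `--enforce` is passed.

```shell
#!/bin/sh
# Added example (not Trail of Bits' or Zoom's code): strip Zoom's macOS
# Accessibility grant so Remote Control cannot take over the machine.
# Assumptions: Zoom's bundle id is us.zoom.xos; Accessibility grants live
# in the system TCC database; auth_value 2 means "allowed".

ZOOM_BUNDLE_ID="us.zoom.xos"
TCC_DB="/Library/Application Support/com.apple.TCC/TCC.db"

# Decide from TCC rows ("client|auth_value", one per line) whether Zoom
# currently holds an Accessibility grant. Pure shell/awk, no macOS calls,
# so it can be tested anywhere. Prints "granted" or "not-granted".
zoom_accessibility_state() {
    printf '%s\n' "$1" | awk -F'|' -v id="$ZOOM_BUNDLE_ID" '
        $1 == id && $2 == 2 { found = 1 }
        END { print (found ? "granted" : "not-granted") }'
}

# Read the live Accessibility rows. Needs root and a shell that itself has
# Full Disk Access, otherwise the database cannot be opened.
read_accessibility_rows() {
    sqlite3 "$TCC_DB" \
        "SELECT client, auth_value FROM access WHERE service = 'kTCCServiceAccessibility';"
}

# Revoke the grant with Apple's tccutil. Zoom must then ask again, and a
# user who never re-approves cannot be talked into handing over control.
revoke_zoom_accessibility() {
    tccutil reset Accessibility "$ZOOM_BUNDLE_ID"
}

# Enforcement entry point, intended to run on a schedule from a root
# LaunchDaemon so a grant that slips through a meeting is short-lived.
enforce() {
    rows=$(read_accessibility_rows) || {
        echo "cannot read $TCC_DB (root and Full Disk Access required)" >&2
        return 2
    }
    case "$(zoom_accessibility_state "$rows")" in
        granted)
            echo "Zoom holds an Accessibility grant; revoking"
            revoke_zoom_accessibility
            ;;
        *)
            echo "Zoom has no Accessibility grant; nothing to do"
            ;;
    esac
}

# Only touch the system when explicitly asked, so sourcing the file for
# its functions (or running it elsewhere) is harmless.
if [ "${1:-}" = "--enforce" ]; then
    enforce
fi
```

Run it as `sudo sh revoke_zoom_accessibility.sh --enforce`, or wrap that invocation in a LaunchDaemon with a `StartInterval`. On a fleet managed by MDM, the same effect is usually achieved declaratively with a Privacy Preferences Policy Control profile that denies Accessibility to Zoom’s code signature; the script is the fallback for machines that are not enrolled.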
Related: FBI Says North Korea Hacked Bybit as Details of $1.5B Heist Emerge
Related: $1.5 Billion Bybit Heist Linked to North Korean Hackers
Related: Bybit Hack Drains $1.5 Billion From Cryptocurrency Exchange
Related: Lazarus Uses ClickFix Tactics in Fake Cryptocurrency Job Attacks