North Korean-linked fake Zoom/Teams calls install wallet‑stealing malware
Security Alliance (SEAL) and MetaMask researcher Taylor Monahan report a widespread wave of social-engineering attacks, attributed to North Korean-linked groups, that use staged Zoom and Microsoft Teams calls to deliver Remote Access Trojans (RATs) and other malware. Attackers contact targets on Telegram from compromised or otherwise familiar accounts, schedule a meeting (often via Calendly), and join the call with pre-recorded or stolen video footage so that the victim believes they are speaking with a known contact. During the call the victim is told that an "audio patch" or SDK update is needed; the file they are handed is the malware. Once it runs, the attackers have remote access to the device and can exfiltrate passwords, Telegram sessions, documents and wallet private keys.

Variations of the campaign, including fake job applications and staged interviews, have been linked to more than $300 million in crypto losses, and attempts are made multiple times a day across the sector. SEAL and Monahan warn that each stolen Telegram account is reused against that victim's own contact list, so the campaign spreads along existing trust relationships and every compromise seeds the next.

Recommended trader defenses: treat unexpected meeting links and urgent patch requests as high risk; never execute a file received during a call (the legitimate Zoom and Teams clients update through their own built-in updater, not through files shared by a meeting participant); use strong, unique passwords and 2FA; move funds to clean wallets from a device that was never exposed; and, if compromise is suspected, disconnect the affected machine from the network (Wi-Fi and wired) and power it down to interrupt exfiltration, accepting that this discards volatile in-memory evidence. The advisory frames these human-centric video-call malware attacks as a top operational risk for crypto firms and individuals, because a compromised endpoint or leaked private key can produce a rapid wallet drain and significant financial loss.
Bearish
Direct impact on crypto market sentiment and trader behaviour is negative. The campaign targets private keys and endpoints, enabling rapid wallet drains that create immediate sell pressure when stolen funds are liquidated and that undermine confidence in both custodial and self-custody practices. In the short term, news of widespread successful attacks may trigger risk-off behaviour: higher transfers to exchanges for perceived safety, reduced on-chain activity, and potential price drops for affected tokens if large wallets are drained and the proceeds moved to exchanges. Over the medium to long term, persistent human-centric attack techniques raise operational costs for projects and trading firms (additional security controls, audits, insurance) and could slow retail participation, which is a structural negative. The story does not change blockchain fundamentals or tokenomics directly, so the long-term price impact on major, well-secured assets may be limited; however, smaller projects and teams with weaker OPSEC face outsized risk, and tokens whose value depends on those teams could suffer materially. Overall, the market effect is bearish due to elevated theft risk, increased uncertainty, and potential liquidity shocks from stolen funds.