Executive Summary

Huntabil.IT was engaged on the 22nd of April to assist an organisation in responding to a cybersecurity incident. During this engagement we discovered an ongoing campaign targeting web3 organisations via social engineering to gain initial access and perform initial data theft of targeted applications. Huntabil.IT immediately started investigating the incident, and quickly identified that this is likely a widespread campaign targeting web3/crypto organisations. Since warning other Huntabil.IT ThreatOps customers in the web3 space of the techniques used in this campaign we have identified at least one other customer being targeted within the last 48 hours. As a result we are publishing urgently publishing this hunting note prior so that organisations can take effective action against this threat.

The threat actor, likely directed/sponsored by North Korea, impersonated trusted contact via Telegram and directed the target to book a meeting via Calendly. This resulted in an email that contained a link about ensuring Zoom is up to date, and to run a script to ensure the Zoom SDK is updated. The threat actor was aware that the targeted victim was using macOS and all of their mach-o where compiled to support both ARM (Apple Silicon) and x86 based macs.

The targeted user was direct to a page that tasked them to troubleshoot the Zoom Meeting SDK on their machine.

The threat actor also helpfully provided an Apple Script. Executing either script resulted in the script calling out to command & control servers with details of the machine and all running applications, and it then downloaded additional malware for persistence. The malware then looks for and uploads sensitive data to their command & controls servers. The threat actor appears to be using different scripts to steal the data based on our analysis as we found one for the basic data (browsers, shell history) and a seperate one dedicated to Telegram. The data that we have identified so far as being targeted includes:

• Browser Data (cookies, sessions, bookmarks) for:
  • Chrome
  • Edge
  • Safari
  • Arc
  • Brave
• Apple Keychains
• Apple Notes
• Bash History
• Zsh history
• Telegram data (messages, encryption keys etc)
  Due to the highly modular nature of the data theft tooling, and our ongoing analysis it is likely that other applications would be targeted based on what the installed applications are. Separately the script also drops malware that will sit there for persistence, making calls out to seperate command & control servers.

Based on the sophisticated social engineering, targeting and impersonation of web3 people and organisations, and targeted data theft it does appear to be aligned with known threat actors operating for North Korean interests.

We strongly recommend organisations in the web3 space consider:

• Deploying a EDR for threat prevention and if needed post incident analysis
• Utilise application allow listing to prevent execution of unknown executables.
• If possible consider utilising a locked down iPad or similar for video conferencing with externals as it has a reduced attack surface.
• Ensuring you utilise dedicated hardware for treasury operations.

Huntabil.IT believe this is an information gathering exercise, and if it goes undetected the ongoing access will be utilised to further compromise the target environment, and likely target treasury operations. So far all the targeted users are part of the team that performs treasury operations or would appear to be part of that team. The data gathered from telegram chats would also be highly valuable intelligence to the threat actor, enabling to better impersonate trusted contacts through a deep understanding of the chat histories.

Background

The targeted organisation is a web3 startup that communicates extensively via Telegram. This campaign aligns with a similar Zoom-based attack described in the Coinfomania report, where an attacker stole US$100 K via a very similar fake Zoom-update lure. The threat actor is very familiar with macOS and utilising a combination of custom malware and native capabilities to find, copy and then exfiltrate data as well as maintaining persistence.

Incident Details

Initial Access

On 21 April 2025, the victim received a Telegram message from an actor impersonating a staff member at Gumi Cryptos, a web3 venture capital firm. The message contained convincing context and directed the victim to schedule a call via Calendly. The threat actor was able to share intimate knowledge of the target victim and communications with other trusted contacts to build legitimacy. Shortly after, the victim received an email confirming the booking, which instructed them to update the Zoom SDK by running an AppleScript file (zoom_sdk_support.scpt) downloaded from a typosquatted domain: support.us05web-zoom[.]pro. Under pressure and believing the request genuine, the user executed the script.

Execution & Persistence

The first-stage AppleScript launched the genuine Zoom SDK support page as a cover. If inspected the script looked like a genuine troubleshooting script with it calling out to do some network connectivity checks and then calling out to fetch a second-stage script from hxxps://support.us05web-zoom[.]pro/update/<random numbers> under the pretence that it was a fix. Running from /var/private/tmp, this script dropped a Mach-O binary named a into ~/Library/DnsService, attempting to masquerading as a legitimate DNS service. Inside a was an embedded, base64-encoded trojan called netchk, which was decrypted and dropped by a when it was executed with the destination file name and decryption key as parameters. It appears to be using PBKDF2 to derive the key. When executed, netchk performed system discovery and then download 2 scripts via curl -k bypassing certificate validation for an invalid cert, and it included custom authentication headers. The two bash scripts—upl and tlgrm—from hxxps://dataupload[.]store/. Once made executable, upl collected browser cookies, sessions, bookmarks across Chrome, Edge, Safari, Arc, and Brave; Apple Keychains; Apple Notes; and Bash and Zsh histories. It zipped the data in /private/tmp and exfiltrated it. Meanwhile, tlgrm harvested Telegram messages and encryption keys, compressed them, and sent them to the same C2 domain. Both scripts made heavy use of thefind and ditto commands to find and then copy the data of interest. The script was also careful to ensure it iterated over every browser profile present on the system.

The script then unpacked a zip archive called user_migaration.zip (sic) containing another Mach-O binary named installer. This binary deployed two persistence agents: CoreKitAgent at ~/Library/CoreKit/CoreKitAgent and a fake macho file called GoogIe LLC, that most terminals render as “Google LLC”, placing it under ~/Library/Application Support/Google LLC/. The installer also attempted modified ~/Library/LaunchAgents/com.google.update.plist to auto-start on login.

Finally, CoreKitAgent ran an AppleScript called .ses from it’s own directory, that collected system information—installed applications and proxy configurations—and sent it via HTTPS to hxxps://safeup[.]store/test and hxxps://writeup[.]live/test.

Throughout the chain of event the threat actor was careful to impersonate trusted services, or look very similar to known services that one would expect to see. They also deleted any unnecessary files, and used encryption in some of their malware to make analysis more difficult. It was a highly targeted incident, with some of the infrastructure used in the incident appearing only 24 hours before the incident occurred. Based on our initial analysis of differing coding patterns, obfuscation and encryption within the mach-o files it is likely that there is a larger team, or multiple teams involved in the attack rather than a single individual. The contents and obfuscation used in the 2 sets of malware was quite significant, making it less likely that a single person, or even team created both sets.

The whole data exfiltration was also very rapid from initial execution to final upload, the attack was completed in under 10 minutes.

Detection & Response

Detections

We would recommend detecting and preventing the download of any mac script files in the ~/Downloadsdirectory, additionally osascript spawning curl is a strong indication.

title: Detect osascript Spawning curl
id: 7b3f5e22-1a9d-4a5e-9c6a-0f2d8f4a1c2e
status: experimental
description: |
  AppleScript (`osascript`) is sometimes abused by attackers to execute arbitrary shell commands.
  This rule flags any instance of osascript creating a curl process, which can indicate
  suspicious data exfiltration or malware stage-loading.
author: Raymond Schippers (@HuntabilIT)
references:
  - https://github.com/SigmaHQ/sigma
  - https://attack.mitre.org/techniques/T1059/001/    # AppleScript
tags:
  - attack.execution
  - attack.t1059.001
  - macos
  - process_creation

logsource:
  product: macos
  category: process_creation

detection:
  selection:
    process.parent.executable|endswith: 
      - '/usr/bin/osascript'
      - '/bin/osascript'
    process.executable|endswith: 
      - '/usr/bin/curl'
      - '/bin/curl'
      - 
  condition: selection

falsepositives:
  - Legitimate AppleScript workflows that invoke curl for automation
  - CI/CD scripts on Mac build agents

level: high

Additionally detecting the use of ditto at large volumes (>5 per second) would have triggered on this. Finally processes accessing Apple Keychains, Browser Directories should be a critical alert.

Response Actions

It is important to react quickly, especially as session cookies have been taken.

• Immediate containment:
  • Revoke all active sessions for the user,
    • focus on treasury operations, internal communication platforms (Slack), and code repositories.
  • Isolate and network contain the impacted device
• Eradication & recovery:
  • Reset passwords
  • Verify no new devices have been connected to Telegram or Apple Accounts
  • Wipe and rebuild the machine

Recommendations & Mitigations

• Short-term controls:
  • Have an outbound of band process to verify trusted contacts
  • Consider using PGP to be able to verify points of contacts
  • Deploy an EDR like SentinelOne
• Long-term improvements:
  • Implement anomaly detection
  • Endpoint hardening
  • Application Allow listing

Indicators of Compromise (IOCs)

MITRE ATT&CK Techniques & Attack Flow

About Huntabil.IT
Huntabil.IT is a cyber security consulting organisation focused on threat intelligence-led security solutions. We help organisations understand their adversaries and proactively defend against emerging threats.