How Fake Zoom and Teams Calls Are Tricking Crypto Devs into Downloading Malware

A sophisticated malware campaign built around fake Zoom and Microsoft Teams calls is actively targeting cryptocurrency professionals and Web3 developers by hijacking trusted conversations. Attributed to the UNC1069 threat group, the attackers bypass traditional security filters by tricking victims into manually executing malicious terminal commands during fabricated video calls.

The Security Alliance (SEAL) recently identified and blocked 164 malicious domains tied to this Democratic People's Republic of Korea (DPRK) operation. Using MetaMask's eth-phishing-detect system, researchers tracked the campaign between February 6 and April 7, 2026. While initially focused on crypto investors, the attackers are now expanding their reach to open-source communities; the campaign has recently been linked to a supply chain attack involving the npm package axios.

The Anatomy of the Fake Meeting Attack

Unlike standard phishing attempts, UNC1069 relies on extreme patience and established trust. The attackers compromise legitimate accounts on platforms like Telegram, LinkedIn, or Slack, and seamlessly resume existing chat histories. Once the target feels comfortable, the hacker schedules a meeting days in advance using legitimate tools like Calendly to establish a false sense of normalcy.

At the scheduled time, the victim receives a link to a lookalike domain that perfectly mimics a real Zoom or Microsoft Teams interface directly in the browser. The attackers even broadcast pre-recorded video feeds of familiar individuals pulled from public conferences or podcasts. The trap springs when the victim realizes they cannot hear any audio.

Under the guise of real-time IT troubleshooting, the attacker messages the victim with instructions to fix the fake audio issue. Instead of a traditional executable file, the victim is instructed to download a small AppleScript (.scpt) file or paste a specific command directly into their terminal. Because the user executes the command themselves, the standard security warnings shown for downloaded executables never appear, and the command silently retrieves the actual malware from a command-and-control (C2) server.

Post-Exploitation and Stolen Data

Once the system is infected, the malware assigns a unique identifier to the machine and establishes persistence, pinging the C2 server every 60 seconds. The attackers then deploy modular tools tailored to the specific value of the compromised target. While the malware supports Windows and Linux, macOS remains the primary target due to its heavy usage within the Web3 development community.

The post-exploitation capabilities are devastating for digital asset holders. Observed extractions include:

  • Theft of credentials from browsers and crypto wallets, along with API keys.
  • Keylogging and session token harvesting, specifically targeting Telegram.
  • Extraction of sensitive data from password managers like Keychain and Bitwarden.
  • Replacement of legitimate browser extensions with malicious variants.
  • Theft of SSH keys and cloud infrastructure credentials.

How to Protect Your System

Because this attack relies on social engineering rather than software exploits, human verification is your strongest defense. Security experts recommend implementing strict protocols for any external communications.

  • Verify Meeting URLs: Always check the domain name in your browser address bar before joining a Zoom or Microsoft Teams call, ensuring it is the official platform link.
  • Never Run Unverified Commands: Treat any request to open the terminal or execute an AppleScript (.scpt) file during a meeting as a severe security threat.
  • Use Endpoint Protection: Deploy advanced endpoint detection tools that monitor for unusual terminal activity or unauthorized command-and-control communications.
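As an added illustration of the monitoring the last bullet calls for (example code written for this article, not from SEAL or the reporting sources), the script below parses a constructed outbound-connection log and flags destinations contacted at a near-constant 60-second interval, the beacon cadence described above. The log format, hostnames, and the 198.51.100.23 address are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection log for the example (not from the article);
# 198.51.100.23 is a documentation-range placeholder standing in for a C2 host.
SAMPLE_LOG = """\
2026-03-10T09:00:00Z host=dev-mac dst=198.51.100.23:443
2026-03-10T09:00:12Z host=dev-mac dst=zoom.us:443
2026-03-10T09:01:00Z host=dev-mac dst=198.51.100.23:443
2026-03-10T09:01:45Z host=dev-mac dst=github.com:443
2026-03-10T09:02:01Z host=dev-mac dst=198.51.100.23:443
2026-03-10T09:03:00Z host=dev-mac dst=198.51.100.23:443
2026-03-10T09:03:30Z host=dev-mac dst=github.com:443
2026-03-10T09:04:00Z host=dev-mac dst=198.51.100.23:443
2026-03-10T09:05:00Z host=dev-mac dst=198.51.100.23:443
2026-03-10T09:07:10Z host=dev-mac dst=github.com:443
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+)")

def parse_log(text):
    """Group connection timestamps by (source host, destination)."""
    conns = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            conns[(m["host"], m["dst"])].append(ts)
    return conns

def find_beacons(conns, period=60.0, tolerance=0.2, min_hits=5):
    """Report destinations seen >= min_hits times whose mean gap is within
    tolerance*period of `period` and whose gaps barely vary (low jitter)."""
    hits = []
    for (host, dst), times in conns.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")  # relative std dev
        if abs(avg - period) <= tolerance * period and jitter <= tolerance:
            hits.append({"host": host, "dst": dst, "count": len(times),
                         "mean_gap": round(avg, 1), "jitter": round(jitter, 3)})
    return hits

if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print("possible beacon:", hit)
```

Legitimate services contacted irregularly (zoom.us, github.com in the sample) are not flagged, while the placeholder host polled every minute is; on real data, loosen `tolerance` if the implant adds jitter to its sleep interval.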

My Take: The Evolution of Social Engineering

The UNC1069 campaign represents a terrifying evolution in social engineering, proving that human trust is still the most vulnerable attack vector. By hijacking existing Slack and Telegram threads, these DPRK-linked hackers bypass the initial skepticism that usually accompanies cold-outreach phishing. The fact that they are willing to wait weeks for a scheduled Calendly meeting shows a level of operational patience typically reserved for high-level espionage.

Furthermore, the pivot toward open-source maintainers, evidenced by the npm package axios compromise, signals a dangerous shift in strategy. If attackers can compromise a single developer with commit access to widely used repositories, the blast radius extends far beyond a single stolen crypto wallet. Organizations must move beyond basic phishing simulations and train their teams to recognize the subtle red flags of real-time, interactive deception.

Sources: gbhackers.com