Overview
In a chilling escalation of cyber warfare, North Korean hackers have launched a global espionage campaign leveraging fake Zoom plugins. These deceptive plugins are being used to infiltrate defense contractors, government entities, and critical infrastructure organizations worldwide. Security researchers have traced this campaign back to APT37, also known as Reaper or ScarCruft, a notorious North Korean state-sponsored threat group.
Key Facts
- Threat Actor: APT37 (North Korean state-sponsored group)
- Attack Vector: Malicious Zoom plugin mimicking legitimate video conferencing software
- Targeted Sectors: Government, defense, telecom, and critical infrastructure
- Malware Used: Known payloads like ROKRAT and Dolphin
- Motivation: Espionage and intelligence gathering
- Discovery: Identified by multiple security research teams in early June 2025
- Geographic Scope: Victims reported across the US, South Korea, and parts of Europe
What’s Verified and What’s Still Unclear
Confirmed:
- The fake Zoom plugin delivers malware once installed.
- APT37 is using phishing emails to distribute the plugin.
- Targeted victims include defense contractors and telecom operators.
- The malware captures screen recordings, keystrokes, and system information.
Unclear:
- The total number of compromised organizations.
- Whether the campaign is still active or paused.
- Whether Zoom’s infrastructure was compromised or merely spoofed.
Timeline of Events
- May 2025: Initial phishing attempts using Zoom-themed lures detected.
- June 3, 2025: First technical analysis published by a private cybersecurity firm.
- June 8, 2025: US and South Korean governments issue joint advisory.
- June 15, 2025: Additional payloads and IOCs (Indicators of Compromise) released.
- June 20, 2025: The campaign is publicly attributed to North Korea’s APT37.
Who’s Behind It?
The cyber espionage operation is attributed to APT37, a threat group linked to the North Korean regime. Known for cyber attacks aligned with Pyongyang’s geopolitical interests, the group has previously targeted South Korean ministries, journalists, and think tanks.
APT37 operates under North Korea’s Ministry of State Security and has a history of exploiting zero-days, using spear-phishing, and developing malware customized to its targets. The group’s operations are typically stealthy, relying on social engineering tactics that are difficult to detect in their early stages.
Public & Industry Response
- Zoom has confirmed that its core platform is secure and not compromised.
- US-CERT, CISA, and KISA have issued detailed mitigation steps.
- Cybersecurity vendors have updated threat detection rules to flag the malicious plugin.
- Public institutions are conducting urgent internal audits and vulnerability scans.
- Threat intel communities are collaborating to map and share new IOCs.
What Makes This Attack Unique?
Unlike conventional malware campaigns, this attack cleverly disguises itself within a widely trusted platform—Zoom, which gained massive global traction during the pandemic. Users are more likely to install updates or plugins for Zoom, making them vulnerable to social engineering.
Furthermore, the malware is modular and stealthy, capable of evading many endpoint detection solutions by mimicking legitimate processes. This is a strategic shift in North Korean hackers’ TTPs (Tactics, Techniques, and Procedures), focusing on digital trust exploitation.
Understanding the Basics
What is a Fake Zoom Plugin Attack?
A fake Zoom plugin attack involves social engineering where a victim is tricked into downloading a plugin that appears legitimate but is laced with malware. Once installed, the malware exfiltrates sensitive data or establishes persistent remote access.
How It Works
- Victim receives an email with a fake Zoom update link.
- Clicking it downloads a plugin from a spoofed Zoom domain.
- Installation triggers malware deployment.
- Malware records system activities and sends data back to a C2 (Command and Control) server.
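The chain above hinges on step 2: the plugin is fetched from a spoofed, Zoom-themed domain rather than from Zoom itself. As an added illustration (not code from the original article or from any advisory it cites), the following Python script scans constructed proxy-log lines for installer downloads from Zoom-branded hostnames that are not under an assumed allowlist of official Zoom domains. The allowlist, the log format and every URL in the sample are assumptions made up for the example, not real indicators.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of legitimate Zoom download hosts (adjust to your environment).
OFFICIAL_ZOOM_SUFFIXES = ("zoom.us", "zoom.com")

# Rough "Zoom-themed" hostname test: the brand name appears somewhere in the host.
ZOOM_THEMED = re.compile(r"zoom", re.IGNORECASE)

# File extensions a "plugin" or "update" download would typically carry.
INSTALLER_EXT = re.compile(r"\.(exe|msi|pkg|dmg|zip)$", re.IGNORECASE)

def is_official_zoom_host(host: str) -> bool:
    """True only if the host is exactly an allowlisted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in OFFICIAL_ZOOM_SUFFIXES)

def classify_url(url: str) -> str:
    """Return 'official', 'suspicious' or 'unrelated' for a downloaded URL."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if is_official_zoom_host(host):
        return "official"
    # Brand name in a non-allowlisted host plus an installer extension: flag it.
    if ZOOM_THEMED.search(host) and INSTALLER_EXT.search(parsed.path):
        return "suspicious"
    return "unrelated"

def scan_proxy_log(lines):
    """Parse assumed 'timestamp client url' lines; return suspicious hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip rather than crash
        ts, client, url = parts[0], parts[1], parts[2]
        if classify_url(url) == "suspicious":
            hits.append((ts, client, url))
    return hits

# Constructed sample proxy log lines (not real indicators of compromise).
SAMPLE_LOG = [
    "2025-06-05T09:12:01Z 10.0.0.15 https://zoom.us/client/latest/ZoomInstallerFull.exe",
    "2025-06-05T09:14:33Z 10.0.0.22 https://zoom-plugin-update.example/ZoomPlugin.msi",
    "2025-06-05T09:15:10Z 10.0.0.22 https://www.zoom.us.example/download/ZoomUpdate.exe",
    "2025-06-05T09:16:45Z 10.0.0.31 https://example.org/docs/report.pdf",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("suspicious Zoom-themed download:", *hit)
```

The third sample line shows why suffix matching matters: `www.zoom.us.example` contains the real domain as a prefix but is not a subdomain of it, so it is flagged.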
What Happens Next?
Experts anticipate that this campaign may evolve into:
- More sophisticated variants that spoof other platforms like Teams or Google Meet.
- Wider phishing distribution across different sectors.
- Increased geopolitical tension, particularly in East Asia and the West.
Cybersecurity agencies urge organizations to:
- Conduct employee awareness training.
- Verify that all software updates come from official sources only.
- Enable multi-factor authentication (MFA).
- Monitor for unusual outbound traffic and endpoint behavior.
Summary
The North Korean hackers’ deployment of fake Zoom plugins represents a potent example of modern cyber espionage. With rising tensions and increasing reliance on digital communication tools, these kinds of state-sponsored threats are becoming more frequent and dangerous.
Organizations must remain vigilant, invest in proactive threat detection, and foster a cybersecurity-first culture to counter such sophisticated threats.