A new wave of cyberattacks linked to North Korean hackers is turning a seemingly harmless Zoom feature into a powerful tool for stealing cryptocurrency. According to fresh reports from cybersecurity experts at Trail of Bits and the Security Alliance (SEAL), hackers aligned with Pyongyang are abusing Zoom’s “Remote Control” function to install malware on the devices of unsuspecting crypto traders and venture capitalists.
These attackers have crafted an elaborate ruse. Posing as venture capitalists from a fake firm named Aureon Capital, they lure targets with press inquiries or podcast invites. A Calendly link is often the first step, leading victims into what appears to be a legitimate Zoom call. But the real goal is far more malicious.
Once on the call, the attackers ask the target to share their screen to discuss a potential collaboration or investment. During the meeting, they subtly request remote control of the victim’s computer—exploiting Zoom’s built-in functionality. In a clever trick, they change their display name to “Zoom,” making the remote access pop-up look like a standard system notification. One careless click is all it takes.
That click hands them full keyboard and mouse control.
From there, malware is quickly deployed. SEAL reports that this software acts either as an infostealer—immediately siphoning sensitive data—or as a full remote access trojan (RAT), allowing attackers to monitor and extract information later. In many cases, they target browser sessions, password managers, and cryptocurrency seed phrases, making off with wallets and private data. SEAL’s records show millions of dollars in thefts linked to this campaign, which they’ve named “Elusive Comet.”
What makes this attack particularly insidious is how it blends into familiar workflows. According to Trail of Bits, even experienced users let their guard down when inside everyday tools like Zoom. Unlike traditional remote desktop tools, Zoom’s interface doesn’t clearly indicate when a malicious actor is making a request. The simplicity of the dialog, coupled with the trust users place in the platform, is a key part of the con.
“This isn’t about breaking code,” Trail of Bits explained. “It’s about exploiting habits—those unconscious approvals users give to software they trust.”
In fact, their own CEO was targeted in such a phishing attempt, approached via social media by profiles pretending to be Bloomberg producers. The attackers insisted on Zoom, sent last-minute links, and avoided email communication—all red flags. A closer look revealed that the Zoom links came from personal accounts, not enterprise ones.
The implications go beyond this one campaign. Trail of Bits believes this marks a broader trend—human error and social engineering are now greater threats than technical vulnerabilities in the crypto world. They pointed to the $1.5 billion Bybit breach as another example of how attackers exploit workflows, not just software.
Zoom does offer ways to disable or restrict the Remote Control feature, especially at the administrative level. However, many corporate users still have it enabled by default. Worse, the platform doesn’t provide clear visual cues to distinguish between legitimate system prompts and spoofed ones, making it easier for these attacks to succeed.
To counter the threat, Trail of Bits has blocked the feature across its own systems and recommends that others do the same. By locking down the macOS Accessibility permission that Zoom’s Remote Control depends on, companies can cut off this attack vector without giving up video conferencing.
The takeaway? In today’s threat landscape, it’s not just your software that needs protecting—it’s your habits.