Meeting apps are frequently targeted and weaponized by hackers because they are widely used for communication and collaboration, often carry sensitive data, and have large user bases.
Because these platforms are pervasive and widely accepted, users tend to trust them, and hackers take advantage of that trust to spread malware, steal information, tap conversations, or even break into organizations.
Cybersecurity analyst Patrick Wardle of Objective-See discovered that North Korean hackers had been actively weaponizing a meeting app, Miro Talk, to target macOS users.
MalwareHunterTeam also tweeted about this new Mac malware.
A malicious disk image (MiroTalk.dmg), undetected by VirusTotal’s AV engines, was analyzed to reveal its capabilities and North Korean (DPRK) attribution.
The malware, likely part of a job-related phishing campaign, was hosted on a clone of the legitimate Miro Talk site. This tactic aligns with known DPRK hacker methods of targeting victims by posing as job hunters.
The analysis demonstrates how open-source tools like BlockBlock and LuLu can help counter such threats.
The malware’s connection to a DPRK campaign previously documented by Palo Alto Networks’ Unit 42 suggests an evolving strategy in North Korean cyber operations.
Analysis of the MiroTalk.dmg file turned up an unsigned 64-bit Intel Mach-O executable named Jami, which was not detected by VirusTotal.
Symbols and strings embedded inside suggest that it could be used for exfiltration, download, and execution with a possible C2 server at 95.164.17.24:1224.
The malware may also target crypto-wallet browser extensions, browser data, and the macOS keychain.
It’s likely to be cross-platform (Qt/QMake), written in Python, and contains malicious Python scripts.
Methods of the executable like setBaseBrowserUrl directly reference sensitive browser paths that indicate complex data collection and exfiltration capabilities.
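The "unsigned 64-bit Intel Mach-O" finding above is a check a defender can reproduce on any suspicious binary. The following Python sketch is an added example, not code from Objective-See or from the malware: it parses a thin Mach-O header and reports whether an embedded code signature is present. The function names and the sample bytes are constructed for illustration, and universal (fat) binaries are assumed out of scope.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF        # thin 64-bit Mach-O, little-endian on disk
CPU_TYPE_X86_64 = 0x01000007    # CPU_TYPE_X86 | CPU_ARCH_ABI64
MH_EXECUTE = 0x2
LC_UUID = 0x1B
LC_CODE_SIGNATURE = 0x1D
HEADER_SIZE = 32                # sizeof(struct mach_header_64)


def triage_macho(data: bytes) -> dict:
    """Return arch, file type and code-signature presence for a thin 64-bit Mach-O."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for mach_header_64")
    magic, cputype, _, filetype, ncmds, sizeofcmds, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin little-endian 64-bit Mach-O")
    end = HEADER_SIZE + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past end of file")
    offset, signed = HEADER_SIZE, False
    for _ in range(ncmds):
        if offset + 8 > end:
            raise ValueError("truncated load command header")
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmdsize < 8 or offset + cmdsize > end:
            raise ValueError("malformed load command size")
        # No LC_CODE_SIGNATURE means no embedded signature at all (not even ad hoc).
        signed = signed or cmd == LC_CODE_SIGNATURE
        offset += cmdsize
    return {"intel64": cputype == CPU_TYPE_X86_64,
            "executable": filetype == MH_EXECUTE,
            "has_code_signature": signed}


def build_sample(signed: bool) -> bytes:
    """Constructed input: a header plus LC_UUID and, optionally, LC_CODE_SIGNATURE."""
    cmds = struct.pack("<II16s", LC_UUID, 24, bytes(16))
    if signed:
        cmds += struct.pack("<4I", LC_CODE_SIGNATURE, 16, 0, 0)
    ncmds = 2 if signed else 1
    return struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_X86_64, 3, MH_EXECUTE,
                       ncmds, len(cmds), 0, 0) + cmds


if __name__ == "__main__":
    for label, blob in (("unsigned", build_sample(False)), ("signed", build_sample(True))):
        print(label, triage_macho(blob))
```

The presence of `LC_CODE_SIGNATURE` only shows that a signature blob exists; it does not validate it. On macOS, `codesign --verify` remains the authoritative check.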
The Jami executable is malware that tries to access the user’s keychain and exfiltrate sensitive browser data to a C2 server (95.164.17.24:1224).
Although the initial exfiltration attempts failed, the malware’s API endpoints are similar to those of BeaverTail, which was previously linked with North Korean hackers.
This implies a shift from JavaScript-based threats to native Qt variants that go after similar targets, such as cryptocurrency wallets.
The DPRK-linked C2 server also hosts other payloads including client/5346 which is a Python downloader and InvisibleFerret, a cross-platform backdoor.
These findings link this new malware variant with the earlier campaign of BeaverTail indicating the continued maturity of DPRK cyber capabilities.
The analyzed malware, masquerading as MiroTalk, is a new native variant of BeaverTail.
This new variant is capable of stealing information and executing additional Python-based payloads like InvisibleFerret.
This is evidence of DPRK cyber capability development, as shown by key IoCs like the MiroTalk.dmg file (SHA-256: 0F5F0A3AC843DF675168F82021C24180EA22F764F87F82F9F77FE8F0BA0B7132) and the C2 server (95.164.17.24).