Social Engineering: The 'Can You Hear Me?' Trap Explained

Dimitar Petkov

In the high-stakes ecosystem of Web3 and venture capital, meeting requests have become routine. But threat actors — including groups attributed to DPRK — are exploiting this normalcy through sophisticated social engineering attacks disguised as video calls.

The Attack Vector

The campaign begins with impersonation. Threat actors pose as legitimate professionals — venture capitalists, recruiters, journalists, or potential partners — and reach out requesting discovery meetings or investment discussions.

The lure is simple: a request to download a “custom high-security AI Video Conferencing tool” for the call. The downloaded file is actually a Remote Access Trojan (RAT).

Primary Targets

  • Software developers with access to sensitive codebases
  • Venture capitalists and investment professionals
  • C-suite executives and founders
  • Cryptocurrency holders with significant assets

The “No Sound” Psychological Tactic

The attack exploits a common frustration — technical difficulties during video calls. Here’s how it unfolds:

  • The victim joins what appears to be a legitimate call interface
  • Audio mysteriously fails — they can see the other “participants” but hear nothing
  • “Support staff” in the chat direct users to download an “SDK Update” or “Sound Fixer”
  • This download delivers the malware payload

The psychological manipulation is effective because audio issues are common and the “fix” seems reasonable.

Technical Compromise

Once executed, the RAT typically gives the operator:

  • System persistence — Survives reboots and maintains access
  • Credential harvesting — Captures passwords and cryptocurrency seed phrases
  • Clipboard interception — Monitors for wallet addresses to redirect transactions
  • Screen capture — Records sensitive information displayed on screen
  • Keylogging — Captures all keystrokes including authentication codes

Indicators of Compromise

Watch for these suspicious domains impersonating legitimate video services:

  • zoom-download[.]id
  • zoom-meeting[.]top
  • zoomov-incoming-call[.]pages[.]dev
  • Any non-official domain claiming to be a video platform

Five Warning Signs

  • Proprietary platforms — Requests to use custom tools instead of industry standards like Zoom, Google Meet, or Microsoft Teams
  • Required downloads — Zoom, Google Meet and Microsoft Teams can all be joined from the browser; a call that cannot proceed until you install something is suspect
  • Suspicious domains — URLs that mimic but don’t match official service domains (a brand name inside the host, such as zoom-meeting[.]top, is not the same as a host under the official domain, such as zoom.us)
  • Artificial urgency — Pressure to quickly resolve “technical problems”
  • Unsolicited outreach — Initial contact through secondary messaging platforms like Telegram or Discord

Protection Measures

Defend against these attacks by:

  • Verifying identities — Confirm meeting requests through official channels
  • Using established platforms — Refuse to download custom video software
  • Checking domains carefully — Hover over links before clicking and compare the actual host against the platform’s official domain, not just the brand name in the URL
  • Maintaining skepticism — Question unexpected meeting requests, especially from unknown contacts
  • Separating environments — Use dedicated devices for high-value cryptocurrency operations
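The domain checks described under “Indicators of Compromise” and “Checking domains carefully” can be automated for invites and chat messages. The following script is an added example written for this article, not PhishFort’s code: it refangs defanged indicators, pulls the real host out of a URL (so a `user@host` trick cannot hide it), and classifies the host as official, lookalike, IDN/punycode, or unrelated. The official-domain allowlist, the brand tokens, and the sample chat transcript are assumptions constructed for the demo; the lookalike hosts are the ones listed above.

```python
"""Classify meeting-invite URLs as official, lookalike, or unrelated.

Added example for this article (not PhishFort's code). OFFICIAL_DOMAINS,
BRAND_TOKENS and SAMPLE_CHAT are assumptions constructed for the demo.
"""
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Assumed allowlist: a host counts as official only if it equals one of these
# domains or sits under it on a label boundary (".zoom.us", not "zoom.us.evil").
OFFICIAL_DOMAINS = ("zoom.us", "zoom.com", "google.com", "microsoft.com")

# Assumed brand tokens: a non-official host containing one of these is a lookalike.
BRAND_TOKENS = ("zoom", "meet", "teams")

# Matches http(s)/hxxp(s) URLs and bare or defanged domains such as zoom-download[.]id
URL_RE = re.compile(
    r"(?:h(?:xx|tt)ps?://)?"                        # optional (possibly defanged) scheme
    r"[a-z0-9-]+(?:(?:\.|\[\.\])[a-z0-9-]+)*"        # leading labels, "." or "[.]"
    r"(?:\.|\[\.\])[a-z]{2,}"                        # TLD
    r"(?:/[^\s]*)?",                                 # optional path
    re.I,
)


def extract_host(url: str) -> str:
    """Refang the URL and return the real hostname (lowercased, no trailing dot)."""
    refanged = url.lower().replace("[.]", ".").replace("hxxp", "http")
    if "://" not in refanged:
        refanged = "https://" + refanged
    # urlsplit drops any "user:pass@" prefix, so "https://zoom.us@evil.tld/"
    # yields "evil.tld", the host the browser would actually connect to.
    host = urlsplit(refanged).hostname or ""
    return host.rstrip(".")


def classify_host(host: str) -> str:
    """Return one of: invalid, idn-lookalike, official, lookalike, unrelated."""
    if not host:
        return "invalid"
    # Mainstream platforms use plain ASCII domains (assumption), so any non-ASCII
    # or punycode label is treated as a possible homograph and flagged for review.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return "idn-lookalike"
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    if any(tok in host for tok in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


def scan_message(text: str) -> List[Tuple[str, str, str]]:
    """Find every URL/domain in a chat message and classify its host."""
    results = []
    for match in URL_RE.finditer(text):
        raw = match.group(0)
        host = extract_host(raw)
        results.append((raw, host, classify_host(host)))
    return results


# Constructed sample of the "no sound" chat described in the article.
SAMPLE_CHAT = """\
Support: Sorry about the audio! Please grab the Sound Fixer from
https://zoom-download[.]id/SoundFixer.pkg and rejoin.
Support: Alternatively the SDK update is at hxxps://zoomov-incoming-call.pages.dev/sdk
Alice: Our normal link is https://us04web.zoom.us/j/1234567890 - can we use that?
"""

if __name__ == "__main__":
    for raw, host, verdict in scan_message(SAMPLE_CHAT):
        print(f"{verdict:14} {host:35} {raw}")
```

The suffix match on a label boundary is the important detail: `zoom.us.evil.tld` or `zoom-us.top` must not pass as official just because they start with the brand. The brand-token check is deliberately loose (it will flag `meetup.com`, for instance); it is a triage heuristic for invites, not a blocklist.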

Organizational Response

Organizations should train employees to recognize these tactics and establish verification procedures for external meeting requests. Security awareness is the first line of defense against social engineering.

PhishFort helps organizations protect against phishing and social engineering campaigns. Contact us to learn how we can help secure your team.
