The data exfiltration:

Keychain creds, browser data, Telegram chats, then push over WebSockets - encrypted channel, tricky for network sensors that ignore non-HTTP(S) traffic

Nasty little persistence trick - malware revives itself when killed.
It intercepts `SIGINT` / `SIGTERM`, then rewrites LaunchAgents on shutdown.

"any user-initiated termination of the malware results in the deployment of the core components, making the code resilient to basic defensive actions."

Stage-2 drops two binaries in /private/var/tmp

• `a` (C++) - kicks off data-stealing chain
• `installer` (Nim) - sets up persistence via signal handlers so killing the process re-installs the backdoor on reboot.

That script (`zoom_sdk_support.scpt`) hides *10,000 blank lines* scroll forever, never see the payload.

The last 3 lines fetch stage-2 from `support.us05web-zoom[.]forum` (notice the look-alike Zoom domain)

The attacker pretends to be a trusted contact → DM on Telegram → Calendly invite → follow-up email with a Zoom link that tells victims to “run this update script.”

It's been hyper successful and catching founders/devs off-guard

One of the wilder revelations in this report for me: They're hiring facilitators that are managing the scheme in the US.

They also:
- Create a bank account for the North Korean, or lend their own account to the worker
- Purchase mobile phone numbers or SIM cards