BlueNoroff Campaign Uses Fileless PowerShell & AI-Generated Zoom

North Korea’s Lazarus Group has launched a dangerous new cyber campaign, as detailed in a

The attack begins with a spear-phishing email. The threat actor pretends to be a legal professional in the Fintech space and sends a Calendly invite to the target.

Once the victim confirms the meeting, the attacker quietly replaces the Google Meet link with a typo-squatted Zoom URL designed to look nearly identical to a real one.

When the victim clicks the fake link, their browser loads a self-contained HTML page that looks exactly like the Zoom meeting interface, complete with fake participant video tiles, looping footage, and a cycling active speaker indicator.

Arctic Wolf analysts identified this targeted intrusion against a North American Web3 and cryptocurrency company, attributing it with high confidence to BlueNoroff, also tracked as APT38, Sapphire Sleet, and Stardust Chollima.

Researchers found that the full attack chain, from the initial click to complete system compromise, finished in under five minutes.

Forensic analysis confirmed the attacker maintained persistent access on the victim’s device for 66 days, stealing browser credentials, Telegram session data, and live webcam footage that was then reused to build more convincing lures for future targets.

What makes this campaign especially damaging is its self-reinforcing deepfake production pipeline. Analysts uncovered more than 950 files on the attacker’s hosting server, including AI-generated headshot images confirmed via C2PA cryptographic metadata as outputs of OpenAI’s GPT-4o model, real webcam footage stolen from prior victims, and deepfake composite videos.

Each successful attack feeds raw material into the next, making future meetings more convincing. CEOs and founders account for 45% of all identified targets, reflecting BlueNoroff’s focus on individuals with direct access to cryptocurrency assets and wallet infrastructure.

The ClickFix Payload Delivery

Once the victim enters the fake Zoom meeting, a persistent overlay appears claiming the user’s SDK is outdated and needs an update.

This is a ClickFix-style clipboard injection attack. The victim sees what look like harmless diagnostic commands and is told to copy and paste them into the Windows Run dialog or terminal.

What they do not realize is that the page silently replaces the clipboard content with a hidden PowerShell execution command the moment they copy it.

The injected PowerShell command downloads an obfuscated second-stage script from the attacker’s command-and-control server and saves it to the user’s Temp folder as a file named chromechip.log.

That file runs in a hidden window, installing a persistent C2 beacon that operates entirely in memory and contacts the attacker every five seconds.

The implant collects hostname, OS version, running processes, admin privileges, and timezone data, packaging everything into a structured JSON beacon sent to a remote server.

Organizations in Web3, cryptocurrency, and financial services should verify all meeting links through a secondary communication method before joining any call.

Legitimate platforms never ask users to run terminal commands to fix audio or camera issues.

Security teams should block identified C2 addresses, remove the Startup shortcut called Chrome Update Certificated.lnk, and delete chromechip.log and chrome-debug-data001.log from affected devices.

All browser-stored passwords, API keys, and cryptocurrency wallet credentials must be rotated immediately.

PowerShell Script Block Logging should be enabled on all endpoints to support early detection of obfuscated payload execution.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.