BlueNoroff Deepfake Zoom Attack: 100 Crypto Executives Compromised in 5 Minutes

The BlueNoroff deepfake Zoom attack executes a four-stage kill chain that completes full system compromise in under five minutes from initial click, using no traditional exploit and no user-installed software.

Stage one begins with a Calendly invite. A BlueNoroff operator posing as a fintech legal professional sends an invite to a target executive, scheduling a meeting months in the future to avoid suspicion. When the victim confirms, the attacker swaps the generated Google Meet link for a typo-squatted Zoom URL, such as uu03webzoom[.]us, hosted on infrastructure controlled via AS400897 (Petrosky Cloud LLC). The victim's browser loads a self-contained HTML page that renders a convincing fake Zoom meeting interface. As the page loads, the getUserMedia API silently captures the victim's webcam feed and exfiltrates it via HTTP POST to attacker infrastructure, where it is stored for use in future fake meetings targeting the victim's professional contacts.

Stage two delivers the payload via ClickFix. Eight seconds into the fake meeting, an overlay appears claiming the user's Zoom SDK is outdated and requires an update. The page silently replaces the clipboard contents with an obfuscated PowerShell command encoded in Base64 plus XOR key 0x43. The victim copies what looks like a diagnostic command and pastes it into the Windows Run dialog or terminal, triggering the download of a Stage 3 PowerShell payload to %TEMP%\chromechip.log.

Stage three establishes persistent C2. The PowerShell implant beacons to 83[.]136[.]208[.]246 on port 6783 every five seconds, sending a JSON profile of the compromised host including hostname, OS version, process list, and admin status. The malware performs VM detection by checking for virtualization process names before proceeding.

Stage four deploys six post-exploitation modules — browser credential stealer, Telegram session hijacker, screenshot capture, software inventory collector, UAC bypass DLL, and persistent startup LNK — within approximately two minutes of initial compromise.

The defining characteristic of the BlueNoroff fake Zoom attack is not the malware — it is the self-sustaining deepfake production pipeline that makes each attack more convincing than the last.

Arctic Wolf's analysis of the attacker's media hosting server recovered more than 950 files organized into eight directories. The operator, identified by the username 'king' embedded in Adobe Premiere Pro project metadata, runs a four-stage production workflow on a macOS host (Apple MacBookPro18,1) with a Windows 10 VMware virtual machine used for video capture.

Stage one generates AI portrait images. BlueNoroff uses ChatGPT's GPT-4o model to generate 1024x1024 PNG headshots of fictional meeting participants. Arctic Wolf confirmed eight AI-generated images on the server, with C2PA cryptographic manifests directly attributing them to OpenAI's infrastructure.

Stage two captures source video. The operator records themselves performing natural video call movements inside the Windows VM using Xbox Game DVR, then layers AI-generated faces over this footage using Adobe Premiere Pro 2021. Real victim webcam footage exfiltrated from prior compromises is also incorporated directly — 140 scraped videos and 185 webcam captures were recovered from the server.

The result is a three-type participant library: AI-generated still images, deepfake composite videos, and real stolen footage of actual identified individuals from prior attacks. At least 100 real people's images and videos were found on the server; nearly half are CEOs or co-founders. One publicly disclosed victim confirmed their Telegram account was subsequently used to send Calendly invites to their professional contacts, demonstrating the self-reinforcing cycle.

Peak campaign activity reached 121 events in March 2026, with operator activity consistently concentrated between 08:00 and 18:00 Korean Standard Time, Monday through Friday, consistent with a state-sponsored workforce on a regular schedule.

BlueNoroff's targeting in this campaign is deliberate, narrow, and focused on individuals with the highest-value access: direct control over cryptocurrency wallets, investment authority, and private keys.

Of the 100 confirmed victims identified from the attacker's media server, 54% work in cryptocurrency or blockchain finance, and 26% work in traditional finance and venture capital. A further 8% are in AI or technology, and 5% in fintech — giving a combined 93% in financially adjacent roles with either direct crypto holdings or decision-making authority over significant digital asset portfolios.

The seniority concentration is the most alarming data point. 45% of targets are CEOs or co-founders. A further 21% hold senior leadership titles, 10% are in the C-suite (COO, CFO, CSO), and 7% are investors or partners. Only 9% are individual contributors. BlueNoroff is not phishing the helpdesk — it is targeting the people with wallet authority and the institutional trust to authorize large transactions.

Geographically, 41% of confirmed targets are in the United States, 24% in East Asia (Singapore, Hong Kong, South Korea), and 21% in Europe. The geographic spread reflects the global distribution of institutional crypto capital and Web3 venture activity, not a regionally confined operation.

This targeting profile has direct implications for how organizations should prioritize defensive resources. Standard employee phishing training aimed at the general workforce is insufficient when the actual attack surface is the executive layer. Crypto-native organizations should assume their founders and C-suite have already been added to BlueNoroff's targeting list if they have any public LinkedIn or conference presence in the Web3 space.

**BlueNoroff** (also tracked as APT38, Sapphire Sleet, and TA444) is a North Korean state-sponsored subgroup of Lazarus Group, the DPRK's primary cyber operations unit under the Reconnaissance General Bureau. The group has specialized in financial cybercrime since at least 2014, including the $81 million Bangladesh Bank SWIFT heist in 2016.

The fake Zoom campaign maps to a comprehensive set of MITRE ATT&CK techniques, with several high-confidence signatures that defenders can use for threat hunting.

Initial access uses T1566.002 (Spearphishing Link) via typo-squatted Zoom domains delivered through Calendly and calendar invite modification. Execution relies on T1059.001 (PowerShell) via ClickFix clipboard injection, using T1027 (Obfuscated Files and Information) with Base64 plus XOR 0x43 encoding across all payload stages.

Persistence is established via T1547.001 (Boot or Logon Autostart Execution: Registry Run Key), specifically a startup LNK named 'Chrome Update – Certificated.lnk' in the Windows Startup folder. Privilege escalation uses T1548.002 (Abuse Elevation Control Mechanism: Bypass UAC) via a COM elevation moniker targeting the IElevator interface.

Credential access is the campaign's primary objective. T1555.003 (Credentials from Password Managers: Browser Credentials) is executed by injecting a PE binary into chrome.exe, msedge.exe, and brave.exe processes, extracting the AES-256-GCM encrypted master key via the COM IElevator interface and decrypting saved login credentials. T1115 (Clipboard Data) captures the ClickFix payload substitution.

Command and control uses T1071.001 (Application Layer Protocol: HTTP/HTTPS) via HTTP POST to /api/daemon and /api/result endpoints, plus T1571 (Non-Standard Port) on ports 6783, 7365, and 8444. A secondary C2 channel via the Telegram Bot API (T1071) provides redundancy and screenshot exfiltration.

This technique combination — ClickFix delivery plus fileless PowerShell plus in-memory browser injection — is specifically designed to evade signature-based endpoint protection. The [ClickFix technique was also used in the Storm-1865 Booking.com campaign](/blog/booking-com-storm-1865-clickfix-reservation-breach), demonstrating that multiple nation-state actors have now adopted this initial access method. Organizations relying solely on antivirus without behavioral EDR telemetry will not detect this attack chain.

The following IOCs are confirmed active as of April 29, 2026. Block all C2 IPs at the network perimeter and all domains at the DNS layer. Hunt for file hashes and persistence artifacts on all endpoints in your environment, prioritizing executive workstations and devices in the cryptocurrency or finance sectors.

Detecting the BlueNoroff deepfake Zoom attack requires behavioral EDR telemetry — signature-based antivirus will not fire because all malicious execution happens in memory, with legitimate file extensions (.log) used to mask payloads.

The highest-confidence single detection signal is a child process spawned from powershell.exe with -WindowStyle Hidden arguments, particularly when csc.exe (C# compiler) is invoked via Add-Type. BlueNoroff compiles browser injection helpers at runtime using Add-Type, which is unusual behavior in a production environment and rarely legitimate in user sessions.

For browser credential theft, hunt for non-browser processes opening Chrome's Login Data or Local State SQLite databases. Legitimate applications do not read these files. Any process other than chrome.exe, msedge.exe, or brave.exe reading %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data should trigger an immediate alert. Similarly, flag non-browser processes calling BCryptSetProperty with 'ChainingModeGCM' or BCryptDecrypt — the AES-256-GCM decryption path used to access the Chrome app-bound encryption key.

Persistence artifacts are highly specific: alert on any LNK file created in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ with names containing 'Chrome Update' or 'Certificated'. Monitor for creation of .log files in %TEMP% with naming patterns matching chromechip.log, and for %USERPROFILE%\chrome-debug-data001.log.

Network-based detection should alert on outbound HTTP POST connections to port 6783 (non-standard), connections to check02id[.]com or thriddata[.]com, and any requests to the Telegram Bot API from non-user-initiated contexts. The Telegram bot token 8446140951:AAExeAepUZQAegP0A9IQbp__JB4xDaq4ohc is a high-confidence attribution indicator if seen in network logs.

For web proxy and DNS, alert on resolution of any subdomain matching the pattern [2 chars][2 digits]web[meeting-brand][.][us|com|org] — BlueNoroff's typo-squatting domain naming convention. This pattern matches uu03webzoom[.]us, zoom[.]ue01web[.]us, and similar variants without requiring an explicit block list.

North Korean cyber operations, including related [North Korea supply chain attacks targeting developer tooling](/blog/north-korea-supply-chain-1700-packages), consistently leverage the same hosting infrastructure. Threat hunting across all Petrosky Cloud LLC (AS400897) IP ranges may surface additional BlueNoroff infrastructure.

The BlueNoroff deepfake Zoom attack has no patch because it exploits human behavior and in-memory execution rather than a patched software vulnerability. Defense requires a combination of technical controls, policy changes, and targeted awareness training for the specific executive population that BlueNoroff is actively hunting.

The BlueNoroff deepfake Zoom attack represents a fundamental shift in nation-state social engineering: AI-generated participants make video call verification unreliable, fileless execution defeats signature-based AV, and each new victim feeds a self-sustaining lure pipeline targeting their own professional network. Three actions matter most right now: block the confirmed C2 IPs and typo-squatted domains at your perimeter, enable PowerShell Script Block Logging on all executive endpoints, and train your C-suite that terminal command prompts during video calls are always malicious. Run the persistence hunt against executive workstations before end of business today.