BlueNoroff Uses Fake Zoom Calls to Turn Victims Into Attack Lures
Recorded: May 11, 2026, 1:16 p.m.
Original
The North Korean group is using stolen victim videos, AI-generated avatars, and fake Zoom calls to scale malware attacks against cryptocurrency executives.

Jai Vijayan, Contributing Writer
April 28, 2026
4 Min Read

North Korea's BlueNoroff state-sponsored hacking group is targeting cryptocurrency executives in an audacious, financially motivated campaign that uses fake Zoom meetings populated with AI-generated avatars and stolen video footage of real people to trick victims into installing malware on their systems.

What makes the campaign particularly insidious, according to a new report from Arctic Wolf, is how the threat actor steals webcam footage from each victim and then uses those videos to populate even more convincing fake Zoom meetings to target new victims.

Insidious Campaign

Arctic Wolf found stolen images and videos of at least 100 individuals — nearly half of them CEOs or co-founders of their organizations — that the threat actor appears to have used as bait in the campaign. Eight out of 10 of the identified victims operated in the cryptocurrency/blockchain sector or associated finance sectors. "This concentration underscores BlueNoroff's singular operational focus: individuals with access to cryptocurrency assets, wallet infrastructure, exchange platforms, or investment decision-making authority," Arctic Labs said in a report this week.

One incident that Arctic Wolf investigated involved a senior executive at a US-based Web3 cryptocurrency company. The attack chain began with a BlueNoroff actor posing as the head of legal at an international consulting and law firm in the fintech and crypto sector, sending a Calendly invite to the target. The purported "catch-up" meeting was scheduled late last summer for five months in the future (January 2026). When the victim confirmed the meeting, a Google Meet calendar invite was generated, which the threat actor then covertly modified and replaced with a typo-squatted Zoom URL.

"From the target's perspective, the attack begins as a legitimate business interaction, often through a compromised Telegram account, Calendly invite, or calendar workflow impersonating a trusted contact such as a legal executive, VC partner, or industry peer," says Ismael Valenzuela, VP of labs, threat research and intelligence at Arctic Wolf. "The pretext is a routine meeting."

When the victim in Arctic Wolf's investigation clicked the link this past January, they were directed to an HTML page that convincingly mimicked a Zoom conference lobby, complete with fabricated participant avatars and pre-recorded clips mimicking a live meeting. When the victim granted microphone and camera access to join the fake meeting, the threat actor covertly began siphoning the webcam feed in real time, for use in future attacks.

"[The victim sees] a realistic meeting interface populated with recognizable participants, which may include stolen webcam footage from prior victims, scraped images, or AI-generated headshots tailored to their network," Valenzuela says. "The meeting appears active, with moving participant tiles and shifting speaker indicators, but there is no real conversation, and audio often appears not to function."

From Initial Click to Total Compromise in Minutes

Seconds into the "meeting," and seemingly to fix the errant audio issue, the victim received a ClickFix prompt about their Zoom SDK needing an update. When the victim acted on the prompt instructions, it triggered a sequence of actions in the background that ended with multiple malicious payloads being installed on their systems, including those for persistence, command-and-control, credential harvesting, stealing from cryptocurrency wallets, and Telegram session theft.

Arctic Wolf found the entire post-exploitation sequence, from initial click to full system compromise, including credential theft and persistent access, happening in less than five minutes. In the incident that the security vendor investigated, BlueNoroff maintained persistence on the victim environment for 66 days.

One of the most alarming aspects of the campaign is how the attackers have established a "self-reinforcing deepfake production pipeline" that combines exfiltrated webcam footage from prior victims with AI-generated images to produce new fake meeting content, according to Arctic Wolf. The vendor analyzed more than 950 files from the attacker's media hosting server, which showed the threat actor using three types of fake meeting participants in its campaign: stolen footage of prior victims, AI-generated still images, and deepfake composite videos that combined AI-generated faces with actual human body motion.

"The attacker's infrastructure is extensive and operationally active," Arctic Wolf added. For example, BlueNoroff had more than 80 typo-squatted Zoom and Teams domains registered with just one hosting provider, with new ones being added on a continuous basis. "The volume of distinct payload delivery URLs observed on VirusTotal confirms this is not an isolated operation, but a sustained campaign targeting multiple organizations simultaneously," the security vendor said.

For organizations, the most important takeaway is that this is a coordinated social engineering campaign designed to scale through compromised identities, Valenzuela says. "Employees should verify meeting requests through a secondary channel, inspect calendar links for manipulation and avoid executing commands during a call," he advises. "Security teams should restrict webcam and microphone access to trusted domains and monitor for clipboard abuse, PowerShell activity, and unauthorized access to browser-stored credentials."
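The advice above to inspect calendar links for manipulation, together with the typo-squatted Zoom and Teams domains the report describes, can be turned into a simple mail-gateway or helpdesk check. The following is an added example, not code from Arctic Wolf or the article: it unfolds an .ics invite, pulls every link out of its text fields, and flags hosts that carry a meeting-platform brand word but are not under an allowlisted domain. The allowlist and the sample invite (including the lookalike host) are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of hosts that legitimately serve meeting links; a real
# deployment would maintain this per tenant (hypothetical values).
TRUSTED_HOSTS = {"zoom.us", "meet.google.com", "teams.microsoft.com"}
BRAND_WORDS = ("zoom", "teams", "meet")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
LINK_PROPS = ("LOCATION", "DESCRIPTION", "URL", "X-GOOGLE-CONFERENCE")

def unfold_ics(ics: str) -> str:
    """RFC 5545 folds long lines as CRLF followed by a space; join them back."""
    return re.sub(r"\r?\n[ \t]", "", ics)

def classify_host(host: str) -> str:
    host = host.lower().rstrip(".")
    # Exact match or any subdomain of an allowlisted host (e.g. us02web.zoom.us).
    if any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS):
        return "trusted"
    # A brand word on a host we do not trust is the typo-squat pattern.
    if any(b in host for b in BRAND_WORDS):
        return "lookalike"
    return "untrusted"

def audit_invite(ics: str) -> list:
    """Return (url, verdict) for every link found in the invite's text fields."""
    findings = []
    for line in unfold_ics(ics).splitlines():
        prop = line.split(":", 1)[0].split(";", 1)[0].upper()
        if prop not in LINK_PROPS:
            continue
        for url in URL_RE.findall(line):
            url = url.rstrip(".,;)")
            host = urlparse(url).hostname or ""
            findings.append((url, classify_host(host)))
    return findings

# Constructed sample invite: the description still advertises Google Meet while
# the location was swapped to a lookalike Zoom host (constructed domain).
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\n"
    "SUMMARY:Catch-up\r\n"
    "DESCRIPTION:Join with Google Meet: https://meet.google.com/abc-defg-hij\r\n"
    "LOCATION:https://us02web.zoom-us.example/j/12345678\r\n"
    " ?pwd=constructed\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

if __name__ == "__main__":
    for url, verdict in audit_invite(SAMPLE_ICS):
        print(f"{verdict:10} {url}")
```

A mismatch between the platform named in the description and the host of the actual link, as in the sample, is the same pattern the article describes for the modified Google Meet invite.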
Summarized

BlueNoroff, a North Korean state-sponsored hacking group, is employing a sophisticated and insidious tactic to expand its malware attacks against cryptocurrency executives. According to a report by Arctic Wolf, the group leverages stolen video footage from victims, combined with AI-generated avatars, to create incredibly realistic and deceptive Zoom meetings. This strategy, detailed by contributing writer Jai Vijayan, centers around a "self-reinforcing deepfake production pipeline," where stolen webcam data is supplemented with AI-generated images to construct convincingly populated meeting environments. The group's operational focus is on individuals with access to cryptocurrency assets, mirroring a targeted approach.

The campaign's effectiveness stems from the attacker's ability to mimic legitimate business interactions, often originating from compromised Telegram accounts or Calendly invites. Victims, such as a senior executive at a US-based Web3 cryptocurrency company, are presented with a realistic Zoom lobby populated with familiar faces — which may include stolen footage, scraped images, or AI-generated headshots. The attacker creates the illusion of an active meeting with moving participant tiles and shifting speaker indicators, even if actual conversation is absent. A key element of the attack chain involves a ClickFix prompt, deliberately triggered to install malicious payloads onto the victim's system. This sequence, completed in under five minutes, results in credential harvesting, cryptocurrency wallet theft, and persistent access to the compromised environment. Arctic Wolf found BlueNoroff maintaining persistence for 66 days in one instance. The threat actor's infrastructure is extensive, utilizing numerous typo-squatted Zoom and Teams domains registered with a single hosting provider to ensure continuous operation. This rapid deployment of domains, confirmed by VirusTotal, highlights the scale and sophistication of the BlueNoroff campaign.

Ismael Valenzuela, VP of labs, threat research and intelligence at Arctic Wolf, emphasizes that this is a coordinated social engineering effort designed to scale through compromised identities. He advises employees to verify meeting requests through secondary channels, scrutinize calendar links for manipulation, and avoid executing commands during calls. Security teams are urged to restrict webcam and microphone access, monitor clipboard abuse, and analyze PowerShell activity to mitigate this evolving threat landscape. The Arctic Wolf report underscores the immediate danger of trusting virtual meetings, especially those with unfamiliar participants or seemingly technical issues. The sophistication of the BlueNoroff technique — leveraging deepfakes and automated scaling — represents a concerning trend in cybercrime, demanding heightened vigilance and robust security protocols amongst organizations and individuals handling cryptocurrency assets.