BlueNoroff Fake Zoom Malware: IOCs, Attack Chain, and Defenses for Crypto Teams

BlueNoroff, the North Korean state-sponsored sub-group within the Lazarus Group, is running an active campaign against cryptocurrency and Web3 firms using AI-generated deepfakes in fake Zoom calls to deliver macOS malware. Researchers tracking the operations — named GhostCall and GhostHire — confirmed a North American Web3 company was fully compromised in January 2026, with attackers maintaining persistent, fileless access for 66 days. CEOs and founders account for 45% of identified targets across more than 20 countries; the United States represents 41% of all victims.

What Is BlueNoroff?

BlueNoroff is a financially motivated sub-cluster within North Korea’s Lazarus Group, also tracked as Alluring Pisces, APT38, Nickel Gladstone, Stardust Chollima, and TA444. Unlike other Lazarus units focused primarily on espionage, BlueNoroff’s mandate is revenue generation for the DPRK — specifically large-scale theft from cryptocurrency exchanges, DeFi protocols, and Web3 companies. The group has stolen hundreds of millions of dollars in cryptocurrency since at least 2018 and maintains consistent operational tempo, launching new campaigns each quarter.

The fake Zoom campaign builds on BlueNoroff’s established playbook of social engineering via LinkedIn, fake job offers, and conference invitations. The addition of AI-generated deepfake video participants represents a material escalation: victims can no longer rely on visual cues to identify a fraudulent meeting.

How the Attack Chain Works

The attack begins before any call takes place. Operator metadata recovered from the campaign infrastructure reveals a macOS user with the username “king” working standard DPRK business hours — 08:00 to 18:00 Korean Standard Time, weekdays only. The operator identifies a high-value target within a crypto organization, typically a CEO, founder, or individual with direct access to wallets or private keys.

Step 1: The Calendly Lure

The target receives a Calendly invitation to a “strategy call” or “investment discussion.” The link appears to point to a Google Meet event, but when clicked the URL silently redirects to a fake Zoom domain registered and controlled by BlueNoroff. Researchers have identified over 80 typosquatted Zoom and Microsoft Teams domains registered between late 2025 and March 2026, all hosted on Petrosky Cloud LLC (AS400897):

zoom-us[.]usweb08[.]us
us05web[.]zoom-meet[.]net
teams-live[.]ms-teams-call[.]com

At least one domain was registered with the email daniel.castagnolii@gmail[.]com on April 14, 2025. New domains are added continuously, and legitimate-looking subdomains are rotated to avoid blocklists.

Step 2: The Deepfake Meeting

The victim enters what appears to be a normal Zoom call with multiple attendees already present. Every other participant is synthetic. Researchers recovered and analyzed over 950 files from the operator’s media hosting server and identified three categories of fake participants:

  • AI-generated still images created with ChatGPT’s GPT-4o model, using real names and headshots scraped from Web3 LinkedIn profiles and company pages
  • Semi-animated composites assembled in Adobe Premiere Pro 2021, giving the stills subtle motion to pass a brief visual check
  • Deepfake video created by layering AI-generated imagery over recycled webcam footage from previous victims

The third category is the most operationally significant. Each new victim’s webcam feed is harvested and fed directly back into BlueNoroff’s deepfake production pipeline, improving the realism of future attacks. The group has built a self-reinforcing system in which compromising one target increases the credibility of the next campaign.

Step 3: Malware Delivery via ClickFix

During the call, participants are told there is an audio problem or that an SDK update is required. A prompt appears in the fake Zoom interface asking the user to click “Update Now.” This triggers a clipboard hijack: malicious JavaScript embedded in the fake page silently replaces the clipboard contents with a PowerShell or shell command. The victim is directed to paste this into a terminal — a variant of the ClickFix social engineering technique.

# Example of clipboard-injected command pattern (sanitised)
powershell -w hidden -enc <base64-encoded-dropper>

The command downloads and executes a first-stage payload. Subsequent prompts ask for the macOS system password, framing the request as part of completing the SDK installation. This grants the implant administrator-level access. The full attack chain — from initial click to complete system compromise including credential theft and persistent access — completes in under five minutes.

GhostCall and GhostHire: Malware Components

Kaspersky’s Securelist researchers attributed the campaign to two related BlueNoroff clusters and recovered eight distinct binaries across analyzed infections:

Component              Language      Role
Telegram 2             Nim           First-stage loader
Root Troy V4           Go            Persistent backdoor
InjectWithDyld         C++           Code injector
Swift injector helper  Swift         Supports InjectWithDyld
Async implant          Nim           Asynchronous C2 beaconing
XScreen                (not stated)  Keylogger
CryptoBot              Go            Cryptocurrency infostealer
NetChk                 (not stated)  Decoy / network recon binary

CryptoBot is the highest-impact component. Written in Go, it targets wallets across more than 20 platforms, extracts private keys and seed phrases, and stores the data in a locally encrypted cache before exfiltration. XScreen captures keystrokes in parallel, ensuring credentials typed after the initial compromise are also collected.

The PowerShell-based C2 implant operates entirely in memory — no binaries are written to disk — which makes file-based scanning and hash-matching ineffective. Screenshots are exfiltrated via the Telegram Bot API. An AES-encrypted browser injection payload captures credentials directly from live browser sessions, including the macOS iCloud Keychain.

Indicators of Compromise

Hosting infrastructure

All confirmed fake conference domains share two fingerprints:

  • Hosted on AS400897 (Petrosky Cloud LLC)
  • Registered with privacy shields via value-hosting registrars; at minimum one domain linked to daniel.castagnolii@gmail[.]com

Blocking outbound connections to AS400897 at the firewall or DNS layer will intercept a significant portion of this infrastructure. BlueNoroff has shown the capability to shift hosting, but this ASN has been consistently associated with the campaign since late 2025.

Domain typosquat patterns

zoom-us[.]*[.]us
us*web[.]zoom-*[.]net
*-live[.]ms-teams-*[.]com
zoom[.]us-*[.]co
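The patterns above are easy to eyeball but tedious to check by hand against every calendar invite. The following Python is an added example (not code from the original post or from the cited researchers) that compiles the four typosquat patterns into anchored regexes and combines them with the "resolves directly to zoom.us or google.com" rule from the vetting checklist later in this post. The allow-list of two domains, the field names in the result, and the sample links are this example's own assumptions; the three fake domains are the ones quoted above. It only inspects the link as written, so a redirect chain (Calendly to Google Meet to a fake Zoom host) still has to be checked live with a client that does not follow redirects.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Typosquat patterns exactly as listed in the post (defanged: "[.]" is a dot, "*" is a wildcard).
TYPOSQUAT_PATTERNS = [
    "zoom-us[.]*[.]us",
    "us*web[.]zoom-*[.]net",
    "*-live[.]ms-teams-*[.]com",
    "zoom[.]us-*[.]co",
]

# Registrable domains the checklist accepts for a meeting link (assumption: only these two).
ALLOWED_MEETING_DOMAINS = ("zoom.us", "google.com")


def refang(text: str) -> str:
    """Turn the defanged '[.]' notation used in the post back into real dots."""
    return text.replace("[.]", ".")


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile a wildcard pattern to an anchored regex; '*' matches characters inside one DNS label only."""
    escaped = re.escape(refang(pattern))
    return re.compile("^" + escaped.replace(r"\*", r"[a-z0-9-]+") + "$", re.IGNORECASE)


TYPOSQUAT_REGEXES = [(p, pattern_to_regex(p)) for p in TYPOSQUAT_PATTERNS]


def matching_typosquat(host: str) -> Optional[str]:
    """Return the post's pattern that the host matches, or None if it matches none."""
    host = refang(host).lower().rstrip(".")
    for pattern, regex in TYPOSQUAT_REGEXES:
        if regex.match(host):
            return pattern
    return None


def is_allowed_meeting_host(host: str) -> bool:
    """True only when host is an allowed domain or a proper subdomain of it.
    The suffix match sits on a label boundary, so 'zoom.us.example.co' and
    'zoom-us.example.us' do not pass."""
    host = refang(host).lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_MEETING_DOMAINS)


def vet_meeting_link(url: str) -> dict:
    """Classify a meeting link: 'block' on a known typosquat pattern, 'ok' on an
    allowed domain, otherwise 'review'. Only the link as written is inspected."""
    url = refang(url.strip())
    if "://" not in url:
        url = "https://" + url
    host = (urlparse(url).hostname or "").lower()
    pattern = matching_typosquat(host)
    if pattern:
        verdict = "block"
    elif is_allowed_meeting_host(host):
        verdict = "ok"
    else:
        verdict = "review"
    return {"url": url, "host": host, "typosquat_pattern": pattern, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample links: the three domains from the post, one legitimate link, one look-alike.
    for link in ["https://us05web.zoom.us/j/1234567890", "zoom-us[.]usweb08[.]us/j/1234",
                 "https://us05web[.]zoom-meet[.]net/j/1234", "teams-live[.]ms-teams-call[.]com/meet",
                 "https://zoom.us.evil-example.co/j/1234"]:
        r = vet_meeting_link(link)
        print(f"{r['verdict']:6} {r['host']}  pattern={r['typosquat_pattern']}")
```

A "review" verdict is deliberate for anything that is neither a known typosquat nor on the allow-list: BlueNoroff rotates subdomains and registers new hosts continuously, so an unknown conferencing host should go through the out-of-band confirmation step rather than be trusted because it missed the blocklist.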

Behavioral IOCs — macOS endpoint

  • osascript execution prompting for administrator password during or immediately after a video call
  • Outbound connections to api.telegram.org from browser or conferencing application processes
  • PowerShell (pwsh) or bash spawned as child processes of a browser or video conferencing app
  • Unsigned, unnotarized Go or Nim binaries appearing in /tmp/ or ~/Library/Application Support/
  • Clipboard modification events during active video calls (monitor pbcopy/pbpaste API calls via endpoint tooling)

Network IOCs

api.telegram.org        # screenshot exfiltration channel
AS400897                # Petrosky Cloud LLC — confirmed BlueNoroff hosting bloc

Defensive Measures for Crypto Organizations

  1. Establish an out-of-band confirmation channel for all externally arranged calls. Before joining, send a separate message to the meeting requestor via a previously verified contact method — company Slack, a prior email thread, or a known phone number. Legitimate investors and partners will not object.

  2. Treat any meeting that asks you to paste a command into a terminal as an active attack. No legitimate video conferencing application requests terminal access to fix audio. No exception.

  3. Block Petrosky Cloud LLC (AS400897) at the perimeter. This ASN is not used by legitimate conferencing infrastructure. Add it to egress blocklists and DNS sinkholes.

  4. Monitor clipboard access during video calls. On macOS, endpoint tools such as Jamf Protect or CrowdStrike Falcon can alert on unexpected clipboard modification events tied to browser or conferencing processes.

  5. Verify meeting link destinations before clicking. Confirm that any Zoom link in a Calendly or calendar invite resolves directly to *.zoom.us — not through an intermediate redirect. Hover before clicking.

  6. Apply this vetting checklist to all inbound investment and partnership meeting requests:

[ ] Requestor is reachable via an independently verified email domain
[ ] Meeting link resolves directly to zoom.us or google.com (no redirects)
[ ] LinkedIn profile is older than 12 months with consistent employment history
[ ] Company verified on Crunchbase, PitchBook, or a known accelerator registry
[ ] Invitation email domain matches the company's registered domain exactly
[ ] No requests to run terminal commands, install software, or grant permissions during the call
  7. Hunt for GhostCall/GhostHire indicators on macOS endpoints. Search for unsigned Go and Nim binaries in ~/Library, /tmp, and user-level launch agents in ~/Library/LaunchAgents/. Legitimate, notarized applications do not install unsigned binaries in these locations on macOS Ventura and later. Query for the following:

# Find unsigned executables in common drop locations
# (-perm -u+x keeps plists, caches and other data files out of the output)
find ~/Library /tmp -type f -perm -u+x -exec codesign -v {} \; 2>&1 | grep "not signed"

# Check for suspicious LaunchAgents
ls -la ~/Library/LaunchAgents/
cat ~/Library/LaunchAgents/*.plist 2>/dev/null
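Reading dumped plists by eye does not scale across a fleet. The following Python is an added example (not code from the original post or from the cited researchers) that parses each LaunchAgent plist and flags the two things this post calls out: a program launched from a user-writable drop location (/tmp, /var/folders, ~/Library/Application Support) and an interpreter handed an encoded command, the same shape as the sanitised ClickFix command in Step 3. The three plists are constructed samples with invented labels and paths; the base64 argument in the second one decodes to the UTF-16 string "PLACEHOLDER", not to any real payload. The `scan_directory` helper is provided so the same checks can be pointed at a real ~/Library/LaunchAgents/.

```python
import os
import plistlib
import re
from typing import List

# User-writable locations the post names as drop sites, plus the per-user temp tree.
DROP_LOCATION_RE = re.compile(
    r"^(/private)?/tmp/|^/var/folders/|^/Users/[^/]+/Library/Application Support/"
)
INTERPRETERS = {"pwsh", "powershell", "osascript", "bash", "zsh", "sh", "python3"}
POWERSHELL_ENCODED_FLAGS = {"-e", "-enc", "-encodedcommand"}
# A bare base64-looking argument of 24+ characters; arguments that are paths (start with "/") are skipped.
BASE64_BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")

# Constructed sample plists (labels and paths are invented for this example).
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.helper</string>
<key>ProgramArguments</key><array>
<string>/Applications/Example.app/Contents/MacOS/helper</string><string>--agent</string>
</array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

ENCODED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.sdk.update</string>
<key>ProgramArguments</key><array>
<string>/usr/local/bin/pwsh</string><string>-w</string><string>hidden</string>
<string>-enc</string><string>UABMAEEAQwBFAEgATwBMAEQARQBSAA==</string>
</array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

DROP_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array>
<string>/bin/zsh</string><string>-c</string>
<string>/Users/alice/Library/Application Support/.sdk/updater</string>
</array>
<key>RunAtLoad</key><true/>
</dict></plist>"""


def program_args(plist: dict) -> List[str]:
    """LaunchAgents use either ProgramArguments (an argv list) or Program (a single path)."""
    if "ProgramArguments" in plist:
        return [str(a) for a in plist["ProgramArguments"]]
    if "Program" in plist:
        return [str(plist["Program"])]
    return []


def triage_launch_agent(raw: bytes) -> List[str]:
    """Return human-readable findings for one LaunchAgent plist; an empty list means nothing flagged."""
    plist = plistlib.loads(raw)
    args = program_args(plist)
    if not args:
        return ["no Program or ProgramArguments key"]
    findings: List[str] = []
    exe = args[0].rsplit("/", 1)[-1].lower()
    dropped = [a for a in args if DROP_LOCATION_RE.match(a)]
    if dropped:
        findings.append(f"executes from user-writable drop location: {dropped[0]}")
    if exe in {"pwsh", "powershell"} and any(a.lower() in POWERSHELL_ENCODED_FLAGS for a in args[1:]):
        findings.append("PowerShell launched with an encoded command")
    if exe in INTERPRETERS and any(
            BASE64_BLOB_RE.match(a) and not a.startswith("/") for a in args[1:]):
        findings.append("interpreter receives a long base64-like argument")
    if findings and plist.get("RunAtLoad"):
        findings.append("RunAtLoad is set: re-executes at every login")
    return findings


def scan_directory(path: str = os.path.expanduser("~/Library/LaunchAgents")) -> dict:
    """Triage every .plist in a LaunchAgents directory; returns {} if the directory is absent."""
    results = {}
    if not os.path.isdir(path):
        return results
    for name in sorted(os.listdir(path)):
        if name.endswith(".plist"):
            with open(os.path.join(path, name), "rb") as fh:
                try:
                    results[name] = triage_launch_agent(fh.read())
                except Exception as exc:  # a plist launchd cannot parse is itself worth a look
                    results[name] = [f"could not parse: {exc}"]
    return results


if __name__ == "__main__":
    for name, raw in [("benign", BENIGN_PLIST), ("encoded", ENCODED_PLIST), ("drop", DROP_PLIST)]:
        print(name, "->", triage_launch_agent(raw) or "clean")
    for name, findings in scan_directory().items():
        print(name, "->", findings or "clean")
```

A clean result here is not proof of a clean host: the post notes that the C2 implant runs entirely in memory, so a LaunchAgent is only one of the persistence paths to check, and a finding should be followed up with `codesign -v` on the referenced binary rather than treated as a verdict on its own.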

Conclusion

BlueNoroff’s fake Zoom campaign is not an opportunistic phishing attempt — it is a production-grade deception infrastructure with confirmed intrusions across more than 20 countries and a self-reinforcing deepfake pipeline that improves with each victim. The fileless, sub-five-minute attack chain leaves little window for detection at execution time. Crypto and Web3 organizations should implement out-of-band call verification and egress blocks on AS400897 immediately, before a meeting request arrives.
