CyberWire Daily - You've been muted...permanently. [Research Saturday]
Episode Date: June 6, 2026
Ismael Valenzuela, Arctic Wolf’s VP of Labs, Threat Research and Intelligence, discusses their work on "BlueNoroff Uses ClickFix, Fileless PowerShell, and AI-Generated Fake Zoom Meetings to Target Web3 Sector." Arctic Wolf researchers uncovered a sophisticated campaign by North Korean threat group Lazarus Group subgroup BlueNoroff that targets cryptocurrency and Web3 executives through fake Zoom and Microsoft Teams meetings, using typo-squatted links, ClickFix-style attacks, and AI-generated deepfakes to steal credentials and cryptocurrency-related data. The attackers built a self-reinforcing operation that captures victims’ webcam footage and Telegram sessions, then repurposes those assets alongside AI-generated images to create increasingly convincing fake meeting participants for future attacks. Researchers identified more than 100 victims across 20 countries, with the campaign primarily targeting CEOs, founders, investors, and senior leaders in the cryptocurrency, blockchain, and financial sectors as part of a long-running effort to steal digital assets and gain access to high-value networks. The research and executive brief can be found here: BlueNoroff Uses ClickFix, Fileless PowerShell, and AI-Generated Fake Zoom Meetings to Target Web3 Sector
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Do you know how the space and cybersecurity domains connect?
T-minus space cyber briefing is your guide through the space-based systems that expand the attack surface.
I'm Maria Varmazis, host here at N2K CyberWire, and I'm excited to share that T-Minus is back.
Now, as a weekly podcast, the T-minus Space Cyber Briefing.
We have a new dedicated focus on two great things that are even better together, space and cybersecurity.
Because whether we realize it or not, we all depend on space-based systems that are, by the way, increasingly internet-enabled.
We're talking cybersecurity technologies, policies, and organizations that are securing the critical space-based infrastructure that powers, protects, and connects our lives here on Earth.
So join me for T-Minus Space Cyber Briefing, new episodes every Sunday.
Maybe that's an urgent message from your CEO, or maybe it's a deepfake trying to target your business.
Doppel is the AI-native social engineering defense platform fighting back against impersonation and manipulation.
As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back,
from automatically dismantling cross-channel attacks to building team resilience and more.
Doppel, outpacing what's next in social engineering.
Learn more at doppel.com.
That's D-O-P-P-E-L.com.
Hello everyone and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities,
solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
This began with what appeared to be a legitimate business meeting invitation.
The victim received a Calendly invite that eventually directed them to a typo-squatted Zoom domain,
hosting a fully simulated fake meeting environment,
which is like one of the most interesting pieces about this research.
That's Ismael Valenzuela, VP of Labs, threat research and intelligence at Arctic Wolf.
The research we're discussing today is titled
BlueNoroff uses ClickFix, Fileless PowerShell, and AI-generated fake Zoom meetings to target the Web3 sector.
Yeah, once the victim joined the meeting, the attackers then used some more like traditional social engineering to get the victim to install what looked like an update for Zoom, right?
A Zoom SDK update.
But in reality, that was the multi-stage infection chain, including PowerShell, browser credential theft,
Telegram session theft, persistence, and even collecting screenshots.
Well, before we dig into a lot of the details here and the specifics,
you have said with a fairly high degree of confidence that BlueNoroff is who you're attributing this to.
What do we know about that group?
Yeah, so this is a group that is associated with North Korea, or DPRK, the Democratic People's Republic of Korea.
And this is essentially the same playbook that they have been using for quite some time,
where the primary objective of their activities is essentially financial theft.
And the fact that they're targeting cryptocurrency executives, exchange operators,
blockchain, wallet developers, this is very consistent with the playbook for this group,
BlueNoroff.
And essentially, what they want to do is to generate revenue to keep supporting
the country's interests.
Well, let's walk through this step by step.
I mean, you mentioned that this begins with a Calendly invite.
Can you take us through the details of what the victim experiences here?
Yes, so the victim receives this invite.
And instead of like going to the domain that they think that they're going,
they use a typo-squatted Zoom domain.
This is what I like to call a cousin domain or a lookalike domain.
They may look like legitimate,
like something related to the data they work,
but they're essentially going to a domain
that is controlled by the attackers.
When they go to this Zoom call,
what they get is into like a fake meeting,
which is very, very interesting
because this meeting has content
that is specifically tailored to the victim.
So that shows that the attacker has been able to conduct detailed investigative work prior to setting up every meeting, which is very, very interesting.
At least one of the 100 targets that we identified beyond the primary victim that we investigated in this case has publicly disclosed on LinkedIn that their identity was used by the threat actor to approach other targets, showing that there is kind of a pipeline to lure more people into this attack, as we document in the report.
And when the victim would join the call, they would see videos, they would see personas
that are related to their day-to-day jobs.
So if they were in the crypto world, they would see relevant people from the crypto world.
Some of this content would be scraped out of YouTube, webinars, and other public
resources, some of this content would be stolen from the footage recorded from previous victims
that would be incorporated into their library. At the time of this recording, I can tell you there's
more than a thousand videos in this library. Help me understand, I mean, this part of it,
because it seems like a tremendous amount of effort that goes into this particular campaign here.
Were they using AI generated images?
Were they cleverly using the stolen webcam footage?
Are they looping things in the background?
What are they doing?
Well, what we found is that they use a combination of different things,
scraping public videos out there from YouTube or webinars
and also deepfakes that they have generated,
along with actual footage recorded from victims that got infected
and then they would join this call
and you could see how their faces look a little bit confused.
They're clicking on links.
They're like trying to find out what's going on
and this is directly stolen out of their computers.
As we explained in the report,
they would use a specific API to enable the recording
of the webcam and the microphone
to gather this information from the victims.
Yeah, it's interesting.
I mean, how many of us join a Zoom meeting
and that's exactly the first thing you're used to seeing
are people just getting settled in
and trying to make sure everything's working?
So it all seems normal at first, I suppose.
Yeah, absolutely, absolutely.
And we have evidence that the captured footage
enters kind of like a production pipeline
as professionals would do.
The attacker actually processed the video through Adobe Premiere Pro.
And it's worth mentioning that at least one image was edited with Microsoft Paint.
So I guess, you know, maybe they run out of budget.
I don't know.
Going old school.
Right.
Right, right.
So let's continue down the pathway here.
I mean, I'm a victim and I've helped.
I've entered this Zoom meeting, even though it's not a real Zoom meeting.
What happens next?
Yes.
So what happened next is that the victim would receive some communications that,
oh, you know, maybe something is not right.
We cannot hear you or we cannot see you well.
They would continue the social engineering by trying to convince the victim to install an update, right, for Zoom.
And I'm saying Zoom here, but I have to say since the publication of our report,
we've seen the attacker moving away from Zoom and using Microsoft Teams-themed lures towards other organizations, including outside of crypto, now enterprise software, business services.
But that's kind of the idea, right? Once they convince you that you are among peers or, you know, joining a webinar, a call with people that share the same interests, they would ask you to execute something on your machine.
That's where the PowerShell comes in or, you know, a binary.
In some cases, this is not that different from the fake CAPTCHA and other social engineering attacks
that we see on a regular basis where they convince you to just copy and paste some commands
on your machine that are going to install the malicious implant.
We'll be right back.
And your research points out that once they go down this path, it is minutes before they
have the system fully compromised?
That is correct.
Once the machine is fully compromised,
it could be like less than five minutes.
The attacker steals the Telegram sessions,
the browser credentials,
the webcam footage,
the audio from the microphone,
and then they use these compromised accounts,
these identities, to approach other victims.
So now that means that, you know,
these messages come to you through Telegram,
or these invitations may come from people that you trust.
Now, I'm on this Zoom call and they've convinced me to run this software.
They've installed the malware.
Are they keeping me on the line?
Or are they, am I being discarded and they move on to the next person?
Well, I mean, based on the information that we have, we haven't, like, joined these calls necessarily.
We have seen, like, all the analysis that comes out of the investigation.
But according to the videos that we have seen,
the victim may have been connected for some time,
but, I mean, enough time for the attacker
to be able to convince you to do something,
to install something on your computer.
Once they have the information,
there's no need to keep you there for any longer.
So, you know, if the call disconnects,
it's like, okay, something didn't work, what is going on?
But it doesn't really matter at that point;
those identities have been stolen.
And as I said before,
we have seen some victims in social media,
LinkedIn, X,
mentioning that, hey, my identity has been stolen
and it has been used to approach other people
in my network.
How did Arctic Wolf pivot from this initial intrusion
that you investigated to identifying 100 additional targets?
Well, so part of that is based on our amazing threat research team.
I have to say that we track threat actors.
We have been doing this for a long time.
And also based on our telemetry, the ability to pivot from endpoint data,
which was the very first indication or signal that we got here,
to the ability to pivot to other infrastructure,
to people, to network telemetry, cloud telemetry,
from over 10,000 customers, and a lot of the open source intelligence that we gather out there too.
Was there anything that stood out about the victims themselves in terms of who they were going after?
Are there particular parts of the world or particular industries that they seem to be targeting?
Yeah, that's an interesting one.
About 45%, 50% of the victims were CEOs and founders.
About 70% were related to blockchain, you know, exchanges, but also venture capital companies.
The geographic spread was over 20 countries.
So, I mean, that tells you that this is a well-resourced operation with language capabilities, cultural awareness, to do social engineering across multiple regions.
And some of the individuals that we found were victims of this were kind of well known.
Some of them, you know, public figures, people in, you know, different industries that have a high profile.
It's a good reminder that these sorts of things can happen to anyone.
Absolutely. In terms of countries, the majority were focused on the United States, but we also found Singapore,
United Kingdom.
And we've seen since the publication of our research that they're expanding to other geographies
and other businesses too.
In terms of the attribution, what can you share with us in terms of evidence that supported
your high confidence attribution that this was the North Koreans?
Well, when we talk about attribution, we typically talk about several things:
you know, the indicators of compromise,
the infrastructure that they use.
As I said before, we've been tracking these actors for a long time.
And if you look at the publications that we have done in the past,
you can see that this is not the first BlueNoroff publication that we have done.
And the playbook is very, very distinct, and the motivation.
The first motivation is, as I said before, financial, to support the regime
and to bypass the embargoes, right, from the UN on this country.
But we're not the only ones that have seen this.
There are other peers in the industry that have been reporting the same playbook coming out of BlueNoroff,
which always adds additional confidence to our assessment.
So what are the takeaways here for defenders?
What sort of things should security teams take away from your research?
Well, the first one, that you already talked about, Dave, is essentially training, right?
Proactive security training.
Security awareness.
This is one of the oldest things in cybersecurity,
knowing that, you know, you have to validate every single request,
recognize the red flags of phishing,
and routinely verify meeting requests,
especially when it is something that looks suspicious, right,
via a secondary contact method.
Browser security.
This is kind of a new field as well in cybersecurity.
Well, maybe not so new for those of us that have been around for a long time.
But we see very specific threats against browsers these days.
There's a particular API, getUserMedia, that should only be available to, like, trusted domains.
Clipboard monitoring restrictions where feasible.
Email and calendar security as well.
Inspecting these invites, especially when
the invitations come from domains
that look like domains we'd recognize,
whether or not they really are those domains.
And of course, threat intelligence,
threat modeling,
knowing exactly that if you are in the business of cryptocurrency,
if you have wallets with high value,
if you're a public figure,
if you have a high position in an organization,
know that these threat actors are going after you.
And knowing this should drive
the countermeasures.
This is what I usually call think red, act blue, right?
Think like an attacker to become a better defender.
You know, I think about an attack like this,
and particularly the element with Calendly,
I would fall for because I feel like this is such a part of my day-to-day,
responding to calendar invites,
sending out calendar invites,
meeting with people in these online conference sessions like you and I are doing right now.
It's such a part of my routine that I have to wonder would I stop to check because I'm in such a habit of doing this every day.
Well, it's funny you mentioned that, Dave, because I joined your podcast through this calendar invite.
First thing I did when I clicked on it, it's like, hold on. Before clicking on it, I was like, hold on a second.
Is this actually Dave or not?
Good for you.
But yeah, that's a reality.
No one is free from any of this.
But that's why you want to have like several controls along the way.
Because if something fails, it could be, you know, you under stress, checking, you know, doing something urgently on your phone.
Or at least you have other layers.
And also having the information, right?
Listening to this podcast, having the right information to say, hold on a second.
I'm going to, you know, verify and double check, especially this type of request.
Our thanks to Ismael Valenzuela from Arctic Wolf for joining us.
The research is titled BlueNoroff uses ClickFix, Fileless PowerShell,
and AI-generated fake Zoom meetings to target the Web3 sector.
We'll have a link in the show notes.
And that's Research Saturday, brought to you by N2K Cyberwire.
We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights
that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show,
please share a rating and review in your favorite podcast app. Please also fill out the survey
in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes.
We're mixed by Elliott Peltzman and Trey Hester. Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next time.
