
BlueNoroff Uses Fake Zoom Calls to Turn Victims Into Attack Lures

Source: Dark Reading, archived Apr 29, 2026

The North Korean group is using stolen victim videos, AI-generated avatars, and fake Zoom calls to scale malware attacks against cryptocurrency executives.



Jai Vijayan, Contributing Writer
April 28, 2026
4 Min Read

North Korea's BlueNoroff state-sponsored hacking group is targeting cryptocurrency executives in an audacious, financially motivated campaign that uses fake Zoom meetings populated with AI-generated avatars and stolen video footage of real people to trick victims into installing malware on their systems.

What makes the campaign particularly insidious, according to a new report from Arctic Wolf, is how the threat actor steals webcam footage from each victim and then uses those videos to populate even more convincing fake Zoom meetings to target new victims.

Insidious Campaign

Arctic Wolf found stolen images and videos of at least 100 individuals, nearly half of them CEOs or co-founders of their organizations, that the threat actor appears to have used as bait in the campaign.

Eight out of 10 of the identified victims operated in the cryptocurrency/blockchain or associated finance sectors. "This concentration underscores BlueNoroff's singular operational focus: individuals with access to cryptocurrency assets, wallet infrastructure, exchange platforms, or investment decision-making authority," Arctic Labs said in a report this week.

One incident that Arctic Wolf investigated involved a senior executive at a US-based Web3 cryptocurrency company. The attack chain began with a BlueNoroff actor posing as the head of legal at an international consulting and law firm in the fintech and crypto sector, sending a Calendly invite to the target.
The purported "catch-up" meeting was scheduled late last summer for five months in the future (January 2026). When the victim confirmed the meeting, a Google Meet calendar invite was generated, which the threat actor then covertly modified and replaced with a typo-squatted Zoom URL.

"From the target's perspective, the attack begins as a legitimate business interaction, often through a compromised Telegram account, Calendly invite, or calendar workflow impersonating a trusted contact such as a legal executive, VC partner, or industry peer," says Ismael Valenzuela, VP of labs, threat research and intelligence at Arctic Wolf. "The pretext is a routine meeting."

When the victim in Arctic Wolf's investigation clicked the link this past January, they were directed to an HTML page that convincingly mimicked a Zoom conference lobby, complete with fabricated participant avatars and pre-recorded clips mimicking a live meeting. When the victim granted microphone and camera access to join the fake meeting, the threat actor covertly began siphoning the webcam feed in real time, for use in future attacks.

"[The victim sees] a realistic meeting interface populated with recognizable participants, which may include stolen webcam footage from prior victims, scraped images, or AI-generated headshots tailored to their network," Valenzuela says. "The meeting appears active, with moving participant tiles and shifting speaker indicators, but there is no real conversation, and audio often appears not to function."

From Initial Click to Total Compromise in Minutes

Seconds into the "meeting," and seemingly to fix the errant audio issue, the victim received a ClickFix prompt about their Zoom SDK needing an update.
When the victim acted on the prompt's instructions, it triggered a sequence of actions in the background that ended with multiple malicious payloads being installed on their systems, including those for persistence, command-and-control, credential harvesting, stealing from cryptocurrency wallets, and Telegram session theft.

Arctic Wolf found the entire post-exploitation sequence, from initial click to full system compromise, including credential theft and persistent access, happening in less than five minutes. In the incident that the security vendor investigated, BlueNoroff maintained persistence on the victim environment for 66 days.

One of the most alarming aspects of the campaign is how the attackers have established a "self-reinforcing deepfake production pipeline" that combines exfiltrated webcam footage from prior victims with AI-generated images to produce new fake meeting content, according to Arctic Wolf. The vendor analyzed more than 950 files from the attacker's media hosting server, which showed the threat actor using three types of fake meeting participants in its campaign: stolen footage of prior victims, AI-generated still images, and deepfake composite videos that combined AI-generated faces with actual human body motion.

"The attacker's infrastructure is extensive and operationally active," Arctic Wolf added. For example, BlueNoroff had more than 80 typo-squatted Zoom and Teams domains registered with just one hosting provider, with new ones being added on a continuous basis. "The volume of distinct payload delivery URLs observed on VirusTotal confirms this is not an isolated operation, but a sustained campaign targeting multiple organizations simultaneously," the security vendor said.

For organizations, the most important takeaway is that this is a coordinated social engineering campaign designed to scale through compromised identities, Valenzuela says.
"Employees should verify meeting requests through a secondary channel, inspect calendar links for manipulation and avoid executing commands during a call," he advises. "Security teams should restrict webcam and microphone access to trusted domains and monitor for clipboard abuse, PowerShell activity, and unauthorized access to browser-stored credentials."
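One way to put the "inspect calendar links for manipulation" advice into practice, as an added example that is not from the article or from Arctic Wolf's report: a small Python check that pulls every link out of an .ics invite and flags hosts that imitate a meeting provider without being one, the pattern described above where a Google Meet invite was swapped for a typo-squatted Zoom URL. The trusted-domain list, brand tokens and the sample invite are constructed assumptions for illustration.

```python
"""Flag lookalike video-conferencing links in a calendar invite.

Added example; the trusted-domain list and sample invite below are
assumptions constructed for illustration, not data from the article.
"""
import re
from urllib.parse import urlparse

# Registrable domains of legitimate meeting providers; subdomains are accepted.
TRUSTED_MEETING_DOMAINS = {"zoom.us", "meet.google.com", "teams.microsoft.com"}
# Brand tokens whose presence in an untrusted host suggests a lookalike.
BRAND_TOKENS = ("zoom", "meet", "teams")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _host_is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_MEETING_DOMAINS)


def classify_url(url):
    """Return 'trusted', 'lookalike' or 'other' for one meeting link."""
    host = (urlparse(url).hostname or "").lower()
    if _host_is_trusted(host):
        return "trusted"
    if any(tok in host for tok in BRAND_TOKENS):
        return "lookalike"  # brand name present, but not the provider's domain
    return "other"


def extract_urls(ics_text):
    """Unfold RFC 5545 continuation lines, then collect every URL."""
    unfolded = re.sub(r"\r?\n[ \t]", "", ics_text)
    return [u.rstrip(".,;)") for u in URL_RE.findall(unfolded)]


def inspect_invite(ics_text):
    """Return (url, verdict) pairs for every link in the invite."""
    return [(u, classify_url(u)) for u in extract_urls(ics_text)]


# Constructed sample invite: a LOCATION that was swapped for a lookalike host
# next to the original Google Meet link. Hostnames are placeholders.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "BEGIN:VEVENT", "SUMMARY:Catch-up",
    "LOCATION:https://zoom-us.meeting-lobby.example/j/123",
    "DESCRIPTION:Join: https://meet.google.com/abc-defg-hij",
    "END:VEVENT", "END:VCALENDAR",
])

if __name__ == "__main__":
    for url, verdict in inspect_invite(SAMPLE_ICS):
        print(f"{verdict:10s} {url}")
```

A link classed as "lookalike" is the triage signal: a brand name in the host with none of the provider's real domains behind it, which is worth a second-channel confirmation before anyone joins.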