BlueNoroff APT Targets Crypto and Web3 Firms with AI Deepfakes and Fake Zoom Malware on macOS

Executive Summary

The BlueNoroff advanced persistent threat (APT) group, a financially motivated subgroup of the North Korean Lazarus cluster, has escalated its attack sophistication by leveraging fake Zoom calls and AI-generated deepfakes to lure and compromise high-value targets in the cryptocurrency and Web3 sectors. This campaign, active since late 2025, employs a multi-stage social engineering and malware delivery chain that exploits trust in virtual meeting platforms, ultimately resulting in credential theft, persistent access, and large-scale cryptocurrency exfiltration. This advisory provides a comprehensive technical breakdown of the attack chain, malware components, exploitation tactics, and actionable mitigation strategies for organizations at risk.

Threat Actor Profile

BlueNoroff (also tracked as APT38, TA444, Sapphire Sleet, Stardust Chollima, Nickel Gladstone, and CageyChameleon) is a North Korean state-sponsored threat actor specializing in financially motivated cyber operations. Historically, BlueNoroff has targeted financial institutions, cryptocurrency exchanges, and fintech startups, with a focus on high-value theft and espionage. The group is known for its rapid adaptation to new technologies, use of sophisticated social engineering, and deployment of custom malware across Windows, macOS, and Linux platforms. BlueNoroff’s operations are closely aligned with North Korean strategic objectives, including sanctions evasion and funding of state activities.

Technical Analysis of Malware/TTPs

The latest BlueNoroff campaign is characterized by a highly modular, cross-platform malware ecosystem and a complex social engineering pipeline. The attack chain unfolds as follows:

Initial access is achieved through spearphishing via Telegram or email, where attackers impersonate prominent figures in the cryptocurrency industry. Victims are invited to meetings via manipulated Calendly or Google Meet links, which redirect to typosquatted Zoom or Microsoft Teams domains under attacker control. During these fake meetings, AI-generated deepfake avatars and voices are used to impersonate company executives, increasing the credibility of the lure.

Victims are then instructed to download a malicious “Zoom extension” or “meeting support tool,” typically named zoom_sdk_support.scpt for macOS, from attacker-controlled domains such as support[.]us05web-zoom[.]biz. This AppleScript loader disables bash history, checks for Apple Silicon architecture, installs Rosetta 2 if necessary, and downloads additional payloads. The loader fetches and executes a series of implants, including:

  • Telegram 2 (Nim-based persistent implant)
  • Root Troy V4 (Go-based backdoor)
  • InjectWithDyld (C++ loader for process injection)
  • keyboardd/XScreen (keylogger and screen/clipboard capture utility)
  • airmond/CryptoBot (Go-based infostealer targeting browser-based crypto wallets)
  • Nim Implant (WebSocket-based C2 communication)

The malware ecosystem is designed for persistence, credential harvesting, and lateral movement. Persistence is achieved via Launch Daemons and manipulation of macOS system services. Credential access modules extract browser-stored passwords, session cookies, and private keys from a wide range of cryptocurrency wallet extensions, including MetaMask, Binance, Phantom, Trust, OKX, and others. Clipboard monitoring modules implement “ClickFix”-style attacks, replacing copied wallet addresses with attacker-controlled addresses in real time.

Command and control (C2) infrastructure is highly dynamic, leveraging over 80 typosquatted domains registered between late 2025 and March 2026. C2 communication occurs over HTTPS, WebSockets, and the Telegram Bot API for exfiltration of screenshots and keystrokes.

MITRE ATT&CK mapping for this campaign includes:

  • T1566.002 (Spearphishing via Service)
  • T1059.002 (AppleScript Execution)
  • T1547.001 (Launch Daemon Persistence)
  • T1555 (Credentials from Password Stores)
  • T1113 (Screen Capture)
  • T1056.001 (Keylogging)
  • T1041 (Exfiltration Over C2 Channel)

Exploitation in the Wild

BlueNoroff’s campaign has been observed targeting over 100 cryptocurrency organizations across more than 20 countries, with the highest concentration in the United States, Singapore, and the United Kingdom. Approximately 80% of victims operate in the crypto/blockchain finance sector, and 45% are C-level executives or founders. The attack lifecycle is rapid: the time from initial contact to full compromise can be under five minutes, while attackers have maintained persistent access for up to 66 days in some cases.

A notable innovation in this campaign is the use of exfiltrated webcam footage, which is merged with AI-generated deepfake imagery to create new, highly convincing lures for subsequent victims. This recursive exploitation pipeline enables BlueNoroff to scale its attacks and maintain a high success rate. Clipboard injection attacks have resulted in direct theft of cryptocurrency assets, while compromised Telegram accounts are used to propagate the attack to new targets, creating a self-sustaining infection chain.

Victimology and Targeting

The primary targets of this campaign are cryptocurrency exchanges, Web3 startups, blockchain foundations, and fintech organizations. BlueNoroff’s victimology is characterized by a focus on individuals with privileged access to digital assets, such as CEOs, CTOs, and wallet administrators. The group employs extensive reconnaissance to identify high-value targets, often leveraging public information from LinkedIn, Twitter, and company websites. Geographic targeting is global but weighted toward regions with active crypto sectors, including North America, Southeast Asia, and Western Europe.

Mitigation and Countermeasures

Organizations should implement a multi-layered defense strategy to mitigate the risk posed by BlueNoroff’s campaign. Key recommendations include:

  • Monitor and block the provided indicators of compromise (IOCs), including file hashes and domains such as support[.]us05web-zoom[.]biz, metamask[.]awaitingfor[.]site, productnews[.]online, firstfromsep[.]online, safefor[.]xyz, and readysafe[.]xyz.
  • Conduct regular audits for unauthorized AppleScript execution and suspicious Launch Daemons on all macOS endpoints.
  • Investigate any requests to install Zoom extensions or plugins, especially those originating from non-official domains or received via unsolicited communications.
  • Monitor for clipboard manipulation and unauthorized access to browser-based cryptocurrency wallet extensions.
  • Train staff to recognize deepfake lures and verify the authenticity of meeting invites, particularly those involving urgent requests or unfamiliar contacts.
  • Enforce least privilege and strong authentication for all users, especially those with access to sensitive crypto assets.
  • Establish robust incident response procedures and ensure that all endpoints are monitored for anomalous behavior indicative of BlueNoroff TTPs.
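The Launch Daemon audit recommended above, and the AppleScript loader persistence described in the technical analysis, can be turned into a repeatable triage check. The following script is an added example written for this advisory, not tooling from Rescana or from the cited vendors; it parses launchd plists and flags the traits this campaign relies on (launchd starting a scripting interpreter, a .scpt payload, payloads in world-writable or hidden directories, labels borrowing a meeting-app brand). The two sample plists are constructed; the label com.zoom.sdk.support and the /Users/Shared/.zoom path are hypothetical, and only the file name zoom_sdk_support.scpt comes from the advisory.

```python
import plistlib
import re

# Heuristics drawn from the campaign above: launchd starting a scripting interpreter,
# a .scpt payload, payloads in world-writable or hidden directories, and labels
# that borrow a meeting-app brand to look legitimate.
INTERPRETER = re.compile(r"(^|/)(osascript|curl|bash|sh|zsh|python3?)$")
WRITABLE = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
BRAND = re.compile(r"zoom|teams|meet", re.I)

def plist_findings(data):
    """Return the reasons one launchd plist (bytes) looks suspicious; [] means clean."""
    p = plistlib.loads(data)
    args = p.get("ProgramArguments") or ([p["Program"]] if "Program" in p else [])
    reasons = []
    if args and INTERPRETER.search(args[0]):
        reasons.append("launchd starts an interpreter: " + args[0])
    for a in args:
        if a.endswith(".scpt"):
            reasons.append("AppleScript payload: " + a)
        if a.startswith(WRITABLE) or "/." in a:
            reasons.append("payload in writable or hidden path: " + a)
    if BRAND.search(p.get("Label", "")):
        reasons.append("label borrows a meeting-app brand, check the signer: " + p["Label"])
    if reasons and p.get("RunAtLoad") and p.get("KeepAlive"):
        reasons.append("persistent: RunAtLoad + KeepAlive")
    return reasons

def audit(plists):
    """Map plist name -> findings, keeping only entries with at least one finding."""
    found = {name: plist_findings(data) for name, data in plists.items()}
    return {name: r for name, r in found.items() if r}

# Constructed samples (not real IoCs): a benign daemon and one modelled on the loader
# above. Label and /Users/Shared/.zoom path are hypothetical; only the file name
# zoom_sdk_support.scpt comes from the advisory.
CLEAN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.example.backup</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/backupd</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.zoom.sdk.support</string>
<key>ProgramArguments</key><array><string>/usr/bin/osascript</string>
<string>/Users/Shared/.zoom/zoom_sdk_support.scpt</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/></dict></plist>"""

if __name__ == "__main__":
    for name, reasons in audit({"clean.plist": CLEAN_PLIST, "suspect.plist": SUSPECT_PLIST}).items():
        print(name, *reasons, sep="\n  ")
```

On a real endpoint, feed `audit()` the contents of every .plist under /Library/LaunchDaemons, /Library/LaunchAgents and each user's ~/Library/LaunchAgents; a hit is a lead for the analyst to confirm against the binary's code signature, not a verdict on its own.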

References

Infosecurity Magazine: North Korean Hackers Target Crypto Firms with ClickFix and AI-Made Zoom Lures https://www.infosecurity-magazine.com/news/bluenoroff-dprk-hackers-target/

Huntress: Inside the BlueNoroff Web3 macOS Intrusion Analysis https://www.huntress.com/blog/inside-bluenoroff-web3-intrusion-analysis

Picus Security: BlueNoroff Group - The Financial Cybercrime Arm of Lazarus https://www.picussecurity.com/resource/blog/bluenoroff-group-the-financial-cybercrime-arm-of-lazarus

MITRE ATT&CK: BlueNoroff https://attack.mitre.org/groups/G0102/

Arctic Wolf Labs Report (April 2026) - referenced in Infosecurity Magazine

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their digital supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify and respond to emerging threats, ensuring resilience in an evolving cyber landscape.

For further details or incident response support, we are happy to answer questions at ops@rescana.com.