
BlueNoroff Uses ClickFix, Fileless PowerShell, and AI-Generated Fake Zoom Meetings to Target Web3 Sector

Arctic Wolf Labs identified a highly targeted campaign by the DPRK-nexus threat actor BlueNoroff against the Web3 sector. The attackers utilize sophisticated social engineering, including AI-generated deepfakes and stolen webcam footage, to lure victims into fake Zoom or Teams meetings. Once engaged, a ClickFix clipboard injection attack deploys a fileless PowerShell C2 implant, leading to the theft of cryptocurrency wallets, browser credentials, and Telegram sessions.

Sens: Immediate | Conf: high | Analyzed: 2026-04-27

Authors: Arctic Wolf Labs

Actors: BlueNoroff, Lazarus Group, APT38, Sapphire Sleet, TA444, Stardust Chollima, CageyChameleon, Nickel Gladstone, SnatchCrypto. Tags: fake conference

Source:Arctic Wolf


What Happened

Hackers from North Korea are targeting executives at cryptocurrency and Web3 companies using highly convincing fake video meetings. They use stolen video footage and AI-generated faces to make the meetings look real, then trick the victim into copying and pasting a malicious code snippet to 'fix' a fake audio issue. This allows the hackers to secretly install software that steals passwords, cryptocurrency wallets, and private messages. Organizations should train employees to be highly suspicious of meeting links that require running computer commands to join, and verify unexpected meeting requests through a secondary communication channel.

Key Takeaways

  • BlueNoroff targets Web3 and cryptocurrency executives using AI-generated deepfakes and stolen webcam footage in fake Zoom and Teams meetings.
  • The attack chain utilizes a ClickFix clipboard injection technique to deliver fileless PowerShell C2 implants.
  • Post-exploitation activities include stealing Telegram sessions, enumerating software, and extracting browser credentials by bypassing Chrome's app-bound encryption.
  • Persistence is achieved via a Startup LNK file that executes a bootstrap payload to re-fetch the C2 implant.
  • The threat actor operates a globally distributed campaign, heavily focused on CEOs and Founders in the cryptocurrency sector.

Affected Systems

  • Windows
  • macOS
  • Linux
  • Chromium-based browsers (Chrome, Edge, Brave, Opera)
  • Telegram Desktop

Attack Chain

The attack begins with a spear-phishing Calendly invite that leads to a typo-squatted Zoom or Teams link. The victim is presented with a fake meeting interface that exfiltrates their webcam feed and prompts a fake SDK update using a ClickFix clipboard injection technique. This executes a PowerShell downloader that fetches a fileless C2 implant, which then deploys modules to steal Telegram sessions, enumerate software, and inject a credential stealer into Chromium browser processes. Persistence is maintained via a Startup LNK file that re-executes the C2 implant upon reboot.

Detection Availability

  • YARA Rules: Yes
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: GitHub (Arctic Wolf Labs)

YARA rules for the identified payloads are available in the Arctic Wolf Labs public GitHub repository.

Detection Engineering Assessment

  • EDR Visibility: High — The attack relies heavily on PowerShell execution, process injection into browsers, and specific COM object instantiation, all of which are highly visible to modern EDR solutions.
  • Network Visibility: Medium — While initial C2 and exfiltration use HTTP/HTTPS and WSS, the traffic blends with legitimate web traffic. However, specific hardcoded endpoints and unique headers (Auth, mid) can be detected.
  • Detection Difficulty: Moderate — The fileless nature and in-memory execution of payloads increase difficulty, but the specific behavioral patterns (e.g., PowerShell spawning csc.exe, browser injection) provide strong detection opportunities.

Required Log Sources

  • Event ID 4104 (PowerShell Script Block Logging)
  • Process Creation (Event ID 4688 / Sysmon Event ID 1)
  • File Creation (Sysmon Event ID 11)

Hunting Hypotheses

| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
| --- | --- | --- | --- |
| Look for powershell.exe spawning csc.exe, which indicates runtime C# compilation often used by this threat actor for dynamic API resolution. | Process Creation | Execution | Low |
| Search for non-browser processes calling CoCreateInstance with CLSCTX_LOCAL_SERVER targeting browser COM CLSIDs (IElevator interface), indicating an attempt to bypass Chrome app-bound encryption. | API Monitoring / EDR Telemetry | Credential Access | Low |
| Identify process injection events targeting Chromium browser processes (chrome.exe, msedge.exe, brave.exe), specifically where the command line contains 'network.mojom'. | Process Injection / EDR Telemetry | Defense Evasion / Credential Access | Low |
| Monitor for the creation of LNK files in the Startup folder that execute PowerShell commands, particularly those reading from .log files in the %TEMP% or %USERPROFILE% directories. | File Creation / Process Creation | Persistence | Low |

Control Gaps

  • Lack of clipboard protection/monitoring in browsers
  • Insufficient restrictions on getUserMedia API

Key Behavioral Indicators

  • PowerShell scripts containing Base64 combined with XOR 0x43 obfuscation
  • Presence of specific strings in memory: '[*] DecryptionOrchestrator void Run()', 'app_bound_encrypted_key not found.'
  • Creation of files named chromechip.log or chrome-debug-data001.log
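The hunting hypotheses in the table above and the behavioral indicators listed here, expressed as matching logic over Sysmon-style events. This is an added example written for this page, not Arctic Wolf Labs' detection content; the event dict field names and the sample events are constructed assumptions, not real telemetry.

```python
import re

STARTUP_DIR = "\\start menu\\programs\\startup\\"
STAGER_LOGS = {"chromechip.log", "chrome-debug-data001.log"}
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")        # long Base64 run in a script block
XOR_43 = re.compile(r"-bxor\s+(0x43|67)\b", re.I)          # XOR with the 0x43 key
IEX_FROM_LOG = re.compile(r"get-content\s+'[^']*\.log'\s*\|\s*iex", re.I)

def base(path):
    return path.rsplit("\\", 1)[-1].lower()

def hunt(ev):
    hits, t = [], ev["type"]   # hit names follow the hunting-hypothesis table
    if t == "process_create":
        image, parent = base(ev["image"]), base(ev["parent_image"])
        if parent == "powershell.exe" and image == "csc.exe":
            hits.append("powershell_spawns_csc")       # runtime C# compilation
        if image == "powershell.exe" and IEX_FROM_LOG.search(ev.get("cmdline", "")):
            hits.append("powershell_iex_from_log")     # bootstrap read from a .log file
    elif t == "file_create":
        target = ev["target"].lower()
        if base(target) in STAGER_LOGS:
            hits.append("known_stager_log_name")
        if STARTUP_DIR in target and target.endswith(".lnk"):
            hits.append("startup_lnk_created")
    elif t == "remote_thread" and base(ev["target_image"]) in BROWSERS:
        if "network.mojom" in ev.get("target_cmdline", "").lower():
            hits.append("injection_into_browser_network_service")
    elif t == "script_block" and B64_BLOB.search(ev["script"]) and XOR_43.search(ev["script"]):
        hits.append("base64_xor43_obfuscation")
    return hits

def hunt_all(events):
    return {i: h for i, e in enumerate(events) if (h := hunt(e))}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    {"type": "process_create", "parent_image": PS, "cmdline": "csc.exe /t:library",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell.exe -ep Bypass -c \"Get-Content 'C:\\Users\\a\\chrome-debug-data001.log' | iex\""},
    {"type": "file_create", "target": r"C:\Users\a\AppData\Roaming\Microsoft\Windows"
     r"\Start Menu\Programs\Startup\Chrome Update - Certificated.lnk"},
    {"type": "file_create", "target": r"C:\Users\a\AppData\Local\Temp\chromechip.log"},
    {"type": "remote_thread", "target_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target_cmdline": "chrome.exe --type=utility --utility-sub-type=network.mojom.NetworkService"},
    {"type": "script_block", "script": "[Convert]::FromBase64String('" + "QUFB" * 15 + "')|%{$_ -bxor 0x43}"},
    {"type": "file_create", "target": r"C:\Users\a\Desktop\notes.log"},  # benign, no hit
]
```

Feed real Sysmon Event ID 1/8/11 and PowerShell 4104 records into hunt_all() after mapping them to the same field names; the hit names give the hypothesis each event satisfies.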

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Isolate affected hosts and revoke all active sessions (Telegram, browser credentials, OAuth tokens).
  • Force password resets for all credentials stored in compromised browsers.
  • Remove identified persistence mechanisms (Startup LNK and .log files).

Infrastructure Hardening

  • Block identified C2 IPs and typo-squatted domains at the network perimeter.
  • Implement calendar invite inspection for modified meeting links.
  • Deploy browser policies restricting access to the getUserMedia API to trusted domains.

User Protection

  • Enable two-factor authentication (2FA) on all critical accounts, including Telegram.
  • Deploy EDR rules to alert on non-browser processes accessing Login Data or Local State SQLite databases.

Security Awareness

  • Train employees to recognize the ClickFix clipboard injection technique and emphasize that legitimate video conferencing platforms never require running terminal commands.
  • Educate users on the risks of AI-generated deepfakes and the importance of verifying meeting requests via secondary channels.

MITRE ATT&CK Mapping

  • T1566.002 - Phishing: Spearphishing Link
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1125 - Video Capture
  • T1115 - Clipboard Data
  • T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
  • T1055 - Process Injection
  • T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
  • T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
  • T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Additional IOCs

  • Registry Keys:
    • HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* - Registry path enumerated for installed software discovery.
    • HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* - Registry path enumerated for installed software discovery.
    • HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* - Registry path enumerated for installed software discovery.
  • File Paths:
    • %TEMP%\chromechip.log - Stage 3 in-memory PowerShell C2 implant dropped to disk.
    • %TEMP%\tel_<username>.zip - Staged Telegram session data archive.
    • %TEMP%\lg_<username> - Staged software enumeration CSV file.
    • %TEMP%\ext_<username>.zip - Staged browser artifact archive.
    • %TEMP%\cps_<username>.zip - Staged browser credential extraction archive.
    • C:\Users\Public\log.ini - Master extraction log for the browser credential stealer.
    • C:\Users\Public\pchr.csv - Extracted Chrome credentials.
    • C:\Users\Public\pmse.csv - Extracted Edge credentials.
    • C:\Users\Public\pbra.csv - Extracted Brave credentials.
    • %USERPROFILE%\chrome-debug-data001.log - Bootstrap payload for persistence.
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update - Certificated.lnk - Startup shortcut file for persistence.
  • Command Lines:
    • Purpose: Decoy commands mixed with PowerShell payload delivery via ClickFix. | Tools: cmd.exe, powershell.exe | Stage: Initial Access / Execution | cmd set ZOOM_API_KEY=
    • Purpose: Download and execute Stage 2 payload. | Tools: powershell.exe | Stage: Execution
    • Purpose: Execute Stage 3 payload from dropped log file. | Tools: powershell.exe | Stage: Execution
    • Purpose: Exfiltrate data using curl. | Tools: curl.exe | Stage: Exfiltration
    • Purpose: Execute bootstrap payload for persistence. | Tools: powershell.exe | Stage: Persistence | powershell.exe -ep Bypass -c "Get-Content '<filepath>' | iex"
  • Other:
    • 7016628218 - Telegram Chat ID used for screenshot exfiltration.
    • fwyan48umt1vimwqcqvhdd9u72a7qysi - Authentication header token for exfiltration.
    • ufjqsmjsaydc9ub6t1e0psn8183lvu2z - Authentication header token for AES payload download.
    • WIN-33SPJA5NN31 - Common Name of self-signed X.509 certificate used on attacker infrastructure.