BlueNoroff Uses Fake Zoom Meetings, Weaponizes Stolen Webcam Footage to Target Crypto Execs
North Korea's BlueNoroff group is using AI-generated avatars and stolen webcam footage in fake Zoom meetings to trick cryptocurrency executives into installing malware, with full compromise achieved in under five minutes.

North Korea's BlueNoroff state-sponsored hacking group is running an audacious, financially motivated campaign that uses fake Zoom meetings populated with AI-generated avatars and stolen video footage of real people to trick cryptocurrency executives into installing malware on their systems. According to a new report from Arctic Wolf, the threat actor steals webcam footage from each victim and then uses those videos to populate even more convincing fake Zoom meetings to target new victims, creating a self-reinforcing deepfake production pipeline.
Arctic Wolf found stolen images and videos of at least 100 individuals — nearly half of them CEOs or co-founders of their organizations — that the threat actor appears to have used as bait in the campaign. Eight out of 10 of the identified victims operated in the cryptocurrency/blockchain or associated finance sectors. "This concentration underscores BlueNoroff's singular operational focus: individuals with access to cryptocurrency assets, wallet infrastructure, exchange platforms, or investment decision-making authority," the Arctic Wolf report noted.
The attack chain begins with a BlueNoroff actor posing as a trusted contact — such as a legal executive, VC partner, or industry peer — sending a Calendly invite to the target. When the victim confirms a meeting, the threat actor covertly modifies the calendar invite and replaces the meeting link with a typo-squatted Zoom URL. When the victim clicks the link, they are directed to an HTML page that convincingly mimics a Zoom conference lobby, complete with fabricated participant avatars and pre-recorded clips mimicking a live meeting. When the victim grants microphone and camera access to join the fake meeting, the threat actor covertly begins siphoning the webcam feed in real time for use in future attacks.
Seconds into the meeting, and seemingly to fix an errant audio issue, the victim receives a ClickFix prompt claiming their Zoom SDK needs an update. When the victim follows the prompt's instructions, it triggers a sequence of actions in the background that ends with multiple malicious payloads being installed on their system, including components for persistence, command-and-control, credential harvesting, cryptocurrency wallet theft, and Telegram session theft. Arctic Wolf found the entire post-exploitation sequence, from initial click to full system compromise, completing in less than five minutes. In the incident that the security vendor investigated, BlueNoroff maintained persistence in the victim environment for 66 days.
One of the most alarming aspects of the campaign is how the attackers have established a self-reinforcing deepfake production pipeline that combines exfiltrated webcam footage from prior victims with AI-generated images to produce new fake meeting content. Arctic Wolf analyzed more than 950 files from the attacker's media hosting server, which showed the threat actor using three types of fake meeting participants: stolen footage of prior victims, AI-generated still images, and deepfake composite videos that combine AI-generated faces with actual human body motion.
The attacker's infrastructure is extensive and operationally active. BlueNoroff had more than 80 typo-squatted Zoom and Teams domains registered with just one hosting provider, with new ones being added on a continuous basis. The volume of distinct payload delivery URLs observed on VirusTotal confirms this is not an isolated operation but a sustained campaign targeting multiple organizations simultaneously.
For organizations, the most important takeaway is that this is a coordinated social engineering campaign designed to scale through compromised identities. Employees should verify meeting requests through a secondary channel, inspect calendar links for manipulation, and avoid executing commands during a call. Security teams should restrict webcam and microphone access to trusted domains and monitor for clipboard abuse, PowerShell activity, and unauthorized access to browser-stored credentials.
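As an added defender-side illustration of the "inspect calendar links for manipulation" advice (example code written for this article, not from Arctic Wolf or the report), the check below pulls every URL out of invite text and flags meeting hosts that are not under a legitimate Zoom or Teams domain but are built around the brand name, including the rn-for-m style look-alikes typo-squatters favour. The allowlist of legitimate suffixes, the homoglyph table and the sample invite text are all assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Assumed starting allowlist of legitimate meeting hosts; vanity subdomains
# such as <org>.zoom.us pass via the suffix check in host_is_allowed().
ALLOWED_SUFFIXES = ("zoom.us", "zoom.com", "teams.microsoft.com", "teams.live.com")
BRAND_LABELS = ("zoom", "teams")
# Common look-alike substitutions, normalised before the brand check.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample invite: one genuine Zoom link, one swapped-in look-alike.
SAMPLE_INVITE = """\
Subject: Intro call - partnership
Agenda: https://docs.example/agenda
Join Zoom Meeting: https://us02web.zoom.us/j/000000000
Updated link (use this one): https://us02web.zoorn-us.example/j/000000000
"""


def host_is_allowed(host: str) -> bool:
    """True when host is exactly, or a subdomain of, an allowlisted suffix."""
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def normalise_label(label: str) -> str:
    """Collapse common homoglyph substitutions so 'zoorn' reads as 'zoom'."""
    for bad, good in HOMOGLYPHS:
        label = label.replace(bad, good)
    return label


def classify_host(host: str) -> str:
    """Return 'allowed', 'lookalike' or 'unrelated' for a meeting-link host."""
    host = host.lower().rstrip(".")
    if host_is_allowed(host):
        return "allowed"
    labels = [normalise_label(lab) for lab in host.split(".")]
    if any(brand in lab for lab in labels for brand in BRAND_LABELS):
        return "lookalike"  # brand name used on a non-allowlisted domain
    return "unrelated"


def suspicious_links(text: str) -> list:
    """Return (url, host) pairs whose host impersonates a meeting provider."""
    hits = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname or ""
        if classify_host(host) == "lookalike":
            hits.append((url, host))
    return hits
```

Run over the sample invite, only the "Updated link" entry is reported; the genuine us02web.zoom.us link and the unrelated agenda link are not.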