{"id":12472,"date":"2026-04-29T10:01:28","date_gmt":"2026-04-29T10:01:28","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/04\/29\/new-bluenoroff-campaign-uses-fileless-powershell-and-ai-generated-zoom-lures\/"},"modified":"2026-04-29T10:01:28","modified_gmt":"2026-04-29T10:01:28","slug":"new-bluenoroff-campaign-uses-fileless-powershell-and-ai-generated-zoom-lures","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/04\/29\/new-bluenoroff-campaign-uses-fileless-powershell-and-ai-generated-zoom-lures\/","title":{"rendered":"New BlueNoroff Campaign Uses Fileless PowerShell and AI-Generated Zoom Lures"},"content":{"rendered":"<div>\n<p>A dangerous new cyber campaign from North Korea\u2019s Lazarus Group is targeting cryptocurrency and Web3 professionals using fake Zoom meeting interfaces, fileless PowerShell scripts, and AI-generated deepfake content. <\/p>\n<p>The group behind this activity is BlueNoroff, a financially motivated subgroup known for stealing digital assets. 
<\/p>\n<p>This campaign has spread across more than 20 countries, with the United States making up 41% of all identified victims.<\/p>\n<p>The attack begins with a <a href=\"https:\/\/cybersecuritynews.com\/new-spear-phishing-attack-delivers-vip-keylogger\/\" id=\"119147\" 
target=\"_blank\" rel=\"noreferrer noopener\">spear-phishing email<\/a>. The threat actor pretends to be a legal professional in the Fintech space and sends a Calendly invite to the target. <\/p>\n<p>Once the victim confirms the meeting, the attacker quietly replaces the Google Meet link with a typo-squatted Zoom URL designed to look nearly identical to a real one. <\/p>\n<p>When the victim clicks the fake link, their browser loads a self-contained HTML page that looks exactly like the <a href=\"https:\/\/cybersecuritynews.com\/new-phishing-attack-mimic-as-zoom-meeting-invites\/\" id=\"107108\" target=\"_blank\" rel=\"noreferrer noopener\">Zoom meeting<\/a> interface, complete with fake participant video tiles, looping footage, and a cycling active speaker indicator.<\/p>\n<p><a href=\"https:\/\/arcticwolf.com\/resources\/blog\/bluenoroff-uses-clickfix-fileless-powershell-and-ai-generated-zoom-meetings-to-target-web3-sector\/\" id=\"https:\/\/arcticwolf.com\/resources\/blog\/bluenoroff-uses-clickfix-fileless-powershell-and-ai-generated-zoom-meetings-to-target-web3-sector\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Arctic Wolf analysts identified this targeted intrusion<\/a> against a North American Web3 and cryptocurrency company, attributing it with high confidence to BlueNoroff, also tracked as APT38, Sapphire Sleet, and Stardust Chollima. <\/p>\n<p>Researchers found that the full attack chain, from the initial click to complete system compromise, finished in under five minutes. 
<\/p>\n<p>Forensic analysis confirmed the attacker maintained persistent access on the victim\u2019s device for 66 days, stealing browser credentials, Telegram session data, and live webcam footage that was then reused to build more convincing lures for future targets.<\/p>\n<p>What 
makes this campaign especially damaging is its self-reinforcing deepfake production pipeline. Analysts uncovered more than 950 files on the attacker\u2019s hosting server, including AI-generated headshot images confirmed via C2PA cryptographic metadata as outputs of OpenAI\u2019s GPT-4o model, real webcam footage stolen from prior victims, and deepfake composite videos. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiRuLUyE46q9s3Pe9NIHLioywkZNZlC7zpjzbxbxv8EulrGtFNrWe77jaH3EO8ujIaDc0isBa-ttKvetzDYEUe0Gj5dzS1wFCwjX_1APsoicIfLScLX8vWaDGf79R7qL0yWla8t56EyDCXtibzQe2I9BWpEjmXjTsCyUib-EipJ-56xnEuOAl48Hzd5-yw\/s16000\/DM%2520screenshot%2520showing%2520a%2520compromised%2520Telegram%2520account%2520impersonating%2520a%2520previous%2520victim%2520%28Source%2520-%2520Arctic%2520Wolf%29.webp?ssl=1\" alt=\"DM screenshot showing a compromised Telegram account impersonating a previous victim (Source - Arctic Wolf)\"><figcaption class=\"wp-element-caption\">DM screenshot showing a compromised Telegram account impersonating a previous victim (Source \u2013 Arctic Wolf)<\/figcaption><\/figure>\n<\/div>\n<p>Each successful attack feeds raw material into the next, making future meetings more convincing. 
CEOs and founders account for 45% of all identified targets, reflecting BlueNoroff\u2019s focus on individuals with direct access to cryptocurrency assets and wallet infrastructure.<\/p>\n<h2 class=\"wp-block-heading\" id=\"the-clickfix-payload-delivery\"><strong>The ClickFix Payload 
Delivery<\/strong><\/h2>\n<p>Once the victim enters the <a href=\"https:\/\/cybersecuritynews.com\/north-korean-hackers-using-fake-zoom-invites\/\" id=\"116232\" target=\"_blank\" rel=\"noreferrer noopener\">fake Zoom<\/a> meeting, a persistent overlay appears claiming the user\u2019s SDK is outdated and needs an update. <\/p>\n<p>This is a ClickFix-style clipboard injection attack. The victim sees what look like harmless diagnostic commands and is told to copy and paste them into the Windows Run dialog or terminal. <\/p>\n<p>What they do not realize is that the page silently replaces the clipboard content with a hidden PowerShell execution command the moment they copy it.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiW2BVR255Z5vlk1HUaKivm5niLaAPzqScWsKr2I2JiCUX1fqbPKDdEafHeuIHvpirRvX0aDTOwKMfJN8MyEAyd-KlAl27GS_uxbv8RR5i384Y4bAwp2ho8MG3tPNCj2Uc3SRG0uzIQWcGwnfxgs4Y0iKfRtB5mbke7Q4KALQJZQke34Pfq9JDzFZZR674\/s16000\/Zoom-branded%2520fake%2520meeting%2520interface%2520with%2520%27SDK%2520deprecated%27%2520overlay%2520%28Source%2520-%2520Arctic%2520Wolf%29.webp?ssl=1\" alt=\"Zoom-branded fake meeting interface with 'SDK deprecated' overlay (Source - Arctic Wolf)\"><figcaption class=\"wp-element-caption\">Zoom-branded fake meeting interface with \u2018SDK deprecated\u2019 overlay (Source \u2013 Arctic Wolf)<\/figcaption><\/figure>\n<\/div>\n<p>The injected PowerShell command downloads an obfuscated second-stage script from the attacker\u2019s command-and-control server and saves it to the user\u2019s Temp folder as a file named chromechip.log. <\/p>\n<p>That file runs in a hidden window, installing a persistent C2 beacon that operates entirely in memory and contacts the attacker every five seconds. 
<\/p>\n<p>The implant collects hostname, OS version, running processes, admin privileges, and timezone data, packaging everything into a structured <a href=\"https:\/\/cybersecuritynews.com\/python-json-logger-vulnerability\/\" id=\"98590\" target=\"_blank\" rel=\"noreferrer noopener\">JSON beacon<\/a> sent to a remote server.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh0-gOx72iMQCl25dKh6Be-fUQjULW4q0voERVW_ahXfbyv-fIT6colQ8K3-tv59HaSsutflGmoGXsoV9w3XqNtle8TguHHfeavSKor9qmkcmAspcW9YWAcxTEqs-JXw5kjFn2iW7HIcuG3yFpwV4cPhUJy9qcVjw4p7kkL82cSX1o2GMlX4C46K7qHs_w\/s16000\/Decoded%2520PowerShell%2520C2%2520implant%2520showing%2520system%2520profiling%2520routine%2520and%2520JSON%2520beacon%2520structure%2520%28Source%2520-%2520Arctic%2520Wolf%29.webp?ssl=1\" alt=\"Decoded PowerShell C2 implant showing system profiling routine and JSON beacon structure (Source - Arctic Wolf)\"><figcaption class=\"wp-element-caption\">Decoded PowerShell C2 implant showing system profiling routine and JSON beacon structure (Source \u2013 Arctic Wolf)<\/figcaption><\/figure>\n<\/div>\n<p>Organizations in Web3, cryptocurrency, and financial services should verify all meeting links through a secondary communication method before joining any call. <\/p>\n<p>Legitimate platforms never ask users to run terminal commands to fix audio or camera issues. <\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/security-teams-shrink-as-automation-rises\/\" id=\"100650\" target=\"_blank\" rel=\"noreferrer noopener\">Security teams<\/a> should block identified C2 addresses, remove the Startup shortcut called Chrome Update Certificated.lnk, and delete chromechip.log and chrome-debug-data001.log from affected devices. <\/p>\n<p>All browser-stored passwords, API keys, and cryptocurrency wallet credentials must be rotated immediately. 
<\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/hackers-use-pastebin-hosted-powershell-script\/\" id=\"148307\" target=\"_blank\" rel=\"noreferrer noopener\">PowerShell Script<\/a> Block Logging should be enabled on all endpoints to support early detection of obfuscated payload execution.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/new-bluenoroff-campaign-uses-fileless-powershell\/\">New BlueNoroff Campaign Uses Fileless PowerShell and AI-Generated Zoom Lures<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/new-bluenoroff-campaign-uses-fileless-powershell\/\">Go to cyber-security-news<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>New BlueNoroff Campaign Uses Fileless PowerShell and AI-Generated Zoom Lures A dangerous new cyber campaign from North Korea\u2019s Lazarus Group is targeting cryptocurrency and Web3 professionals using fake Zoom meeting interfaces, fileless PowerShell scripts, and AI-generated deepfake content. The group behind this activity is BlueNoroff, a financially motivated subgroup known for stealing digital assets. 
This [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-12472","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12472"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=12472"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12472\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=12472"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=12472"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=12472"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}