BlueNoroff Deepfake Zoom Attack: 100 Crypto Executives Compromised in 5 Minutes

2026-04-30 Decryption Digest

https://www.decryptiondigest.com/blog/bluenoroff-deepfake-zoom-crypto-clickfix

BlueNoroff is using fake Zoom meetings, deepfake participant media, and ClickFix clipboard injection to target cryptocurrency and Web3 executives. The attack starts with Calendly-based social engineering and typo-squatted meeting domains, then tricks victims into running an obfuscated PowerShell payload that establishes C2 and persistence and carries out credential theft, Telegram session theft, screenshot capture, and UAC bypass. The campaign reportedly reuses stolen webcam footage and AI-generated media to make future lures more convincing; more than 100 victim identities and over 950 media files were recovered from attacker infrastructure. Confirmed targeting is heavily concentrated on crypto founders, executives, and financially adjacent leadership roles.

Indicators of Compromise

