lazarusholic

Everyday is lazarus.dayβ

Zooming through BlueNoroff Indicators with Validin

2025-06-20, Validin
https://www.validin.com/blog/zooming_through_bluenoroff_pivots/
#BlueNoroff #macOS

Pivoting through recently-reported indicators to find BlueNoroff-associated domains
In a recent blog post (Inside the BlueNoroff Web3 macOS Intrusion Analysis), the Huntress research team detailed a targeted intrusion against a Web3 (cryptocurrency) organization that they attributed with high confidence to BlueNoroff. BlueNoroff, also known as APT38, is a financially motivated subgroup of North Korea's Lazarus Group. This report highlights all stages of the attack chain including phishing lures, backdoors, and post-exploitation persistence intended to stealthily compromise victims in the Web3 space.
Investigating The Lure Domain
We'll investigate the domain support[.]us05web-zoom[.]biz, which hosted a malicious "Zoom extension" sent to the victim over Telegram after joining a staged Zoom meeting. We'll start by looking at that domain's DNS history in Validin.
Notably, Validin shows that this domain resolved to 8.8.8.8 for most of our history except for a couple of days in late May (May 25 and 26). This is interesting because 8.8.8.8 is a very …
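The pivot the excerpt describes (a domain parked on 8.8.8.8 for most of its DNS history, with only a brief window on another address) can be hunted for across a passive-DNS dataset. The following is an added example, not code from the Validin post or Validin's API; the records are constructed, the non-placeholder IPs are TEST-NET addresses, and treating 8.8.8.8 as a parking value is an assumption taken from the excerpt.

```python
"""Added example: find domains in passive-DNS history that share the
'parked on 8.8.8.8, briefly live elsewhere' pattern, then pivot on the
IPs used during the brief live window. Constructed data, not Validin's."""
from collections import defaultdict
from datetime import date

PLACEHOLDER_IPS = {"8.8.8.8"}  # assumption: A record pointed at a public resolver = parked

# Constructed records (domain, ip, first_seen, last_seen). The rows for
# support.us05web-zoom.biz mirror the timeline in the excerpt; the other
# domains and all non-placeholder IPs are made up for illustration.
RECORDS = [
    ("support.us05web-zoom.biz", "8.8.8.8", date(2025, 4, 1), date(2025, 5, 24)),
    ("support.us05web-zoom.biz", "203.0.113.45", date(2025, 5, 25), date(2025, 5, 26)),
    ("support.us05web-zoom.biz", "8.8.8.8", date(2025, 5, 27), date(2025, 6, 19)),
    ("meet-example.test", "8.8.8.8", date(2025, 5, 1), date(2025, 6, 1)),
    ("meet-example.test", "203.0.113.45", date(2025, 6, 2), date(2025, 6, 3)),
    ("benign-example.test", "198.51.100.7", date(2025, 1, 1), date(2025, 6, 19)),
]


def days(rec):
    """Inclusive number of days a resolution record was observed."""
    return (rec[3] - rec[2]).days + 1


def parked_with_brief_window(records, max_window_days=7):
    """Return {domain: set(live_ips)} for domains that spent most of their
    history on a placeholder IP and at most max_window_days on anything else."""
    by_domain = defaultdict(list)
    for r in records:
        by_domain[r[0]].append(r)
    hits = {}
    for dom, recs in by_domain.items():
        parked_days = sum(days(r) for r in recs if r[1] in PLACEHOLDER_IPS)
        live = [r for r in recs if r[1] not in PLACEHOLDER_IPS]
        live_days = sum(days(r) for r in live)
        if parked_days > live_days and 0 < live_days <= max_window_days:
            hits[dom] = {r[1] for r in live}
    return hits


def pivot_on_shared_ips(records, seed_domain):
    """Other pattern-matching domains whose live window reused a seed-domain IP."""
    hits = parked_with_brief_window(records)
    seed_ips = hits.get(seed_domain, set())
    return sorted(d for d, ips in hits.items() if d != seed_domain and ips & seed_ips)


if __name__ == "__main__":
    print(parked_with_brief_window(RECORDS))
    print(pivot_on_shared_ips(RECORDS, "support.us05web-zoom.biz"))
```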

IoC
