RSS
Last updated: May 13, 2026 at 5:42 AM UTC
All 208 Vulnerability 72 Breach 41 Threat 88 Defense 7
Tag: bluenoroff (2 articles)Clear
threat
2026-04-28

North Korean hackers are recording fake Zoom meetings with real crypto executives, then using the footage and AI-generated lookalikes to scam the next target

North Korea's BlueNoroff group has built a self-reinforcing deepfake pipeline that turns each victim into the lure for the next attack. Arctic Wolf documented the pattern: attackers send a Calendly invite that looks like a normal business meeting, then quietly swap the Google Meet link for a typo-squatted Zoom URL. When the target joins, a fake Zoom interface secretly records their webcam feed while a clipboard-injection attack drops malware. The captured footage is mixed with AI-generated lookalikes (built using ChatGPT for synthetic portraits) and recycled into the next attack. Arctic Wolf found 950 files in BlueNoroff's media server. 80% of identified targets are crypto executives.

bluenorofflazarusapt38dprkdeepfakefake-zoomclickfixcryptocurrencyarctic-wolfcalendlysocial-engineering
Check
Brief every executive in your organization that any 'Zoom SDK update' prompt asking them to copy and paste commands into their terminal during a meeting is a North Korean malware drop.
Affected
Cryptocurrency executives, Web3 founders, and CEOs at fintech and blockchain companies - 45% of identified targets are CEOs and founders, 80% are in crypto or adjacent sectors. Anyone whose webcam footage was exfiltrated by BlueNoroff is now appearing as a fake meeting participant targeting their professional network.
Fix
Train executives that any 'SDK update' prompt during a meeting is hostile - real Zoom and Teams never ask users to paste commands into terminals. Verify out-of-band before joining any meeting from an unsolicited Calendly link. Block known BlueNoroff infrastructure (Petrosky Cloud LLC AS400897 and the 80 typosquat domains in Arctic Wolf's IoCs). Consider a dedicated meeting device for high-risk executives.
threat
2026-04-04

Axios npm attack attributed to North Korean hackers UNC1069 - part of broader campaign targeting open-source maintainers

The Axios supply chain attack we covered on March 31 has now been attributed to UNC1069, a North Korean threat group linked to BlueNoroff that specializes in financially motivated attacks against crypto exchanges and financial institutions. Google's Mandiant confirmed the attackers social-engineered the lead maintainer through a fake video call, deploying a RAT via the compromised npm account. Socket warns this wasn't a one-off - the same actors have compromised accounts spanning some of the most widely depended-upon packages in the npm registry.

axiosnpmnorth-koreaunc1069bluenoroffsupply-chainsocial-engineering
Check
Re-check your environments for axios 1.14.1 or 0.30.4. If you found and removed them previously, verify credential rotation was completed.
Affected
axios 1.14.1 and 0.30.4 on npm. Socket warns additional high-trust npm packages may be compromised by the same actor - monitor for advisories.
Fix
Pin to axios 1.14.0 or 0.30.3. Rotate all credentials on any system that ran the poisoned versions. Block sfrclak[.]com and 142.11.206.73 on port 8000. Enforce OIDC-backed provenance verification for critical npm dependencies.