StardustChollima/BlueNoroff stole TG accounts and launched ZoomClickFIX phishing attacks.
StardustChollima, also known as BlueNoroff, has recently been stealing Telegram (TG) accounts and using them to deliver phishing attacks with a technique dubbed “ZoomClickFIX.” The lure is a Zoom meeting link that looks legitimate: the URL shown to the user is hxxps://reforge.zoom.us/j/2721598407?pwd=hblaw88iAFZz37obAHYBTNmHuikirt. Once the link is clicked, however, the user is redirected to a look-alike address in which only the domain has been altered, hxxps://reforge.web05zoom.us/j/2721598407?pwd=hblaw88iAFZz37obAHYBTNmHuikirt; the subdomain, meeting ID and password parameter are carried over unchanged.
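As an added defensive example (not part of the pulse), the check below tells the genuine reforge.zoom.us link from the look-alike reforge.web05zoom.us destination by comparing registrable domains instead of looking for the substring "zoom", and flags a redirect that keeps the meeting path but changes the domain. The allow-list, the two-label domain rule and the third sample URL are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: registrable domains treated as genuine Zoom. Extend this for
# your tenant (e.g. zoom.com, zoomgov.com) if they appear in real traffic.
ZOOM_DOMAINS = {"zoom.us"}

# Shape of a Zoom join path: /j/<meeting id> (9-11 digits), pwd= in the query.
JOIN_PATH = re.compile(r"^/j/\d{9,11}$")


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxps://, [.]) back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification (assumption): a production
    check should consult a public-suffix list so that co.uk-style TLDs work."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url: str) -> str:
    """Return 'legit', 'lookalike' or 'other' for a URL."""
    parts = urlsplit(refang(url))
    reg = registrable_domain(parts.hostname or "")
    if reg in ZOOM_DOMAINS:
        return "legit"
    # Not zoom.us, but either the registrable domain still contains "zoom"
    # (web05zoom.us) or the path imitates a join link: treat as a lure.
    if "zoom" in reg or JOIN_PATH.match(parts.path):
        return "lookalike"
    return "other"


def redirect_is_lookalike(shown: str, landed: str) -> bool:
    """True when the displayed link and the final destination share the same
    join path and query (same meeting id and pwd) but land on a different,
    non-Zoom registrable domain, the ZoomClickFIX swap described above."""
    a, b = urlsplit(refang(shown)), urlsplit(refang(landed))
    same_meeting = a.path == b.path and a.query == b.query
    domain_changed = registrable_domain(a.hostname or "") != registrable_domain(b.hostname or "")
    return same_meeting and domain_changed and classify(landed) != "legit"


# Sample input: the two URLs quoted in the pulse (defanged) and one constructed lure.
SHOWN = "hxxps://reforge.zoom.us/j/2721598407?pwd=hblaw88iAFZz37obAHYBTNmHuikirt"
LANDED = "hxxps://reforge.web05zoom.us/j/2721598407?pwd=hblaw88iAFZz37obAHYBTNmHuikirt"
CONSTRUCTED = "https://zoom.us.evil-example.test/j/2721598407"  # constructed sample
```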