Pulse Detail — Threat Intelligence

PULSE NAME

IOC - BlueNoroff Uses ClickFix, Fileless PowerShell, and AI-Generated Fake Zoom Meetings to Target Web3 Sector

WHITE celestre 2026-04-30 Modified: 2026-05-30

IOCs

MEDIUM VOLUME

Arctic Wolf has identified a targeted intrusion against a North American Web3/cryptocurrency company, which we attribute with a high confidence level to BlueNoroff, a financially motivated subgroup of DPRK’s Lazarus Group.

Indicators of Compromise (46)

All FileHash-SHA256 domain hostname URL

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-SHA256	17158cd6490a2b3c672d087f3d69107643d6a6f7c67345461b10ae18f27e28d1	—	2026-04-30
FileHash-SHA256	6030338469819129924c6e01e110145a128ca3d944cd4b696abc7925a1840001	—	2026-04-30
FileHash-SHA256	a37cb38b178833f15bf13fd5fa622b694c2244230ac0be33e75680c71dc08a08	—	2026-04-30
FileHash-SHA256	db446f0e1d18b43805bfefe1af934ae4b0879e376904635cc7e14eae2d7fc682	—	2026-04-30
FileHash-SHA256	dd1c72823f933952619cbb86aaeaea43057a259e9a0c9e3b11c82225ec3faaa1	—	2026-04-30
FileHash-SHA256	edd0301ffb793169b1314c59c0ef3a98d5793c0441dd43a7c484d61deb4f107f	—	2026-04-30
domain	check02id.com	—	2026-04-30
domain	gmeet.cam	—	2026-04-30
domain	ms-live.com	—	2026-04-30
domain	recaptcha.work	—	2026-04-30
domain	smart-meeting.online	—	2026-04-30
domain	teams-live.org	—	2026-04-30
domain	teams-live.us	—	2026-04-30
domain	thriddata.com	—	2026-04-30
domain	uu01webzoom.us	—	2026-04-30
domain	uu03webzoom.us	—	2026-04-30
domain	web01zoom.com	—	2026-04-30
hostname	bitlayer.teams-meet.us	—	2026-04-30
hostname	nubit.teams-live.org	—	2026-04-30
hostname	pd.uc05web.us	—	2026-04-30
hostname	support.teams-live.org	—	2026-04-30
hostname	teams.livesmeet.us	—	2026-04-30
hostname	teams.livesmeets.us	—	2026-04-30
hostname	uxlink.mslive.us	—	2026-04-30
hostname	zoom.ue01web.us	—	2026-04-30
hostname	zoom.un01web.us	—	2026-04-30
FileHash-SHA256	0fdac2d4f5fe127eec1754ceebfb67131a03e0271d5e128db2084665cac88533	—	2026-04-30
FileHash-SHA256	29fb6b49e33d8b6dc967a0b11d1225ec5a9f30faf6bde341bf3545298656fe6b	—	2026-04-30
FileHash-SHA256	2acf6335315f7ba1270d7cfaaa7e420794ce0f7c8f5c1ba41be5075ced19e537	—	2026-04-30
FileHash-SHA256	345b3497d5c7945c9c2e47663926f0dcdd931be3df12c4f7d10d6356a3b5bc7c	—	2026-04-30
FileHash-SHA256	4aa85fabfe717b3c31e0b24afb4a07008305e0a9faedf295d4e74a49e0ec3b40	—	2026-04-30
FileHash-SHA256	841444082ae59707aeb47b597282e17d5d9af37c00f146745d88baac308dc8e3	—	2026-04-30
FileHash-SHA256	8a7273889c3fedf81ffe2dcfc1a321771620d71cd0d98125a0a237842d79f35e	—	2026-04-30
FileHash-SHA256	96ab701c444d9922802fe20adfc81f3476e014f8c4ba0b951714127ecac58edf	—	2026-04-30
FileHash-SHA256	bc94f02c97af6761f9dc21d39ea4564a209f087c3441a33872e68742f468a9c5	—	2026-04-30
FileHash-SHA256	d498013b6f27debf027352a5c8b481ade180541443c027afdc1c3634ca7f2a1f	—	2026-04-30
FileHash-SHA256	e598eb0078a3c6d887135518eda1424e59f2b6cbf5a902ffe1063c34e03e3ed8	—	2026-04-30
FileHash-SHA256	ee4807a19e432cf370f860f7b4deb84b04349143f921ac62fb0f6ef9eb3e6123	—	2026-04-30
FileHash-SHA256	f391954378707e8b471c785ee792efacf97e7be80d4200966cbb176d531f0721	—	2026-04-30
URL	http://104.145.210.107:8444	—	2026-04-30
URL	http://83.136.208.246:6783	—	2026-04-30
URL	http://83.136.209.22:8444	—	2026-04-30
URL	http://check02id.com:7365	—	2026-04-30
URL	http://uu03webzoom.us/j/8969791763?pwd=CIPWZTUQimQLKNXytEUQpwCscOBCPf.1	—	2026-04-30
URL	https://83.136.209.22:8444/download?id=8766ceb975cadedca38aad72091017cdb5d3e4c8f8af0441	—	2026-04-30
URL	https://83.136.209.22:8444/download?id=b1a87ab536188b10f02b3d84d03c0a45ed38f948a338d8f4	—	2026-04-30

References (1)

↗ https://arcticwolf.com/resources/blog/bluenoroff-uses-clickfix-fileless-powershell-and-ai-generated-zoom-meetings-to-target-web3-sector/