PULSE NAME
BlueNoroff Uses ClickFix, Fileless PowerShell, and AI-Generated Fake Zoom Meetings to Target Web3 Sector
WHITE Lazarus PetrP.73 2026-04-30 Modified: 2026-05-30
42 IOCs (MEDIUM VOLUME)
BlueNoroff, a financially motivated subgroup of North Korea's Lazarus Group, recently executed a series of sophisticated cyberattacks targeting the Web3/cryptocurrency sector. These attacks utilized innovative techniques including fileless PowerShell methods and social engineering tactics such as impersonating respected individuals in the fintech space to deliver manipulated invites for fake Zoom meetings.
Indicators of Compromise (42)