www.darkreading.com 4/28/2026, 10:27:39 PM

North Korea’s BlueNoroff uses fake Zoom to steal crypto exec data


North Korea's BlueNoroff, a state-sponsored group, is running a financially motivated campaign that targets cryptocurrency executives, using stolen victim videos, AI-generated avatars, and fake Zoom meetings to lure targets into installing malware, according to Arctic Wolf. The operation opens with a pretext such as a Calendly invite or a calendar workflow that impersonates a trusted contact; in the case described, a meeting was created for January 2026 and its link was later replaced with a typosquatted Zoom URL that opened in the victim's browser.

Arctic Wolf's investigation found that clicking through to the fake meeting produced a bogus "Zoom SDK update" prompt; accepting it installed multiple payloads that established persistence, harvested credentials, stole cryptocurrency-wallet and Telegram data, and carried out other post-exploitation activity, all in under five minutes. In one case BlueNoroff maintained persistence for 66 days.
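The two steps above (a typosquatted Zoom link, then a fake update prompt served from it) both hinge on the victim not checking where the meeting URL actually points. The following is an added example, not code from Arctic Wolf or Dark Reading, of a pre-click check that classifies a meeting link's host as a genuine Zoom domain, a Zoom lookalike, or something else. The legitimate-domain list is an assumption, and the lookalike hostnames in the sample are constructed for illustration; none of them is the domain used in this campaign.

```python
"""Classify a meeting link's host as a real Zoom domain, a Zoom lookalike,
or something else.

Added example for this page; not code from Arctic Wolf or Dark Reading.
The lookalike hostnames in the sample run are constructed for illustration
and are not indicators from the campaign.
"""
import unicodedata
from urllib.parse import urlsplit

# Assumption: registrable domains under which genuine Zoom meeting and
# download links live. Vanity tenants (acme.zoom.us) are subdomains of these.
ZOOM_DOMAINS = ("zoom.us", "zoom.com")


def _hostname(url: str) -> str:
    """Lower-cased hostname of an http(s) URL, or '' if there is none."""
    url = url.strip()
    if not urlsplit(url).scheme:      # bare 'zoom.us/j/1' pasted from a calendar
        url = "https://" + url
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return ""                     # javascript:, data:, zoommtg: etc. are not web links
    return (parts.hostname or "").rstrip(".").lower()


def is_legit_zoom_host(host: str) -> bool:
    """True only for an ASCII host that is, or is a subdomain of, a Zoom domain."""
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return False                  # IDN/punycode is never a genuine Zoom host
    return any(host == d or host.endswith("." + d) for d in ZOOM_DOMAINS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance to a Zoom domain is the typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_meeting_link(url: str) -> str:
    """Return 'legit', 'lookalike' or 'other' for a meeting URL."""
    host = _hostname(url)
    if not host:
        return "other"
    if is_legit_zoom_host(host):
        return "legit"
    # NFKC folds fullwidth and other compatibility forms onto ASCII so the
    # substring and distance checks see roughly what the victim's eye sees.
    folded = unicodedata.normalize("NFKC", host)
    labels = folded.split(".")
    registrable = ".".join(labels[-2:])   # rough: last two labels, no public-suffix list
    if "zoom" in folded:                   # zoom-us.example, zoom.us.evil.example
        return "lookalike"
    if any(levenshtein(registrable, d) <= 2 for d in ZOOM_DOMAINS):  # zoon.us, zo-om.us
        return "lookalike"
    return "other"


if __name__ == "__main__":
    # Constructed sample links for illustration (not observed indicators).
    for link in ("https://us02web.zoom.us/j/123", "zoon.us/j/123",
                 "https://zoom.us.example.net/update", "https://meet.example.com/x"):
        print(f"{classify_meeting_link(link):9s} {link}")
```

The registrable-domain approximation (last two labels) is deliberately crude; a public-suffix list would tighten it. Separately, a genuine Zoom meeting page does not push a client or SDK update to the browser; updates come from the desktop client or from zoom.us/download, so an update prompt served from any meeting link, legitimate-looking or not, is itself a red flag.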

Investigators identified more than 100 stolen images and videos, nearly half of them of CEOs or co-founders, that were used as bait to recruit new victims; eight in ten victims worked in cryptocurrency or related finance sectors. The report notes that BlueNoroff operates a self-reinforcing pipeline, turning exfiltrated footage and AI-generated content into convincing new meeting lures.


Article by CyberSIXT
