BlueNoroff Uses Fake Zoom Calls to Turn Victims Into Attack Lures
The North Korean group is using stolen victim videos, AI-generated avatars, and fake Zoom calls to scale malware attacks against cryptocurrency executives.
Coverage of reported Lazarus-linked intrusions, infrastructure, disruption efforts, and defensive guidance that helps explain cybersecurity risks.
Search across headline titles and summaries.
Background for this topic.
Lazarus is a name used by security researchers and public authorities for a suspected, loosely defined intrusion set associated with multiple malware and cyber-espionage operations. The label may cover related but not identical activity, and attribution can change as technical evidence is reassessed. Public reporting has connected the name to incidents involving credential theft, malicious software, theft of funds, and disruptive attacks; those reports should not automatically be treated as proof that every campaign sharing similar tooling has the same operator.
For defenders, coverage under this tag is most useful when it identifies the initial access path, affected software, infrastructure, and evidence supporting attribution. Practical priorities include phishing-resistant multifactor authentication for privileged and remote access, prompt remediation of exploited internet-facing systems, application allowlisting for sensitive environments, and monitoring for unusual authentication, scripting, and outbound connections. During a suspected intrusion, preserve endpoint, identity, email, and network logs before containment changes evidence, then scope for stolen credentials and persistence across connected systems.
Weekly headline count for the current query.
The North Korean group is using stolen victim videos, AI-generated avatars, and fake Zoom calls to scale malware attacks against cryptocurrency executives.
Lazarus continues leveraging ClickFix for initial access and data theft: in this case, against Mac-centric organizations and their high-value leaders.
The North Korean threat group also leveraged Comebacker backdoor, Blindingcan RAT, and info stealer Infohook in its recent attacks.
Two campaigns targeting fintech execs and Web3 developers show the APT going cross-platform in financially motivated campaigns that use fake business collaboration and job recruitment lures.
The campaign is the latest effort by the North Korean threat actor to collect data of strategic interest to Pyongyang.
A continuation of the North Korean nation-state threat's campaign against employment seekers uses the social engineering attack to target CeFi organizations with the GolangGhost backdoor.
Cyberattackers believed to be affiliated with the state-sponsored threat group pulled off the largest crypto heist reported to date, stealing $1.5 billion from exchange Bybit. It was carried out by interfering with a routine transfer between wallets.
The threat actor is using a sophisticated network of VPNs and proxies to centrally manage command and control servers from Pyongyang.
"Operation 99" uses job postings to lure freelance software developers into downloading malicious Git repositories. From there, malware infiltrates developer projects to steal source code, secrets, and cryptocurrency.
The prominent state-sponsored advanced persistent threat (APT), aka Jumpy Pisces, appears to be moving away from its primary cyber-espionage motives and toward wreaking widespread disruption and damage.
The North Korean actor is going after cryptocurrency investors worldwide leveraging a genuine-looking game site and AI-generated content and images.
The individual is part of a DPRK-backed group known as Andariel, which is known for using the 'Maui' ransomware strain to target and extort healthcare entities.
The Andariel group is targeting critical defense, aerospace, nuclear, and engineering companies for data theft, the FBI, NSA, and others said.
Lazarus, Kimsuky, and Andariel all got in on the action, stealing "important" data from firms responsible for defending their southern neighbors (from them).
North Korean state actors Lazarus Group used a Windows AppLocker zero day, along with a new and improved rootkit, in a recent cyberattack, researchers report.
The infamous vulnerability may be on the older side at this point, but North Korea's primo APT Lazarus is creating new, unique malware around it at a remarkable clip.
The prolific threat actor has laundered hundreds of millions of dollars in stolen virtual currency through the service.
Lazarus and its cohorts are switching loaders and other code between RustBucket and KandyKorn macOS malware to fool victims and researchers.
Kim Jong-Un's hackers are scraping the bottom of the barrel, using script kiddie-grade malware to steal devalued digital assets.
Posing as fellow engineers, the North Korean state-sponsored cybercrime group Lazarus tricked crypto-exchange developers into downloading the hard-to-detect malware.