BlueNoroff spear-phishing campaign uses typosquatted Zoom, Teams, and Calendly lures against crypto firms
Campaign
Summary
Hide ▲
Show ▼
BlueNoroff, a North Korea-linked Lazarus Group subgroup, ran a large-scale spear-phishing campaign against 100+ cryptocurrency organizations in 20+ countries by using typosquatted Zoom and Microsoft Teams links, fake Calendly invites, and ClickFix clipboard-injection lures. The first confirmed intrusion at a North American cryptocurrency company began on January 23, 2026, and the execution chain moved from the initial click to compromise in under five minutes. Arctic Wolf says the actors maintained access for 66 days and used exfiltrated webcam footage to support follow-on deception. The campaign also involved over 80 typosquatted meeting domains and more than 950 files on attacker infrastructure tied to a self-sustaining deepfake pipeline.
Related Happenings
Operation Endgame international cybercrime disruption initiative
Public Sector Action
H score57
First: 19.06.2026 18:07
Last: 19.06.2026 18:07
Sources 1
About this happening:
**Operation Endgame** is an **ongoing international law enforcement initiative** that now includes the takedown of **SocGholish** infrastructure, expanding disruption of botnets a...
Operation Endgame international cybercrime disruption initiative
Public Sector ActionAbout this happening: **Operation Endgame** is an **ongoing international law enforcement initiative** that now includes the takedown of **SocGholish** infrastructure, expanding disruption of botnets a...
Ghost Networks crypto-clipper promotion campaign
Campaign
H score15
First: 17.06.2026 21:14
Last: 17.06.2026 21:14
Sources 1
About this happening:
**Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...
Ghost Networks crypto-clipper promotion campaign
CampaignAbout this happening: **Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...
UNC6508 China-linked REDCap espionage campaign
Campaign
H score39
First: 15.06.2026 17:00
Last: 15.06.2026 17:00
Sources 1
About this happening:
**UNC6508** ran a **China-linked espionage campaign** against **exposed REDCap servers** used by **North American medical, academic, and military research networks**. The operatio...
UNC6508 China-linked REDCap espionage campaign
CampaignAbout this happening: **UNC6508** ran a **China-linked espionage campaign** against **exposed REDCap servers** used by **North American medical, academic, and military research networks**. The operatio...
JINX-0164 cryptocurrency recruitment-lure campaign
Campaign
H score39
First: 28.05.2026 10:54
Last: 28.05.2026 10:54
Sources 1
About this happening:
A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...
JINX-0164 cryptocurrency recruitment-lure campaign
CampaignAbout this happening: A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...
Lazarus Group RemotePE long-term observation campaign against financial and cryptocurrency organizations
Campaign
H score38
First: 25.05.2026 12:32
Last: 25.05.2026 12:32
Sources 1
About this happening:
The **Lazarus Group** was tied to a **RemotePE** campaign against **financial and cryptocurrency organizations**, signaling a stealth-focused operation with sustained access risk....
Lazarus Group RemotePE long-term observation campaign against financial and cryptocurrency organizations
CampaignAbout this happening: The **Lazarus Group** was tied to a **RemotePE** campaign against **financial and cryptocurrency organizations**, signaling a stealth-focused operation with sustained access risk....
Timeline
-
11.02.2026 00:17 3 articles · 4mo ago
UNC1069 crypto campaign with AI-generated video and ClickFix
Initial DisclosureNorth Korean hackers linked to UNC1069 targeted cryptocurrency-sector victims and a fintech company with a social-engineering campaign that began on Telegram from a compromised executive account, moved through a Calendly link to a spoofed Zoom page, and used a fake CEO deepfake video to prompt the victim to run troubleshooting commands that started the infection chain on Windows and macOS; Mandiant also found AppleScript execution, a malicious Mach-O binary, and seven distinct macOS malware families including WAVESHAPER, HYPERCALL, HIDDENCALL, SILENCELIFT, DEEPBREATH, SUGARLOADER, and CHROMEPUSH.
Show sources
- North Korean hackers use new macOS malware in crypto-theft attacks — www.bleepingcomputer.com — 11.02.2026 00:17
- North Korean hackers use new macOS malware in crypto-theft attacks — www.bleepingcomputer.com — 11.02.2026 00:17
- North Korean Hackers Target Crypto Firms with ClickFix and AI-Made Zoom Lures — www.infosecurity-magazine.com — 28.04.2026 11:00