Find notable cyber news and cases, enriched with sources, timelines, and signals.

BlueNoroff spear-phishing campaign uses typosquatted Zoom, Teams, and Calendly lures against crypto firms

Campaign
First reported
Last updated
Happening score
H score 33
2 unique sources, 2 articles

Summary

Hide ▲

BlueNoroff, a North Korea-linked Lazarus Group subgroup, ran a large-scale spear-phishing campaign against 100+ cryptocurrency organizations in 20+ countries by using typosquatted Zoom and Microsoft Teams links, fake Calendly invites, and ClickFix clipboard-injection lures. The first confirmed intrusion at a North American cryptocurrency company began on January 23, 2026, and the execution chain moved from the initial click to compromise in under five minutes. Arctic Wolf says the actors maintained access for 66 days and used exfiltrated webcam footage to support follow-on deception. The campaign also involved over 80 typosquatted meeting domains and more than 950 files on attacker infrastructure tied to a self-sustaining deepfake pipeline.

Related Happenings

Operation Endgame international cybercrime disruption initiative

Public Sector Action
H score57 First: 19.06.2026 18:07 Last: 19.06.2026 18:07 Sources 1

About this happening: **Operation Endgame** is an **ongoing international law enforcement initiative** that now includes the takedown of **SocGholish** infrastructure, expanding disruption of botnets a...

Ghost Networks crypto-clipper promotion campaign

Campaign
H score15 First: 17.06.2026 21:14 Last: 17.06.2026 21:14 Sources 1

About this happening: **Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...

UNC6508 China-linked REDCap espionage campaign

Campaign
H score39 First: 15.06.2026 17:00 Last: 15.06.2026 17:00 Sources 1

About this happening: **UNC6508** ran a **China-linked espionage campaign** against **exposed REDCap servers** used by **North American medical, academic, and military research networks**. The operatio...

JINX-0164 cryptocurrency recruitment-lure campaign

Campaign
H score39 First: 28.05.2026 10:54 Last: 28.05.2026 10:54 Sources 1

About this happening: A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...

Lazarus Group RemotePE long-term observation campaign against financial and cryptocurrency organizations

Campaign
H score38 First: 25.05.2026 12:32 Last: 25.05.2026 12:32 Sources 1

About this happening: The **Lazarus Group** was tied to a **RemotePE** campaign against **financial and cryptocurrency organizations**, signaling a stealth-focused operation with sustained access risk....

Timeline

  1. 11.02.2026 00:17 3 articles · 4mo ago

    UNC1069 crypto campaign with AI-generated video and ClickFix

    Initial Disclosure

    North Korean hackers linked to UNC1069 targeted cryptocurrency-sector victims and a fintech company with a social-engineering campaign that began on Telegram from a compromised executive account, moved through a Calendly link to a spoofed Zoom page, and used a fake CEO deepfake video to prompt the victim to run troubleshooting commands that started the infection chain on Windows and macOS; Mandiant also found AppleScript execution, a malicious Mach-O binary, and seven distinct macOS malware families including WAVESHAPER, HYPERCALL, HIDDENCALL, SILENCELIFT, DEEPBREATH, SUGARLOADER, and CHROMEPUSH.

    Show sources