BlueNoroff spear-phishing campaign uses typosquatted Zoom, Teams, and Calendly lures against crypto firms

Campaign
Happening score: 39
2 unique sources, 2 articles

Summary

BlueNoroff, a North Korea-linked Lazarus Group subgroup, ran a large-scale spear-phishing campaign against 100+ cryptocurrency organizations in 20+ countries by using typosquatted Zoom and Microsoft Teams links, fake Calendly invites, and ClickFix clipboard-injection lures. The first confirmed intrusion at a North American cryptocurrency company began on January 23, 2026, and the execution chain moved from the initial click to compromise in under five minutes. Arctic Wolf says the actors maintained access for 66 days and used exfiltrated webcam footage to support follow-on deception. The campaign also involved over 80 typosquatted meeting domains and more than 950 files on attacker infrastructure tied to a self-sustaining deepfake pipeline.

Related Happenings

Lazarus Group RemotePE long-term observation campaign against financial and cryptocurrency organizations

Campaign
First: 25.05.2026 12:32 Last: 25.05.2026 12:32 Sources 1

About this happening: The **Lazarus Group** was tied to a **RemotePE** campaign against **financial and cryptocurrency organizations**, signaling a stealth-focused operation with sustained access risk....

Ghostwriter geofenced PDF spear-phishing campaign targeting Ukrainian government entities

Campaign
First: 14.05.2026 17:00 Last: 14.05.2026 17:00 Sources 1

About this happening: The **Ghostwriter / FrostyNeighbor** group is running a **geofenced spear-phishing campaign** against **government entities in Ukraine**, and the operation matters because it deli...

Foxconn claimed data leak by Nitrogen ransomware group

Data Leak
First: 13.05.2026 20:13 Last: 13.05.2026 20:13 Sources 1

About this happening: The **Nitrogen ransomware group** claimed a **Foxconn data leak** involving **8TB** and more than **11 million files**, raising the risk that confidential manufacturing material t...

ScarCruft sqgame[.]net supply-chain espionage campaign

Campaign
First: 05.05.2026 12:07 Last: 05.05.2026 12:07 Sources 1

About this happening: **ScarCruft**'s **late-2024** supply-chain campaign against **sqgame[.]net** expanded a niche gaming platform compromise into a **multi-platform espionage channel**. The operation...

Code of conduct-themed Microsoft AiTM phishing campaign

Campaign
First: 05.05.2026 09:35 Last: 05.05.2026 09:35 Sources 1

About this happening: A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...

Timeline

  1. 11.02.2026 00:17 3 articles · 3mo ago

    UNC1069 crypto campaign with AI-generated video and ClickFix

    Initial Disclosure

    North Korean hackers linked to UNC1069 targeted cryptocurrency-sector victims and a fintech company with a social-engineering campaign. It began on Telegram from a compromised executive account, moved through a Calendly link to a spoofed Zoom page, and used a fake CEO deepfake video to prompt the victim to run troubleshooting commands that started the infection chain on Windows and macOS. Mandiant also found AppleScript execution, a malicious Mach-O binary, and seven distinct macOS malware families, including WAVESHAPER, HYPERCALL, HIDDENCALL, SILENCELIFT, DEEPBREATH, SUGARLOADER, and CHROMEPUSH.
