The latest BlueNoroff campaign is characterized by a highly modular, cross-platform malware ecosystem and a complex social engineering pipeline. The attack chain unfolds as follows:
Initial access is achieved through spearphishing over Telegram or email, with the attackers posing as prominent figures in the cryptocurrency industry. Victims receive meeting invitations as Calendly or Google Meet links that have been tampered with to redirect to typosquatted Zoom or Microsoft Teams domains under attacker control. During these fake meetings, AI-generated deepfake avatars and voices impersonate company executives, which increases the credibility of the lure.
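The lure depends on the meeting link ultimately landing on an attacker-registered lookalike of a real meeting service rather than on the service itself. The Python below is an added example of a defensive check, not code from the report or from any vendor tooling: it allowlists the meeting hosts an organisation actually uses, and for anything else tests whether a hostname label imitates a brand (after undoing common digit-for-letter swaps, by substring match or by being one edit away). The allowlist, brand tokens, homoglyph table and sample URLs are constructed assumptions for illustration, not indicators from the campaign. Because the Calendly or Google Meet link itself can be genuine and only redirect to the lookalike, the check must be run on the final URL after redirects have been followed.

```python
"""Flag meeting-invite links whose host imitates a legitimate meeting service.

Added example, not part of the original report. The allowlist, brand tokens and
sample URLs are assumptions / constructed test data, not campaign indicators.
"""
from urllib.parse import urlparse

# Assumption: the only meeting and scheduling services the organisation uses.
TRUSTED_DOMAINS = ("zoom.us", "teams.microsoft.com", "meet.google.com", "calendly.com")

# Brand words an attacker imitates when registering a lookalike domain.
BRAND_TOKENS = ("zoom", "teams", "meet", "calendly")

# Typosquat substitutions undone before comparing (assumed, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Lowercased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def is_trusted(host: str) -> bool:
    """True only if host is a trusted domain or a real subdomain of one.

    'zoom.us.evil.example' does NOT pass: it must end with '.zoom.us'.
    """
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def normalise(label: str) -> str:
    """Undo common homoglyph swaps so 'zo0m' compares as 'zoom'."""
    for bad, good in HOMOGLYPHS.items():
        label = label.replace(bad, good)
    return label


def lookalike_reason(host: str):
    """Why host resembles a trusted brand, or None if it does not."""
    for label in host.split("."):
        norm = normalise(label)
        for brand in BRAND_TOKENS:
            if brand in norm:  # e.g. 'zoom-join', 'teams-micros0ft'
                return f"label '{label}' contains brand token '{brand}'"
            if levenshtein(norm, brand) <= 1:  # one typo away, e.g. 'zom', 'zoomm'
                return f"label '{label}' is within edit distance 1 of '{brand}'"
    return None


def classify_meeting_url(url: str) -> str:
    """'trusted', 'lookalike', 'untrusted' or 'invalid' for an invite link."""
    host = host_of(url)
    if not host:
        return "invalid"
    if is_trusted(host):
        return "trusted"
    return "lookalike" if lookalike_reason(host) else "untrusted"


if __name__ == "__main__":
    # Constructed sample links; none of these are real indicators.
    for sample in (
        "https://us02web.zoom.us/j/123456789",
        "https://teams.microsoft.com/l/meetup-join/abc",
        "https://zo0m.us/j/123456789",
        "https://zoom.us.meeting-join.example/j/1",
        "https://teams-micros0ft.example/join",
        "https://intranet.example.com/calendar",
    ):
        print(f"{classify_meeting_url(sample):10} {sample}")
```

Substring matching on brand tokens is deliberately aggressive: a label such as `meetup` will trip the `meet` token, so treat a `lookalike` verdict as a reason to block or review the invite, not as proof of compromise. The allowlist check runs first, so genuine subdomains like `us02web.zoom.us` are never re-examined.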
Victims are then instructed to download a malicious “Zoom…